A recent decree provides further information on how to appoint a data protection officer whose primary task is to ensure that his/her organization processes the personal data of its staff, customers, providers, or any other individuals in compliance with the EU’s General Data Protection Regulation.
Under the General Data Protection Regulation (GDPR), a data protection officer (DPO) must be designated by a controller or a processor where the core activities of said controller or processor consist of (i) processing operations which require regular and systematic monitoring of data subjects on a large scale; or (ii) processing special categories of data (e.g., data revealing racial or ethnic origin) or data relating to criminal convictions and offences.
Under French law, the DPO is the person responsible for ensuring compliance with the obligations laid down both by GDPR and by French law (enacted January 6, 1978, and modified on June 20, 2018.)
This complex dual legal framework explains that it is often recommended to appoint a DPO even in scenarios where it is not mandatory under GDPR.
A decree has recently clarified the procedure for designating a DPO in France:
- First, this decree has confirmed that several undertakings may appoint the same DPO acting on their behalf, which is only a reminder of the rule laid down by GDPR.
- Second, the decree provides that contact details of the DPO and any modification of them must be communicated as soon as possible to the French data protection authority (CNIL) by electronic means (this can currently be done through the CNIL’s website).
For the purpose of this communication, the following information must be provided:
- Regarding the DPO (and in accordance with GDPR), (i) name, surname, and work contact details (in practice, the CNIL currently requires the work address, work phone number, mobile phone number, and email address); or (ii), if it is a legal entity, those of the agent designated to act as a DPO
- Regarding the processor or the controller (which is not expressly required by GDPR), (i) name, surname, and work contact details or those of its representative; or (ii), if it is a legal entity, its designation, registered headquarter, and legal representative
- Third, the designation and the work contact details of the processor or the controller as well as the contact details of the DPO (in practice, the CNIL currently requires at least two different forms of communication with the DPO as well as a public email address or a link to a contact form) must be made available to the public in an open format easily reusable by the CNIL.
As indicated by the CNIL in its opinion on the decree, this measure goes a bit beyond GDPR’s requirements and aims to strengthen the protection of the information of data subjects.