On 15 March, the French Data Protection Authority (CNIL) released an English translation of its Guide on the role of Data Protection Officers (the Guide). The Guide provides concrete examples, answers to frequently asked questions, and practical tools on the role of the DPO. Our summary is provided below:
The role of the DPO:
- advising and supporting the organisation. The DPO should identify and formalise the key moments at which they systematically intervene or are present in processes such as drafting or keeping the records of processing activities, drafting internal data protection rules and policies, advising on whether a data protection impact assessment (DPIA) is needed, advising on personal data breaches and their notification, etc.;
- what does not fall within the DPO's responsibilities. It is important to note that the DPO is not responsible for the organisation's compliance. Following the example above, whilst the DPO advises on whether a DPIA is needed, carrying out the DPIA is not the DPO's responsibility. The DPO's mission is to inform, advise, and oversee;
- compliance management by the DPO. Compliance with GDPR requirements is an active process. This section of the Guide provides examples of actions the DPO can take to support it, such as being involved in drafting and updating compliance documents, providing support to operational staff, etc.;
- monitoring the effectiveness of the rules. As the DPO is responsible for monitoring GDPR compliance, this responsibility should take the form of verifications organised by the DPO (external audit or internal control) or carried out by the DPO personally, in collaboration with other key functions (such as the Chief Information Security Officer). It must be accompanied by follow-up of the resulting corrective and ongoing action plan;
- being the organisation's point of contact on GDPR matters. The DPO is the key contact for the data protection authority and for data subjects. CNIL notes that it will not respond to requests for advice from organisations that have not first consulted their own DPO on the specific question;
- ensuring the documentation of data processing. Documentation plays a central role in the accountability logic of the GDPR. It is an essential tool for the DPO because it provides an exhaustive view of the processing operations in place and allows their management to be planned. The DPO must actively monitor that the necessary documentation exists and is kept up to date; it remains the organisation's responsibility, however, to guarantee and demonstrate compliance with its obligations and the steps it has taken.
Designating the DPO
- This section includes four practical factsheets on when and how to appoint a DPO, the requirements for the role, and the choice between an internal, external or shared DPO. Notably, the Guide includes practical annexes that may assist organisations in the designation process.
Performing the function of DPO
This section of the Guide includes practical guidance on topics such as:
- DPO resources. The organisation must provide the DPO with the resources needed to carry out their tasks (sufficient time, access to financial resources, contributors where necessary), facilitate the DPO's access to data and processing operations (including access to the other departments of the organisation), and allow the DPO to maintain their specialised knowledge;
- DPO status. This section discusses the DPO's independence, the absence of personal liability in the event of the organisation's non-compliance with the GDPR, the professional secrecy obligation, and a factsheet on how organisations should handle the replacement of their DPO.
Overall, the Guide is a useful tool that CNIL intends to update continuously. The topics covered offer guidance not only to DPOs themselves but also to any organisation that processes personal data. The full text of the Guide can be found here.
The content of this article is intended to provide a general guide to the subject matter. An expert should be consulted for an assessment of any specific situation. If you need assistance in matters regarding the role of the DPO or any other issue related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by certified ECOVIS ProventusLaw data protection expert, senior associate Milda Šlekytė, and junior lawyer Julija Ginotytė.