A recent decree provides further information on how to appoint a data protection officer whose primary task is to ensure that his/her organization processes the personal data of its staff, customers, providers, or any other individuals in compliance with the EU’s General Data Protection Regulation.
Under the General Data Protection Regulation (GDPR), a data protection officer (DPO) must be designated by a controller or a processor where the core activities of said controller or processor consist of (i) processing operations which require regular and systematic monitoring of data subjects on a large scale; or (ii) processing special categories of data (e.g., data revealing racial or ethnic origin) or data relating to criminal convictions and offences.
Under French law, the DPO is the person responsible for ensuring compliance with the obligations laid down both by GDPR and by French law (enacted January 6, 1978, and modified on June 20, 2018.)
This complex dual legal framework explains that it is often recommended to appoint a DPO even in scenarios where it is not mandatory under GDPR.
A decree has recently clarified the procedure for designating a DPO in France:
For the purpose of this communication, the following information must be provided:
As indicated by the CNIL in its opinion on the decree, this measure goes a bit beyond GDPR’s requirements and aims to strengthen the protection of the information of data subjects.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the following Morgan Lewis lawyer: