The CNIL publishes a guide for DPOs

14 March 2022

Why and how to appoint a data protection officer? What means should be given to them to accomplish their missions? The CNIL publishes a guide for data protection officers that combines useful knowledge and best practices to help organisations in appointing and supporting DPOs.

The role of the DPO

Emerging in 2018 with the entry into force of the General Data Protection Regulation (GDPR), the data protection officer (DPO) has a central position in personal data governance. The DPO must inform and advise the data controller, monitor the organisation's compliance with legal obligations and act as a point of contact with the data protection authority. Although the DPO is not responsible for the organisation compliance, they are an essential part of it, as they are able to combine expertise and advice at all stages of projects involving the use of personal data.

As of today, nearly 30,000 people in France work in this position (individuals and companies combined) for 80,000 organisations that have designated a DPO. Among these, the public administration, education and health sectors are the most represented.

What is mandatory for organisations?

Public authorities and some private organisations whose core business involves large-scale processing of sensitive data or data that allows for regular and systematic tracking of individuals are required to appoint a DPO. This appointment must be made according to criteria including skills, knowledge and absence of conflict of interest.

The obligations of organisations also include that the DPO does not receive instructions, that they are involved in due course in all matters relating to personal data and that they are put in a position to perform their duties. These requirements can be monitored and, if necessary, sanctioned by the data protection authority.

But what do these obligations really mean? How to ensure that the chosen DPO can fulfil their missions in a satisfactory manner? The CNIL now offers a new practical guide dedicated to the DPO function that answers these questions.

A reference guide for questions about the data protection officer

With the help of many professional associations, the CNIL has gathered in this guide the most important and useful knowledge about the DPO.

This guide is organised in four parts:

  1. The role of the DPO;
  2. Appointing a DPO;
  3. Performing the function of DPO;
  4. CNIL’s support for DPOs.

Each topic is illustrated by concrete examples and answers to frequently asked questions on the subject. The reader can also rely on practical tools such as a sample engagement letter.

From their appointment to the end of their mission, this guide provides essential and precise information about the DPO. The CNIL has been particularly careful to provide clear information on how to ensure that the DPO can carry out their tasks independently, without any conflict of interest and with real efficiency for the organisation.

Document reference

Download the CNIL’s Guide on Data Protection Officers