Client Alert

CNIL Offers Guidance on Data Protection Officers

29 Jun 2017

The European General Data Protection Regulation (GDPR, applicable as of May 25, 2018) for the first time introduces a Europe-wide concept of a Data Protection Officer (DPO). If your organization engages in certain specific activities (such as large-scale monitoring of individuals or handling of sensitive information such as health or criminal data), you may need to appoint a DPO. Under the GDPR, the DPO will have a host of specific privacy-related tasks, which include advising on and monitoring GDPR compliance within the organization, acting as a point of contact for individuals, and cooperating with regulators regarding privacy matters.

Since the GDPR was published in 2016, there have been many questions around the function of the DPO. Where does the person need to sit within the organization? Can the DPO be held liable for a company’s non-compliance? Is it possible for a DPO to be based outside of Europe? While European-level guidance was issued in December 2016 (by the Article 29 Working Party, the EU consortium of EU Member State privacy regulators, available here), some questions remained unanswered.

We are now seeing more specific guidance at the national level, including the most recent guidelines from the French privacy regulator, the CNIL.

In May 2017, the CNIL updated its GDPR-specific website to include additional guidance (on top of the WP29’s guidance) on the following (French) aspects of the DPO requirement. We include practical tips below:

  • The CNIL insists on the need to prepare in advance for appointing a DPO and urges organizations not to wait until May 2018. The CNIL also recommends that organizations implement the WP29’s DPO guidance and entrust their DPO with the following tasks: prepare an inventory of processing activities, evaluate processing practices and set up relevant processes (e.g., audits, security incident notifications, and handling requests from individuals), identify risks associated with processing activities, create privacy policies, and sensitize the business and management to the new GDPR obligations.

    Tip: Organizations should map out their activities to evaluate if they are required to appoint a DPO under the GDPR (or any additional local rules) and document that evaluation. This evaluation should be documented particularly if the outcome is that a DPO is not required. If the outcome is to appoint a DPO, organizations should consider preparing a job description and seeing how this role would fit under their governance.
  • The DPO must be easily accessible. For organizations that do not have establishments in the EU, the CNIL believes that a DPO may in certain cases actually be better positioned to exercise its functions if the DPO is located outside the EU.

    Tip: Depending on how your organization is structured, you may be better off having a DPO outside the EU, for instance, at your headquarters. Local teams can assist the DPO by, for example, helping to disseminate the DPO’s advice and escalating concerns to the DPO. Note that if you do appoint such local persons with DPO supporting tasks, they should be called anything but ‘privacy officer’ (rather, for instance, ‘privacy lead,’ ‘privacy champion,’ etc.). This avoids confusion as to whether these people are tasked with the role of the DPO.
  • Although the CNIL confirms that DPOs cannot be held personally responsible for infringements of the GDPR, the DPO could be held liable under French criminal law (if the DPO intentionally infringes the criminal provisions of the French Data Protection Act or acts as an accomplice in assisting the data controller or processor in breaching such provisions).
  • As part of the DPO’s duty to cooperate with privacy regulators, the CNIL believes that the DPO must facilitate access to documents and information for the regulator in the course of the regulator exercising its powers. The CNIL will soon issue an online form by which organizations can provide the contact details of their DPO to the CNIL (the GDPR requires that the contact details of the DPO are communicated to each applicable European privacy regulator).

The CNIL’s guidance on DPOs is available (in French).


