Ronan Tigner and Alex van der Wolk
Privacy + Data Security
The European General Data Protection Regulation (GDPR, applicable as of May 25, 2018) for the first time introduces a Europe-wide concept of a Data Protection Officer (DPO). If your organization engages in certain specific activities (such as large-scale monitoring of individuals or handling of sensitive information such as health or criminal data), you may need to appoint a DPO. Under the GDPR, the DPO will have a host of specific privacy-related tasks, which include advising on and monitoring GDPR compliance within the organization, acting as a point of contact for individuals, and cooperating with regulators regarding privacy matters.
Since the GDPR was published in 2016, there have been many questions around the function of the DPO. Where does the person need to sit within the organization? Can the DPO be held liable for a company’s non-compliance? Is it possible for a DPO to be based outside of Europe? While European-level guidance was issued in December 2016 (by the Article 29 Working Party, the group of EU Member State privacy regulators), some questions remained unanswered.
We are now seeing more specific guidance at the national level, including the most recent guidelines from the French privacy regulator, the CNIL.
In May 2017, the CNIL updated its GDPR-specific website to include additional guidance (on top of the WP29’s guidance) on the following (French) aspects of the DPO requirement. We include practical tips below:
The CNIL’s guidance on DPOs is available (in French).
©1996-2019 Morrison & Foerster LLP. All rights reserved.