Interview

Meeting with Moussa Daim, Data Protection Officer at Ellisphere

Moussa Daim

DPO, who are you?

To begin with, it is important to remember that the GDPR* indicates the rules regarding the appointment, functions and missions of the Data Protection Officer (DPO). The guidelines for Data Protection Officers (DPO), adopted on December 13, 2016, revised and adopted on April 5, 2017, provide further details regarding these provisions.

The principle of the DPO function is not recent. It dates back to Directive 95/46/EC, which preceded the implementation of the RGPD. In summary, the DPO has a central role within his company to promote compliance with the rules of personal data protection and its implementation in the company. The DPO must include all the actors and professions: HR, Finance, IT, Commerce, Production... The DPO is also the point of contact between his company, customers, suppliers, partners and the national control authority.

The criteria for appointing the DPO are therefore crucial to the success of his or her missions.


How is the DPO appointed?

A single DPO can be appointed for several companies and he can be external. His appointment may be mandatory if the company is confronted with certain criteria. For example, when the company has to carry out regular and systematic large-scale monitoring of data subjects, or when there is large-scale processing of sensitive data or criminal data.

The level of expertise of the DPO must be proportionate to the specificity of the data processed by his company. He must be appointed on the one hand on the basis of professional qualities:

  • Legal and organizational knowledge/practices,
  • Ability to lead a system that allows him or her to accomplish his or her missions.

On the other hand, on the basis of his personal qualities: he must have a high level of integrity and ethics, qualities that will enable him to develop, within his company, a real culture of personal data protection.


What is the DPO's role?

The DPO or his representatives must be involved in all matters relating to the protection of personal data in the company. It is recommended to consult the DPO before designing any project involving data processing. His opinions must be taken into consideration. If a data breach is detected, the DPO must be informed immediately.

The organization must help its DPO by providing him/her with all the resources needed to carry out his/her duties: operating budget, external advice, continuous training, access to DPO clubs, etc.

In order to guarantee his or her independence, the DPO must not receive any instructions regarding the performance of his or her duties. The data controller remains solely responsible for compliance with the legislation on the protection of personal data. Therefore, he/she cannot be sanctioned or relieved of his/her duties for the performance of his/her tasks.

His function can be carried out with another function, provided that this does not lead to conflicts of interest. The assessment of such situations must be made on a case-by-case basis.


What are the missions of the DPO?

The DPO ensures that his company complies with the obligations of the RGPD. On the one hand, through a collection of information (inventory of processing). On the other hand, through the implementation of essential procedures and documents (privacy by design, data breach notifications, protection policy), verification of the compliance of the processing (audits) and advice to the controller.

He should cooperate with the supervisory authority and act as a contact point to facilitate the authority's access to documents and information needed for an audit. He or she may also contact the supervisory authority to seek its advice.

His or her approach must be risk-based, taking into account "the nature, scope, context and purposes of the processing."

To conclude, the function of the DPO, at the heart of the RGPD, is a central element in the implementation and maintenance of the company's compliance. The modalities of its choice are therefore crucial. In the absence of a DPO intervening within a regulated framework, it is always recommended to appoint one or more employees in charge of the personal data issue in the company.

*RGPD: General Data Protection Regulation