IT Lexicon

Data Protection Officer (DPO)

The Data Protection Officer is at the heart of the compliance framework enshrined in the GDPR and facilitates organizations’ compliance with its provisions.

It is one of the cornerstones of the controller and processor liability regime, and provides a competitive advantage by promoting compliance with the GDPR and acting as an intermediary between the relevant actors (supervisory authorities, data subjects, processors).

Its designation is mandatory when:

  • The processing is carried out by a public authority or public body;
  • The core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic large-scale monitoring of data subjects;
  • The core activities of the controller or processor consist of large-scale processing of special categories of data and personal data relating to criminal convictions and offences.

Even where the GDPR does not specifically require the appointment of a DPO, organizations are encouraged to appoint one on a voluntary basis, particularly where they encounter data protection issues.

The DPO must be a professional with legal expertise in data protection, be able to perform his or her duties independently, and have sufficient autonomy and resources to carry out his or her duties effectively.

Whether dedicated or shared, the DPO may be internal or external to the organization.

The data controller or the processor must communicate the contact details of the DPO to the CNIL and to the data subjects as part of their right to information.

In carrying out his or her duties, the DPO remains bound by professional secrecy and a duty of confidentiality.

The DPO may be responsible for:

  • Informing and advising the controller or processor and the employees carrying out the processing on their data protection obligations;
  • Monitoring compliance with the GDPR, including the allocation of responsibilities, awareness and training of personnel involved in processing operations, and related audits;
  • Providing advice, upon request, on the data protection impact assessment and verifying its execution;
  • Cooperating with the supervisory authority;
  • Acting as a contact point for the supervisory authority on matters relating to data processing.

GDPR Point

“The Data Protection Officer shall be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice, and the ability to perform the tasks.”

Article 37, paragraph 5 of the GDPR

Point of jurisprudence

The Spanish Data Protection Authority has sanctioned GLOVO APP 23 S.L. for not having appointed a Data Protection Officer to the supervisory authority.

Agencia Española de Protección de Datos, June 9, 2020, N°PS/00417/2019

The Bouchara Law firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.