
Practical Guide GDPR for Data Protection Officers



The objective of this Guide is to support both organisations in setting up the function of Data Protection Officer (DPO) and such Officers in the exercise of their profession. This Guide is a living tool which will be enriched by best practices reported by professionals to the French Data Protection Authority (CNIL).

CONTENTS

FOREWORD
WHAT ARE THE CNIL'S MISSIONS?
THE ROLE OF THE DPO
    Advising and supporting the organisation
    Monitoring the effectiveness of the rules
    Being the organisation's point of contact on GDPR matters
    Ensuring the documentation of data processing
DESIGNATING THE DPO
    Factsheet 1: In which cases should a DPO be appointed?
    Factsheet 2: Who can be designated DPO?
    Factsheet 3: Internal or external DPO? How can the function be shared?
    Factsheet 4: How to appoint a DPO?
PERFORMING THE FUNCTION OF DPO
    Factsheet 5: What resources should be allocated to the DPO?
    Factsheet 6: What is the status of the DPO?
    Factsheet 7: What to do in the event of departure, leave or replacement of the DPO?
HOW DOES THE CNIL SUPPORT DPOS?
    Tools for training
    Tools for finding an answer
    Compliance tools
FAQ
    I am looking for a DPO for my organisation, what should I do?
    What does the designation of a DPO bring if my organisation already has a legal department responsible for data protection?
    Where should the DPO be located?
    What language should the DPO speak?
    Is the title of data protection officer (DPO) reserved for persons designated with the CNIL?
    How can a DPO be trained?
APPENDICES
    Appendix No. 1: key questions to ask when appointing a DPO
    Appendix No. 2: mission statement template to be given by the organisation to the DPO when they take up their post
    Appendix No. 3: the DPO designation form
    Appendix No. 4: Glossary

1. FOREWORD

The job of Data Protection Officer (DPO in this Guide) has become essential since the entry into application of the European General Data Protection Regulation (GDPR) on 25 May 2018. This regulation, which harmonises formerly national obligations at the European level, concerns organisations in all their activities: human resources management, prospecting, relations with customers or users, etc. From now on, the processing of personal data is a fundamental component of most business lines.

It is therefore natural that the GDPR devotes three of its articles to outlining the profession responsible for advising data controllers on the protection of such data. Consequently, the DPO takes on a new qualitative and quantitative importance compared to its predecessor in France, the Correspondant Informatique et Libertés (CIL).

This development is qualitative, first of all: the spirit of the regulation is to make the DPO the "orchestra conductor" of the management of personal data in the organisation which designates them. The hierarchical position of the DPO must bear witness to this, and their resources must be adapted, so that they can fully accomplish their job and their role of compliance coordinator. They should not work in a vacuum, but be fully integrated into the operational activities of their organisation. The DPO is an essential link in data governance, in conjunction with the CISO (Chief Information Security Officer) and the IT (information technology) department.

The job of DPO has also changed from a quantitative point of view. Indeed, the number of DPOs has increased considerably, due to the designation obligation to which many organisations are subject. Thus, while 18,000 organisations had a CIL, more than 80,000 organisations had designated a DPO in France in 2021, including 26,000 in the public sphere.

Fully aware of this development, the CNIL has adapted its support strategy for DPOs, mainly by orienting it towards the development and backing of DPO networks. Organised by sector or region, these networks respond to a first level of questions from the field, with the CNIL only intervening with such representatives and federations in a second phase.

This Guide aims to support both organisations in setting up the function of the data protection officer and DPOs in the exercise of their tasks.

The DPO Guide is divided into 4 chapters:
- The role of the DPO;
- Designating the DPO;
- The exercise of the DPO's tasks;
- CNIL support for the DPO.

Each theme is illustrated by concrete cases and frequently asked questions related to the subject being dealt with. The reader can also rely on FAQs and practical tools, such as the mission statement.

This Guide, which has been drafted on the basis of three years of practical support for DPOs, will provide you with the keys to making the most of the presence of a DPO, being recruited as a DPO, or more generally improving your compliance.

2. WHAT ARE THE CNIL'S MISSIONS?

The Commission Nationale de l'Informatique et des Libertés (CNIL) is the French data protection authority. It pursues four main missions:

Informing and protecting rights
The CNIL responds to requests from individuals and professionals. It carries out communication actions with the general public and professionals, whether through its networks, the press, its website, its presence on social networks or by providing educational tools. Anyone can contact the CNIL in the event of a difficulty in exercising their rights.

Supporting compliance and advising
In order to help private and public bodies to comply with the GDPR, the CNIL offers a complete toolbox adapted to their size and needs. The CNIL oversees the search for solutions allowing them to pursue their legitimate objectives while strictly respecting the rights and freedoms of citizens.

Anticipating and innovating
To detect and analyse technologies or new uses that may have significant impacts on privacy, the CNIL provides dedicated monitoring. It contributes to the development of technological solutions protecting privacy by advising companies as early as possible, with a view to privacy by design.

Oversight and sanctioning
Oversight allows the CNIL to verify the concrete implementation of the law. It can require an actor to bring its processing into compliance (formal notice) or impose sanctions (fines, etc.).

FOR FURTHER READING
On the CNIL website, in French: "CNIL's missions" and "Status and organisation of the CNIL".

3. THE ROLE OF THE DPO

The GDPR places the DPO as a key player in the personal data governance system. Indeed, the missions assigned to the DPO establish their role as manager of the permanent and dynamic compliance process which organisations must put in place.

FOCUS: THE TEXTS DEFINING THE FUNCTION OF DPO
The function of the DPO is regulated and precisely defined in Articles 37 to 39 of the GDPR. This Guide is based on that regulation, the French Data Protection Act and its implementing decree, as well as the guidelines on the DPO of the European Data Protection Board (EDPB). At the end of each section, a reference to the relevant passages of those texts is provided.

Advising and supporting the organisation

The DPO has an advisory and support role at several levels:
- bringing their expertise to management so that it can ensure the compliance of processing;
- disseminating the personal data protection culture and rules to all the individuals who process personal data within the organisation.

The DPO can thus identify and formalise the key moments during which they would like their intervention or presence to be systematic, for example for each:
- draft decision to create new processing or upgrade existing processing (particularly to ensure compliance with the principles of data protection by design and by default);
- consideration of the need for a data protection impact assessment (DPIA), and the actual completion of one;
- drafting or keeping of a record of processing activities;
- drafting or updating of internal data protection rules or policies;
- personal data breach, in order to advise on the measures to be taken as well as on the notification to the authority and to the data subjects.

