
DPO: Definition & missions

DPO: Definition

The Data Protection Officer (DPO) is the person in charge of personal data protection in public or private organisations. This function existed in few companies but the GDPR enshrines it, makes it mandatory in certain cases and provides a framework.

For organizations where such designation is mandatory, the DPO would be the advisor and privileged intermediary with the CNIL in order to manage compliance with the GDPR.

Moreover, an assessment that was made after one year of application of the GDPR shows that VSEs/SMEs are increasingly using the DPO function to protect themselves from the risks and constraints imposed by the GDPR.

Indeed, appointing an internal collaborator to carry out this function is good practice, if not a sine qua non condition, for ensuring compliance management and avoiding financial penalties.

What are the missions of the DPO?

The DPO ensures data protection compliance within his or her organization. As such, the DPO must:

Inform and advise the organization in which he or she works and the organization’s employees.

Check compliance with the regulation and national law on the protection of personal data.

Propose that the organisation carry out a data protection impact assessment and ensure its execution.

Be available to answer questions from the data subjects.

Ensure cooperation with the local supervisory authority.

The DPO is therefore an essential and highly recommended function to enable an organisation processing personal data to ensure that it complies with the applicable regulations on the protection of personal data.

DPO: mandatory or not?

Not all organisations, private or public, are obliged to appoint a Data Protection Officer within their structure. However, appointing a DPO is strongly recommended by the CNIL. The DPO acts as an advisor and helps you manage your GDPR compliance.

Section 37.7 of the GDPR provides for the designation of a DPO in 3 specific cases:

When the processing is carried out by a public authority or body.

When the main activities of the controller and the processor involve regular large-scale monitoring of the data subjects by the processing operations.

When the main activities of the controller and the processor involve large-scale processing of categories of sensitive data (health data, biometric data, etc.) or personal data relating to criminal convictions and offences.

The skills and means to exercise the DPO profession

Before designating a DPO, it must be ensured that the DPO meets the following three conditions:

1. The DPO must have the skills required to perform the function (in-depth knowledge of legislation, a good knowledge of the internal organisation and the needs of the organisation, a good knowledge of information systems).

2. The DPO must have sufficient resources to carry out the function (access to useful information; availability; sufficient time to carry out the missions; adequate material and human resources).

3. The DPO must act in complete independence (there must be no conflict of interest if the DPO function is combined with another function, no sanctions in the context of the DPO activity, no hierarchical instruction in the context of the DPO activity, etc.).

Finally, it is necessary to declare your DPO to the competent supervisory authority. For France, the CNIL has created an online declaration.
