France’s DPA advises on DPO role

New guidance in English from France’s Data Protection Authority, the CNIL, highlights important aspects to take into consideration when appointing an internal or external DPO. Most of this advice is relevant to the appointment of a DPO in any country in the European Economic Area.

The GDPR does not set a requirement for the DPO’s location. However, in EU cross-border processing situations, the DPO must be designated with the lead authority.

Overall, the DPO must be easily reachable by data subjects and the DPA. The CNIL therefore recommends that the DPO be located in the European Union, whether or not the data controller or data processor is established in the European Union.

If the organisation does not have an establishment in the European Union, DPOs may be established outside the European Union, provided that they can effectively perform their duties.

The guidance also refers to DPO independence and resources.

The CNIL says there is no typical profile for a DPO, or educational requirement. Around 28% of DPOs in France have an IT background, 28% legal, and the remaining 43% come from administration, finance, compliance, audit, etc.

In France, more than 80,000 organisations had designated a DPO in 2021.

The guidance, issued on 15 March.