The role and resources of the data protection officer: results of CNIL investigations

17 January 2024

As part of an action coordinated by the European Data Protection Board (EDPB), in 2023 the CNIL carried out investigations on public and private bodies to verify the DPO’s role and resources. Its overall assessment is positive, but it has identified a number of infringements.

For this second edition of the European Data Protection Board’s coordinated enforcement framework (CEF), the European Union's data protection authorities have carried out large-scale investigations regarding the resources allocated to data protection officers (DPOs) by the bodies that have appointed them. The EDPB has published its report and recommendations.

Positive results overall but resources disparities

The CNIL sent questionnaires to 14 public bodies (hospitals, universities, rectorates, local authorities and management centres) and private bodies (working in the luxury goods and transport sectors) and also carried out several on-site investigations.

Five years after the GDPR came into force, the results of this inspection campaign show that organisations have taken into account their obligations relating the appointment of the Data Protection Officer and his due role within the organisation. DPOs generally have sufficient resources to carry out their duties and are usually involved in decisions relating to personal data.

However, the responses highlight the significant disparity in resources between the DPOs of large companies and those of small organizations: DPOs in local public bodies often carry out their duties alone, whereas DPOs in private bodies can generally manage a team.

Penalties for infrigements

As part of this coordinated action and following its inspections, the CNIL has adopted corrective measures (formal notice or call to order) against a number of organisations, in particular because of the existence of conflicts of interest between DPO’s duties and other tasks assigned to them, or the lack of involvement of the DPO in data protection issues.

Outside the framework of the European coordinated action, the CNIL fined a social sector organisation €10,000 for breaches of Article 38 GDPR. The DPO were unable to carry out their duties properly, in particular because they were not sufficiently involved in issues relating to the protection of personal data and their role were not sufficiently advertised to the organisation's employees.