The GDPR applies to all structures (companies, administrations or public bodies) of any size when they are established in one of the member countries of the European Union or when they process personal data relating to residents of the European Union.
Personal data is defined as “any information relating to an identified or identifiable natural person”.
An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier, an identification number, location data or to one or more elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.
With the entry into force of the GDPR, the formalities to be carried out with the CNIL have almost all disappeared. Thus, it is no longer necessary to make a normal declaration, simplified declaration or authorization request. These texts will soon be transformed by the CNIL into "references" to guide professionals wishing to comply with the regulations.
Notable exception: requests for authorization in medical matters remain applicable.
The DPO can be an employee of the organization that appoints him but also an external service provider (for example, a lawyer). In order to carry out his mission effectively, a DPO must have a good knowledge of the GDPR but also an in-depth knowledge of the sector of activity of the organization which appoints him. Finally, he must not have any conflicts of interest with his other missions and must be able to carry out his duties as DPO in complete independence.
In practice, this is often the IT manager or the legal manager.
The appointment of a DPO is mandatory for public bodies or companies whose basic activity leads them to carry out regular and systematic monitoring of people on a large scale, or to process on a large scale so-called "sensitive" data or data relating to criminal convictions and offences.
In other cases, the appointment of a DPO is optional but is encouraged by the CNIL.