22 municipalities with more than 20,000 inhabitants still do not have a DPO


DPOs, or data protection delegates, now number nearly 29,000 according to the last census, from 2021. Although their number is increasing from year to year, there are still municipalities in France without a DPO.

However, under the General Data Protection Regulation (GDPR), which has celebrated its fourth anniversary, all local authorities, regardless of their size, are required to appoint a data protection officer. If they do not have an internal DPO, municipalities always have the option of appointing a shared or external DPO.

In an effort to enforce this obligation (a task that is in fact difficult to carry out across all the public bodies concerned), the National Commission for Computing and Liberties (CNIL) publicly announced on Tuesday 31 May that it has given formal notice to 22 municipalities to appoint a data protection officer.

Four months to settle

In June 2021, the CNIL alerted municipalities with more than 20,000 inhabitants that had not appointed a DPO. However, the commission now notes that some of them have still not taken this step. It is therefore giving these municipalities formal notice to make a designation.

The 22 municipalities have four months to comply. If they do not comply after this deadline, then the restricted formation of the CNIL could decide on a fine.

The CNIL specifies that only one municipality concerned by a formal notice has appointed a data protection officer. This is Villeneuve-Saint-Georges, in the Val-de-Marne. In addition, the municipalities of Auch (32) and Bruay-la-Buissière (62), also affected by these formal notices, have sent their declarations of designation to the CNIL; these are currently under investigation.

The “essential role” of the DPO

The CNIL took advantage of these announcements to insist on “the essential role” of a DPO in “the compliance of data processing implemented by public authorities”. This GDPR expert is “the privileged interlocutor of agents and citizens on all subjects relating to data protection”, both “internally” and “with regard to stakeholders”.

In particular, the DPO organizes the handling of requests to exercise rights and of any requests for clarification from the CNIL in the event of an audit.

In the case of local authorities, this delegate may be “an internal agent or an external player (pooled between several municipalities)”, which is the case, for example, within a public institution for inter-municipal cooperation (EPCI) or a public operator of digital services (OPSN).




