The CNIL asks 22 French municipalities to appoint a data protection officer (DPO), mandatory for all local authorities.
From the smallest to the largest, each French local authority is required to appoint a DPO. It is explained by Article 37 of the General Data Protection Regulation, which imposes it when personal information is processed by a public authority or body. The CNIL has just publicly given formal notice to 22 municipalities that do not respect it.
The municipalities given formal notice have 4 months to appoint a DPO
How did we get here ? In June 2021, the CNIL carried out checks in municipalities with more than 20,000 inhabitants, alerting those which had not yet appointed a data protection officer. A simple call to order, at the time.
Except that the data constable noticed, a little less than a year after this first warning, that some of the municipalities contacted had not yet taken this step. The president of the CNIL has thus decided to take the next step. For this, it proceeded for each of them to a formal notice made public, which gives the cities a period of 4 months to bring themselves into compliance.
The municipalities concerned are both from metropolitan France and from our overseas territories. We thus find the cities of Achères (78), Auch (32), Bastia (2B), Beaune (21), Bezons (95), Bruay-la-Buissière (62), Étampes (91), Gagny (93) , Koungou (976), Kourou (973), Le Gosier (971), Le Robert (972), Montmorency (95), Montfermeil (93), Petit-bourg (971), Pierrefitte-sur-Seine (93), Saint -André (974), Saint-Benoît (974), Saint-Dizier (52), Sotteville-lès-Rouen (76), Villeneuve-Saint-Georges (94) and Vitry-sur-Seine (94). Note that the municipality of Villeneuve-Saint-Georges, served with formal notice, has since been brought into compliance.
A risk of fines for pinned cities
If the CNIL insists so much on the appointment of a DPO, it is because it is important. He indeed plays an essential role in the compliance of the data processing implemented by the communities and remains the privileged interlocutor of the agents as well as the citizens.
Internally, the DPO adopts the right reflexes vis-à-vis the GDPR, the reference text in this area, whether in the event of a cyberattack or the creation of a digital project. Regarding any requests from citizens (deletion of data, etc.), it is responsible for processing them and can/must contact the CNIL in case of doubt. Within the framework of a local authority, the DPO can be an internal agent as well as an external actor. He can, for example, work for several geographically close municipalities.
The CNIL, which therefore grants municipalities a certain period of time to comply, warns that those which do not appoint their data protection officer in time may be sanctioned by the authority, which may go so far as to impose a fine.
On the same subject :
Data theft: there has never been as much as today, according to the CNIL
Source : CNIL
0