On May 31, 2022, the CNIL published a press release in which she explains that she gives formal notice to 22 French municipalities. They now have a period of 4 months to appoint a data protection officer (or DPO), an obligation provided for in Article 37 of the General Data Protection Regulation (GDPR).
The essential role of the DPO for municipalities
The appointment of a DPO is mandatory in certain cases. Indeed, the CNIL specifies that the GDPR makes the appointment of a data protection officer mandatory in certain cases, “in particular when processing of personal data is carried out by a public authority or a public body”. Therefore, this duty concerns all French local authorities, regardless of their size. Initially, the CNIL had concentrated its control action on municipalities with more than 20,000 inhabitants. Today it is even interested in smaller municipalities.
Researcher says she was raped in the metaverse
The central role of the data protection officer is not insignificant. According to the CNIL, it is even essential to ensure “the compliance of data processing implemented by public authorities”. In fact, it constitutes the privileged interlocutor of agents and citizens on all matters relating to data protection. Local authorities and municipalities are not obliged to appoint an internal agent, they can choose to work with an external actor and even pool it between several municipalities likely to share the same problems.
A period of 4 months to comply
This time, the 22 municipalities concerned by the formal notice from the CNIL are as follows: Achères (78), Auch (32), Bastia (2B), Beaune (21), Bezons (95), Bruay-la- Buissière (62), Étampes (91), Gagny (93), Koungou (976), Kourou (973), Le Gosier (971), Le Robert (972), Montmorency (95), Montfermeil (93), Petit-bourg (971), Pierrefitte-sur-Seine (93), Saint-André (974), Saint-Benoît (974), Saint-Dizier (52), Sotteville-lès-Rouen (76), Villeneuve-Saint-Georges (94) ) and Vitry-sur-Seine (94). Municipalities located in metropolitan France and overseas.
The CNIL specifies that they now have 4 months to comply with “appointing a data protection officer, under the conditions set by the GDPR”. These formal notices were voluntarily made public, in particular because of the sensitivity of the missions of the municipalities and the need to inform citizens. The National Commission for Computing and Liberties therefore fulfills its mission of transparency with the French. If the municipalities do not comply within the time limit, they risk a fine.