DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: January 2025

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Last review date: January 2025

Yes.

If yes, under what circumstances?

☒ the processing is carried out by a public authority or body, except for courts acting in their judicial capacity

☒ the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale

☒ the core activities of the controller or the processor consist of processing on a large scale of special categories of data

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: January 2025

Yes.

If yes, what are these requirements?

☒ other professional qualifications / experience

☒ other

According to the CNIL, the DPO shall have:

  • the skills to communicate efficiently and exercise their functions independently
  • a certain expertise regarding data protection and receive continuous training
  • a good knowledge of the company's line of business and of its data protection governance and needs, and
  • a strategic position in the company and be able to report directly to the highest position in the company

In November 2021, the CNIL published a guide for DPOs (available here). It provides key information about the role, the nomination of the DPO, the exercise of their role and the support offered by the CNIL. However, the CNIL specifies that there is no standard profile for a DPO. The CNIL has also issued guidelines on DPO certification, which were modified on 13 April 2023. Nonetheless, the prerequisites and conditions for obtaining the certification did not change (available here).

Lastly, the EDPB launched in March 2023 a Coordinated Enforcement Action on the role and tasks of data protection officers. The CNIL, alongside the other data protection authorities, is taking part in this coordinated enforcement action (press release available here).

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: January 2025

Yes.

The Data Protection Act ends the various prior formalities such as the obligation to register with the CNIL. However, in order to ensure high standards of protection, it maintains, as provided for in the GDPR, both individual and global authorization schemes for some processing presenting a significant risk to the data subject's rights and freedoms.

  • Pursuant to article 30 of the Data Protection Act, processing of personal data containing the registration number of individuals in the national identification register of natural persons ("NIR") is only authorized by decree No. 2019-341 of 19 April 2019 (on the implementation of processing operations involving the use of the registration number of individuals in the national identification register of natural persons (NIR) or requiring consultation of this register). The decree defines the categories of data controllers concerned and the purposes of processing for which the use of the NIR is authorized, particularly in the field of health data. A few exceptions apply: processing of such data for the sole purpose of official statistics, scientific or historical research, or for the provision of remote public services does not require authorization and is not affected by the provisions of Decree No. 2019-341.
  • Pursuant to article 31(I) of the Data Protection Act, processing carried out on behalf of the State which is relevant to its security, defense or criminal investigations shall remain subject to the individual authorization system held by Ministerial Order, after the CNIL has given its opinion.
  • Pursuant to article 32 of the Data Protection Act, processing of biometric or genetic data necessary for authentication or control of an individual's identity, and which is carried out on behalf of the State, also remains subject to the individual authorization system by a Decree issued by the State Council and after consultation of the CNIL.
  • In addition to these individual or global authorization schemes, Section 3 of Chapter III, Title II of the Data Protection Act also provides for an ad hoc scheme for health data and subjects its processing to a prior declaration of conformity with the CNIL's standard references (référentiels). Failing that, article 66 of the Data Protection Act states that the processing shall be subject to the CNIL's prior authorization, except in the field of health research or study. By way of derogation from article 66, the processing of health-related personal data by bodies or services entrusted with a public service mission and appearing on a list drawn up by order of the Minister responsible for health and social security, where the sole purpose of the processing is to respond to and manage the consequences of a health alert in the event of an emergency situation, is only subject to the provisions of Section 3 of Chapter IV of the GDPR.

Also, pursuant to article 46 (3) (a) of the GDPR, some transfers of personal data to a third country shall be declared to, and authorized by, the CNIL:

  • contractual clauses between the controller or processor and the controller, processor, or the recipient of the personal data in the third country or international organization
  • provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights