On 31 May 2022, the CNIL published a press release in which it announced that it was giving formal notice to 22 French municipalities. Indeed, the French watchdog recalls the appointment of a data protection officer (DPO) is mandatory for local authorities, and is part of the RGPD compliance process.
The 22 municipalities in question (Beaune, Bastia, Saint-Dizier, Sotteville-lès-Rouen, etc.) are given four months to comply.
The requirements for municipalities according to the GDPR
The obligation to appoint a data protection officer (DPO) concerns all local authorities, regardless of their size. Indeed, the Article 37 of the GDPR makes it compulsory to designate a data protection officer in certain cases, in particular when personal data is processed by a public authority or a public body.
As early as June 2021, the CNIL, which had focused its control action on municipalities with more than 20,000 inhabitants, had alerted those that had not designated a data protection officer. After a year of waiting, the formal notice was inevitable.
The DPO’s crucial role
According to the CNIL, the DPO is essential to ensure « the compliance of data processing implemented by public authorities ».
Moreover, he or she is the main contact for staff and citizens on all matters relating to data protection.
It should be noted that local authorities and municipalities are not bound to appoint an internal officer; they may choose to work with an external player and even pool it between several municipalities that are likely to share the same issues.
A publicly available list
These formal notices were voluntarily made public, particularly because of the importance of the missions of the municipalities and the need to inform the public. It is thus a transparency matter. If municipalities do not comply within the time limit set, they risk a fine that would also be made public.
Here is the publicly available list of municipalities: Achères (78), Auch (32), Bastia (2B), Beaune (21), Bezons (95), Bruay-la-Buissière (62), Étampes (91), Gagny (93), Koungou (976), Kourou (973), Le Gosier (971), Le Robert (972), Montmorency (95), Montfermeil (93), Petit-bourg (971), Pierrefitte-sur-Seine (93), Saint-André (974), Saint-Benoît (974), Saint-Dizier (52), Sotteville-lès-Rouen (76), Villeneuve-Saint-Georges (94) et Vitry-sur-Seine (94).
Cimino, Valentin. “22 Communes Sommées Par La Cnil De Désigner UN DPO.” Siècle Digital, 1 June 2022, https://siecledigital.fr/2022/06/01/22-communes-sommees-par-la-cnil-de-designer-un-dpo/.
“La Cnil Met En Demeure Vingt-Deux Communes De Désigner Un Délégué à La Protection Des Données.” Fil d Ariane, https://www.cnil.fr/fr/la-cnil-met-en-demeure-vingt-deux-communes-de-designer-un-delegue-la-protection-des-donnees.