• Home
  • CNIL
  • The CNIL requires 22 municipalities to appoint a DPO

The CNIL requires 22 municipalities to appoint a DPO

Partager sur facebook
Partager sur twitter
Partager sur linkedin
Partager sur email

On 31 May 2022, the CNIL published a press release in which it announced that it was giving formal notice to 22 French municipalities. Indeed, the French watchdog recalls the appointment of a data protection officer (DPO) is mandatory for local authorities, and is part of the RGPD compliance process. 

The 22 municipalities in question (Beaune, Bastia, Saint-Dizier, Sotteville-lès-Rouen, etc.) are given four months to comply.

The requirements for municipalities according to the GDPR

The obligation to appoint a data protection officer (DPO) concerns all local authorities, regardless of their size. Indeed, the Article 37 of the GDPR makes it compulsory to designate a data protection officer in certain cases, in particular when personal data is processed by a public authority or a public body. 

As early as June 2021, the CNIL, which had focused its control action on municipalities with more than 20,000 inhabitants, had alerted those that had not designated a data protection officer. After a year of waiting, the formal notice was inevitable. 

The DPO’s crucial role

According to the CNIL, the DPO is essential to ensure « the compliance of data processing implemented by public authorities ». 

Moreover, he or she is the main contact for staff and citizens on all matters relating to data protection. 

It should be noted that local authorities and municipalities are not bound to appoint an internal officer; they may choose to work with an external player and even pool it between several municipalities that are likely to share the same issues.

A publicly available list

These formal notices were voluntarily made public, particularly because of the importance of the missions of the municipalities and the need to inform the public. It is thus a transparency matter. If municipalities do not comply within the time limit set, they risk a fine that would also be made public.

Here is the publicly available list of municipalities: Achères (78), Auch (32), Bastia (2B), Beaune (21), Bezons (95), Bruay-la-Buissière (62), Étampes (91), Gagny (93), Koungou (976), Kourou (973), Le Gosier (971), Le Robert (972), Montmorency (95), Montfermeil (93), Petit-bourg (971), Pierrefitte-sur-Seine (93), Saint-André (974), Saint-Benoît (974), Saint-Dizier (52), Sotteville-lès-Rouen (76), Villeneuve-Saint-Georges (94) et Vitry-sur-Seine (94). 



Évaluez votre niveau
de conformité

En quelques clics,
lancez sans engagement
et en toute conformité un
audit flash !

Pour recevoir votre audit flash gratuit et sans engagement, merci de bien vouloir remplir ce formulaire :