News
❌ DPO : Insufficient Resources
⚠️ Insufficient Resources for the Exercise of DPO Functions
Following an evaluation campaign, the CNIL conducted several audits across public and private organizations to assess the resources allocated to their Data Protection Officers (DPOs) and to verify compliance with the GDPR.
👉 As a result, the CNIL fined a social sector organization €10,000 for violations of Article 38 of the GDPR.
🔎 According to the CNIL:
- The DPO was not in a position to properly carry out their tasks,
- They were not sufficiently involved in matters relating to the protection of personal data,
- And their role lacked visibility within the organization’s staff
📜 According to Article 38 (1 & 2) of the GDPR:
1️⃣ The controller must ensure that the DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data.
2️⃣ The controller must support the DPO in carrying out their duties as defined in Article 39 by:
- Providing the necessary resources to perform their role,
- Ensuring access to personal data and processing operations,
- And allowing them to maintain their expert knowledge.
⚖️ Consequences:
- 💸 Administrative fine: €10,000
- 📉 Reputational damage