The GDPR, as opposed to the former French data protection law of Jan. 6, 1978, provides that in some situations a data protection officer must be appointed. In order to acknowledge the quality of the DPO designated by a data controller, the CNIL has recently released a DPO logo available for internal and external communications of DPOs whose designation has been notified to the CNIL.
Article 37 of the GDPR indicates that a DPO must be designated when:
- “The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or the processor consist of processing on a large scale special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10."
However, even though the entity is not legally required to appoint a DPO, the French supervisory authority, Commission Nationale de l’Informatique et des Libertés (CNIL), recommends that the entity appoints a specific person to ensure compliance with the GDPR.
Indeed, this person would constitute a major asset in understanding and complying with the obligations of the GDPR and in communicating with data protection authorities, thus increasing the accountability of the data controller.
Until the GDPR entered into force, companies in France had the responsibility to appoint a “correspondant informatique et libertés” ("CIL," a correspondent with the CNIL). However, this designation was not mandatory.
When appointed, CIL were responsible for ensuring the compliance with data protection law requirements within the entity that had appointed them (either a company, a group, an association or an administration).
The possibility to appoint a CIL no longer exists since the GDPR entered into force on May 25, 2018.
The terms and conditions for the use of the new DPO logo are detailed in a regulation issued by the “Agence du patrimoine immatériel de l’Etat," a French agency responsible for designing and disseminating immaterial culture such as trademarks and logos.
What is this logo used for?
This collective mark was created in order to allow easy recognition by the public and professionals of the DPOs.
DPOs will be able to use it in their communications, which will help convey information about the capacity of the sender of the communication quickly and efficiently.
The collective mark may only be used for the sole purpose of the work of the DPO. Use is further limited to specific media such as:
- Printed or digital media to raise awareness among internal and external audiences of the missions and functions of the DPO.
- The DPO's professional correspondence tools.
- Objects associated with the DPO function.
Except with the prior agreement of the CNIL, any other use of the collective mark is prohibited.
Especially, the collective mark cannot be used for:
- Commercial or prospection purposes.
- Political or polemical purposes.
- Affronting public decency or public provisions.
- Violating the rights granted by the law or activities likely to infringe or harm the French State.
Who is the owner of the collective mark?
The French State assumes ownership of the collective mark. Although it can be used under the provisions of the regulation, the ownership is not transferred by this use.
The regulation also indicates that the right to use the collective mark is granted free of charge.
Who can use the collective mark?
The use of the collective mark is expressly reserved to DPOs whose designation was notified to the CNIL (individuals or legal entities).
In order to notify the designation of a DPO to the CNIL, one has to follow the procedure on the French supervisory authority website.
As only DPOs can use the logo, their right cannot be assigned or transferred.
The process is automatic: As soon as the CNIL is notified of the designation and has sent the confirmation email, the DPO has the authorization to use the collective mark. There are no other specific formalities to accomplish.
Likewise, the end of the designation as DPO implies the end of the right to use the collective mark.
Where can the collective mark be used?
Only on the French territory and the French Polynesia territory.
What are the sanctions in the event of a non-compliant use?
At first, the approach is informal. The CNIL notifies the DPO of the breaches found, and the latter then has 10 days to comply with the regulations.
It is only in the absence of compliance within this period that the authorization to use the collective mark is automatically withdrawn.
The non-compliant use or the use of the collective mark despite the withdrawal of authorization are considered as unlawful acts that the CNIL can obtain sanctions for and seek compensation before the appropriate courts.
In addition to the sanctions set out above, any unauthorized use by a DPO or a third party gives the CNIL the right to initiate any appropriate legal action.
photo credit: xavier buaillon via photopin