The advantages of a lawyer appointed as Data Protection Officer
The appointment of a data protection officer was made possible by the 2018 amendment of the IT and Freedoms Law of January 6, 1978.
In fact, the law makes it mandatory to report projects involving the IT processing of personal data before carrying them out. This requirement applies to any IT operation involving data that allows a person to be identified. It can concern data identifying a person directly (surname, name, address) or indirectly (IP address, credit card number, photo…).
Examples of IT processing that must be reported:
- Collecting or selling clients’ data
- Creation of human resources files
- Analysis of IT data coming from web navigation (such as cyber surveillance/watch) or from cookies needed for the personalization of Internet services
When a private or public body appoints a DPO in application of the European Data Privacy Regulation, it enjoys no exemption from the reporting formalities where sensitive data are processed (it could remain subject to the CNIL report requirement).
Moreover, the recommendations made by the DPO, the CNIL’s direct contact, ensure the projects’ lawfulness. By following the DPO’s advice, the person in charge of the data processing prevents any legal risk arising from nonconformity with the Law (criminal and financial penalties that could amount to a 20 m€ fine and five years’ imprisonment, leaving aside the catastrophic effects of media coverage).
The lawyer can be officially appointed as the Data Protection Officer by small and medium-sized organizations where few persons have access to computerized data, so that the threshold is not exceeded.
The appointed lawyer not only has the required legal and technical knowledge (for which any Correspondent has to provide supporting documents), but also gives clients, for all of their projects, the benefit of the professional confidentiality attached to his or her status, which sets him or her apart from any other service provider.
The Correspondent’s mission is also to raise the awareness of the organization that designated him or her regarding the IT and Freedoms Law and its protagonists, in order to anticipate a CNIL inspection (which can happen following a complaint related to the rights provided in the said law: the rights of access and rectification and the right to object to market research, which must be effective and notified in advance).
As for organizations that do not want to appoint such a Correspondent or have already chosen one, it is always beneficial to get sound advice from a lawyer specialized in CNIL matters for the most sensitive projects.
Indeed, some kinds of data processing that use sensitive data (biometrics, video monitoring, geolocation…) need a specific approval (authorization) from the CNIL.
The lawyer can determine which formality is required for a specific data processing operation: a report or a specific authorization from the CNIL.
His or her role is to anticipate the legal difficulties of a project and to prevent a long and expensive project from running into a CNIL blockage (in fact, the CNIL can freeze a project by preventing it from being carried out).
As for the IT resources policy, the lawyer makes sure that it is enforceable against the users and that it complies with the legislation in force. In fact, the lawyer will adapt it to recent customs and usages and ensure that the report required for the monitored data processing is filed.
Furthermore, it is crucial that any subcontracted personal data processing be strictly regulated by specific stipulations. As a matter of fact, the entity hiring the subcontractor remains liable for any nonconformity with the Law throughout the subcontract’s execution (surveillance forfeited concerning the IT security of data transferred outside the European Union).
Contracts written by the lawyer will be given the status of lawyers’ (legal) deeds, granting them legal legitimacy.