
GDPR DPO: duties, responsibilities and real cost for a business

Since the General Data Protection Regulation (GDPR) came into force in May 2018, the role of Data Protection Officer (DPO) has established itself as a central pillar of digital compliance. Yet many directors of micro-businesses, SMEs and startups still do not know whether they are actually required to appoint a DPO, what this person concretely does, and how much it costs.

In 2025, the CNIL issued 83 sanctions for a record amount of 486 million euros in fines across all sectors. SMEs, associations, local authorities: no organisation is immune. Understanding the issues surrounding the DPO means protecting your business before it is too late.

This article gives you a clear, legally reliable and practical overview of what the DPO role entails, who is concerned, what its statutory duties are, how to avoid common pitfalls, and what budget to plan for depending on the size of your organisation.

What is a DPO and what is its place within the GDPR?

The DPO is the central figure for compliance with personal data protection rules within an organisation. The role is provided for and governed by Articles 37, 38 and 39 of the GDPR, as well as by the French Data Protection Act as amended by the order of 12 December 2018.

Its primary mission is to steer the organisation's compliance with the GDPR: it informs, advises, monitors, documents and acts as the liaison with the CNIL. The CNIL itself describes the DPO as the "conductor" of data protection within the entity that appointed them.

Contrary to common belief, the DPO is neither an IT manager nor merely a lawyer. The role combines cross-disciplinary skills: personal data law, IT security, risk management, internal communication. It is a hybrid profile, increasingly sought after, operating at the intersection of legal, technical and organisational matters.

Does the DPO replace the Data Protection Correspondent (CIL)?

Yes. The DPO role succeeded that of the Data Protection Correspondent (CIL), which existed under the former regime of the 1978 French Data Protection Act. However, the DPO has significantly enhanced powers and obligations, particularly with regard to independence, allocated resources and documentary traceability.

Who is required to appoint a DPO?

This is often the first question directors ask. The answer is precise: Article 37 of the GDPR sets out three situations in which appointing a DPO is mandatory.

Which types of organisation are subject to the obligation to appoint a DPO?

The obligation applies in the following cases:

  • Public authorities and bodies (except for courts acting in their judicial capacity),
  • Organisations whose core activity consists of carrying out regular and systematic monitoring of individuals on a large scale (for example: marketing profiling, e-commerce platforms processing millions of users, telecommunications operators),
  • Organisations whose core activity consists of processing special categories of data on a large scale (health data, biometric data, data relating to criminal convictions, data revealing ethnic origin or political opinions, etc.).

Apart from these three cases, appointment remains strongly recommended by the CNIL for any business handling a significant volume of personal data, particularly in the e-commerce, human resources, finance and digital marketing sectors.

My company does not fall within a mandatory case: should I still appoint a DPO?

In practice, the answer is often yes. Appointing a DPO, even on a voluntary basis, sends a strong signal to the CNIL, to your clients and to your business partners. It is also a way to structure your compliance approach and to avoid costly mistakes that are increasingly sanctioned.

Worth noting: in early 2024, more than 34,000 DPOs were registered in France with the CNIL, compared with 21,000 in 2019, an increase of 62% over five years. This trend reflects genuine awareness within the business community.

What are the DPO's statutory duties?

The DPO's duties are defined in Article 39 of the GDPR. They are broad, demanding and cannot be delegated to a person lacking the required skills.

What are the five main DPO duties provided for by the GDPR?

1. Inform and advise the organisation and its employees about their data protection obligations. This includes raising staff awareness, drafting internal memos and training employees in good practices.

2. Monitor compliance with the GDPR and national law, in particular the French Data Protection Act. The DPO ensures the proper upkeep of the record of processing activities (mandatory for any data controller, pursuant to Article 30 of the GDPR), the legitimacy of the legal bases relied upon, and respect for individuals' rights.

3. Advise on impact assessments (DPIA, for Data Protection Impact Assessment) and verify their performance. Where processing is likely to result in a high risk to the rights and freedoms of individuals, a DPIA is mandatory before the processing is implemented (Article 35 of the GDPR).

4. Act as the contact point for data subjects, that is, respond to requests to exercise rights: right of access, right to rectification, right to erasure ("right to be forgotten"), right to data portability, right to object.

5. Cooperate with the CNIL and serve as the primary point of contact in the event of an inspection, complaint or sanction proceeding. In the event of a personal data breach, the DPO coordinates the notification to the CNIL, which must be made within 72 hours (Article 33 of the GDPR).

What can the DPO not do?

The issue of the DPO's independence is central. Article 38 of the GDPR guarantees that the DPO may not receive instructions from management regarding the performance of its duties. Nor may the DPO be dismissed or penalised for performing its functions.

Above all, the DPO cannot be both "judge and party": it cannot simultaneously hold functions that involve determining the purposes and means of a data processing operation. In practice, this means that a chief information officer (CIO), a marketing director or a human resources director generally cannot combine these roles with that of DPO.

A concrete example: An e-commerce SME appoints its IT manager as DPO to save costs. This manager also handles the customer databases and decides which CRM tools are used. This combination of roles creates a conflict of interest expressly prohibited by the GDPR and exposes the company to a CNIL sanction in the event of an inspection.

What are the DPO's responsibilities in the event of a breach?

This is a point that is often misunderstood. The DPO does not personally bear legal liability for GDPR breaches. That liability falls on the data controller, that is, the company itself and its management.

However, the DPO incurs contractual liability if it fails to perform its duties in accordance with its mandate. An external DPO also incurs professional liability under the service agreement binding them to the company.

What does a company that fails to appoint a DPO when required risk?

The risks are serious and well documented:

  • An administrative fine of up to 10 million euros or 2% of worldwide annual turnover (whichever is higher),
  • A formal notice or an injunction to appoint, with a binding deadline,
  • Enhanced scrutiny from the CNIL, with an increased risk of an extended inspection covering other aspects of compliance,
  • Reputational damage to the company in the eyes of its clients, partners and service providers.

In 2024, the CNIL carried out more than 340 inspections and several dozen sanctions exceeded one million euros. SMEs are no longer spared.

Summary table: DPO mandatory or recommended depending on the company's profile (Article 37 GDPR)

Company profile | Appointment of a DPO | Why / details
Public authority or body | Mandatory | Except for courts acting in their judicial capacity (Art. 37).
Regular and systematic monitoring of individuals on a large scale | Mandatory | Marketing profiling, large-scale e-commerce platforms, telecoms operators.
Large-scale processing of special categories of data | Mandatory | Health, biometrics, criminal convictions, ethnic origin, political opinions.
Significant volume of personal data (outside mandatory cases) | Recommended | Strongly recommended by the CNIL: e-commerce, HR, finance, digital marketing.
Company outside mandatory cases | Recommended | Strong signal to the CNIL and clients; structures compliance, avoids sanctions.

Provided for informational purposes only; does not constitute legal advice.

To learn more

What are the DPO's duties?

The DPO informs and advises the organisation, monitors compliance with the GDPR, advises on impact assessments, cooperates with the CNIL and acts as its point of contact. As a pillar of digital compliance, it has played a central role since the GDPR came into force.

Is a company required to appoint a DPO?

Appointment is mandatory for public bodies and for companies whose core activity involves regular and systematic monitoring of individuals on a large scale, or the large-scale processing of special categories of data. No organisation (SME, association or local authority) is in principle immune.

What is the real cost of a DPO?

The cost depends on the choice between an internal and an external DPO, the volume of processing and the level of support. An external DPO makes it possible to pool expertise without bearing a full-time position, which is often suited to micro-businesses, SMEs and startups.

What was the outcome of CNIL sanctions in 2025?

In 2025, the CNIL issued 83 sanctions for a record amount of 486 million euros, across all sectors. This outcome shows that no organisation is immune and underscores the importance of compliance, to which the DPO contributes.

Are SMEs concerned by CNIL sanctions?

Yes. SMEs, associations and local authorities are concerned by CNIL sanctions. No organisation is immune, which makes understanding the issues surrounding the DPO essential to protect your business before it is too late.

Can the DPO be external?

Yes. A company may appoint an external DPO, which allows it to benefit from pooled expertise without the cost of a full-time position. This option is often suited to micro-businesses, SMEs and startups subject to GDPR obligations.

What responsibilities rest on the DPO?

The DPO performs its duties in full independence and ensures the organisation's compliance. Its responsibility is exercised through its advisory and monitoring role, with liability for processing remaining with the data controller. Its function remains a pillar of compliance.

Is a lawyer useful regarding the DPO role?

A lawyer helps determine the obligation to appoint a DPO, decide between an internal and external arrangement, and secure compliance. A lawyer may also perform the DPO role, combining operational oversight with legal expertise.
