When is a DPO mandatory? GDPR criteria and CNIL sanctions

Appointing a data protection officer (DPO) is one of the cornerstones of compliance with the General Data Protection Regulation (GDPR). For many digital companies, e-commerce sites, digital platforms, mutual insurers, healthcare organisations or public authorities, this obligation is far from a mere formality. It determines the organisation's ability to demonstrate its compliance, anticipate risks and engage effectively with the CNIL.

The stakes are considerable. Where a DPO is not appointed although required by Article 37 of the GDPR, or where there is a failure to comply with the DPO's duties, the CNIL may impose administrative fines of up to 20 million euros or 4% of total annual worldwide turnover, whichever is higher.

This article reviews the criteria that make appointing a DPO mandatory, the sanctions incurred in the event of a breach, and the best practices that every executive should know in order to secure their business.

What is a DPO and why did the GDPR create this role?

The data protection officer (DPO) is the person responsible, within an organisation or externally, for ensuring that personal data processing complies with the GDPR and French law.

The European legislator established this function to strengthen data governance in organisations that process a significant volume of personal information or particularly sensitive information. The DPO acts as an independent watchdog, an internal advisor and a privileged point of contact with the supervisory authority, namely the CNIL in France.

What specific duties does the GDPR assign to the DPO?

Article 39 of the GDPR lists the duties of the officer. In particular, the DPO must:

  • Inform and advise the controller, the processor and employees of their obligations regarding data protection;
  • Monitor compliance with the GDPR, the French Data Protection Act of 6 January 1978 and internal policies;
  • Provide advice on data protection impact assessments (DPIA) and verify their proper execution;
  • Cooperate with the CNIL and act as a point of contact for the authority;
  • Have due regard to the risk associated with processing, taking into account the nature, scope and purposes of the processing.

Article 38 of the GDPR further specifies that the DPO must be involved, properly and in a timely manner, in all issues relating to the protection of personal data. This obligation has been strongly reiterated by the CNIL's restricted committee in several recent decisions, as we shall see.

Can the DPO be internal, external or shared?

The GDPR offers three options to the controller:

  • An internal DPO, an employee of the organisation, provided there is no conflict of interest;
  • An external DPO, an independent service provider (lawyer, specialised consultant, advisory firm), bound by a service contract;
  • A shared DPO between several entities within the same group or several public bodies, provided that the DPO remains easily reachable from each site.

Whichever option is chosen, the DPO must have the required professional qualifications and specialised knowledge of data protection law and practices, and must be provided with sufficient resources to carry out their duties.

When is appointing a DPO mandatory under Article 37 of the GDPR?

Article 37 of the GDPR requires the appointment of a DPO in three exhaustively listed cases. As soon as just one of these situations is met, the appointment becomes mandatory, with no possibility of derogation on grounds of the organisation's size or cost.

Is your organisation a public authority or public body?

The first criterion covers all public authorities and public bodies, with the exception of courts acting in their judicial capacity.

The following are notably concerned:

  • State administrations and decentralised services;
  • Local authorities (municipalities, departments, regions, EPCIs);
  • Public establishments (hospitals, universities, schools, agencies, offices);
  • Private-law legal entities entrusted with a public service mission, insofar as they process data in that context.

Article 103 of the Data Protection Act of 6 January 1978, as amended by Order No. 2018-1125 of 12 December 2018, specifies that these entities must appoint an officer, and that a single DPO may be appointed for several competent authorities depending on their organisational structure and size. This notably allows pooling between small municipalities or inter-municipal associations.

Do your activities involve regular and systematic monitoring on a large scale?

The second criterion concerns controllers and processors whose core activities require regular and systematic monitoring on a large scale of data subjects.

The following are typically concerned:

  • Banks and credit institutions;
  • Insurance companies and mutual insurers with high numbers of policyholders;
  • Telecom operators and internet service providers;
  • Large e-commerce platforms and marketplaces;
  • Social networks and content-sharing platforms;
  • SaaS software publishers processing large volumes of user accounts;
  • Advertising networks engaging in profiling or behavioural advertising.

Do you process sensitive or criminal data on a large scale?

The third criterion covers organisations whose core activities consist of processing, on a large scale:

  • Sensitive data within the meaning of Article 9 of the GDPR: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a person, health data, or data concerning a person's sex life or sexual orientation;
  • Or data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR.

Typically concerned are hospitals, clinics, medical analysis laboratories, health mutual insurers, social protection bodies, certain corporate HR departments processing large amounts of health data, as well as recruitment platforms centralising criminal record extracts.

Summary of cases where the DPO becomes mandatory (summary table not reproduced)

What do the GDPR's key concepts mean with regard to the DPO?

The concepts used in Article 37 of the GDPR are deliberately flexible to adapt to the diversity of situations. Their practical assessment relies on the guidelines of the European Data Protection Board (EDPB), formerly the Article 29 Working Party (WP29), and on the CNIL's doctrine.

How is the "large scale" criterion to be assessed?

The GDPR does not set a numerical threshold. The assessment relies on a body of indicators:

  • The number of data subjects, in absolute terms or as a proportion of the relevant population;
  • The volume of data processed or the range of data categories;
  • The duration or permanence of the processing;
  • The geographical scope of the processing;
  • The sensitivity of the data involved.

An individual medical practice or a sole practitioner lawyer does not, in principle, process health data or criminal conviction data on a large scale. Conversely, a network of private clinics or a national health mutual insurer clearly falls within the scope of the obligation.

What is meant by "regular and systematic monitoring"?

Regular and systematic monitoring refers to any form of surveillance, tracking or profiling of individuals, whether automated or not. The following are notably covered:

  • Advertising profiling and targeted advertising;
  • Behavioural analysis on a website or application;
  • Customer scoring in the banking or insurance sector;
  • Continuous geolocation of users or employees;
  • Video surveillance deployed across a large network of stores.

What are an organisation's "core activities"?

Core activities are those that are essential to achieving the objectives of the controller, as opposed to purely ancillary activities such as payroll or routine administrative management. Thus, for a hospital, the processing of health data constitutes a core activity, even if medical care is legally distinct from the data processing. For an industrial SME whose business does not involve the large-scale management of personal data, simply keeping standard customer files does not, in principle, qualify as a core activity within the meaning of the GDPR.

What CNIL sanctions apply in the event of a breach of the obligations relating to the DPO?

Article 20 of the Act of 6 January 1978, as amended by Act No. 2024-449 of 21 May 2024, sets out the range of corrective measures and sanctions that may be imposed by the CNIL.

What corrective measures can the CNIL impose?

Before or in addition to a financial penalty, the president of the CNIL or the restricted committee may impose:

  • A warning where the envisaged processing is likely to infringe the GDPR;
  • A reprimand;
  • A formal notice to bring processing into compliance, within a period that may be reduced to 24 hours in cases of urgency;
  • An injunction to bring processing into compliance, which may be accompanied by a penalty payment of up to 100,000 euros per day of delay;
  • The temporary or permanent limitation of processing or its prohibition;
  • The withdrawal of a certification;
  • The suspension of data flows to a third country;
  • The partial or total suspension of the approval of binding corporate rules (BCR).

These measures may be made public, which carries significant reputational consequences for the companies concerned.

What is the scale of the applicable administrative fines?

Article 20 of the Data Protection Act and Article 83 of the GDPR establish a two-tier scale of administrative fines:

  • For the breaches referred to in Article 83(4) of the GDPR, which notably include breaches of the obligations of the controller and the processor (Articles 8, 11, 25 to 39, 42 and 43) and therefore cover the failure to appoint a DPO or to comply with the DPO's duties: a fine of up to 10 million euros or, for an undertaking, 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher;
  • For the most serious breaches referred to in Article 83(5) and (6) (fundamental processing principles, rights of data subjects, international transfers, failure to comply with a CNIL injunction): a fine of up to 20 million euros or 4% of total annual worldwide turnover, whichever is higher.

In determining the amount, the restricted committee takes into account the criteria set out in Article 83 of the GDPR: the nature, gravity and duration of the breach, whether it was intentional or not, the measures taken to mitigate the damage, the degree of cooperation with the CNIL, the categories of data concerned and the organisation's record.

What is the CNIL's simplified sanction procedure?

Article 22-1 of the Act of 6 January 1978, as amended by the Act of 21 May 2024, sets out a simplified procedure reserved for cases presenting no particular difficulty. The president of the restricted committee, or a designated member, may rule alone and impose:

  • A reprimand;
  • An injunction to bring processing into compliance, accompanied where applicable by a penalty payment capped at 100 euros per day of delay;
  • An administrative fine capped at 20,000 euros.

Decisions issued under this procedure are not made public, which limits the reputational impact while ensuring a swift response to less serious breaches.

Summary of sanctions incurred by companies (summary table not reproduced)

What concrete examples of sanctions illustrate the risks for companies?

The CNIL restricted committee's recent decisions show that breaches of the obligations relating to the DPO are systematically factored into the calculation of the fines imposed.

What lessons can be drawn from decision SAN-2025-008 of 18 September 2025?

In its decision SAN-2025-008 of 18 September 2025, the CNIL's restricted committee sanctioned the company SAMARITAINE SAS with a public administrative fine of 100,000 euros, for several breaches of the GDPR.

The case concerned the installation, in August 2023, of five cameras concealed in fake smoke detectors in the storerooms of the Paris store. In addition to breaches of the principles of fairness and data minimisation, the CNIL expressly found a breach of Article 38(1) of the GDPR, that is, the obligation to involve the data protection officer in matters relating to data protection.

According to the decision, the officer was only informed of the system on 2 October 2023, that is, after its installation and removal. The restricted committee noted that consulting her beforehand would have allowed the DPO to point out the strict conditions for deploying such a system, and that the company would likely have avoided the contested installation. This decision is instructive on two counts. First, it shows that appointing a DPO is not enough: the DPO must also be effectively involved in all sensitive matters. Second, it confirms that the CNIL now systematically includes this breach in its reasoning, including for employee video surveillance systems, a hot topic for many companies.

What lessons for VSEs/SMEs and e-merchants?

Several practical lessons emerge for executives:

  • The existence of a DPO does not preclude a sanction if the organisation does not genuinely involve them in its projects;
  • Emergency decisions taken during holiday periods do not exempt an organisation from consulting the DPO, even if only by asynchronous email;
  • The absence of documentation for a processing operation (register, DPIA, exchanges with the DPO) constitutes an aggravating circumstance retained by the CNIL;
  • The publicity of sanctions on the CNIL and Légifrance websites produces a reputational effect that is often greater than the amount of the fine itself.

What best practices secure GDPR compliance even without a mandatory DPO?

Many VSEs/SMEs do not meet the criteria of Article 37 of the GDPR. This does not exempt them from their other obligations, and the CNIL strongly recommends appointing a reference person, even on a voluntary basis.

Should a GDPR reference person be appointed in the absence of a DPO?

Where the appointment of a DPO is not mandatory, it is strongly advisable to:

  • Appoint an internal GDPR reference person, clearly identified within the organisation chart;
  • Entrust them with keeping the record of processing activities required by Article 30 of the GDPR;
  • Enable them to oversee DPIAs where they are required;
  • Give them the means to handle requests to exercise data subject rights (access, rectification, erasure, objection, portability, restriction).

This reference person does not have the protective legal status of a formally appointed DPO. However, they considerably secure the internal chain of responsibility and facilitate any CNIL inspections.

What obligations remain in the absence of a DPO?

Even without a mandatory DPO, the accountability principle set out in Article 5(2) of the GDPR remains fully applicable. The controller must be able to demonstrate its compliance at any time. This notably entails:

  • Keeping a record of processing activities;
  • Carrying out impact assessments where the processing is likely to result in a high risk;
  • Notifying the CNIL of data breaches within 72 hours, in accordance with Article 33 of the GDPR;
  • Implementing appropriate technical and organisational security measures;
  • Complying with the retention periods defined in advance;
  • Providing fair and transparent information to data subjects.

How does this interact with other areas of law?

GDPR compliance frequently intersects with other obligations arising from the Labour Code (implementing a video surveillance system, consulting the works council), the Consumer Code (pre-contractual information, right of withdrawal, advertising cookies) or the Commercial Code (retention of accounting records). This cross-cutting nature often justifies the involvement of multidisciplinary legal counsel, able to combine these constraints to propose comprehensive compliance.

How does the Mirabile Avocat law firm support executives with GDPR compliance?

Specialising in digital law, commercial law and distribution law, the Mirabile Avocat law firm regularly works with VSEs, SMEs, startups and digital platforms on all issues relating to the GDPR and the appointment of a DPO.

The support offered covers several areas:

  • Assessment of the situation: analysis of the business, the data processing carried out and the thresholds that trigger, or not, the obligation to appoint a DPO;
  • Strategic advice on the choice between an internal DPO, external DPO or shared DPO, and drafting of engagement contracts where the DPO is outsourced;
  • Operational compliance: drafting the record of processing activities, privacy policies, information notices, and carrying out impact assessments on high-risk processing;
  • Contractual security of relationships with processors within the meaning of Article 28 of the GDPR;
  • Assistance in the event of a CNIL inspection, from preparing the interviews to drafting observations in response to a sanction report;
  • Defence before the restricted committee of the CNIL and, where applicable, an appeal before the Conseil d'État within the two-month period provided for by the relevant texts;
  • Training of management and operational teams, particularly in sensitive contexts (e-commerce, digital marketing, video surveillance, AI and profiling).

The aim is to turn compliance into a governance tool and a lever of trust for clients, partners and investors.

What conclusions should an executive draw?

Appointing a DPO is not a discretionary choice. It is required as soon as an organisation falls within one of the three cases set out in Article 37 of the GDPR. Failure to comply with this obligation, like failure to comply with the DPO's duties once appointed, exposes the organisation to sanctions of up to 20 million euros or 4% of worldwide turnover. The CNIL's recent decisions, including decision SAN-2025-008 of 18 September 2025, show that the obligation to effectively involve the DPO is now a central focus of the supervisory authority.

For executives, the challenge is threefold: verifying whether the obligation applies in light of the business and the data processed, structuring the DPO function where it is required, and establishing internal processes that ensure the officer is involved in all decisions affecting personal data. Failing this, the organisation exposes itself not only to heavy financial penalties, but also to a reputational risk that is difficult to contain once the decision is made public.

Disclaimer

This article is intended to be informative and educational. It does not constitute personalised legal advice nor a substitute for consulting a lawyer. Each situation calls for a specific analysis in light of the business, the data processed and the organisation of the company. For any question relating to your GDPR compliance or the appointment of a DPO, it is advisable to consult a specialised lawyer.

To learn more

When is appointing a DPO mandatory?

Article 37 of the GDPR makes appointing a DPO mandatory for public authorities, organisations whose core activity involves regular and systematic monitoring of individuals on a large scale, and those processing sensitive data on a large scale.

What does Article 37 of the GDPR provide?

Article 37 of the GDPR defines the cases in which appointing a DPO is mandatory. It notably covers public authorities and organisations carrying out large-scale monitoring of individuals or processing sensitive data on a large scale.

Which organisations are concerned by the DPO obligation?

Those notably concerned include digital companies, e-commerce sites, digital platforms, mutual insurers, healthcare organisations and public authorities, where they meet the criteria of Article 37 of the GDPR. For them, this obligation is not a mere formality.

What sanctions apply for failing to appoint a DPO?

Where a DPO is not appointed although required, or where there is a failure to comply with the DPO's duties, the CNIL may impose administrative fines of up to 20 million euros or 4% of total annual worldwide turnover, whichever is higher.

What is regular and systematic monitoring on a large scale?

This criterion covers processing involving continuous or recurring observation of individuals on a large scale, such as profiling or behaviour tracking. Where it characterises an organisation's core activity, appointing a DPO becomes mandatory.

Does processing sensitive data require a DPO?

Yes, where it is carried out on a large scale. Organisations processing sensitive data on a large scale, such as health data, are required to appoint a DPO pursuant to Article 37 of the GDPR.

Why is the DPO a cornerstone of compliance?

The DPO determines the organisation's ability to demonstrate its compliance, anticipate risks and engage effectively with the CNIL. Their appointment, where mandatory, is a considerable challenge for the organisation's legal security.

Is a lawyer useful in determining the DPO obligation?

A lawyer helps determine whether appointing a DPO is mandatory in light of Article 37 of the GDPR, secure that appointment and avoid CNIL sanctions. This support clarifies an obligation with significant stakes.
