Appointing a data protection officer (DPO) is one of the cornerstones of compliance with the General Data Protection Regulation (GDPR). For many digital companies, e-commerce sites, digital platforms, mutual insurers, healthcare organisations or public authorities, this obligation is far from a mere formality. It determines the organisation's ability to demonstrate its compliance, anticipate risks and engage effectively with the CNIL.
The stakes are considerable. Where a DPO is not appointed although required by Article 37 of the GDPR, or where there is a failure to comply with the DPO's duties, the CNIL may impose administrative fines of up to 20 million euros or 4% of total annual worldwide turnover, whichever is higher.
This article reviews the criteria that make appointing a DPO mandatory, the sanctions incurred in the event of a breach, and the best practices that every executive should know in order to secure their business.
The data protection officer (DPO) is the person responsible, within an organisation or externally, for ensuring that personal data processing complies with the GDPR and French law.
The European legislator established this function to strengthen data governance in organisations that process a significant volume of personal information or particularly sensitive information. The DPO acts as an independent watchdog, an internal advisor and a privileged point of contact with the supervisory authority, namely the CNIL in France.
Article 39 of the GDPR lists the duties of the officer. In particular, the DPO must:
Article 38 of the GDPR further specifies that the DPO must be involved, properly and in a timely manner, in all issues relating to the protection of personal data. This obligation has been strongly reiterated by the CNIL's restricted committee in several recent decisions, as we shall see.
The GDPR offers three options to the controller:
Whichever option is chosen, the DPO must have the required professional qualifications and specialised knowledge of data protection law and practices, and must be provided with sufficient resources to carry out their duties.
Article 37 of the GDPR requires the appointment of a DPO in three exhaustively listed cases. As soon as just one of these situations is met, the appointment becomes mandatory, with no possibility of derogation on grounds of the organisation's size or cost.
The first criterion covers all public authorities and public bodies, with the exception of courts acting in their judicial capacity.
The following are notably concerned:
Article 103 of the Data Protection Act of 6 January 1978, as amended by Order No. 2018-1125 of 12 December 2018, specifies that these entities must appoint an officer, and that a single DPO may be appointed for several competent authorities depending on their organisational structure and size. This notably allows pooling between small municipalities or inter-municipal associations.
The second criterion concerns controllers and processors whose core activities require regular and systematic monitoring on a large scale of data subjects.
The following are typically concerned:
The third criterion covers organisations whose core activities consist of processing, on a large scale:
Typically concerned are hospitals, clinics, medical analysis laboratories, health mutual insurers, social protection bodies, certain corporate HR departments processing large amounts of health data, as well as recruitment platforms centralising criminal record extracts.
The concepts used in Article 37 of the GDPR are deliberately flexible to adapt to the diversity of situations. Their practical assessment relies on the guidelines of the European Data Protection Board (EDPB), formerly the Article 29 Working Party (WP29), and on the CNIL's doctrine.
The GDPR does not set a numerical threshold. The assessment relies on a body of indicators:
An individual medical practice or a sole practitioner lawyer does not, in principle, process health data or criminal conviction data on a large scale. Conversely, a network of private clinics or a national health mutual insurer clearly falls within the scope of the obligation.
Regular and systematic monitoring refers to any form of surveillance, tracking or profiling of individuals, whether automated or not. The following are notably covered:
Core activities are those that are essential to achieving the objectives of the controller, as opposed to purely ancillary activities such as payroll or routine administrative management. Thus, for a hospital, the processing of health data constitutes a core activity, even if medical care is legally distinct from the data processing. For an industrial SME whose business does not involve the large-scale management of personal data, simply keeping standard customer files does not, in principle, qualify as a core activity within the meaning of the GDPR.
Article 20 of the Act of 6 January 1978, as amended by Act No. 2024-449 of 21 May 2024, sets out the range of corrective measures and sanctions that may be imposed by the CNIL.
Before or in addition to a financial penalty, the president of the CNIL or the restricted committee may impose:
These measures may be made public, which carries significant reputational consequences for the companies concerned.
Article 20 of the Data Protection Act and Article 83 of the GDPR establish a two-tier scale of administrative fines:
In determining the amount, the restricted committee takes into account the criteria set out in Article 83 of the GDPR: the nature, gravity and duration of the breach, whether it was intentional or not, the measures taken to mitigate the damage, the degree of cooperation with the CNIL, the categories of data concerned and the organisation's record.
Article 22-1 of the Act of 6 January 1978, as amended by the Act of 21 May 2024, sets out a simplified procedure reserved for cases presenting no particular difficulty. The president of the restricted committee, or a designated member, may rule alone and impose:
Decisions issued under this procedure are not made public, which limits the reputational impact while ensuring a swift response to less serious breaches.
The CNIL restricted committee's recent decisions show that breaches of the obligations relating to the DPO are systematically factored into the calculation of the fines imposed.
In its decision SAN-2025-008 of 18 September 2025, the CNIL's restricted committee sanctioned the company SAMARITAINE SAS with a public administrative fine of 100,000 euros, for several breaches of the GDPR.
The case concerned the installation, in August 2023, of five cameras concealed in fake smoke detectors in the storerooms of the Paris store. In addition to breaches of the principles of fairness and data minimisation, the CNIL expressly found a breach of Article 38(1) of the GDPR, that is, the obligation to involve the data protection officer in matters relating to data protection.
According to the decision, the officer was only informed of the system on 2 October 2023, that is, after its installation and removal. The restricted committee noted that consulting her beforehand would have allowed the DPO to point out the strict conditions for deploying such a system, and that the company would likely have avoided the contested installation. This decision is instructive on two counts. First, it shows that appointing a DPO is not enough: the DPO must also be effectively involved in all sensitive matters. Second, it confirms that the CNIL now systematically includes this breach in its reasoning, including for employee video surveillance systems, a hot topic for many companies.
Several practical lessons emerge for executives:
Many VSEs/SMEs do not meet the criteria of Article 37 of the GDPR. This does not exempt them from their other obligations, and the CNIL strongly recommends appointing a reference person, even on a voluntary basis.
Where the appointment of a DPO is not mandatory, it is strongly advisable to:
This reference person does not have the protective legal status of a formally appointed DPO. However, they considerably secure the internal chain of responsibility and facilitate any CNIL inspections.
Even without a mandatory DPO, the accountability principle set out in Article 5(2) of the GDPR remains fully applicable. The controller must be able to demonstrate its compliance at any time. This notably entails:
GDPR compliance frequently intersects with other obligations arising from the Labour Code (implementing a video surveillance system, consulting the works council), the Consumer Code (pre-contractual information, right of withdrawal, advertising cookies) or the Commercial Code (retention of accounting records). This cross-cutting nature often justifies the involvement of multidisciplinary legal counsel, able to combine these constraints to propose comprehensive compliance.
Specialising in digital law, commercial law and distribution law, the Mirabile Avocat law firm regularly works with VSEs, SMEs, startups and digital platforms on all issues relating to the GDPR and the appointment of a DPO.
The support offered covers several areas:
The aim is to turn compliance into a governance tool and a lever of trust for clients, partners and investors.
Appointing a DPO is not a discretionary choice. It is required as soon as an organisation falls within one of the three cases set out in Article 37 of the GDPR. Failure to comply with this obligation, like failure to comply with the DPO's duties once appointed, exposes the organisation to sanctions of up to 20 million euros or 4% of worldwide turnover. The CNIL's recent decisions, including decision SAN-2025-008 of 18 September 2025, show that the obligation to effectively involve the DPO is now a central focus of the supervisory authority.
For executives, the challenge is threefold: verifying whether the obligation applies in light of the business and the data processed, structuring the DPO function where it is required, and establishing internal processes that ensure the officer is involved in all decisions affecting personal data. Failing this, the organisation exposes itself not only to heavy financial penalties, but also to a reputational risk that is difficult to contain once the decision is made public.
This article is intended to be informative and educational. It does not constitute personalised legal advice nor a substitute for consulting a lawyer. Each situation calls for a specific analysis in light of the business, the data processed and the organisation of the company. For any question relating to your GDPR compliance or the appointment of a DPO, it is advisable to consult a specialised lawyer.
To learn more
Article 37 of the GDPR makes appointing a DPO mandatory for public authorities, organisations whose core activity involves regular and systematic monitoring of individuals on a large scale, and those processing sensitive data on a large scale.
Article 37 of the GDPR defines the cases in which appointing a DPO is mandatory. It notably covers public authorities and organisations carrying out large-scale monitoring of individuals or processing sensitive data on a large scale.
Those notably concerned include digital companies, e-commerce sites, digital platforms, mutual insurers, healthcare organisations and public authorities, where they meet the criteria of Article 37 of the GDPR. For them, this obligation is not a mere formality.
Where a DPO is not appointed although required, or where there is a failure to comply with the DPO's duties, the CNIL may impose administrative fines of up to 20 million euros or 4% of total annual worldwide turnover, whichever is higher.
This criterion covers processing involving continuous or recurring observation of individuals on a large scale, such as profiling or behaviour tracking. Where it characterises an organisation's core activity, appointing a DPO becomes mandatory.
Yes, where it is carried out on a large scale. Organisations processing sensitive data on a large scale, such as health data, are required to appoint a DPO pursuant to Article 37 of the GDPR.
The DPO determines the organisation's ability to demonstrate its compliance, anticipate risks and engage effectively with the CNIL. Their appointment, where mandatory, is a considerable challenge for the organisation's legal security.
A lawyer helps determine whether appointing a DPO is mandatory in light of Article 37 of the GDPR, secure that appointment and avoid CNIL sanctions. This support clarifies an obligation with significant stakes.