Hello everyone, this is Manon DURAND, health lawyer within the company Pharmaspecific. We meet again to talk about the General Data Protection Regulation (the GDPR) which, I remind you, is the reference text in terms of personal data protection within the European Union and which has been applicable since May 25, 2018.
The question of the day is whether it is possible to appoint a DPO who is located outside the European Union. As a reminder, the data protection officer, DPO, is the person who will take care of the GDPR compliance of the organization that has appointed him. That is to say that he is the one who will implement all the obligations related to the GDPR: the processing registers, the impact assessment, the security measures…
He can be internal to the company, that is to say that he can be an employee, but he can also be external to the company, that is to say that the company can call upon a third company to carry out its DPO missions. There is a list of cases in which the appointment of a DPO is mandatory; however, nothing prevents you from appointing a DPO even if you do not fit into this list of cases.
Therefore, a priori there is no contraindication to the appointment of a DPO who is located outside the European Union. However, if you make this choice, it is up to you to verify that the DPO you choose is completely aware of the principles and rules of the GDPR, since it is possible that he is not subject to it. Therefore, he does not have to work with the GDPR on a regular basis. So, if you make this choice, it is up to you to verify that your compliance will not be tainted by this choice of DPO located outside the European Union.
The second point to which you must pay attention is the framework of transfers outside the European Union, because precisely if your DPO is located outside the European Union, unless it is located in a country recognized as adequate by the European Commission, you will have to implement transfer tools that are detailed in the GDPR, for example standard contractual clauses or binding corporate rules to secure your transfer. So be careful if you make this choice to properly frame your data transfer outside the European Union so as not to deviate from the GDPR.
That’s it for this video, I hope you liked it. If you did, don’t hesitate to subscribe to our channel and to like this video. You will find in the information bar information about our services and in particular the monthly legal watch as well as the legal advice in clinical research and as for me, I’ll see you soon for a new video.