Questions About GDPR? Here Are Some Answers to the Most Common Topics

This FAQ provides answers to the most common questions about personal data protection, legal obligations, and best practices to adopt. A useful starting point to better understand your compliance challenges.

Do I need to appoint a DPO?

Under the GDPR, appointing a Data Protection Officer (DPO) is mandatory in certain cases, including:

  • Public authorities and bodies (except for courts acting in their judicial capacity);

  • Organizations whose core activities require regular and systematic monitoring of individuals on a large scale;

  • Organizations whose core activities involve large-scale processing of special categories of data (sensitive data) or data relating to criminal convictions and offences.

If your organization does not fall into one of these categories, appointing a DPO is optional — but often recommended to support your GDPR compliance efforts.

In all cases, the DPO must have the necessary expertise, act independently, and be easily accessible to both data subjects and the supervisory authority (in France, the CNIL).

To assess whether your organization is required to appoint a DPO — and to determine the best compliance setup — feel free to get in touch via the Contact section.

Can I set up compliance documents once and for all?

Setting up compliance documents (processing records, privacy policy, legal notices, etc.) is an essential step — but it is never a "one-and-done" exercise.

The GDPR requires regular updates to documentation to reflect changes in processing activities, tools used, subcontractors, and internal organization. Compliance is an ongoing process, not a fixed state.

Additionally, some documents need to be periodically reassessed (impact assessments, retention periods, security policies, etc.), especially when launching new services or undergoing significant changes within the company.

Building a solid foundation is indispensable, but it must be monitored, maintained, and adapted over time. To develop a sustainable and proportionate approach tailored to your activity, feel free to contact me via the Contact section.

All my processors are GDPR-compliant — does that mean my company is compliant too?

No.

Even if your processors (service providers, partners, platforms, etc.) comply with the GDPR, your company remains fully responsible for the way personal data is collected, used, and secured within your own structure.

Each organization must document and demonstrate its own compliance — including how processors are selected, monitored, and bound by appropriate contractual safeguards (such as DPAs and SCCs).

Relying on compliant partners is essential, but it is only one part of your overall responsibility.
To assess your current level of compliance and identify any gaps, feel free to contact me via the Contact section.

Do I need to maintain a Record of Processing Activities (ROPA)?

Currently, the GDPR requires all data controllers and processors to maintain a Record of Processing Activities (ROPA), except for companies with fewer than 250 employees whose processing is only occasional, does not involve sensitive data, and is not likely to result in a risk to individuals.

The European Commission is currently discussing a proposal that would, starting in 2026, exempt certain mid-sized companies (up to 500 or even 700 employees) from this obligation — unless they process sensitive data or present a high risk to individuals’ rights and freedoms.

This proposal is still under discussion and has not yet come into force.

In the meantime, it is strongly recommended to maintain a complete and up-to-date record of processing activities.

To assess your obligations and create a register tailored to your organization, feel free to contact me via the Contact section.

Can I use a generic email address like contact@mycompany.com or hr@mycompany.com as a GDPR contact point?

Yes, it is possible to use a generic email address as your GDPR contact point.

However, to ensure effective and compliant handling of data protection requests (access, rectification, objection, etc.), it is recommended that the address be clearly identified and dedicated to this purpose.

The email address should be easily accessible via your privacy policy and any information provided to data subjects. It must allow for prompt processing of requests and ensure traceability of communications.

If a generic email is used, make sure that only the team responsible for GDPR compliance has access to it, to avoid delays or loss of information.

For optimal management, some organizations prefer to create a dedicated address such as gdpr@mycompany.com to clearly indicate the purpose of the contact.

Does the Data Processing Agreement (DPA) really have limited legal scope? Is it risky to sign one without consulting the Data Protection Officer (DPO)?

The Data Processing Agreement (DPA) — or data processing contract — is a key legal document that defines the obligations of the processor regarding personal data protection.

Although it may appear “technical” or minor at first glance, the DPA is legally binding and outlines responsibilities, security measures, and how data is to be handled.

Signing a DPA without first consulting your DPO can lead to risks — especially if the clauses do not properly reflect GDPR requirements or fail to align with your operational realities.

The DPO’s role is precisely to review such documents to ensure that your contractual commitments are compliant with the regulation and protect your interests.

In short, it is strongly recommended to have every DPA reviewed by your DPO before signing, to avoid legal or operational pitfalls.

For assistance with drafting or reviewing your DPAs, feel free to contact me via the Contact section.

As the founder of the company, can I appoint myself as the Data Protection Officer (DPO), either with the CNIL or in contractual documents (DPAs, agreements, etc.)?

The GDPR requires that the Data Protection Officer (DPO) be able to carry out their duties independently and without any conflict of interest.
If the founder or director of a company is also responsible for implementing and managing data processing activities, this dual role may create a potential conflict of interest.

In practice, the same person should not be both judge and party — that is, defining the purposes of processing (as the data controller) while also being in charge of monitoring compliance (as the DPO).

It is therefore recommended, whenever possible, to ensure that the DPO can act autonomously and without pressure or conflicts related to other operational roles.

In case of uncertainty or specific organizational setups, it is advisable to seek guidance to ensure both compliance and efficiency.

If you'd like to discuss your particular situation, feel free to contact me via the Contact section.

Does the GDPR apply when I contact businesses (B2B) to offer my services?

Consent is not required for B2B marketing. However, the GDPR still applies as soon as you process personal data — and several obligations must be respected:

  • The marketing message must relate to the professional activity of the person contacted (for example, you should not offer nutrition or wellness coaching services to finance professionals).

  • You must clearly inform the data subject about the identity of the data controller, the purpose of the outreach, the source of the data, and their rights (especially the right to object).

  • A complete and accessible privacy policy must be made available.

  • The right to object must be easy to exercise.

  • You must document the legal basis for processing, which is typically legitimate interest.

To develop a compliant outreach strategy tailored to your activity, feel free to contact me via the Contact section.

When a customer creates an account on my online store, can I send them marketing emails in a B2C context? What about promotional games or contests?

Creating a customer account does not automatically give you the right to send marketing emails (see CNIL decision SAN-2021-008 of June 14, 2021).

According to the CNIL (France’s Data Protection Authority):

“Creating an account does not imply that the person will eventually place an order with the company,” and therefore does not justify marketing communications based on legitimate interest without consent.

Only individuals who have already made a purchase may be contacted without explicit consent, under legitimate interest — and only for similar products or services, with a simple way to opt out.

Promotional games and commercial invitations

Sending a contest invitation to someone who is not a customer and not subscribed to your newsletter constitutes commercial prospecting.
This requires prior explicit consent, even if the person has interacted with your website.

Designing a GDPR-compliant marketing strategy often raises questions such as:

  • How should consent be collected for personalized offers based on purchase or browsing behavior?

  • If someone has unsubscribed from your newsletter, can you still send them cart reminders or notify them that their cart will soon expire?

  • What are the key differences between a transactional message and a marketing message?

  • Can you use anonymous browsing data to show targeted ads?

These are core issues when building a GDPR-compliant marketing strategy for B2C activities.

To define the right approach for your business, feel free to contact me via the Contact section.

As a home healthcare provider (PSAD), I inform my patients about the processing of their personal data via their online client account. Account creation is done by clicking a link sent by email. Is this approach GDPR-compliant?

The GDPR requires that data subjects be clearly informed about how their personal data is processed.
Article 12 of the Regulation states that this information must be provided in a manner that is “concise, transparent, intelligible and easily accessible, using clear and plain language.”

The CNIL (France’s Data Protection Authority) also emphasizes that information must be “easily accessible, written in clear and understandable terms, and provided free of charge.”

In the context of home healthcare services (PSAD), it is important to go beyond mere technical simplicity.

At My DPO Partner, experience shows that a significant portion of patients are elderly or not comfortable with digital tools. Therefore, it is essential that the communication methods used are genuinely adapted to their abilities, habits, and needs.

What may seem clear and user-friendly from a technical point of view may not be so for the individuals concerned.
Providing information only via an online account does not automatically meet the GDPR's transparency and accessibility requirements.

In short:
Digital solutions are valuable, but they must be complemented by alternative communication channels (e.g. printed documents, phone support, user assistance) to ensure truly accessible information for all — in line with the GDPR and CNIL guidelines.

If you’d like to assess whether your current patient information approach is compliant with the GDPR, feel free to contact me via the Contact section.

In the context of a research project involving health data, is it possible to collaborate with multiple research centers and CROs located in different countries — including outside the EU — while remaining GDPR-compliant?

Yes, this is entirely possible, including for international collaborations with multiple partners, provided that certain legal requirements are strictly followed.

Legal framework for international data transfers
Any transfer of personal data to a country outside the European Economic Area (EEA) must be governed by the rules set out in Articles 44 to 50 of the GDPR.
This generally requires the use of Standard Contractual Clauses (SCCs), an adequacy decision, or other appropriate safeguards as defined under Article 46 of the GDPR. These mechanisms ensure a level of protection equivalent to that required within the EU.

Health data and hosting requirements
When it comes to personal health data, additional requirements apply.
In France, such data must in principle be hosted by a provider certified as a Health Data Host (Hébergeur de Données de Santé – HDS), and located within the EEA. This may raise specific technical and legal challenges when working with partners outside the EU.

The role of sponsors, access modalities for international partners, and the use of compliant technical solutions (secure hosting, pseudonymisation, data transfers, secure remote access, etc.) must be carefully assessed on a case-by-case basis.

To define a GDPR-compliant data transfer framework tailored to your research project, feel free to contact me via the Contact section.

As a startup, can I enter into an agreement with a hospital to obtain real patient data in order to test my tool?

It is not permitted to use real patient data provided by a hospital to test a solution — unless that data has been irreversibly anonymised.
According to the CNIL, only truly anonymous data falls outside the scope of the GDPR and can be freely used outside the context of healthcare or regulated research.

However, a hospital cannot anonymise its data for commercial testing purposes without following strict procedures, which are generally reserved for approved research projects.

For this reason, testing a solution with real patient data may be difficult, but several alternatives do exist — including the use of synthetic data or the establishment of legally compliant partnerships under appropriate frameworks.

To explore your options and receive tailored guidance, feel free to contact me via the Contact section.