he Data Protection Officer (DPO) is responsible for ensuring compliance with local data protection regulations, such as the GDPR for the European Union, within their entities. The DPO handles all matters related to the protection of personal data within their group of entities. They serve as the primary contact for the Data Protection Regulator in the territory where their entity operates (e.g., in France, the CNIL - National Commission on Informatics and Liberties) .

The DPO also serves as the legal referent for their entities. They act as the legal point of contact for Privacy Ambassadors (PA) and Project Owners (PO) regarding GDPR compliance. Additionally, the DPO ensures that the group’s data protection policies are implemented across business units. Hierarchically, they report to the legal representatives of their entities through the responsible Director or Business Unit Manager. Functionally, they report to the Group DPO.

Detailed Responsibilities:

Data Protection:

• The DPO deploys the group’s privacy roadmap, ensuring compliance with local regulations (if stricter) .

• They adapt group procedures related to privacy protection and oversee their implementation.

• The DPO applies data protection governance rules within their group of entities and deploys additional rules if necessary.

• They maintain data flow diagrams and the register of data processing activities.

• In case of personal data breaches, the DPO manages the situation following the group’s procedure.

Support and Advice:

• The DPO supports and advises the Global Privacy Ambassador (GPA) , Privacy Ambassadors, and Privacy Relays within their entities.

• They provide guidance to business units and departments on data protection matters.

Legal Validation:

• The DPO legally analyzes and validates data processing activities recorded by POs, PRs, and GPAs in BCSI sheets or other tools.

• They keep the register of data processing activities up to date and co-create impact assessment sheets (to evaluate non-compliance risks) .

Communication and Exercise of Rights:

• The DPO ensures compliance and deployment of information to individuals through Privacy Policies, Cookie Policies, and legal notices.

• They organize the process for exercising rights within their entities, collaborating with corporate teams or other group entities when necessary. They handle requests from clients and employees within their scope and escalate any arbitration needs to the Group DPO.

Contractual and Aspects:

• The DPO identifies contract evolution needs to comply with current or upcoming data protection regulations. They co-create Data Privacy Annexes (DPA) for these contracts.

Training:

• In collaboration with the Group DPO, the entity’s DPO identifies training needs for Global Privacy Ambassadors, Privacy Ambassadors, Privacy Relays, and RMSSI.

• They participate in creating training offerings and deliver them with the assistance of the Group DPO or other relevant teams (e.g., IT Security, audit) .

• Ensures the tracking of training conducted within their entity.

Internal Control and Audit

The DPO:

• Receives and processes audit requests from regulators. They promptly report any regulator’s control/audit requests to the Group’s DPO, their management within the entity, and the Legal Data Corporate team. Depending on the nature of the controls, the Group’s DPO may assist the DPO of the audited entity during the control period.

• Drives the advancement of compliance action plans for data processing within their entity, collaborating with Internal Control teams alongside the Global Privacy Ambassador and Privacy Ambassador.

• Participates in defining audit plans related to Personal Data Protection for their entity.

• Deploys these plans with Privacy Ambassadors within their entity and each entity they supervise.

• Collaborates with auditors and internal controllers.

Regulatory Monitoring

• The DPO conducts regulatory monitoring (in countries where the entities they oversee are based) regarding any regulatory developments (or proposed changes) related to Personal Data, Information Systems Security, or any other domain that could impact or affect data protection within their entity.

• To this end, the DPO attends events organized by regulators and/or associations involved in Personal Data Protection and Information Systems Security. They promptly inform the Group’s DPO and the Legal Data Corporate team of any significant developments that could impact their entities, their entities’ subsidiaries, or the Group.

Key Deliverables and Indicators

• Legal and regulatory analyses, both prospective and preventive.

• In support and coordination with risk-owning entities, development and implementation of compliance programs to ensure the company operates within legal and regulatory frameworks.

• Provision of technically reliable, timely, and commercially adapted legal advice; positioning as a ‘business partner’; all documented through positive ‘Voice of Customers’ surveys.

• Calculation and reporting of key performance indicators (KPIs) based on criteria defined with the Group’s DPO.

Qualifications:

• Master’s degree (Master 2) in Personal Data Law, Intellectual Property, Contracts, or a business school with a legal/data protection option.

• Minimum 3 years of experience as a DPO within a legal department of a company (preferably international) responsible for Data Privacy aspects, a law firm, or a Data Protection Authority.

• Autonomy and ability to work with multiple teams across different departments. Rigorous, detail-oriented, and skilled in community management, training, and maintaining close relationships with multidisciplinary teams