The DPO is not required to be omniscient, but must be able to show that reasonable mechanisms have been put in place to detect and supervise data processing. If an employee or a team uses an AI tool without declaring it, formal responsibility still lies with the company as data controller. However, a DPO who has not established monitoring, audit or awareness procedures could be held to have breached their advisory and oversight obligations.
To do: establish regular audits of SaaS and AI application usage, set up an internal reporting channel for employees, and make managers aware that they must declare any new tool in use.
Legal references: GDPR Article 39 (DPO tasks: information, advice, monitoring), Article 24 (responsibility of the controller).
Practical solutions: deploy detection tooling (SSO logs, CASB, browser audits), run quarterly awareness campaigns, and add an "AI uses" entry to the register of processing activities.