As we get closer to 25 May 2018, the date when the General Data Protection Regulation (“GDPR”) will enter into force, discussions on whether organisations should appoint a Data Protection Officer (“DPO”), and what qualifications such a person should have, have significantly increased.
The GDPR indeed imposes the obligation to appoint a DPO on all public authorities and also on private companies that conduct “heavy” data processing activities, namely those whose core activity is either to systematically monitor individuals on a large scale or to process special categories of personal data on a large scale. The appointment of a DPO is most probably the obligation of the GDPR that has attracted the most attention.
Recently the Greek Data Protection Authority (“DPA”) issued an announcement regarding the certification of DPOs, which came as a response to the overwhelming increase of educational programs and seminars currently offered in the Greek market and the provision of certification services for DPOs locally.
In its announcement the DPA made clear that:
- the GDPR neither imposes an obligation for certification of a DPO nor does it encourage such certification on a voluntary basis
- the offered seminars or programs do not constitute a certification of professional qualifications or skills of a DPO and
- currently there is no accredited organisation in Greece that may provide such certifications.
The above announcement of the DPA, which generally follows the views adopted by the Working Party of Article 29 in the Guidelines on DPOs issued on 13.12.2016, puts things straight as regards the professional skills and certifications required for DPOs. There is no doubt that the DPO should have a good level of knowledge of data protection laws and practices, but this knowledge should not be based merely on, or evidenced merely by, the DPO's participation in educational programs whose scope and quality are solely determined by the organisations that offer them. In any event, the DPA adds that the existence of educational seminars is a positive step forward, since they contribute to the growth of knowledge regarding GDPR and data protection issues in general.