France, Luxembourg and Belgium: These requirements apply to data protection officers
In recent weeks, both the French data protection supervisory authority Commission Nationale de l'Informatique et des Libertés (CNIL) (PDF only in French) and the Luxembourg data protection supervisory authority Commission nationale pour la protection des données (CNPD) (PDF only in French) have issued statements on requirements for company data protection officers. Previously, the Belgian data protection supervisory authority, the Autorité de protection des données (APD) (PDF only in French), had already commented on this. We take these opinions and decisions as an opportunity to present the requirements for the qualifications of a data protection officer in this article and to take a closer look at the special features in France, Luxembourg and Belgium.
Professional qualifications and expertise of data protection officers
Pursuant to Article 37(5) GDPR, the data protection officer is to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice, as well as the ability to fulfil the tasks referred to in Article 39 GDPR.
The professional qualifications and expertise of data protection officers are a recurring point of contention whenever a supervisory authority reviews an appointment, and this holds in other European countries as well. Although a data protection officer is not required to have completed any particular professional training in order to hold the position, supervisory authorities check closely whether the officer is actually able to perform the duties assigned to him or her under the GDPR.
For example, the Belgian data protection supervisory authority APD imposed a fine against a municipality (PDF only in French) because the municipality was unable to adequately explain why the appointed data protection officer was suitable to perform his function. In the course of the review, APD in particular did not accept the argument that the municipality had selected the "most suitable" candidate: Just because a certain person is the most suitable among several candidates or applicants does not mean that he or she is actually suitable. In its decision, APD stressed the importance of paying attention to both the legal and technical skills of the DPO.
The Luxembourg data protection supervisory authority CNPD recently took a different approach: In a decision dated 13 October 2021, it imposed a fine on a company because the company's data protection officer did not have at least three years of professional experience in the field of data protection (PDF only in French). Such professional experience, the CNPD argued, is required to demonstrate the necessary qualifications.
Neither the German supervisory authorities (PDF) nor the French CNIL in its newly published guidelines for data protection officers (PDF only in French) require such a minimum period of professional experience for the proper appointment of a data protection officer. Nevertheless, the qualifications and suitability of the DPO must be documented in detail so that they can be demonstrated if they are called into doubt.
In order to demonstrate sufficient expertise in data protection law, the person appointed as data protection officer must be familiar with all data protection rules relevant to the processing operations of the respective entity, including sector-specific data protection rules, and must also be able to apply them.
As a rule, however, such knowledge can only be built up and maintained through periodic further education and training of the data protection officer, since new technologies and changing legal requirements must constantly be taken into account. To make this training possible and to provide the necessary technical and human resources, Article 38(2) GDPR obliges the controller or processor, from the moment the data protection officer is appointed, as follows: "The Controller and Processor shall support the Data Protection Officer in the performance of his or her duties pursuant to Article 39 by providing the resources and access to personal data and processing operations necessary for the performance of those duties and the resources necessary to maintain his or her expertise."
In specific cases, an alternative to full qualifications on the part of the data protection officer may be to call in external experts to supplement the officer's own expertise. The fact that such an approach satisfies the legal requirements has already been confirmed by the State Labour Court of Mecklenburg-Vorpommern in its judgment of 25 February 2020 (Case No. 5 Sa 108/19) (only in German): "If the data protection officer has his or her own qualifications in only one subarea, it is sufficient if he or she is able to rely on expert co-workers for the rest."
The academic literature is nearly unanimous in the opinion that the data protection officer should "seek advice from lawyers and data security experts if necessary" (Taeger/Gabel/Scheja, 3rd Edition 2019, Article 37 GDPR, Marginal No. 65) and that "the possibility (which exists at all times and is not limited by prior approval requirements in specific cases, but at most by an adequate overall budget) to obtain external legal advice or involve IT specialists in cases of more complicated problems" can compensate for any missing qualifications on the part of the data protection officer (Kühling/Buchner/Bergt, 3rd Edition 2020, Article 37 GDPR, Marginal No. 34).
In addition to conserving the company's own personnel resources and capacities, such an approach has the advantage that the person appointed as data protection officer does not have to be equally qualified in all areas of data protection law. In practice, the selective use of external experts where necessary is therefore often the more appropriate option, and it is also well suited to absorbing peak workloads.
The numerous decisions already issued and fines already imposed on companies for failing to appoint a data protection officer, or for appointing one incorrectly, show how much weight supervisory authorities attach to this requirement of the GDPR and the German Federal Data Protection Act (BDSG). Because of the complexity of the rules and the legal requirements, avoidable errors also occur regularly in the way the data protection officer performs his or her duties.
In addition to the proper appointment and qualifications of the data protection officer, companies should therefore make use of external and specialised legal advice to avoid fines, especially in the case of complex issues.