Fran­ce, Luxem­bourg and Bel­gi­um: The­se requi­re­ments app­ly to data pro­tec­tion officers

In recent weeks, both the French data pro­tec­tion super­vi­so­ry aut­ho­ri­ty Com­mis­si­on Natio­na­le de l’In­for­ma­tique et des Liber­tés (CNIL) (PDF only in French) and the Luxem­bourg data pro­tec­tion super­vi­so­ry aut­ho­ri­ty Com­mis­si­on natio­na­le pour la pro­tec­tion des don­nées (CNPD) (PDF only in French) have issued state­ments on requi­re­ments for com­pa­ny data pro­tec­tion offi­cers. Pre­vious­ly, the Bel­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, the Auto­ri­té de pro­tec­tion des don­nées (APD) (PDF only in French), had alrea­dy com­men­ted on this. We take the­se opi­ni­ons and decisi­ons as an oppor­tu­ni­ty to pre­sent the requi­re­ments for the qua­li­fi­ca­ti­ons of a data pro­tec­tion offi­cer in this arti­cle and to take a clo­ser look at the spe­cial fea­tures in Fran­ce, Luxem­bourg and Belgium.

Pro­fes­sio­nal qua­li­fi­ca­ti­ons and exper­ti­se of data pro­tec­tion officers

Pur­suant to Arti­cle 37(5) GDPR, the Data Pro­tec­tion Offi­cer is to be appoin­ted on the basis of his/her pro­fes­sio­nal qua­li­fi­ca­ti­ons and exper­ti­se in the field of data pro­tec­tion law and prac­ti­ce, as well as his/her abi­li­ty to per­form the duties pur­suant to Arti­cle 39 GDPR.

The pro­fes­sio­nal qua­li­fi­ca­ti­ons and exper­ti­se of data pro­tec­tion offi­cers are always a sub­ject of dis­pu­te when review­ed by the data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, even in other Euro­pean coun­tries. Even though a data pro­tec­tion offi­cer does not have to have under­go­ne any spe­ci­fic pro­fes­sio­nal trai­ning to be able to per­form the func­tion, super­vi­so­ry aut­ho­ri­ties pay strict atten­ti­on to ensu­ring that the offi­cer is also able to per­form the duties assi­gned to him or her in accordance with the GDPR.

For examp­le, the Bel­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty APD impo­sed a fine against a muni­ci­pa­li­ty (PDF only in French) becau­se the muni­ci­pa­li­ty was unab­le to ade­qua­te­ly exp­lain why the appoin­ted data pro­tec­tion offi­cer was sui­ta­ble to per­form his func­tion. In the cour­se of the review, APD in par­ti­cu­lar did not accept the argu­ment that the muni­ci­pa­li­ty had selec­ted the “most sui­ta­ble” can­di­da­te: Just becau­se a cer­tain per­son is the most sui­ta­ble among several can­di­da­tes or app­li­cants does not mean that he or she is actual­ly sui­ta­ble. In its decisi­on, APD stres­sed the impor­t­ance of paying atten­ti­on to both the legal and tech­ni­cal skills of the DPO.

The Luxem­bourg data pro­tec­tion super­vi­so­ry aut­ho­ri­ty CNPD recent­ly took a dif­fe­rent approach: In a decisi­on dated 13 Octo­ber 2021, it impo­sed a fine on a com­pa­ny becau­se the company’s data pro­tec­tion offi­cer did not have at least three years of pro­fes­sio­nal expe­ri­ence in the field of data pro­tec­tion (PDF only in French). Such pro­fes­sio­nal expe­ri­ence, the CNPD argued, is requi­red to demons­tra­te the necessa­ry qualifications.

Neit­her the Ger­man super­vi­so­ry (PDF) aut­ho­ri­ties nor the French CNIL in their new­ly publis­hed gui­de­li­nes for data pro­tec­tion com­mis­sio­ners (PDF only in French) requi­re such a peri­od of pro­fes­sio­nal expe­ri­ence for the pro­per appoint­ment of data pro­tec­tion offi­cers. Howe­ver, the requi­re­ments for the qua­li­fi­ca­ti­ons and sui­ta­bi­li­ty of DPOs must also be docu­men­ted in detail in the case of doubt.

In order to demons­tra­te suf­fi­ci­ent exper­ti­se in data pro­tec­tion law, it is necessa­ry for the per­son appoin­ted as data pro­tec­tion offi­cer to be fami­li­ar with all data pro­tec­tion regu­la­ti­ons rele­vant to the pro­ces­sing ope­ra­ti­ons of the respec­ti­ve enti­ty and also to be able to app­ly them, inclu­ding area-specific data pro­tec­tion regulations.

As a rule, howe­ver, such know­ledge can only be achie­ved through perio­dic fur­ther edu­ca­ti­on and trai­ning of the data pro­tec­tion offi­cer, sin­ce new tech­no­lo­gies and chan­ging legal requi­re­ments must con­stant­ly be taken into account. In order to enab­le this trai­ning and to pro­vi­de the tech­ni­cal and human resour­ces, the con­trol­ler or pro­ces­sor are obli­ged as fol­lows from the appoint­ment of the data pro­tec­tion offi­cer pur­suant to Arti­cle 38(2) GDPR: “The Con­trol­ler and Pro­ces­sor shall sup­port the Data Pro­tec­tion Offi­cer in the per­for­mance of his or her duties pur­suant to Arti­cle 39 by pro­vi­ding the resour­ces and access to per­so­nal data and pro­ces­sing ope­ra­ti­ons necessa­ry for the per­for­mance of tho­se duties and the resour­ces necessa­ry to main­tain his or her expertise.”

In spe­ci­fic cases, an alter­na­ti­ve to full qua­li­fi­ca­ti­ons on the part of the data pro­tec­tion offi­cer may be to call in exter­nal experts to sup­ple­ment the officer’s own exper­ti­se. The fact that such an approach satis­fies the legal requi­re­ments has alrea­dy been con­fir­med by the Sta­te Labour Court of Mecklenburg-Vorpommern in its judgment of 25 Febru­a­ry 2020 (Case No. 5 Sa 108/19) (only in Ger­man): “If the data pro­tec­tion offi­cer has his or her own qua­li­fi­ca­ti­ons in only one sub­area, it is suf­fi­ci­ent if he or she is able to rely on expert co-workers for the rest.”

The aca­de­mic lite­ra­tu­re is near­ly unani­mous in the opi­ni­on that the data pro­tec­tion offi­cer should “seek advice from lawy­ers and data secu­ri­ty experts if necessa­ry” (Taeger/Gabel/Scheja, 3rd Edi­ti­on 2019, Arti­cle 37 GDPR, Mar­gi­nal No. 65) and that “the pos­si­bi­li­ty (which exists at all times and is not limi­ted by pri­or appro­val requi­re­ments in spe­ci­fic cases, but at most by an ade­qua­te over­all bud­get) to obtain exter­nal legal advice or invol­ve IT spe­cia­lists in cases of more com­pli­ca­ted pro­blems” can com­pen­sa­te for any mis­sing qua­li­fi­ca­ti­ons on the part of the data pro­tec­tion offi­cer (Kühling/Buchner/Bergt, 3rd Edi­ti­on 2020, Arti­cle 37 GDPR, Mar­gi­nal No. 34).

In addi­ti­on to con­ser­ving the company’s own per­son­nel resour­ces and capa­ci­ties, such an approach also has the advan­ta­ge that the per­son appoin­ted as data pro­tec­tion offi­cer does not have to be equal­ly qua­li­fied in all are­as of data pro­tec­tion law. In prac­ti­ce, the selec­ti­ve use of exter­nal experts when necessa­ry is the­re­fo­re often the more sui­ta­ble opti­on and is also par­ti­cu­lar­ly sui­ta­ble for absor­bing peak workloads.

Sum­ma­ry

Nume­rous decisi­ons alrea­dy issued and fines impo­sed on com­pa­nies due to the fail­u­re to appoint or the incor­rect appoint­ment of a data pro­tec­tion offi­cer show that this requi­re­ment in the GDPR and the Ger­man Federal Data Pro­tec­tion Act (BDSG) is high­ly rele­vant. Due to the com­ple­xi­ty of the spe­ci­fi­ca­ti­ons and the legal requi­re­ments, avo­ida­ble errors regu­lar­ly even occur when the data pro­tec­tion offi­cer per­forms his or her duties.

In addi­ti­on to the pro­per appoint­ment and qua­li­fi­ca­ti­ons of the data pro­tec­tion offi­cer, com­pa­nies should the­re­fo­re make use of exter­nal and spe­cia­li­sed legal advice to avoid fines, espe­cial­ly in the case of com­plex issues.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.