France, Luxem­bourg and Bel­gi­um: The­se requi­re­ments app­ly to data pro­tec­tion officers

In recent weeks, both the French data pro­tec­tion super­vi­so­ry aut­ho­ri­ty Com­mis­si­on Natio­na­le de l’In­for­ma­tique et des Liber­tés (CNIL) (PDF only in French) and the Luxem­bourg data pro­tec­tion super­vi­so­ry aut­ho­ri­ty Com­mis­si­on natio­na­le pour la pro­tec­tion des don­nées (CNPD) (PDF only in French) have issued state­ments on requi­re­ments for com­pa­ny data pro­tec­tion offi­cers. Pre­vious­ly, the Bel­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, the Auto­ri­té de pro­tec­tion des don­nées (APD) (PDF only in French), had alre­a­dy com­men­ted on this. We take the­se opi­ni­ons and decis­i­ons as an oppor­tu­ni­ty to pre­sent the requi­re­ments for the qua­li­fi­ca­ti­ons of a data pro­tec­tion offi­cer in this artic­le and to take a clo­ser look at the spe­cial fea­tures in France, Luxem­bourg and Belgium.

Pro­fes­sio­nal qua­li­fi­ca­ti­ons and exper­ti­se of data pro­tec­tion officers

Pur­su­ant to Artic­le 37(5) GDPR, the Data Pro­tec­tion Offi­cer is to be appoin­ted on the basis of his/her pro­fes­sio­nal qua­li­fi­ca­ti­ons and exper­ti­se in the field of data pro­tec­tion law and prac­ti­ce, as well as his/her abili­ty to per­form the duties pur­su­ant to Artic­le 39 GDPR.

The pro­fes­sio­nal qua­li­fi­ca­ti­ons and exper­ti­se of data pro­tec­tion offi­cers are always a sub­ject of dis­pu­te when review­ed by the data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, even in other Euro­pean count­ries. Even though a data pro­tec­tion offi­cer does not have to have under­go­ne any spe­ci­fic pro­fes­sio­nal trai­ning to be able to per­form the func­tion, super­vi­so­ry aut­ho­ri­ties pay strict atten­ti­on to ensu­ring that the offi­cer is also able to per­form the duties assi­gned to him or her in accordance with the GDPR.

For exam­p­le, the Bel­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty APD impo­sed a fine against a muni­ci­pa­li­ty (PDF only in French) becau­se the muni­ci­pa­li­ty was unable to ade­qua­te­ly explain why the appoin­ted data pro­tec­tion offi­cer was sui­ta­ble to per­form his func­tion. In the cour­se of the review, APD in par­ti­cu­lar did not accept the argu­ment that the muni­ci­pa­li­ty had sel­ec­ted the “most sui­ta­ble” can­di­da­te: Just becau­se a cer­tain per­son is the most sui­ta­ble among seve­ral can­di­da­tes or appli­cants does not mean that he or she is actual­ly sui­ta­ble. In its decis­i­on, APD stres­sed the importance of pay­ing atten­ti­on to both the legal and tech­ni­cal skills of the DPO.

The Luxem­bourg data pro­tec­tion super­vi­so­ry aut­ho­ri­ty CNPD recent­ly took a dif­fe­rent approach: In a decis­i­on dated 13 Octo­ber 2021, it impo­sed a fine on a com­pa­ny becau­se the company’s data pro­tec­tion offi­cer did not have at least three years of pro­fes­sio­nal expe­ri­ence in the field of data pro­tec­tion (PDF only in French). Such pro­fes­sio­nal expe­ri­ence, the CNPD argued, is requi­red to demons­tra­te the neces­sa­ry qualifications.

Neither the Ger­man super­vi­so­ry (PDF) aut­ho­ri­ties nor the French CNIL in their new­ly published gui­de­lines for data pro­tec­tion com­mis­sio­ners (PDF only in French) requi­re such a peri­od of pro­fes­sio­nal expe­ri­ence for the pro­per appoint­ment of data pro­tec­tion offi­cers. Howe­ver, the requi­re­ments for the qua­li­fi­ca­ti­ons and sui­ta­bi­li­ty of DPOs must also be docu­men­ted in detail in the case of doubt.

In order to demons­tra­te suf­fi­ci­ent exper­ti­se in data pro­tec­tion law, it is neces­sa­ry for the per­son appoin­ted as data pro­tec­tion offi­cer to be fami­li­ar with all data pro­tec­tion regu­la­ti­ons rele­vant to the pro­ces­sing ope­ra­ti­ons of the respec­ti­ve enti­ty and also to be able to app­ly them, inclu­ding area-specific data pro­tec­tion regulations.

As a rule, howe­ver, such know­ledge can only be achie­ved through peri­odic fur­ther edu­ca­ti­on and trai­ning of the data pro­tec­tion offi­cer, sin­ce new tech­no­lo­gies and chan­ging legal requi­re­ments must con­stant­ly be taken into account. In order to enable this trai­ning and to pro­vi­de the tech­ni­cal and human resour­ces, the con­trol­ler or pro­ces­sor are obli­ged as fol­lows from the appoint­ment of the data pro­tec­tion offi­cer pur­su­ant to Artic­le 38(2) GDPR: “The Con­trol­ler and Pro­ces­sor shall sup­port the Data Pro­tec­tion Offi­cer in the per­for­mance of his or her duties pur­su­ant to Artic­le 39 by pro­vi­ding the resour­ces and access to per­so­nal data and pro­ces­sing ope­ra­ti­ons neces­sa­ry for the per­for­mance of tho­se duties and the resour­ces neces­sa­ry to main­tain his or her expertise.”

In spe­ci­fic cases, an alter­na­ti­ve to full qua­li­fi­ca­ti­ons on the part of the data pro­tec­tion offi­cer may be to call in exter­nal experts to sup­ple­ment the officer’s own exper­ti­se. The fact that such an approach satis­fies the legal requi­re­ments has alre­a­dy been con­firm­ed by the Sta­te Labour Court of Mecklenburg-Vorpommern in its judgment of 25 Febru­ary 2020 (Case No. 5 Sa 108/19) (only in Ger­man): “If the data pro­tec­tion offi­cer has his or her own qua­li­fi­ca­ti­ons in only one sub­area, it is suf­fi­ci­ent if he or she is able to rely on expert co-workers for the rest.”

The aca­de­mic lite­ra­tu­re is near­ly unani­mous in the opi­ni­on that the data pro­tec­tion offi­cer should “seek advice from lawy­ers and data secu­ri­ty experts if neces­sa­ry” (Taeger/Gabel/Scheja, 3rd Edi­ti­on 2019, Artic­le 37 GDPR, Mar­gi­nal No. 65) and that “the pos­si­bi­li­ty (which exists at all times and is not limi­t­ed by pri­or appr­oval requi­re­ments in spe­ci­fic cases, but at most by an ade­qua­te over­all bud­get) to obtain exter­nal legal advice or invol­ve IT spe­cia­lists in cases of more com­pli­ca­ted pro­blems” can com­pen­sa­te for any miss­ing qua­li­fi­ca­ti­ons on the part of the data pro­tec­tion offi­cer (Kühling/Buchner/Bergt, 3rd Edi­ti­on 2020, Artic­le 37 GDPR, Mar­gi­nal No. 34).

In addi­ti­on to con­ser­ving the company’s own per­son­nel resour­ces and capa­ci­ties, such an approach also has the advan­ta­ge that the per­son appoin­ted as data pro­tec­tion offi­cer does not have to be equal­ly qua­li­fied in all are­as of data pro­tec­tion law. In prac­ti­ce, the sel­ec­ti­ve use of exter­nal experts when neces­sa­ry is the­r­e­fo­re often the more sui­ta­ble opti­on and is also par­ti­cu­lar­ly sui­ta­ble for absor­bing peak workloads.


Num­e­rous decis­i­ons alre­a­dy issued and fines impo­sed on com­pa­nies due to the fail­ure to appoint or the incor­rect appoint­ment of a data pro­tec­tion offi­cer show that this requi­re­ment in the GDPR and the Ger­man Fede­ral Data Pro­tec­tion Act (BDSG) is high­ly rele­vant. Due to the com­ple­xi­ty of the spe­ci­fi­ca­ti­ons and the legal requi­re­ments, avo­ida­ble errors regu­lar­ly even occur when the data pro­tec­tion offi­cer per­forms his or her duties.

In addi­ti­on to the pro­per appoint­ment and qua­li­fi­ca­ti­ons of the data pro­tec­tion offi­cer, com­pa­nies should the­r­e­fo­re make use of exter­nal and spe­cia­li­sed legal advice to avo­id fines, espe­ci­al­ly in the case of com­plex issues.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.