Data protection officers will need to be previously certified

Written on 9 Aug 2017

The Spanish Data Protection Agency has released its “Data Protection Officers Certification Scheme” dated 10 July 2017. This document adds to the growing list of interpretative and practical tools developed by this Spanish authority since the publication of the General Data Protection Regulation at EU level in 2016.

The Spanish Data Protection Agency (“Spanish DPA”), jointly with the National Certification Entity, has published a document aimed at regulating the framework within which data protection officers (“DPO”) will need to be certified with a view to providing this new figure (at least, at a legal level in Spain) with a system of minimum guarantees and requisites.

The new General Data Protection Regulation (“GDPR”, Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) establishes the obligation for companies, organisations and administrations to appoint a DPO as an aid to ensure their compliance with their own obligations as data controllers or processors of personal data, provided that some conditions established by Article 37 are met.

For the Spanish addressees of the GDPR the DPO is regulated for the first time; it was not regulated previously in the Spanish national data protection laws. However, this figure has played a main role in the national laws of other EU Member States. Some of them, such as Germany and Croatia, provide for a general obligation of appointing a DPO, while others, such as Finland (healthcare service operators) or Hungary (financial institutions, public utility entities, and telecoms entities), require the appointment of a DPO by entities operating in certain sectors.

DPOs, as regulated in the GDPR, have been interpreted in the guide issued by the Article 29 Working Party, in particular in relation to those cases where their appointment is mandatory pursuant to the GDPR. The main message conveyed by the Article 29 Working Party is that addressees are encouraged to appoint a DPO on a voluntary basis, even in those cases where it is not mandatory by law. The appointment of a DPO shall be mandatory for any public authority or body, as well as for entities whose main activities require a “regular and systematic monitoring of data subjects on a large scale” or “consist of processing on a large scale of special categories of data”.

Said Working Party deals with essential aspects of the figure such as “large scale”, “main activities” and “regular and systematic monitoring of data subjects”, describing the factors that will be taken into account and offering practical examples. Other possibilities offered by the GDPR, such as the use of a DPO for several entities, are also dealt with in the guide.

The Data Protection Officers Certification Scheme of the Spanish Data Protection Agency (“Scheme”) uses a four-fold organic structure, namely: the Spanish DPA, as proprietor of the Scheme and responsible for its development; the National Certification Entity, the sole body with powers to certify the certification entities taking part in the Scheme; the certification entities, which certify the DPOs and grant them the so-called “conformity mark”; and the training entities, which offer training that satisfies the pre-requisites for the certification of the DPOs.

In order to reach the certification requirements that DPOs must satisfy, the Scheme aims towards DPOs being qualified to carry out the tasks that any DPO would have, pursuant to Article 39 of the GDPR. An overview of them would be as follows:

  • To inform and advise the data controller or processor about their legal duties.
  • To supervise compliance with the GDPR and other related rules (either national or European), the allocation of responsibilities, personnel training, and audits carried out.
  • To cooperate with, and serve as a point of contact for, the supervisory authority.

The Scheme sets out an extensive list of capacities, competences and qualifications to be demonstrated by DPOs for discharging their duties as established in the GDPR and in the national laws of Member States. Competences can be brought together into a number of key tasks:

  • Assessment of the processing purposes and legal grounds on which they can be based.
  • Ascertaining the sectorial rules applicable.
  • Design of policies and schemes regarding the various obligations of data controllers and processors (e.g. information duties, data subjects’ rights requests, internal policies).
  • Implementation of privacy by default and privacy by design measures.
  • Identification of adequate tools to carry out international data transfers.
  • Ascertainment of the need for, and carrying out of, impact assessments.
  • Training and sensitisation of the data controller or processor personnel.

The Scheme also looks at identifying a number of pre-requisites of training and experience for the obtainment of the certification as DPO, which are complemented with a 150-question test divided into three blocks that correspond to effective knowledge of the laws, “active responsibility” (i.e. knowledge related to assessment and management of the risks in the processing, as well as data protection by design and by default), and expertise on techniques to secure compliance with the laws (i.e. audits).

It must be noted that the pre-requisites section sets out that their examination, as it refers to the GDPR, “will correspond to the one acquired after the date on which the GDPR enters into force: 25/5/2016”.

Lastly, it must be noted that the certification to be obtained will be valid for three years and must be renewed by evidencing both having received/lectured sufficient training and having a year of professional experience in projects related to the tasks pertaining to DPOs.