The GDPR indeed establishes the obligation for a DPO on all public authorities and also on these private companies that conduct “heavy” data processing activities, namely their core activity is either to monitor individuals systematically and on a large scale or to process special categories of personal data on a large scale as well. The appointment of a DPO is most probably the obligation of the GDPR that has attracted most attention.
Recently the Greek DPA issued an announcement regarding the certification of DPOs, which most probably came as a response to the overwhelming increase of educational programs and seminars currently offered in the Greek market and the provision of certification services for DPOs locally.
In its announcement the DPA made clear th
- the GDPR neither imposes an obligation for certification of a DPO nor does it encourage such certification on a voluntary basis
- the offered seminars or programs do not constitute a certification of professional qualifications or skills of a DPO and
- currently there is no accredited organisation in Greece that may provide such certifications.
The above announcement of the DPA, which generally follows the views adopted by the Working Party of Article 29 in the Guidelines on DPOs issued on 13.12.2016, puts things straight regarding the professional skills and certifications required for DPOs. There is no doubt that the DPO should have a good level of knowledge of data protection laws and practices, but this knowledge should not be merely based or evidenced by the DPOs participation in an educational program, which is determined both in terms of scope and quality by the organisations that offer them.
Article provided by:
- Takis Kakouris, Partner, Zepos & Yannopoulos
- Mary Deligianni, Senior Associate, Zepos & Yannopoulos