DPO Certification

(Data Protection Officer)

The DPO was created by the publication of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 (in short: GDPR) on the protection of individuals with regard to the processing and free movement of personal data, and repealing Directive 95/46/EC (General Regulation on data protection):

  • The GDPR specifies in its recital (77): “Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer.”
  • The GDPR specifies in Section 4, Articles 37, 38 and 39, the designation, functions and missions of the DPO.



  • Mr. Yoann SIBILLE, lawyer at the Versailles Bar, digital and personal data law expert
  • Romain LEBLOND, legal expert in digital and personal data law
  • Benjamin KORNHAUSER, information systems security expert
  • Anouar JAOUHARI, information systems security expert

The DPO certification program stems from the work carried out in the summer of 2017 by a group of experts, which resulted in a “common core” DPO Foundation defining the first level of a DPO certification, characterized by knowledge of the fundamentals of personal data protection:

  • Knowledge of GDPR definition and terminology
  • General knowledge of GDPR requirements
  • Knowledge of DPO functions and missions
  • Knowledge of required methods and tools

The DPO certification scheme supports two main trades on this common core:

The DPO, with the full range of competencies described in Articles 38 and 39 of the GDPR.

The DPO Auditor, whose role will be to monitor compliance with the rules of the GDPR in the evaluated company.

  • Note 1: The DPO Foundation does not claim to fully meet the requirements set out in Articles 37, 38 and 39 of the GDPR for the Data Protection Officer.
  • Note 2: DPO at level 2 of the Consulting Assistance channel is a temporary denomination which simply shows that it meets the requirements of the GDPR concerning the Data Protection Officer. Other denominations may be studied (e.g. DPO-Compliant, DPO-GDPR… or others) but this does not change its content.
  • Note 3: As the DPO role has been created by EU law, the basic knowledge to be certified is based solely on the European Regulation. The other levels of certification will allow for further development and adaptation according to the respective national legislation.
  • Note 4: Since the DPO function was recently created and could not yet be put into practice, no case law is available by its very nature. This makes it mandatory to regularly update this certification.
  • Note 5: In general, it is clarified that the Regulation itself provides that provisions of future domestic law may adapt or limit the effect of certain provisions (e.g. Article 23) or, on the contrary, extend them (e.g. cases of designation of the DPO). This makes it mandatory to regularly update this certification.

Level 1 Certification: DPO Foundation

The DPO Foundation level is the common core of knowledge shared by all the professions in the DPO certification scheme. It is not a profession in itself, but the totality of the knowledge it brings together makes it possible to certify it. The DPO Foundation certification thus responds to the need to ensure that, despite very different trades and professional experience, candidates for the DPO function as required by the GDPR have reached a sufficient level of knowledge to contribute or collaborate in this function, pending DPO or DPO Auditor certification. It is therefore a prerequisite to apply for a Level 2 assessment in the DPO certification scheme. The DPO Foundation certification attests to its holder’s ability to take part in activities assigned to the DPO defined by the GDPR, in the form of performing tasks, liaising and contributing to projects or tasks specified to them. The person carrying out the activities described under the name “DPO Foundation” contributes to the activities of the DPO as required by the GDPR, without being able to hold a DPO position.

Back to the regulatory fundamentals… The implementation by the DPO of activities related to the protection of personal data within the meaning of the original data base requires the special skills addressed in the following extracts from the GDPR:
Article 37 Designation of the data protection officer
5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Article 39 Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.