The new General Data Protection Regulation (GDPR) along with its new requirements will come into force in May 25th 2018. The regulatory framework regarding data controllers and data processors will transform completely, while in some cases of data processing by a company a Data Protection Officer (DPO) shall be compulsory appointed. But what is really the case behind this much discussed Certification that companies can acquire? What is provided in the GDPR and what is the reality about Certifications in Greece? In this article we will present the new provisions regarding the Data Protection Officer (DPO) and how can one be certified as DPO based on Greek and European legislation.
Designation of DPO
Article 37 of the GDPR introduces for the first time the position of DPO and according to it the controller and the processor shall designate a DPO in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data such as genetic or biometric data, health data and also personal data relating to criminal convictions and offences referred to in Article 10.
Hospitals, insurance companies, banks, companies processing online data for advertising purposes and pharmaceutical companies that process sensitive personal data fall within the concept of large scale activities.
Position and tasks of DPO in a company
Essentially the Data Protection Officer will play a prominent role as the contact point between the company acting as a controller or processor and the supervisory authority on issues relating to processing, as explicitly mentioned in article 39 of the GDPR. The role of DPO is mainly advisory and supportive and he must be able to act independently inside the company. The Data Protection Officer shall at all times inform and advise the data controller or the data processor and the company’s staff for every legislative imperative regarding data protection and monitor the compliance with the Regulation in order to minimize the risk of a data breach, taking always into account the risk associated with the process of data, the nature, the context and the purpose of the process. Furthermore, article 38 of the GDPR states that the Data Protection Officer shall directly report to the highest management level of the controller or the processor, he will not receive any instructions regarding the exercise of his tasks, he shall not be dismissed or penalized for performing his tasks and he will not be held liable for the non-compliance of the data controller or data processor.
Is there a possibility for Certification according to the GDPR?
The possibility for the controller or the processor of personal data to acquire a certification is introduced for the first time in the new General Data Protection Regulation. In contrary to what was set out in Directive 95/46/EE, the GDPR explicitly acknowledges certifications -as well as seals and marks- as acceptable mechanisms for demonstrating compliance with the requirements of the Regulation, but always under certain conditions.
In particular, an explicit reference to the Certification possibilities, with a maximum duration of three years, is made in article 42 of the GDPR. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities.
But what can be certified, is the adherence (or else: compliance) with the qualification criteria specified in GDPR. Compliance with these criteria implies that a controller or processor has taken steps to ensure that he meets certain requirements for a certain period of time. Moreover as explicitly stated in the Regulation, holding a Certification is voluntary (not mandatory) and is acquired through a transparent process.
The above Certifications are provided by the competent supervisory authority or by the certification bodies which are explicitly mentioned in the Regulation and have the ability to provide certifications to any organization. This certification bodies can provide Certifications only after acquiring a license, as provided in article 43 of the GDPR, by:
- a) the Hellenic Personal Data Protection Authority or/and
- b) the National Accreditation Body designated in accordance to Regulation no. 765/2008.
What is the reality behind entities providing GDPR Certifications in Greece?
The Hellenic Personal Data Protection Authority and the accredited bodies, which have acquired a license by the Personal Data Protection Authority or the National Accreditation Body, have the exclusive competence to provide a Certification in Greece. Nonetheless, the Personal Data Protection Authority following the numerous education programs/ seminars which are offered in order to acquire a Data Protection Officer (DPO) certificate, has made clear, via an official announcement in its website, that no entity in Greece has been qualified to provide certifications regarding the professional qualifications/ skills of a DPO. Therefore, any existing DPO certificate offered until now is not an official Hellenic certification. In fact, the Data Protection Authority stated that the GDPR does not set any requirement for a DPO certificate and does not even encourages such certification.
Similarly the Belgian Data Protection Authority with its decision no. 4/2017 stated that according to the GDPR, the appointment of a DPO requires no diploma or special certificate. Moreover, the Opinion issued by the European Network and Information Security Agency (ENISA) is of key importance as it explicitly states that any certificate provided for the controller or processor of personal data is not automatically the certification mechanism for data protection provided by GDPR. Finally, as pointed out by ENISA, the certification under the GDPR concerns solely the controller or the processor and not any other person or entity.
Our law firm’s comment:
The upcoming implementation of the new General Data Protection Regulation (GDPR) and the changes that it will bring to any company, which will be characterized as controller or processor are numerous and multilayered. The new Regulation will bring new challenges regarding the way that personal data are processed and protected, including the new position of DPO. However, the need of compliance with the GDPR must not be translated as a need to acquire any kind of certificate but it must lead to a change in the way that companies acting as a controller or processor deal with personal data.