Should the data protection officer be designated based on the same qualifications as it was for the
The requirements imposed on data protection officers by the GDPR are similar to those previously imposed on AIS, but are not identical. According to Article 36a(5)(2) of the Act of August 29, 1997 on the Protection of Personal Data, a person appointed to the position of AIS should have had relevant knowledge in the field of personal data protection. The GDPR, on the other hand, stipulates in Article 37(5) that the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
The level of expertise required from an inspector is not explicitly stated anywhere, but according to the Article 29 Working Party's Guidelines on Data Protection Officers (WP 243), it must be commensurate with the sensitivity, complexity and amount of data an organisation processes. A higher level of expertise should be required, for example, in the case of extremely complex processing, processing of a large amount of special category personal data or organisations that regularly transfer data to third countries.
The DPO should have relevant knowledge of national, European and sectoral data protection laws and practices, as well as in-depth knowledge of the GDPR. At the same time, he or she should have adequate knowledge of processing operations, IT systems and safeguards in place at the controller’s, the sector in which the controller operates, administrative procedures and the operation of the organisation.
Assessing the ability to perform the tasks requires consideration of the nature and scope of the inspector's tasks, several of which are new compared to the requirements for the AIS. Under the provisions of the GDPR, the inspector is required, among other things, to identify the various obligations imposed by the GDPR on the controller (including management and all persons processing personal data) and the processor (including management and all persons processing personal data), inform about them, and advise on those obligations. Special substantive preparation is required to provide advice to the controller and processor on data protection impact assessments (for more on the inspector's role in data protection impact assessments, see the WP29 Guidelines on Data Protection Officers (WP 243) and the WP29 Guidelines on Data Protection Impact Assessment). An important new task is the obligation to act as the contact point for the supervisory authority as well as for data subjects (Article 38(4) of the GDPR).
The Article 29 Working Party, in its Guidelines on Data Protection Officers with regard to the DPO's ability to perform his or her tasks, indicates that the priority for the DPO should be to ensure compliance with the regulation. The DPO is therefore expected to play a key role in fostering a "culture of data protection" and help implement the essential elements of the GDPR, including, in particular, new obligations such as data protection by design and by default, records of processing activities and notification of data breaches.
The importance of expertise in law and practice is further emphasized by the obligation of data controllers and processors to provide the data protection officer with the resources necessary to maintain his or her expert knowledge (Article 38(2) GDPR). Although the GDPR very strongly emphasizes the requirement for the DPO's knowledge and expertise, it does not regulate the rules or procedure for verifying that this requirement is met. Nevertheless, certificates, diplomas and other documents certifying the knowledge and experience of the inspector will undoubtedly be an important qualification criterion in most cases and an argument in favour of the person designated to perform this position.