Data Protection Officer: professional skills and requirements

By | Monday May 25th, 2015

Pursuant to article 35 c. 5 of the General Data Protection Regulation (Regulation COM(2012)11), Data Protection Officer (DPO) must have professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfill the tasks referred into the following article 37.

This would means that the level of required expert knowledge of the DPO candidate should be determined by the employer that must take into account the required professional skills, level of expert knowledge and the candidate’s ability to fulfill the tasks allocated by the Regulation.

First of all, the employer (the controller) should consider:

1) The nature of the processing carried out and the required level of data protection;

2) Extension of his organization in the EU territory. Where an organization operates in multiple EU Member States the DPO would need to demonstrate relevant expert knowledge of each Member State’s data protection law;

3) Relevant experience of DPO on how the laws operate in practice (e.g., the inevitable local differences in approach between data protection authorities, and the cultural expectations of local data subjects).

As prescribed by article 36 c. 2 the employer shall ensure that the DPO performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. Moreover, the DPO shall directly report to the management of the organization.

However, the requirement for independence may create conflicts of interests between DPO and management. There is a concrete risk that the DPO will not be fully integrated into and involved by the organization. DPO’s activities could be viewed internally with suspicious. This would prevent the DPO from being involved in new projects of products and services, failing to comply with new obligations of privacy by design and privacy by default, as prescribed by the Regulation. 

Category: Data Protection Officer Tags: , , , , , ,

About Guglielmo Troiano

Lawyer in Milan, Senior Legal Consultant at Partners4Innovation (Digital360 Group), with a technical background coming from being an IT Analyst for several years before practicing law. Currently advises companies, mostly software houses and ISPs, regarding civil liability, IP negotiation, ICT contracts, competition, trademarks, domain names, data protection (privacy) and IT security, on both transactional and litigation aspects. From 2009 to 2014 he worked as scholar at University of Milan, chair of Legal Informatics, where he did lectures for students and attendees of Post-Graduate Course in Digital Forensics, Privacy, Cloud e Cyber Warfare (edition 2014). He was partner of Array, a high specialized law firm in IT law.

One thought on “Data Protection Officer: professional skills and requirements

Leave a Reply