On October 11, 2018, the French data protection authority (the “CNIL”) announced that it adopted two referentials (i.e., guidelines) on the certification of the data protection officer (“DPO”). View the announcement (in French). The referentials include:
- a certification referential that sets forth the conditions regarding the admissibility of DPO applications, and lists 17 qualifications that the DPO must have in order to be certified as a DPO by a certification body approved by the CNIL; and
- an accreditation referential that outlines the criteria organizations must satisfy in order to be accredited by the CNIL as certification bodies.
The French Data Protection Act, as amended on June 20, 2018 to supplement the GDPR, allows the CNIL to draft certification criteria and approve certification bodies for the purpose of certifying individuals as DPOs.
The CNIL adopted the referentials for the certification of DPOs on this basis, following a public consultation held from May 23, 2018 to June 22, 2018. The CNIL received about 200 contributions from DPOs (or prospective DPOs), data controllers and data processors in different industries, as well as certification bodies. According to the CNIL, this consultation helped it strike “the most appropriate balance” between the knowledge and skills that a DPO must have and the expectations of privacy professionals.
Certification of the DPO
The certification of a DPO based on the standards of the CNIL’s referential is not a prerequisite in order to be appointed as a DPO with the CNIL and fulfill the responsibilities of a DPO. It is a purely voluntary process to assist in demonstrating compliance with the GDPR requirements. Article 37(5) of the GDPR requires that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the [DPO] tasks.”
In the CNIL’s view, the certificate is a vote of confidence not only for the organization that has a certified DPO, but also for its clients, vendors, employees or agents, since that organization will be able to demonstrate that the DPO has the required level of expertise and skills.
The certification will only be available to individuals (and not to legal persons). The CNIL itself will not grant the certification; it will be issued by certification bodies once the CNIL has accredited the first such bodies in 2019.
Prerequisites to Certification and Certification Criteria
To be eligible for certification, candidates will need to fulfill one of the following conditions:
- professional experience of at least 2 years in projects, activities or tasks related to data protection and the tasks of a DPO; or
- professional experience of at least 2 years in any field, with at least 35 hours of data protection training administered by a training body.
Candidates will also need to successfully complete a written test consisting of at least 100 multiple choice questions, 30% of which will be presented in the form of case studies. These questions aim to test the skills listed in the CNIL’s DPO certification referential, which include knowledge of fundamental data protection principles, the ability to draft and implement data protection policies, and the ability to assist with data protection impact assessments, among many other skills.
Successful candidates will obtain a certification that will be valid for three years, which may be renewed provided that the DPO passes the test again at the end of this three-year term. As the test will be available in French only, this voluntary certification mechanism is intended to apply to DPOs in France or French-speaking DPOs.