Several novelties are enshrined in the General Data Protection Regulation (GDPR) as regards the position of data protection officer (DPO). Organisations are required, for the first time across the European Union (EU), to designate a DPO (in-house or by delegation) (Art 37 GDPR); the pre-GDPR regime did not foresee a mandatory requirement at EU level. The tasks of the DPO are listed (Art 39 (1) GDPR), while ‘certification’ may be provided using ‘seals and marks’ (Art 42 GDPR) to be delivered by accredited certification bodies (Art 43 GDPR). These provisions notwithstanding, the GDPR regulates neither the training, nor the certification of DPOs, thus leaving a wide margin of appreciation to national regulators. The present article will compare and contrast the national frameworks adopted by the data protection authorities (DPAs) of France and Spain. These two case studies represent two rather dissimilar approaches to the implementation of the said GDPR provisions. It seems likely that more individuals will over time have been certified by the French, than by the Spanish DPA, as the former represents a more pragmatic approach than the latter. The article also looks into EU frameworks for the validation of competences and skills which might be used as a source of inspiration, should DPAs decide, ideally within the European Data Protection Board (EDPB), to bring about a more unified approach to DPO certification.
