This post was written by Nick Tyler and Moritz Wagner.
The German data protection authorities (DPAs) have recently passed a resolution setting minimum requirements for the competency and independence of company data protection officers (DPOs).
This initiative follows inspections carried out within companies that revealed a generally insufficient level of competency among DPOs, as well as insufficient organizational frameworks and resources for data protection compliance on the part of data controllers, in particular given the ever-increasing complexities of automated processing of personal data and the requirements of the Federal Data Protection Act.
The resolution should be read as a warning from the DPAs that companies must not view the appointment of a DPO as a mere formality, but must ensure that the DPO has sufficient competency and independence and is provided with the necessary support and resources to do his or her job effectively. The resolution also shows that DPAs will increasingly monitor compliance with these requirements.
We have published a Client Alert which provides more detail about the new requirements and the consequences of non-compliance.