The sentence no. 287/2018 filed 13 on September 13th by the Regional Administrative Court for Friuli-Venezia Giulia, represents one of the very first decisions regarding the assignment of the Data Protection Officer (DPO, Data Protection Officer), as provided by the General Data Protection Regulation (RGPD).
The case that is the subject of the sentence, originates from the declaration of inadmissibility of an application for participation in a public notice of a Health Company, concerning the assignment of the professional collaboration appointment as DPO. The aforementioned public notice provided for certain requirements for participation in the selection, In fact, it required "the possession. for each candidate. of the degree in Computer Science or Computer Engineering, or in Law or equivalent, as well as the certification of Auditor / Lead Auditor for the Safety Management Systems of the Information according to ISO / IEC / 27001", -, -, -, ..
the applicant stated that he had a degree in law but did not possess , the usual, "the Auditor certification / Lead Auditor for Information Security Management Systems".
In accepting the appeal, the TAR motivates its own decision by stating that in the comparative analysis of the professional experience and the experience of the individual candidate to play the role of DPOs, it may also take into consideration any qualifications, certifications, participation certificates to courses, etc, but these can’t represent an illogical and conditioning barrier to participation in the selection process.
This decision was made considering that, firstly, certification 27001 does not constitute an enabling title for the DPO functions. Secondly, the certification in question can not constitute an admission requirement (nor equivalent to the degree title required) because it does not capture the specific guarantee function inherent in the assignment conferred, whose primary object is not constituted by the predisposition of mechanisms aimed to increase the levels of efficiency and security in the management of information but at least concerns the protection of the fundamental right of the individual to the protection of personal data.