The General Data Protection Regulation, in force since April 2016 and mandatory as of May 25, 2018, requires a guarantee and accreditation of compliance through responsible management.
The Regulation introduces the position of Data Protection Officer (DPO, also referred to as DPD in Spain), who supervises and coordinates compliance with the Regulation. This person must be designated on the basis of professional qualities, theoretical and practical knowledge, and capacity to perform the functions indicated in the Regulation.
Furthermore, Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights, which became effective on 7 December 2018, adapts the GDPR to the Spanish legal system and, among other aspects, specifies organizations where the designation of a Data Protection Officer is mandatory.
The designation of a Data Protection Officer is mandatory for:
- Authorities and public bodies
- Companies that deal with large-scale sensitive data
- Companies that monitor people systematically and on a large scale
- Insurers, financial and investment institutions, educational centres, information society service providers, and so on.
In February, due to the development of the requirements of the accredited Delegates of Data Protection certification scheme, AENOR decided to definitively abandon the DPD certification activity.