Data Protection Officer (DPO) CERTIFICATION

On 25 May 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), came into force. It has been applicable since 25 May 2018.

To adapt it to the Spanish legal system, regulate the fundamental right to data protection and guarantee the digital rights of citizens, Organic Law 3/2018 of 5 December on Personal Data Protection and Guarantee of Digital Rights was published on 6 December 2018. It came into force on 7 December 2018.

This Regulation includes significant new features.

What is a Data Protection Officer (DPO)?

This Regulation introduces the new role of the Data Protection Officer (DPO), who is tasked with new and skilled responsibilities in the area of data protection control and regulatory compliance.

Having this role in place in organisations constitutes a guarantee of regulatory compliance.

What know-how should they contribute?

Data Protection Officers must have specialised know-how in Law and, obviously, data protection. DPOs operate independently and are assigned a series of functions regulated in article 39 of the GDPR, including the obligation to report and advise, as well as supervise management's compliance with the GDPR.

What companies are required to have a DPO?
  • Public authorities and organisations. Organisations whose core activity entails systematic monitoring of persons on a large scale, or processing special categories of personal data on a large scale.
  • Companies such as insurers, financial and investment institutions, educational centres, information society service providers, and so on.

Additionally, any person responsible for or in charge of personal data processing may voluntarily designate a DPD/DPO, even if not obliged.

Does the DPO have to be an in-house post?

A DPO can be an in-house or external private individual or private entity specialised in this area.


Data protection certification

The Spanish Data Protection Agency (AEPD) has promoted, in conjunction with the National Accreditation Body (ENAC), the development of certification for Data Protection Officers (DPOs), to offer security and reliability to both privacy professionals and companies and other institutions incorporating this figure into their organisations.

Certifications will be issued by certification bodies duly accredited by ENAC and will guarantee DPO qualifications and professional skills. Although certification is not mandatory, it will bring great recognition and constitutes a significant professional opportunity considering future demand for this role.

What does Certification entail?


Candidate analysis

The DPO candidate will have to demonstrate that they meet the competence requirements, based on two criteria:

  • Professional experience
  • Training



Once Phase I has been completed, the knowledge and technical or professional capacities will be assessed through an Exam.



Renewable every 3 years.

To apply for Assessment, the candidate must have professional experience in projects and/or activities and tasks relating to the functions of the DPO regarding data protection and/or minimum recognised training in the areas included in the Framework Programme.

Professional experience and required training:

  • 5 years: training not mandatory
  • 3 years: 60 hours
  • 2 years: 100 hours
  • No experience: 180 hours


Once Stage I of candidate analysis is completed, technical or professional knowledge and skills will be assessed by means of an exam.

The exam lasts 4 hours and covers a total of 150 test questions on specific knowledge detailed in the AEPD certification framework.

After assessing the theoretical and practical know-how for carrying out DPO functions, the applicant must pass the exam in order to obtain certification.