Data Protection Officer (DPO) CERTIFICATION
On 25 May 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), came into force. It has been applicable since 25 May 2018.
To adapt it to the Spanish legal system, regulate the fundamental right to data protection and guarantee the digital rights of citizens, Organic Law 3/2018 of 5 December on Personal Data Protection and Guarantee of Digital Rights was published on 6 December 2018 and came into force on 7 December 2018.
This Regulation includes significant new features.
This Regulation introduces the new role of the Data Protection Officer (DPO), who is tasked with new responsibilities requiring specialised skills in the area of data protection control and regulatory compliance.
Having this role in place in organisations constitutes a guarantee of regulatory compliance.
Data Protection Officers must have specialised know-how in law and, obviously, data protection. DPOs operate independently and are assigned a series of functions regulated in Article 39 of the GDPR, including the obligation to report and advise, as well as to supervise management's compliance with the GDPR.
Additionally, any person responsible for or in charge of personal data processing may voluntarily designate a DPD/DPO, even if not obliged.
A DPO can be an in-house or external private individual or private entity specialised in this area.
The Spanish Data Protection Agency (AEPD) has promoted, in conjunction with the National Accreditation Body (ENAC), the development of certification for Data Protection Officers (DPOs), to offer security and reliability both to privacy professionals and to the companies and other institutions incorporating this role into their organisations.
Certifications will be issued by certification bodies duly accredited by ENAC and will guarantee DPO qualifications and professional skills. Although certification is not mandatory, it will bring great recognition and constitutes a significant professional opportunity considering future demand for this role.
What does Certification entail?
The DPO candidate will have to meet competence requirements, based on two criteria:
Once Phase I has been completed, the knowledge and technical or professional capacities will be assessed through an Exam.
Renewable every 3 years.
To apply for Assessment, the candidate must have professional experience in projects and/or activities and tasks relating to the functions of the DPO regarding data protection and/or minimum recognised training in the areas included in the
Once Stage I of candidate analysis is completed, technical or professional knowledge and skills will be assessed by means of an exam.
The exam lasts 4 hours and covers a total of 150 test questions on specific knowledge detailed in the AEPD certification framework.
After assessing the theoretical and practical know-how for carrying out DPO functions, the applicant must pass the exam in order to obtain certification.
Recognition of DPO courses