Required competences for the Data Protection Officer

The DPO must have specialized knowledge of data protection law and practice.


Consequently, the necessary knowledge, skills or abilities that the person to be certified must know or possess in order to carry out each of the functions of the position of Data Protection Officer have been identified.


Compliance with processing principles, such as purpose limitation, minimization or accuracy of data.

Identification of the legal bases for processing.

Compatibility assessment of purposes other than those for which the data were originally collected.

Determination of the existence of sectorial regulations that may determine specific processing conditions different from those established by the general data protection regulations.

Design and implementation of information measures for those affected by data processing.
Establishment of mechanisms for the reception of requests for the exercise of rights by data subjects.

Compliance with data processing principles, such as purpose limitation, minimization or accuracy of data.

Identification of the legal bases for processing.

Compatibility assessment of purposes other than those for which the data were originally collected.

Determination of the existence of sectorial regulations that may determine specific processing conditions different from those established by the general data protection regulations.
Design and implementation of information measures for those affected by the data processing.

Establishment and management of records of treatment activities.

Risk analysis of the treatments performed.

Implementation of data protection measures by design and data protection by default, appropriate to the risks and nature of the processing.

Implementation of security measures appropriate to the risks and nature of the processing.
Establishment of procedures for managing data security breaches, including the assessment of the risk to the rights and freedoms of data subjects and procedures for notifying supervisory authorities and data subjects.

Determination of the need for data protection impact assessments.

Conducting data protection impact assessments.

Relations with supervisory authorities.

Implementation of training and awareness programs for staff on data protection.