Competences requerided of the DPO


The DPO must gather specialized knowledge of law and practice in the field of data protection. Therefore, the necessary knowledge, abilities or skills that the person to certify must be known or possessed to carry out each one of the functions of the Data Protection Officer.


These generic functions of the DPD can be specified in advisory and supervision tasks, among others, in the following areas:



1. Compliance with principles relating to treatment, such as limitation of purpose, minimization or accuracy of data


2. Identification of the legal bases of the treatments


3. Assessment of compatibility of purposes other than those that originated the initial collection of data


4. Determination of the existence of sectoral regulations that can determine specific treatment conditions different from those established by the general regulations on data protection


5. Design and implementation of information measures for those affected by data processing


6. Establishment of mechanisms for receiving and managing requests for the exercise of rights by interested parties


7. Assessment of requests for exercise of rights by interested parties


8. Hiring of treatment managers, including the content of the contracts or legal acts that regulate the responsible-manager relationship


9. Identification of international data transfer instruments appropriate to the needs and characteristics of the organization and the reasons that justify the transfer


10. Design and implementation of data protection policies


11. Data protection audit


12. Establishment and management of records of treatment activities


13. Risk analysis of the treatments performed


14. Implementation of data protection measures from the design and protection of data by default appropriate to the risks and nature of the treatments


15. Implementation of security measures appropriate to the risks and nature of the treatments


16. Establishment of procedures for managing data security breaches, including risk assessment for the rights and freedoms of those affected and notification procedures for supervisory authorities and those affected


17. Determination of the need to conduct impact evaluations on data protection


18. Carrying out impact evaluations on data protection


19. Relations with supervisory authorities



20. Implementation of training and awareness programs for personnel on data protection.