The company IVAC-Instituto de Certificación S.L., hosted at the University of Valencia Science Park, is one of the four companies authorized by the Spanish Agency for Data Protection (AEPD) to issue the certificates of the new figure of the Delegate for Data Protection.
This position, popularly known as DPO (in English, Data Protection Officer), is one of the key elements of the new European Regulation on Data Protection that will come into effect on May 25. Its function will be to ensure compliance with the regulations on data protection in organizations, without replacing the functions developed by the control authorities.
According to the European Regulation 2016/1979, the DPO will be obligatory for authorities and public organisms; entities that require regular and systematic observation of large-scale stakeholders; entities that deal with special categories of data (art.9) and those that handle data related to convictions and criminal offenses (art.10).
"However, pending the final text of the Data Protection Law, which will be updated according to the European regulation, other companies may also have the obligation to have a Data Protection Delegate, which may be professional colleges; ; providers of services in the information society that deal on a large scale with user profiles, insurers, and entities responsible for common files for the management and prevention of fraud, among others", explained Sandra Ausell, legal technician of IVAC and evaluator of the DPO certificate.
In order to generate trust in the citizens, who are the owners of their personal data, the Spanish Data Protection Agency has promoted together with the National Accreditation Entity (ENAC) a certification scheme as Data Protection Delegate, which in these moments can be issued by four Spanish companies, including the Valencian company IVAC.
In this line, Sandra Ausell specifies that "although this certification as a DPO is totally voluntary and for its exercise is not necessary to possess it, the fact of obtaining it is a guarantee of both the professional competence defined by the Agency. It is also advisable to be able to demonstrate the proactivity carried out by the company when choosing its delegate".
IVAC plans to launch the first exam for future DPO certification on June 9. Candidates must meet at least one of these requirements:
• 5 years of experience in data protection functions
• 3 years of experience and a recognized training of 60 hours in subject areas of the AEPD scheme
• 2 years of experience and 100 hours of recognized training in subject areas of the AEPD scheme
• 180 hours of training in in subject areas of the AEPD scheme in case you do not have experience
Regarding these conditions, Ausell stresses that "not all the training done in data protection is valid, but only that which complies with the requirements established in the AEPD scheme, that is, the training must cover all subjects of the program established in the scheme as well as the time distribution, must be theoretical and practical and its accreditation shall not consist of mere presence in the course, you must pass an examination". "Although the experience may have been acquired prior to 2016, the training must have been developed from the year 2016, when the scheme was developed", the legal technique highlights.
Regarding the DPO certification exam, this will consist of 150 multiple-choice questions with four response options and a single correct option. To pass it, you must exceed 75% of the exam questions, which corresponds to obtaining 113 points in it.
The DPO may be internal or external to the organization, company or entity; but yes, in all cases, a natural or legal person specialized in this matter. Require or not the figure of the DPO, all organizations, companies and entities must have shown to the Spanish Agency for Data Protection a conscious, diligent and proactive attitude regarding the processing of personal data that carry out.
Tags: