GDPR – DPO Role (the Spanish view)

The AEPD (the Spanish Data Privacy Authority) lists the DPO functions that are “required competences” for people seeking certification. While the list is pretty massive compared with the GDPR’s own list of at-minimum tasks, it could also provide a useful guide for people thinking of becoming a DPO elsewhere in the EU:

  1. Compliance with principles relating to processing, such as purpose limitation, data minimization or accuracy
  2. Identifying the legal basis for data processing
  3. Assessment of the compatibility of purposes other than those which gave rise to initial data collection
  4. Determining whether any sectoral regulation may determine specific data processing conditions that are different from those established by general data protection regulations
  5. Designing and implementing measures to provide information to data subjects
  6. Establishing mechanisms to receive and manage requests to exercise rights of the data subjects
  7. Assessing requests to exercise rights of the data subjects
  8. Hiring data processors, including the content of the contracts or legal documents that regulate the controller – processor relationship
  9. Identifying international data transfer instruments that are suited to the needs and characteristics of the organisation and the reasons that justify the transfer
  10. Design and implementation of data protection policies
  11. Data protection audits
  12. Establishing and managing a register of processing activities
  13. Risk analysis of the processing operations carried out
  14. Implementing data protection measures by design and by default that are suited to the risks and nature of the processing operations
  15. Implementing security measures that are suited to the risks and nature of the processing operations
  16. Establishing procedures to manage violations of data security, including assessing the risk to the rights and freedoms of the data subjects and procedures to notify supervisory authorities and the data subjects
  17. Determining the need to carry out data protection impact assessments
  18. Carrying out data protection impact assessments
  19. Relations with supervisory authorities
  20. Implementing training and awareness programs for personnel on data protection.

This is a nice job description :-)


Nice article (from IAPP) with more details:

