Home / Data Protection Officer/ Justification Conditions for DPO


Please turn your phone to see the tables below correctly.


- Provide certificate of having received a minimum recognised training on subjects related to the Scheme programme.

- Depending on pre-requisites demonstrate training of 60, 100 or 180 hours.

- The recognition of training programmes will be made by the Certification Entities according to the requirements defined in the Scheme.

- The distribution of the hours of the training programmmes will follow the same percentage established for each of the domains of the program of the Scheme. A training programme may consist of several courses.

For the 60 hours training, the distribution will be as follows:

Domain 1 – 30 hours
Domain 2 – 18 hours
Domain 3 – 12 hours

For the 100 hours training, the distribution will be as follows:

Domain 1 - 50 hours
Domain 2 – 30 hours
Domain 3 – 20 hours

For the 180 hours training, the distribution will be as follows:

Domain 1 - 90 hours
Domain 2 – 54 hours
Domain 3 – 36 hours

- For the training expressed in ECTS1 or LRU2 credits (referred to university training, even with internships or final degree work) it is considered that ECTS and LRU are equivalent to 25 and 10 hours respectively.

*1 Credit according to the European Credit Transfer and Accumulation System.
*2 Credits according to the University Reform Act of 1983


It is necessary to justify work or professional experience required by the pre-requisites: two, three or five years of experience. To do so candidates must submit objective evidence of the general and specific experience must be provided through the employer or client's declaration, work contract, etc.

Experience processing of high-risk personal data will be especially valued as twice the time as years of experience processing non-high-risk personal data.

If a certain work experience did not last a full year, experience equal to or greater than six month will be counted as a half of a year.

Only in case of not reaching the required experience it can be validated up to one year of experience through validation of additional qualification, that is up to 60 points.

As work experience, the training provided will also be considered and it will be particulary valued as twice the hours of the training received.

For the training taught in a specific subject, only one of the editions taught will be accepted if there are more than one with the same title and curriculum.

For the evaluation of the experience the following scale will be applied:

Training Experience Score of Years of Experience Minimum score of years of experience
- 5 years 60 points 300 points
60 hours 3 years 60 points 180 points
100 hours 2 years 60 points 120 points
180 hours - - -


If the score required by the pre-requisites of professional experience is reached, it will not be necessary to assess any additional qualification. Only in the case where the minimum required score is not exceeded due to lack of years of experience, the following table of qualifications will be used to complement the score.

Aspects that have already been considered as pre-requisites will not be assessed as qualifications.

For the assessment of the additional qualifications the following scale will be applied:

Merit Unit
Specific or complementary university
education on data protection or privacy,
according to European Higher
Education Area (EHEA).4
30 Bachelor´s degree or technical engineering degree 6 12
Unofficial postgraduate or master's degree 6 12
Official Postgraduate degree 8 16
Official master´s degree 10 20
Doctorate 9 9
Specific or complementary
training on data
protection or privacy
50 Attending courses, seminars, events, sessions or
conferences organised or expressly recognised by
Data Protection Certification Authorities or Bodies
(minimum 1 credit or 10h)
1 25
Attending non-university courses
or seminars organised by professional
organisations (minimum 2 credits or 20h).
0,20 10
Attending university courses or
seminars (minimum 2 credits or 20h)
0,50 10
Attending events, sessions or
conferences on the specialization,
which must total at least 20h per year
0,50 5
End of course work on data
protection or privacy issues.
10 Overcoming end of course work with
a dedication of at least 40 hours.
1,5 5
Internships in companies in matters
of data protection or privacy.
10 Overcoming end-of-course
work with a dedication of
at least 40 hours.
1,5 5
Work experience in data
protection or privacy
505 Specific privacy functions at
the job, per year of experience
10 30
Professional or employee carrying out different activities, per project
(complexity, duration and role played will be considered)
5 20
*3 Attributable to each quqlification individually considered. In specific cases such as attending events,
a unit will have been considered to be reached when the total number of minimum recognised hours has been accredited.

*4 According to the EHEA: European Higher Education Area.
*5 Experience other than that used as a pre-requisite.
Category Maximum
Qualification Unit
Teaching activity related to data protection or privacy 30 Teaching at university degree programmes (per every 10 hours). 0,5 10
Professor for basic level courses / seminars (per every 20h.) Professor for specialized courses and seminars (per every 10h.) 0,2 5
Speaker or presenter at conferences (per event) 0,5 10
Lecturer, speaker or conference speaker (per event) 0,1 5
Specific or complementary training on data protection privacy 20 Authorship or co-authorship of books 2,5 8
Authorship or co-authorship of book´s chapters, conference, reports and similar documents. 0,5 5
Authorship or co-authorship of articles in specialised journals and publications. 0,25 5
Authorship or co-authoring contributions in the media or blogs. 0,10 2
Data Protection or Privacy Awards 5 Awards and professional or similar recognition 5 10
Certifications in matters of data protection or privacy (current) 5 ACP-DPO from APEP, CDPP from ISMS FORUM, ECPC-B DPO from Maastricht University, DPO from EIPA (European Institute of Public Administration) or similar certification. 4 10
Other certifications in related topics (current) 10 ACP-B/ACP-CL/ACP-CT/ACP-AL/ACP-AT from APEP, CDPP from ISMS FORUM, CISA/CISM/CRISC from ISACA,CISSP from Certified Information Systems Security Profesional ISC, CIPP/CIPT from IAPP (International Association of Privacy Professionals), Auditor ISO 27001 or similar certification 2 10
*6 New CDPP from December 2016.

*7 Former CDPP prior to December 2016.