The AEPD will examine 30,000 DPOs

DPO exam

The Data Protection Agency will subject 30,000 DPOs of public and private entities to ‘examination’.

DPOs to be examined

A few weeks ago the Spanish Data Protection Agency (AEPD) announced that, as part of an action coordinated at EU level by the European Data Protection Board (EDPB), it will examine and analyse 30,000 data protection officers and their role within the public and private organisations to which they belong.

Mandatory from 2018

The entry into force of the General Data Protection Regulation in 2018 determined that all companies and public bodies must appoint a data protection officer (DPD or DPO) as a fundamental piece in the data protection management of companies and public entities to ensure compliance with the regulation.

Although this figure is of vital importance when it comes to managing the processing of personal data in organisations, in many cases he or she has only been appointed to comply with the obligation for companies and public administrations to have a data protection officer, but they do not meet the necessary requirements to be one.

What are the requirements that a DPO must fulfil?

Not just anyone can be an organisation’s data protection officer, as they must meet certain requirements. Would you like to know what they are?
Elena Sánchez, a lawyer specialising in privacy and technology recruitment at Metricson, tells you everything you need to know about a DPO in this article.

What the exam will consist of

As far as we know, this ‘exam’ will consist of a questionnaire that will assess whether the DPOs appointed in these bodies have the knowledge and experience, know their role and position within the structure of the entity.

The results of this questionnaire will be followed up to determine whether further action is needed and a report will be drawn up with the results obtained from all the companies and bodies assessed.

Does your DPO meet the characteristics and requirements?

If you have a DPO appointed within the company, it is time to assess whether he or she meets the conditions of suitability to carry out this task. If not, the risk that exists, in the event of receiving this questionnaire from the AEPD, is that it will be determined that he or she does not have the necessary characteristics and that additional measures or sanctions will be applied.

If you have come to the conclusion that it is possible that your DPO does not comply with the requirements established by the regulation, you should consider hiring an external DPO to avoid surprises and possible sanctions. Perhaps your appointed DPO is adequate but needs extra help, in which case you should accompany the company’s DPO.

In either case, Metricson can help you because we are lawyers specialised in privacy and data protection. If you have any doubts and you want to make sure that your company complies with all the regulations, do not hesitate to contact us.

Write to us at or call us on 918 228 031. We look forward to talking to you!

Talk with us

958 558 442


Tuset, 19 - 2º, 3ª
08006 Barcelona
931 594 620

Javier Ferrero 10,
28002 Madrid
918 228 031

Paseo de Ruzafa 11, 6º, 12ª
46002 Valencia
960 500 761

Av. de la República Argentina, 25
41011 Sevilla

    Responsable: Metricson S.L.P.U.
    · Finalidad: Resolver tu petición o duda.
    · Legitimación:  Interés legítimo en responder cualquier cuestión planteada por ti.
    · Destinatarios: Prestadores de servicios tecnológicos, como encargados del tratamiento, que seguirán siempre nuestras instrucciones.
    · Derechos: Puedes acceder, rectificar, suprimir o solicitar la portabilidad de tus datos personales, así como oponerte o limitar el tratamiento de los mismos dirigiéndote a