When a company sets out to hire or appoint a Data Protection Officer (DPO), it sooner or later runs into a term that circulates across the industry as though it were a legal requirement: DPO certification. Training academies, education providers and some consultancies present it as the decisive criterion for choosing a provider, and it is not unusual to see adverts implying that an "uncertified" DPO cannot legally perform the role. The regulatory reality is more precise and, for anyone who has to decide, far more useful: the AEPD's Data Protection Officer Certification Scheme, with certification bodies accredited by ENAC, does exist and is a serious credential — but Article 37.5 of the GDPR requires professional qualification, not a specific certificate. Understanding that distinction — what the scheme actually certifies, who issues it and what it does not replace — is what separates an informed selection criterion from a commercial argument repeated without nuance.
What is the AEPD's DPO Certification Scheme?
The Data Protection Officer Certification Scheme (Esquema AEPD-DPD) is a reference framework drawn up by the Spanish Data Protection Agency so that independent certification bodies can evaluate and certify, in a consistent way, the knowledge and professional competence of people who act, or want to act, as DPO. It is not an academic degree or a course: it is a personnel certification scheme, the same regulatory family used, for example, to certify management-system auditors or qualified welders, applied here to data protection.
The AEPD does not certify candidates directly. What the Agency does is define the scheme — access requirements, the content the assessment process must cover, renewal criteria — and make it available to certification bodies which, in order to issue valid certificates under that scheme, must be accredited by ENAC (Spain's National Accreditation Body) under the UNE-EN ISO/IEC 17024 standard, the international standard for personnel certification. That accreditation is what gives the process its reliability: ENAC periodically audits the certification body to verify that it applies the scheme rigorously, impartially and with full traceability, not merely that it sells a diploma.
The result, when the process is completed successfully, is a certificate issued to an individual — not to a company — attesting that the holder has passed a knowledge assessment and, depending on the certification body, in many cases a practical-experience assessment in data protection as well.
The legal framework: why does a certification scheme exist if the GDPR does not require it?
Article 37.5 of the GDPR establishes that the DPO "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices" and the ability to carry out the tasks set out in Article 39. This wording is deliberately open: the European legislator did not fix a specific degree, an official exam or a mandatory certificate, because DPOs can come from very different backgrounds — law, auditing, information security, compliance — and a single formal requirement would have excluded valid profiles.
That regulatory openness created a real practical problem: without a reference standard, anyone can call themselves a "data protection expert" with no simple way to verify it. The Article 29 Working Party guidelines on the DPO (WP243), endorsed by the European Data Protection Board (EDPB), stress that the level of expertise must be commensurate with the sensitivity, complexity and volume of the processing, but they set no formal route for evidencing it and never turn any certification into a requirement. The AEPD designed its scheme precisely to fill that gap: to offer an objective, auditable and optional verification route, within a legal framework that deliberately does not impose a single path into the DPO role.
How the scheme works: ENAC accreditation, certification bodies and access requirements
The certification process is structured, with variations specific to each accredited certification body, around three blocks:
- Access requirements. The scheme requires candidates to demonstrate prior training and/or professional experience related to data protection before they can sit the assessment — there is no "exam with no experience" route here, unlike some other professional certifications.
- Competence assessment. An exam, usually combining multiple-choice questions and practical case studies, covering the legal framework (GDPR, LOPDGDD, sector-specific regulation), the principles and legal bases for processing, data subjects' rights, technical and organisational measures, security breach management and the specific duties of the role set out in Article 39 of the GDPR.
- Periodic renewal. The certification is not indefinite: the scheme requires renewal on a three-year cycle, conditional on demonstrating ongoing professional activity and up-to-date training, so the certificate does not remain a static snapshot of knowledge from years earlier.
Anyone considering getting certified, or wanting to check a provider's certification, can verify on the ENAC website which bodies are actually accredited for the AEPD-DPD scheme under the UNE-EN ISO/IEC 17024 standard. That is the one piece of information worth checking first-hand: not every entity that advertises "DPO certification" is accredited for the AEPD's official scheme, and some academies sell courses with the school's own certificate, which is a legitimate training document but of a different nature to a personnel certification accredited by ENAC.
Is certification mandatory to act as DPO? The nuance almost nobody explains
No. This is the central question of this article, and the answer, backed by the text of the GDPR itself, is unambiguous: AEPD-ENAC certification is voluntary. Article 37.5 of the GDPR does not mention any certificate as a designation requirement; it requires professional qualities and expert knowledge, something that can be evidenced through different routes — professional track record, university or postgraduate education, audited experience, publications or teaching in the field — none of which is, on its own, mandatory either.
The AEPD itself confirms this in the public documentation of its scheme: certification is a tool that facilitates demonstrating compliance with Article 37.5, not a legal condition for acting as DPO. An organisation can validly appoint, with full legal effect, a DPO without AEPD-ENAC certification, provided it can justify by other means their qualification and suitability for the role — something worth documenting internally regardless of whether the DPO holds a certificate, because it is the organisation itself that answers to the AEPD in an inspection if the appointed DPO turns out not to be suitable.
This nuance matters particularly in a market where some providers present certification as synonymous with the legal validity of the appointment. It is not. What the law requires is real, demonstrable competence; the certificate is one — solid, but not the only — way of demonstrating it.
What certification actually guarantees (and what it does not)
It is worth precisely separating what certification attests from what it cannot attest:
- It does guarantee that the individual has passed, at a given point in time, an assessment of regulatory and technical knowledge designed under a scheme audited by ENAC, with minimum access requirements verified by a party independent of whoever hires them.
- It is a reasonable indicator of up-to-date familiarity with the legal framework, as long as the certification is valid — remember the three-year renewal cycle — and has not lapsed without being renewed.
- It does not guarantee the DPO's independence from the controller, which Article 38.6 of the GDPR requires and which depends on the person's position within the organisation, not on their training.
- It does not, on its own, guarantee the hiring organisation's regulatory compliance: under Article 39, the DPO advises and monitors compliance, but does not decide the purposes and means of processing and does not bear legal liability in the event of a sanction — that responsibility rests with the controller or processor.
- It does not replace sector-specific knowledge — healthcare, education, banking, public administration — which in many cases proves just as decisive as general regulatory knowledge for performing the role well.
Put differently: certification is an objective, verifiable data point within a broader set of suitability criteria, not a shortcut that exempts anyone from assessing the rest.
Certification versus qualification: how to verify a DPO's suitability without requiring a certificate
If certification is not mandatory, how does an organisation verify that its DPO — internal or external — genuinely meets Article 37.5? In practice, it is worth combining several elements, with or without a certificate:
- Documented professional track record: years of practice, sectors served, type of processing activities managed (special-category data, minors, video surveillance, large-scale processing).
- Verifiable specific training: master's degrees, specialised courses or certifications — AEPD-ENAC or other internationally recognised ones — with a verifiable syllabus and teaching hours.
- Up-to-date knowledge: familiarity with recent AEPD criteria, sanctioning decisions, sector-specific guidance and Court of Justice of the European Union case law on data protection.
- Demonstrated ability to perform the Article 39 tasks: informing and advising, monitoring compliance, cooperating with the supervisory authority and acting as a point of contact, beyond theoretical knowledge.
To dig deeper into what a DPO should actually do day to day — and to check it against a candidate's or provider's track record — it is worth reviewing in detail the DPO tasks under Article 39 of the GDPR. And if the goal is not certification itself but choosing the right external DPO provider to take on the role, certification is only one of the ten criteria worth reviewing systematically, as set out in the guide on how to choose an external DPO provider.
How much does it cost to get certified as a DPO (and why that is not the same as the price of the service)
The cost of obtaining AEPD-ENAC certification — exam fees, preparatory training if contracted, three-year renewal — is borne by the individual or by the certification body issuing it, and varies by provider; there is no single market rate, and it is not a cost that necessarily has to be passed on to the price of the external DPO service a company hires. These are two distinct financial questions that should not be conflated when comparing proposals: the cost of getting certified is one thing, and the cost of hiring the external DPO service itself — with its recurring fees, scope of duties and level of dedication — is another. If you want to understand which variables determine that second cost, the guide on external DPO pricing: variables and indicative range covers in detail the factors that influence the fee, without publishing fixed figures that would not reflect the reality of every organisation.
Summary table: AEPD-ENAC certification of the DPO
| Aspect | What it means | Legal basis |
|---|---|---|
| Nature of the scheme | Certification of an individual, issued by bodies accredited by ENAC under UNE-EN ISO/IEC 17024, in line with the scheme defined by the AEPD | Esquema AEPD-DPD |
| Mandatory status | Voluntary; not a legal requirement for being appointed DPO | Art. 37.5 GDPR |
| What the law requires instead | Professional qualities and expert knowledge, which can be evidenced through various routes | Art. 37.5 GDPR |
| Validity | Periodic renewal on a three-year cycle, with proof of ongoing activity and continuous training | Esquema AEPD-DPD |
| What it does not guarantee | DPO independence, the hiring organisation's regulatory compliance, or exemption from the controller's liability | Arts. 38.6 and 39 GDPR |
| Breach of Art. 37 (inadequate appointment) | Fine of up to €10M or 2% of total worldwide annual turnover | Art. 83.4.a) GDPR |
Frequently asked questions
Is it mandatory for my DPO to hold AEPD-ENAC certification?
No. Article 37.5 of the GDPR requires professional qualities and expert knowledge of data protection, but it does not impose a specific certificate as a designation requirement. AEPD-ENAC certification is a voluntary tool that facilitates demonstrating that knowledge, not a legal condition for holding the role.
What role does ENAC play in DPO certification?
ENAC — Spain's National Accreditation Body — does not certify individuals directly. It accredits the certification bodies that issue the AEPD-DPD certificate, verifying that they apply the AEPD's scheme in line with the UNE-EN ISO/IEC 17024 standard. It is the seal that gives the process its reliability, periodically checking that the certification body maintains rigour and impartiality.
What requirements must be met to sit the DPD certification exam?
Accredited certification bodies require, with variations specific to each one, a minimum of prior training and/or professional experience related to data protection before admitting a candidate to the assessment. It is not an open exam with no prior track record: the scheme is designed to certify competence already developed, not to train candidates from scratch.
How long does the certification last, and does it need to be renewed?
The certification is not indefinite. The AEPD-DPD scheme provides for renewal on a three-year cycle, conditional on demonstrating ongoing professional activity and up-to-date training, precisely to prevent the certificate from becoming outdated as the AEPD's regulations and criteria evolve.
Does certification replace the DPO's continuous training?
No. Not even within the scheme itself: the three-year renewal requires evidence of continued training and activity, which confirms that the certificate is not an endpoint but a milestone within an ongoing process of updating knowledge, given how frequently AEPD criteria, European case law and sector-specific regulation evolve.
What happens if I hire an external DPO without AEPD-ENAC certification?
Nothing different, from a legal standpoint, as long as that DPO can demonstrate by other means — track record, training, sector-specific experience — the qualification required under Article 37.5 of the GDPR. The absence of a certificate does not invalidate the appointment; what would be problematic is appointing someone with no demonstrable evidence of expert knowledge at all, certified or not.
How can I verify that a certification body is genuinely accredited by ENAC for the DPD scheme?
By checking directly in the accredited-body search tool on the ENAC website, which shows the exact scope of each accreditation. It is the only way to distinguish a personnel certification under the AEPD's official scheme from an academy's own training certificate, which may be a serious course but is not equivalent to certification accredited by ENAC.
Does certification protect my company against AEPD sanctions?
Not automatically. Certification attests to the qualification of the individual acting as DPO — a relevant factor if the AEPD reviews the suitability of the appointment under Article 37.5 — but it does not exempt the organisation from its liability as controller or processor, nor does it replace effective management of the rest of the GDPR and LOPDGDD obligations.
If your company is weighing up how to verify its DPO's suitability, or how to choose an external DPO provider using solid criteria — certification included, but not as the only filter — at Summum Consultoría we support that process from appointment through to the day-to-day performance of the Article 39 GDPR tasks, with a specialised, track-record-audited team. See our external DPO service for organisations to find out how we structure the qualification and independence of the team that would take on the role.