DPO Certification (AEPD-ENAC Scheme): What It Is and What It Guarantees

·

When a company sets out to hire or appoint a Data Protection Officer (DPO), it sooner or later runs into a term that circulates across the industry as though it were a legal requirement: DPO certification. Training academies, education providers and some consultancies present it as the decisive criterion for choosing a provider, and it is not unusual to see adverts implying that an "uncertified" DPO cannot legally perform the role. The regulatory reality is more precise and, for anyone who has to decide, far more useful: the AEPD's Data Protection Officer Certification Scheme, with certification bodies accredited by ENAC, does exist and is a serious credential — but Article 37.5 of the GDPR requires professional qualification, not a specific certificate. Understanding that distinction — what the scheme actually certifies, who issues it and what it does not replace — is what separates an informed selection criterion from a commercial argument repeated without nuance.

What is the AEPD's DPO Certification Scheme?

The Data Protection Officer Certification Scheme (Esquema AEPD-DPD) is a reference framework drawn up by the Spanish Data Protection Agency so that independent certification bodies can evaluate and certify, in a consistent way, the knowledge and professional competence of people who act, or want to act, as DPO. It is not an academic degree or a course: it is a personnel certification scheme, the same regulatory family used, for example, to certify management-system auditors or qualified welders, applied here to data protection.

The AEPD does not certify candidates directly. What the Agency does is define the scheme — access requirements, the content the assessment process must cover, renewal criteria — and make it available to certification bodies which, in order to issue valid certificates under that scheme, must be accredited by ENAC (Spain's National Accreditation Body) under the UNE-EN ISO/IEC 17024 standard, the international standard for personnel certification. That accreditation is what gives the process its reliability: ENAC periodically audits the certification body to verify that it applies the scheme rigorously, impartially and with full traceability, not merely that it sells a diploma.

The result, when the process is completed successfully, is a certificate issued to an individual — not to a company — attesting that the holder has passed a knowledge assessment and, depending on the certification body, in many cases a practical-experience assessment in data protection as well.

The legal framework: why does a certification scheme exist if the GDPR does not require it?

Article 37.5 of the GDPR establishes that the DPO "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices" and the ability to carry out the tasks set out in Article 39. This wording is deliberately open: the European legislator did not fix a specific degree, an official exam or a mandatory certificate, because DPOs can come from very different backgrounds — law, auditing, information security, compliance — and a single formal requirement would have excluded valid profiles.

That regulatory openness created a real practical problem: without a reference standard, anyone can call themselves a "data protection expert" with no simple way to verify it. The Article 29 Working Party guidelines on the DPO (WP243), endorsed by the European Data Protection Board (EDPB), stress that the level of expertise must be commensurate with the sensitivity, complexity and volume of the processing, but they set no formal route for evidencing it and never turn any certification into a requirement. The AEPD designed its scheme precisely to fill that gap: to offer an objective, auditable and optional verification route, within a legal framework that deliberately does not impose a single path into the DPO role.

How the scheme works: ENAC accreditation, certification bodies and access requirements

The certification process is structured, with variations specific to each accredited certification body, around three blocks:

  1. Access requirements. The scheme requires candidates to demonstrate prior training and/or professional experience related to data protection before they can sit the assessment — there is no "exam with no experience" route here, unlike some other professional certifications.
  2. Competence assessment. An exam, usually combining multiple-choice questions and practical case studies, covering the legal framework (GDPR, LOPDGDD, sector-specific regulation), the principles and legal bases for processing, data subjects' rights, technical and organisational measures, security breach management and the specific duties of the role set out in Article 39 of the GDPR.
  3. Periodic renewal. The certification is not indefinite: the scheme requires renewal on a three-year cycle, conditional on demonstrating ongoing professional activity and up-to-date training, so the certificate does not remain a static snapshot of knowledge from years earlier.

Anyone considering getting certified, or wanting to check a provider's certification, can verify on the ENAC website which bodies are actually accredited for the AEPD-DPD scheme under the UNE-EN ISO/IEC 17024 standard. That is the one piece of information worth checking first-hand: not every entity that advertises "DPO certification" is accredited for the AEPD's official scheme, and some academies sell courses with the school's own certificate, which is a legitimate training document but of a different nature to a personnel certification accredited by ENAC.

Is certification mandatory to act as DPO? The nuance almost nobody explains

No. This is the central question of this article, and the answer, backed by the text of the GDPR itself, is unambiguous: AEPD-ENAC certification is voluntary. Article 37.5 of the GDPR does not mention any certificate as a designation requirement; it requires professional qualities and expert knowledge, something that can be evidenced through different routes — professional track record, university or postgraduate education, audited experience, publications or teaching in the field — none of which is, on its own, mandatory either.

The AEPD itself confirms this in the public documentation of its scheme: certification is a tool that facilitates demonstrating compliance with Article 37.5, not a legal condition for acting as DPO. An organisation can validly appoint, with full legal effect, a DPO without AEPD-ENAC certification, provided it can justify by other means their qualification and suitability for the role — something worth documenting internally regardless of whether the DPO holds a certificate, because it is the organisation itself that answers to the AEPD in an inspection if the appointed DPO turns out not to be suitable.

This nuance matters particularly in a market where some providers present certification as synonymous with the legal validity of the appointment. It is not. What the law requires is real, demonstrable competence; the certificate is one — solid, but not the only — way of demonstrating it.

What certification actually guarantees (and what it does not)

It is worth precisely separating what certification attests from what it cannot attest:

Put differently: certification is an objective, verifiable data point within a broader set of suitability criteria, not a shortcut that exempts anyone from assessing the rest.

Certification versus qualification: how to verify a DPO's suitability without requiring a certificate

If certification is not mandatory, how does an organisation verify that its DPO — internal or external — genuinely meets Article 37.5? In practice, it is worth combining several elements, with or without a certificate:

To dig deeper into what a DPO should actually do day to day — and to check it against a candidate's or provider's track record — it is worth reviewing in detail the DPO tasks under Article 39 of the GDPR. And if the goal is not certification itself but choosing the right external DPO provider to take on the role, certification is only one of the ten criteria worth reviewing systematically, as set out in the guide on how to choose an external DPO provider.

How much does it cost to get certified as a DPO (and why that is not the same as the price of the service)

The cost of obtaining AEPD-ENAC certification — exam fees, preparatory training if contracted, three-year renewal — is borne by the individual or by the certification body issuing it, and varies by provider; there is no single market rate, and it is not a cost that necessarily has to be passed on to the price of the external DPO service a company hires. These are two distinct financial questions that should not be conflated when comparing proposals: the cost of getting certified is one thing, and the cost of hiring the external DPO service itself — with its recurring fees, scope of duties and level of dedication — is another. If you want to understand which variables determine that second cost, the guide on external DPO pricing: variables and indicative range covers in detail the factors that influence the fee, without publishing fixed figures that would not reflect the reality of every organisation.

Summary table: AEPD-ENAC certification of the DPO

Aspect What it means Legal basis
Nature of the scheme Certification of an individual, issued by bodies accredited by ENAC under UNE-EN ISO/IEC 17024, in line with the scheme defined by the AEPD Esquema AEPD-DPD
Mandatory status Voluntary; not a legal requirement for being appointed DPO Art. 37.5 GDPR
What the law requires instead Professional qualities and expert knowledge, which can be evidenced through various routes Art. 37.5 GDPR
Validity Periodic renewal on a three-year cycle, with proof of ongoing activity and continuous training Esquema AEPD-DPD
What it does not guarantee DPO independence, the hiring organisation's regulatory compliance, or exemption from the controller's liability Arts. 38.6 and 39 GDPR
Breach of Art. 37 (inadequate appointment) Fine of up to €10M or 2% of total worldwide annual turnover Art. 83.4.a) GDPR

Frequently asked questions

Is it mandatory for my DPO to hold AEPD-ENAC certification?

No. Article 37.5 of the GDPR requires professional qualities and expert knowledge of data protection, but it does not impose a specific certificate as a designation requirement. AEPD-ENAC certification is a voluntary tool that facilitates demonstrating that knowledge, not a legal condition for holding the role.

What role does ENAC play in DPO certification?

ENAC — Spain's National Accreditation Body — does not certify individuals directly. It accredits the certification bodies that issue the AEPD-DPD certificate, verifying that they apply the AEPD's scheme in line with the UNE-EN ISO/IEC 17024 standard. It is the seal that gives the process its reliability, periodically checking that the certification body maintains rigour and impartiality.

What requirements must be met to sit the DPD certification exam?

Accredited certification bodies require, with variations specific to each one, a minimum of prior training and/or professional experience related to data protection before admitting a candidate to the assessment. It is not an open exam with no prior track record: the scheme is designed to certify competence already developed, not to train candidates from scratch.

How long does the certification last, and does it need to be renewed?

The certification is not indefinite. The AEPD-DPD scheme provides for renewal on a three-year cycle, conditional on demonstrating ongoing professional activity and up-to-date training, precisely to prevent the certificate from becoming outdated as the AEPD's regulations and criteria evolve.

Does certification replace the DPO's continuous training?

No. Not even within the scheme itself: the three-year renewal requires evidence of continued training and activity, which confirms that the certificate is not an endpoint but a milestone within an ongoing process of updating knowledge, given how frequently AEPD criteria, European case law and sector-specific regulation evolve.

What happens if I hire an external DPO without AEPD-ENAC certification?

Nothing different, from a legal standpoint, as long as that DPO can demonstrate by other means — track record, training, sector-specific experience — the qualification required under Article 37.5 of the GDPR. The absence of a certificate does not invalidate the appointment; what would be problematic is appointing someone with no demonstrable evidence of expert knowledge at all, certified or not.

How can I verify that a certification body is genuinely accredited by ENAC for the DPD scheme?

By checking directly in the accredited-body search tool on the ENAC website, which shows the exact scope of each accreditation. It is the only way to distinguish a personnel certification under the AEPD's official scheme from an academy's own training certificate, which may be a serious course but is not equivalent to certification accredited by ENAC.

Does certification protect my company against AEPD sanctions?

Not automatically. Certification attests to the qualification of the individual acting as DPO — a relevant factor if the AEPD reviews the suitability of the appointment under Article 37.5 — but it does not exempt the organisation from its liability as controller or processor, nor does it replace effective management of the rest of the GDPR and LOPDGDD obligations.

If your company is weighing up how to verify its DPO's suitability, or how to choose an external DPO provider using solid criteria — certification included, but not as the only filter — at Summum Consultoría we support that process from appointment through to the day-to-day performance of the Article 39 GDPR tasks, with a specialised, track-record-audited team. See our external DPO service for organisations to find out how we structure the qualification and independence of the team that would take on the role.