Postgraduate Course in Data Protection and Information Security

The Postgraduate Course in Data Protection and Information Security provides students with the legal and technical tools and skills to carry out, with full transparency, the functions inherent to the role of Data Protection Officer (DPO) and to manage personal data in companies and law firms inside and outside Spain.

  • DPO
  • OLPD
Next edition
Classes start: 23 March, 2023
Program ends: 17 June, 2023 (To be confirmed)
Thursdays from 6:30 pm to 9 pm and Saturdays from 9 am to 2:30 pm.
ECTS credits
2210 €

The Postgraduate Course in Data Protection and Information Security from Pompeu Fabra University, taught by the UPF Barcelona School of Management, provides you with the education, tools and legal skills necessary to carry out, with total transparency, the functions of the data protection officer of a company or organization, public or private, inside and outside Spain.

Following the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, which reinforces privacy and provides a uniform legal regime for the protection of personal data in the European Union, a proactive responsibility model for professional practice has been imposed. Under this model, those responsible for data processing must apply the technical and organizational measures necessary to ensure compliance with the regulations, and also demonstrate a commitment to the protection of the personal data of interested parties.

The course on Data Protection complies with the duration requirement for hours foreseen in the certification scheme (Section 6.3) approved by the Spanish Data Protection Agency on June 13, 2018 and as such has been recognized by the Certification Institution ISMS Forum and the Certification Institution Bureau Veritas.

Once the course has finished, the students will be able to take the exam to obtain certification as a DPO in any of the authorized certifying entities.

Why choose this program


Gain access to training endorsed by the Spanish Data Protection Agency

The contents of the program comply with the legal requirement of duration in hours that the students must pass provided for in the Certification Scheme (Section 6.3) approved by the Spanish data protection regulations and as such has been recognized by the Certification Institution Bureau Veritas and by the Certification Institution ISMS Forum.


Get applied knowledge

This postgraduate course prepares you to transparently identify whether a given legal activity involving personal data complies with the GDPR and other applicable regulations, and provides the technical and organizational knowledge needed to comply with the provisions of the GDPR and other regulations applicable to lawyers and other professionals in the sector.


Learn from a multidisciplinary teaching team

A multidisciplinary team of teachers provides students with the legal knowledge necessary to train both in the field of law and in information and communication technologies.


Functions in great demand

The program prepares you at a professional level to develop the role of Data Protection Officer (DPO) in a company, one of the essential functions in any public or private organization.

Who is it for?

The Postgraduate Course in Data Protection and Information Security is aimed at those professionals (jurists, lawyers, engineers, and graduates in related disciplines) who already exercise or want to exercise the function of Data Protection Officer in companies within and outside of Spain, who want to specialize in the management of personal data, and/or want to be certified as a Data Protection Officer.

Admission and enrolment


This course meets the maximum duration requirement in hours that the student must take (180h) provided for in the Certification Scheme (section 6.3) approved by the Spanish data protection regulations and as such has been recognized by the Certification Institution ISMS Forum (certificate) and by the Certification Institution Bureau Veritas (certificate). The UPF Barcelona School of Management complies with the Responsible Declaration and the Code of Ethics required by the Spanish Agency for Data Protection.

The course takes place On campus and Live and consists of 10 ECTS credits, which are equivalent to 250 hours of student dedication. According to the provisions of the AEPD-DPD scheme, 125 hours correspond to domain 1 (General data protection regulations, 5 ECTS), 75 hours to domain 2 (Active responsibility, 3 ECTS) and 50 hours to domain 3 (Techniques to guarantee compliance with data protection regulations and other knowledge, 2 ECTS).



The course at our university meets the maximum duration requirement in hours that the student must take (180h) provided for in the Certification Scheme (Section 6.3) approved by the Spanish data protection regulations and as such has been recognized by the ISMS Forum and Bureau Veritas.

It is structured through 3 large modules or domains oriented to the professional practice of lawyers and other related professions: General Data Protection Regulations (5 ECTS credits), Active Responsibility (3 ECTS credits) and Techniques for Information Security (2 ECTS credits).

Upon completion of the course, students will be able to sit the exam to become certified as an expert DPO in any of the accredited collaborating entities.

Complete program curriculum.

General Data Protection Regulations

Regulatory context
  • Privacy and data protection on the international scene.
  • Data protection in Europe.
  • Data protection in Spain.
  • Standards and good practices.
The European Data Protection Regulation and updating of the LOPD. Fundamentals
  • Scope of application.
  • Definitions.
  • Obliged parties.
The European Data Protection Regulation and updating of the LOPD. Principles
  • The right/duty pairing in data protection.
  • Legality of processing.
  • Loyalty and transparency.
  • Limitation of the purpose.
  • Data minimization.
  • Accuracy.
The European Data Protection Regulation and updating of the LOPD. Legitimation
  • Consent: granting and revocation.
  • Informed consent: purpose, transparency, preservation, information, and duty of communication to the interested party.
  • Children's consent.
  • Special categories of data.
  • Data related to criminal offences and convictions.
  • Processing that does not require identification.
  • Legal bases other than consent.
Rights of individuals
  • Transparency and legal information.
  • Access, rectification, deletion (right to be forgotten).
  • Opposition.
  • Automated individual decisions.
  • Portability.
  • Limitation of processing.
  • Exceptions to rights.
The European Data Protection Regulation and updating of the LOPD. Compliance measures
  • Data protection policies and their transparency.
  • Legal position of the parties. Responsibility, co-responsibility, managers, sub-manager of the processing and their representatives. Relations between them and formalization.
  • The registration of processing activities: identification and classification of data processing.
The European Data Protection Regulation and updating of the LOPD. Proactive accountability
  • Privacy by design and by default. Fundamental principles.
  • Impact assessment related to data protection and prior consultation. High-risk processing.
  • Security of personal data. Technical and organizational security.
  • Security violations. Notification of security breaches.
  • The Data Protection Officer (DPO). Regulatory framework.
  • Codes of conduct and certifications.
The European Data Protection Regulation. Data Protection Officers (DPD, DPO or Data Privacy Officer)
  • Designation. Decision-making process. Formalities in the appointment, renewal, and dismissal. Analysis of conflicts of interest.
  • Obligations and responsibilities. Independence. Identification and reporting to management.
  • Procedures. Collaboration, prior authorizations, relationship with interested parties and claims management.
  • Communication with the data protection authority.
  • Professional competence. Negotiation. Communication. Budgets.
  • Training.
  • Personal skills, teamwork, leadership, team management.
The European Data Protection Regulation and updating of the LOPD. International data transfers
  • The adequacy decision system.
  • Transfers through adequate guarantees.
  • Binding Corporate Rules.
  • Exceptions.
  • Authorization of the control authority.
  • Temporary suspension.
  • Contractual clauses.
The European Data Protection Regulation and updating of the LOPD. Control Authorities
  • Control Authorities.
  • Powers.
  • Sanctions regime.
  • European Committee for Data Protection.
  • Procedures followed by the AEPD.
  • Jurisdictional protection.
  • The right to compensation.
GDPR interpretation guidelines
  • Guidelines of the Article 29 Working Party.
  • Opinions of the European Data Protection Committee.
  • Criteria of jurisdictional bodies.
Sectoral regulations affected by data protection
  • Sanitary, Pharmaceutical, and Research Company.
  • Protection of minors.
  • Equity Solvency.
  • Telecommunications.
  • Video surveillance.
  • Insurance.
  • Advertising, etc.
Spanish regulations with data protection implications
  • LSSI, Law 34/2002, of 11 July, on services for the information society and electronic commerce in Spain
  • LGT, Law 9/2014, of 9 May, General Telecommunications
  • E-signature Law, Law 59/2003, of 19 December, on electronic signatures
European regulations with data protection implications
  • e-Privacy Directive: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) or e-Privacy Regulation when approved.
  • Directive 2009/136/EC of the European Parliament and of the Council, of 25 November 2009, which modifies Directive 2002/22/EC on universal service and the rights of users in relation to networks and electronic communications services, Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No. 2006/2004 on cooperation in the field of consumer protection.
  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal sanctions, and the free circulation of said data and by which the Framework Decision 2008/977/JHA of the Council is repealed.
Information regarding the AEPD Scheme
Hours of dedication: 125 hours – 5 ECTS.

Teachers: Antoni Rubí-Puig (1.1, 1.2, 1.3, 1.6, 1.11, 1.13, 1.14), Daniel Urbán (1.7), Carles San José (1.10), Esther Farnós (1.4), Rosa Milà (1.5), Sergi Gálvez (1.8), Daniel Caccamo (1.9), Jorge Monclús (1.12), Arnau Florensa (1.12)

Active Responsibility

Analysis and risk management of personal data processing
  • Introduction. General framework for risk assessment and management. General concepts.
  • Risk evaluation. Inventory and valuation of assets. Inventory and assessment of threats. Existing safeguards and assessment of their protection. Resulting risk.
  • Risk management. Concepts. Implementation. Selection and assignment of safeguards to threats. Protection assessment. Residual risk, acceptable risk, and unacceptable risk.
Risk analysis and risk management methodologies
Data Protection and Security compliance program in an organization
  • The design and implementation of the data protection program in the context of the organization.
  • Objectives of the compliance program.
  • Accountability: the traceability of the compliance model.
Information security
  • Regulatory framework. National Security Scheme and NIS directive: Directive (EU) 2016/1148 relating to measures aimed at guaranteeing a high common level of security for information networks in the Union. Scope of application, objectives, main elements, basic principles, and minimum requirements.
  • Cybersecurity and governance of personal data. Generalities, Mission, effective governance of Information Security (IS). Concepts of IS. Scope. IS government metrics. State of IS. IS strategy.
  • Implementation of data protection. Security by design and by default. The life cycle of Information Systems. Integration of security and privacy in the life cycle. Quality control of IS.
Data Protection Impact Assessment (DPIA)
  • Introduction and fundamentals of DPIA: origin, concept and characteristics of DPIA. Scope and need. Standards.
  • Carrying out an impact assessment. Preparatory and organizational aspects, analysis of the need to carry out the evaluation, and prior consultations.
Information regarding the AEPD Scheme
Hours of dedication: 75 hours – 3 ECTS.

Teachers: Genís Margarit (2.1, 2.2, 2.3, 2.4, 2.5)

Techniques for Information Security

The data protection audit
  • The audit process. General questions and approximation. Basic characteristics.
  • Preparation of the audit report. Basic aspects and importance of the data protection officer report.
  • Execution and monitoring of corrective actions.
Information Systems Audit
  • The Audit Function in Information Networks. Basic concepts. IS D25 Standards and Guidelines in a professional environment.
  • Internal control and continuous improvement. Good practices. Integration of data protection in the IS audit.
  • Planning, execution, and monitoring.
The management of the security of processing
  • National Security Scheme, ISO/IEC 27001:2013 (UNE ISO/IEC 27001:2014: Requirements of Information Security Management Systems, ISMS).
  • Asset Security Management. Logical and procedural security. Security applied to IT and documentation.
  • Disaster Recovery and Business Continuity. Protection of technical and documentary assets. Planning and Management of Disaster Recovery.
Other knowledge
  • Cloud computing.
  • Smartphones.
  • Internet of things (IoT).
  • Big data and profiling.
  • Social media.
  • User tracking technologies.
  • Blockchain and latest technologies.
Information regarding the AEPD Scheme
Hours of dedication: 50 hours – 2 ECTS.

Teachers: Genís Margarit (3.1, 3.2, 3.3), Ana Maria Freire (3.4), Albert Bel (3.4), Carlos Gómez (3.4).

Qualification obtained

Once you have passed the program, you will be awarded the electronic degree (e-Título) for the Curso de Postgrado en Protección de Datos y Seguridad de la Información, issued by Pompeu Fabra University.

The e-Título is an authentic digital degree, issued in pdf format and electronically signed, with the same legal validity as if it were in paper format.


Students receive interdisciplinary training given by lawyers and other law professionals from Pompeu Fabra University and experts in data protection, as well as in information and communication technology.

Academic directors

Antoni Rubí Puig

Associate Professor UPF


Ana Maria Freire Veiga

Senior Lecturer UPF-BSM
Director of the Academic Department of Operations, Technology & Science

Carlos Gómez Ligüerre

Associate Professor UPF


Completely face-to-face mode of education. It includes theoretical and practical training by teachers using the discussion of simulated cases and the active participation of the student.


Theoretical basis

The program of our university offers the student a theoretical basis on the role of the data protection officer through the modules or domains that make up its study plan, necessary for the optimal acquisition of knowledge and skills by the student who wishes to gain access to an expert position.


Practical cases

Together with the theoretical base taught by the teachers, the learning about data protection is strongly based on the resolution of problems by the student, through the discussion of hypothetical cases and the decisions of courts and data protection agencies.


Active student participation

The educational methodology of the program implies an active participation by the student in an expert educational environment made up of criminal law professionals and information technology professionals.


Adheres to the certification scheme

Both the content of data protection and its structure adhere to the Certification Scheme proposed by the AEPD, so that at the end of the postgraduate course, the participant does not have any difficulty in passing the certification exam as a DPO and accessing professions such as that of lawyer.


The evaluation of the different modules or domains that make up the postgraduate education program follows the guidelines set out by the AEPD Certification Scheme so that the course meets the requirements, and the students can take the certification exam and undertake professional practice as lawyers.

The three domains will be evaluated separately. Consequently, each student will have a separate grade for each of them. The value of each of the evaluations on the course is the following: Domain 1 (50%); Domain 2 (34%); and Domain 3 (16%).

The evaluation of the different Domains will consist of the following:

  1. General legal regulations on data protection: carrying out a multi-answer test of between 30 and 40 questions, on the different aspects discussed in the classes.
  2. Proactive responsibility: group realization of a practical case and presentation of its defence.
  3. Techniques for data protection: carrying out a multi-answer test of between 20 and 25 questions, on the different aspects discussed in the classes.

Any student who fails one of the domains will be able to carry out a recovery activity. Exceptionally, in the case of having obtained a grade higher than 4 and lower than 5 in one of the domains, the student may compensate the grade with the grades obtained in the other domains. It is necessary to obtain, at least, a 5 as a global postgraduate mark to pass it. Likewise, it is necessary to have attended 80% of the sessions.


The On-Campus&Live methodology allows you to follow the program in person and also remotely.

In this modality, two stable subgroups are opened that will coexist throughout the course: one face-to-face and the other with 100% remote students. The remote students (a maximum of 15 places per course) will follow the program in a synchronous way with the face-to-face students. That is, they will share the same school calendar and schedule as the face-to-face students.

Project-oriented learning and the combination of lectures and active methodologies such as case studies, flipped learning, solving real problems, and professional simulations allow the student to connect theory and practice, acquire advanced skills, and achieve learning which is transferable to the job. The face-to-face modality is enriched with elements of online programs (virtual learning environment, multimedia resources, among others) so that the learning experience of the two subgroups is equally satisfactory.

You will have:

  • Master's or postgraduate work to learn by doing
  • A personal mentor to monitor your Master's Final Project (TFM) or Postgraduate Final Project (TFP)
  • Digital resources to achieve transversal skills
  • Interdisciplinary activities and workshops
  • Digital resources and audiovisual blocks for online learning
  • Active methodologies for transferable learning

Professional Future

The credits of the degree prepare you following the AEPD certification scheme and, with the help of the teachers, they provide you with the tools and legal and technical skills to develop the functions inherent to the role of Data Protection Officer (DPO).

Student profile

Students who register are mainly senior, with several years of professional experience in law firms and in positions related to the data protection officer and of local origin. Students come mainly from the area of Law, although there are also profiles from other areas such as Economics, Business Administration and Management, Political Science, and Public Administration, as well as technology and communications. Students usually have some experience and knowledge as a DPO.


Career opportunities

Due to the number of credits of the university program on Data Protection, there is not an option to undertake extracurricular internships. The Postgraduate course complies with the duration requirement for hours foreseen in the certification scheme (Section 6.3) approved by the Spanish Data Protection Agency of 13 June 2018 and as such has been recognized by the Certification Institution ISMS Forum and by the Certification Institution Bureau Veritas.

Once the course is completed, the students may take the examination to obtain legal certification as a DPO.

  • Data Protection Officer in any organization or company of a public or private nature, inside or outside of Spain.

Admission and enrolment

Our admission process consists of a rigorous evaluation of each application to preserve the quality of the group as well as the training, experience, and work capacity of all students.

Who can apply?

You must be a university graduate or a higher graduate.

Other students without the required university degree may take part in the selection process for the data protection course by virtue of their academic or professional merits and the place of work they occupy.

Those students who do not have Spanish as one of their mother tongues or who did not have it as a teaching language in their training studies, must prove during the enrolment period that they have at least a B2 level of Spanish (Common European Framework of Reference), as well as fluently take part in a personal interview with the academic director, if necessary.

How to apply?

To apply for admission to this program, students must read and accept the Terms and Conditions of Contract once they start the application for admission through the following form.

Application for admission

Complete your application within the next admission rounds:

Round | Application deadline | Admission resolution

Applications for admission will be evaluated when you complete the following steps:

  • Complete the online admission form.
  • Pay the €120 admission fee. This amount will be returned if you are not admitted.
  • Send the following documents through the online platform e-registrar:
    • Presentation letter or video
    • CV
    • Scanned copy of university degree (if you are in the last year of your degree, you can provide your academic records)
    • Scanned copy of Transcript of Records. Make sure that it includes your GPA (Grade Point Average)
    • Scanned copy of ID Card or Passport
    • Passport-size photo (jpg format)

Additional documents may be requested in certain cases.
Application rounds are subject to the number of places available on the program.


  • The Admissions Committee will select the candidates on the basis of a personal or CV-based interview.
  • You will be notified of the admission decision in writing.


  • Registration must be paid within 15 days of admission.
  • Once the letter of acceptance to the program has been received, you will need to submit the following original documents before the course begins:
    • Stamped and/or authenticated photocopy of your university degree.
  • If you have a foreign degree, you may need to submit additional documents.
  • Paying the reservation fee (25% of the program's tuition fees) is essential in order to reserve your place.
  • If you pay the tuition fees by bank transfer you will be required to introduce the program code. The program code for this course is 3329.
  • The remaining tuition fees must be paid 2 weeks before the start of the course.

Grants, scholarships and financing


The UPF Barcelona School of Management offers you different means of financing so that you can take any of our programs without worry. We offer you the opportunity to finance part of your program, either by rewarding your talent through scholarships, through grants from entities dedicated to promoting education or through collaboration agreements with financial entities.

Grants and discounts

Application for admission
You are applying for admission to the program:
Postgraduate course in Data Protection and Information Security
Modality: On-campus&Live
Language: Spanish
Price: 2210
Admission fee: 120
We will deduct this amount from the total registration fee if your application is accepted. If your application is rejected, we will reimburse you.
