
Postgraduate Course in Data Protection and Information Security


The Postgraduate Course in Data Protection and Information Security provides students with the legal and technical tools and skills to perform, with full transparency, the functions inherent to the role of Data Protection Officer (DPO) and to manage personal data in companies and law firms inside and outside of Spain.

DPOOLPD
Next edition
Classes start: April 2024
Language: Spanish
Modality: On-campus
Schedule: Afternoons
Duration: 2 months
ECTS credits: 10
Price: 2500 €

The Postgraduate Course in Data Protection and Information Security from Pompeu Fabra University, taught by the UPF Barcelona School of Management, provides you with the education, tools and legal skills necessary to perform with total transparency the functions of the data protection officer of a company or organization, public or private, inside and outside Spain.

The General Data Protection Regulation (GDPR), which entered into force on May 25, 2018, reinforces privacy and provides a uniform legal regime for the protection of personal data in the European Union. As a result, a proactive responsibility model has been imposed on professional practice: those responsible for data processing must apply the technical and organizational measures necessary to ensure compliance with the regulations, and must also demonstrate a commitment to the protection of the personal data of interested parties.

The course on Data Protection complies with the duration requirement for hours foreseen in the certification scheme (Section 6.3) approved by the Spanish Data Protection Agency on June 13, 2018 and as such has been recognized by the Certification Institution ISMS Forum and the Certification Institution Bureau Veritas.

Once the course has finished, the students will be able to take the exam to obtain certification as a DPO in any of the authorized certifying entities.

Why choose this program

01

Gain access to training endorsed by the Spanish Data Protection Agency

The contents of the program comply with the legal requirement of duration in hours that the students must pass provided for in the Certification Scheme (Section 6.3) approved by the Spanish data protection regulations and as such has been recognized by the Certification Institution Bureau Veritas and by the Certification Institution ISMS Forum.

02

Get applied knowledge

This postgraduate prepares you to transparently identify if a certain legal activity, which involves personal data, complies with the GDPR and other applicable regulations, providing the technical and organizational knowledge to be able to comply with the provisions of the GDPR and other regulations applicable for lawyers and other professionals in the sector.

03

Learn from a multidisciplinary teaching team

A multidisciplinary team of teachers provides students with the legal knowledge necessary to train both in the field of law and in information and communication technologies.

04

Functions in great demand

The program prepares you at a professional level to develop the role of Data Protection Officer (DPO) in a company, one of the essential functions in any public or private organization.

Who is it for?

The Postgraduate Course in Data Protection and Information Security is aimed at those professionals (jurists, lawyers, engineers, and graduates in related disciplines) who already exercise or want to exercise the function of Data Protection Officer in companies within and outside of Spain, who want to specialize in the management of personal data, and/or want to be certified as a Data Protection Officer.

Accreditations

This course meets the maximum duration requirement in hours that the student must take (180h) provided for in the Certification Scheme (section 6.3) approved by the Spanish data protection regulations and as such has been recognized by the Certification Institution ISMS Forum (certificate) and by the Certification Institution Bureau Veritas (certificate). The UPF Barcelona School of Management complies with the Responsible Declaration and the Code of Ethics required by the Spanish Agency for Data Protection.

The course takes place in the On-Campus&Live modality and consists of 10 ECTS credits, which are equivalent to 250 hours of student dedication. According to the provisions of the AEPD-DPD scheme, 125 hours correspond to domain 1 (General data protection regulations, 5 ECTS), 75 hours to domain 2 (Active responsibility, 3 ECTS) and 50 hours to domain 3 (Techniques to guarantee compliance with data protection regulations and other knowledge, 2 ECTS).

 


Curriculum

The course at our university meets the maximum duration requirement in hours that the student must take (180h) provided for in the Certification Scheme (Section 6.3) approved by the Spanish data protection regulations and as such has been recognized by the ISMS Forum and Bureau Veritas.

It is structured through 3 large modules or domains oriented to the professional practice of lawyers and other related professions: General Data Protection Regulations (5 ECTS credits), Active Responsibility (3 ECTS credits) and Techniques for Information Security (2 ECTS credits).

Upon completion of the course, students will be able to sit the exam to become certified as an expert DPO in any of the accredited collaborating entities.


General Data Protection Regulations

  • Privacy and data protection on the international scene.
  • Data protection in Europe.
  • Data protection in Spain.
  • Standards and good practices.
  • Scope of application.
  • Definitions.
  • Obliged parties.
  • The right/duty pairing in data protection.
  • Legality of processing.
  • Loyalty and transparency.
  • Limitation of the purpose.
  • Data minimization.
  • Accuracy.
  • Consent: granting and revocation.
  • Informed consent: purpose, transparency, preservation, information, and duty of communication to the interested party.
  • Children's consent.
  • Special categories of data.
  • Data related to criminal offences and convictions.
  • Processing that does not require identification.
  • Legal bases other than consent.
  • Transparency and legal information.
  • Access, rectification, deletion (right to be forgotten).
  • Opposition.
  • Automated individual decisions.
  • Portability.
  • Limitation of processing.
  • Exceptions to rights.
  • Data protection policies and their transparency.
  • Legal position of the parties. Controllers, joint controllers, processors, sub-processors and their representatives. Relationships between them and their formalization.
  • The registration of processing activities: identification and classification of data processing.
  • Privacy by design and by default. Fundamental principles.
  • Impact assessment related to data protection and prior consultation. High-risk processing.
  • Security of personal data. Technical and organizational security.
  • Security violations. Notification of security breaches.
  • The Data Protection Officer (DPO). Regulatory framework.
  • Codes of conduct and certifications.
  • Designation. Decision-making process. Formalities in the appointment, renewal, and dismissal. Analysis of conflicts of interest.
  • Obligations and responsibilities. Independence. Identification and reporting to management.
  • Procedures. Collaboration, prior authorizations, relationship with interested parties and claims management.
  • Communication with the data protection authority.
  • Professional competence. Negotiation. Communication. Budgets.
  • Training.
  • Personal skills, teamwork, leadership, team management.
  • The adequacy decision system.
  • Transfers through adequate guarantees.
  • Binding Corporate Rules.
  • Exceptions.
  • Authorization of the control authority.
  • Temporary suspension.
  • Contractual clauses.
  • Control Authorities.
  • Powers.
  • Sanctions regime.
  • European Data Protection Board.
  • Procedures followed by the AEPD.
  • Jurisdictional protection.
  • The right to compensation.
  • Guidelines of the Article 29 Working Party.
  • Opinions of the European Data Protection Board.
  • Criteria of jurisdictional bodies.
  • Sanitary, Pharmaceutical, and Research Company.
  • Protection of minors.
  • Equity Solvency.
  • Telecommunications.
  • Video surveillance.
  • Insurance.
  • Advertising, etc.
  • LSSI, Law 34/2002, of 11 July, on services for the information society and electronic commerce in Spain
  • LGT, Law 9/2014, of 9 May, General Telecommunications
  • E-signature Law, Law 59/2003, of 19 December, on electronic signatures
  • e-Privacy Directive: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) or e-Privacy Regulation when approved.
  • Directive 2009/136/EC of the European Parliament and of the Council, of 25 November 2009, which modifies Directive 2002/22/EC on universal service and the rights of users in relation to networks and electronic communications services, Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No. 2006/2004 on cooperation in the field of consumer protection.
  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal sanctions, and the free circulation of said data and by which the Framework Decision 2008/977/JHA of the Council is repealed.
Information regarding the AEPD Scheme

Teachers: Antoni Rubí-Puig (1.1, 1.2, 1.3, 1.6, 1.11, 1.13, 1.14), Daniel Urbán (1.7), Carles San José (1.10), Esther Farnós (1.4), Rosa Milà (1.5), Sergi Gálvez (1.8), Daniel Caccamo (1.9), Jorge Monclús (1.12), Arnau Florensa (1.12)

Active Responsibility

  • Introduction. General framework for risk assessment and management. General concepts.
  • Risk evaluation. Inventory and valuation of assets. Inventory and assessment of threats. Existing safeguards and assessment of their protection. Resulting risk.
  • Risk management. Concepts. Implementation. Selection and assignment of safeguards to threats. Protection assessment. Residual risk, acceptable risk, and unacceptable risk.
  • The design and implementation of the data protection program in the context of the organization.
  • Objectives of the compliance program.
  • Accountability: the traceability of the compliance model.
  • Regulatory framework. National Security Scheme and NIS directive: Directive (EU) 2016/1148 relating to measures aimed at guaranteeing a high common level of security for information networks in the Union. Scope of application, objectives, main elements, basic principles, and minimum requirements.
  • Cybersecurity and governance of personal data. Generalities, mission, effective governance of Information Security (IS). Concepts of IS. Scope. IS governance metrics. State of IS. IS strategy.
  • Implementation of data protection. Security by design and by default. The life cycle of Information Systems. Integration of security and privacy in the life cycle. Quality control of IS.
  • Introduction and fundamentals of DPIA: origin, concept and characteristics of DPIA. Scope and need. Standards.
  • Carrying out an impact assessment. Preparatory and organizational aspects, analysis of the need to carry out the evaluation, and prior consultations.
Information regarding the AEPD Scheme

Teachers: Genís Margarit (2.1, 2.2, 2.3, 2.4, 2.5)

Techniques for Information Security

  • The audit process. General questions and approximation. Basic characteristics.
  • Preparation of the audit report. Basic aspects and importance of the data protection officer report.
  • Execution and monitoring of corrective actions.
  • The Audit Function in Information Networks. Basic concepts. IS D25 Standards and Guidelines in a professional environment.
  • Internal control and continuous improvement. Good practices. Integration of data protection in the IS audit.
  • Planning, execution, and monitoring.
  • National Security Scheme, ISO/IEC 27001:2013 (UNE ISO/IEC 27001:2014: Requirements of Information Security Management Systems, ISMS).
  • Asset Security Management. Logical and procedural security. Security applied to IT and documentation.
  • Disaster Recovery and Business Continuity. Protection of technical and documentary assets. Planning and Management of Disaster Recovery.
  • Cloud computing.
  • Smartphones.
  • Internet of things (IoT).
  • Big data and profiling.
  • Social media.
  • User tracking technologies.
  • Blockchain and latest technologies.
Information regarding the AEPD Scheme

Teachers: Genís Margarit (3.1, 3.2, 3.3), Ana Maria Freire (3.4), Albert Bel (3.4), Carlos Gómez (3.4).

Note on the Curriculum

The information contained in these pages is for information purposes only and may be subject to change in the adaptation of each academic year. The definitive guide will be available to students in the virtual space before the start of each subject.

Complementary activities

The Postgraduate Course in Data Protection and Information Security also includes the possibility of participating in practical activities and activities for personal and professional growth such as:

  • UPF-BSM Inside: is a group of interdisciplinary subjects (applied data, communication, creativity, innovation and project management, sustainability and leadership among others) that, if you take this program, you can access at no additional cost. They are 100% online and you can take them throughout the academic year at your own pace, as they have been designed as self-study subjects.

Qualification obtained

Once you have passed the program, you will obtain an electronic degree (e-Título) for Curso de Postgrado en Protección de Datos y Seguridad de la Información, issued by Pompeu Fabra University.

The e-Título is an authentic digital degree, issued in pdf format and electronically signed, with the same legal validity as if it were in paper format.

Faculty

Students receive interdisciplinary training given by lawyers and other law professionals from Pompeu Fabra University and experts in data protection, as well as in information and communication technology.

Academic directors

Faculty

Collaborating faculty

  • Albert Bel
    Engineer in Telecommunication.
    Pompeu Fabra University Lecturer. Department of Information Technologies and Communications.
  • Esther Farnós
    Professor of civil law at UPF.
  • Arnau Florensa
    Graduated in Law, Pompeu Fabra University. Lawyer specialized in Data Protection and Privacy.
  • Daniel Caccamo
    Attorney. Legal advice on innovation and privacy at CaixaBank. Specialist in personal data protection.
  • Sergi Gálvez
    Graduated in Law, Pompeu Fabra University. Master in Law, Esade Business & Law School.
    Cuatrecasas. Associate, Department of Intellectual Property and Data Protection.
  • Rosa Milà
    Law degree and LL.M. in Private and Business Law from Pompeu Fabra University.
  • Jorge Monclús
    Senior partner attorney of the Intellectual Property and Information Technology department at Cuatrecasas.
  • Genís Margarit
    Technological security auditor and cybersecurity consultant. Telecommunications Engineer and Electronic Systems Engineer.
  • Carles San José
    Head of inspection of the Catalan Data Protection Agency (ACPD). (TBC)
  • Daniel Urbán
    Bachelor of Laws. Universidad de Barcelona
    Director of Corporate Counsel. TYPEFORM, SL

Methodology

Completely face-to-face mode of education. It includes theoretical and practical training by teachers using the discussion of simulated cases and the active participation of the student.

01

Theoretical basis

The program of our university offers the student a theoretical basis on the role of the data protection officer through the modules or domains that make up its study plan, necessary for the optimal acquisition of knowledge and skills by the student who wishes to gain access to an expert position.

02

Practical cases

Together with the theoretical base taught by the teachers, the learning about data protection is strongly based on the resolution of problems by the student, through the discussion of hypothetical cases and the decisions of courts and data protection agencies.

03

Active student participation

The educational methodology of the program implies an active participation by the student in an expert educational environment made up of criminal law professionals and information technology professionals.

04

Adheres to the certification scheme

Both the content of data protection and its structure adhere to the Certification Scheme proposed by the AEPD, so that at the end of the postgraduate course, the participant does not have any difficulty in passing the certification exam as a DPO and accessing professions such as that of lawyer.

Evaluation

The evaluation of the different modules or domains that make up the postgraduate education program follows the guidelines set out by the AEPD Certification Scheme so that the course meets the requirements, and the students can take the certification exam and undertake professional practice as lawyers.

The three domains will be evaluated separately. Consequently, each student will have a separate grade for each of them. The value of each of the evaluations on the course is the following: Domain 1 (50%); Domain 2 (34%); and Domain 3 (16%).

The evaluation of the different Domains will consist of the following:

  1. General legal regulations on data protection: carrying out a multi-answer test of between 30 and 40 questions, on the different aspects discussed in the classes.
  2. Proactive responsibility: group realization of a practical case and presentation of its defence.
  3. Techniques for data protection: carrying out a multi-answer test of between 20 and 25 questions, on the different aspects discussed in the classes.
     

Any student who fails one of the domains will be able to carry out a recovery activity. Exceptionally, in the case of having obtained a grade higher than 4 and lower than 5 in one of the domains, the student may compensate the grade with the grades obtained in the other domains. It is necessary to obtain, at least, a 5 as a global postgraduate mark to pass it. Likewise, it is necessary to have attended 80% of the sessions.

Tools

The On-Campus&Live methodology allows you to follow the program in person and also remotely.

In this modality, two stable subgroups are opened that will coexist throughout the course: one face-to-face and the other with 100% remote students. The remote students (a maximum of 15 places per course) will follow the program in a synchronous way with the face-to-face students. That is, they will share the same school calendar and schedule as the face-to-face students.

Project-oriented learning and the combination of lectures and active methodologies such as case studies, flipped learning, solving real problems, and professional simulations allow the student to connect theory and practice, acquire advanced skills, and achieve learning which is transferable to the job. The face-to-face modality is enriched with elements of online programs (virtual learning environment, multimedia resources, among others) so that the learning experience of the two subgroups is equally satisfactory.

You will have:

  • Master's or postgraduate work to learn by doing
  • A personal mentor to monitor your Master's Final Project (TFM) or Postgraduate Final Project (TFP)
  • Digital resources to achieve transversal skills
  • Interdisciplinary activities and workshops
  • Digital resources and audiovisual blocks for online learning
  • Active methodologies for transferable learning
 

Professional Future

The credits of the degree prepare you following the AEPD certification scheme and, with the help of the teachers, they provide you with the tools and legal and technical skills to develop the functions inherent to the role of Data Protection Officer (DPO).

Student profile

Students who register are mainly senior, with several years of professional experience in law firms and in positions related to the data protection officer and of local origin. Students come mainly from the area of Law, although there are also profiles from other areas such as Economics, Business Administration and Management, Political Science, and Public Administration, as well as technology and communications. Students usually have some experience and knowledge as a DPO.

Average age: 42

Previous training in Law: 81%

Career opportunities

Due to the number of credits of the university program on Data Protection, there is no option to undertake extracurricular internships. The Postgraduate course complies with the duration requirement for hours foreseen in the certification scheme (Section 6.3) approved by the Spanish Data Protection Agency on 13 June 2018 and as such has been recognized by the Certification Institution ISMS Forum and by the Certification Institution Bureau Veritas.

Once the course is completed, students will be able to take the exam to obtain the DPD certification under the AEPD Certification Scheme.

  • Data Protection Officer in any organization or company of a public or private nature, inside or outside of Spain.