Presentation and objectivesThe Spanish constituent was ahead of its time by providing in art. 18.4 of the Constitution, the legal limitation of the use of information technology to guarantee the full use of fundamental rights. This is recognized, moreover, by the Explanatory Memorandum of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, stating that “the constituents of 1978 already sensed the enormous impact that technological advances would cause in our society and, in particular, in the enjoyment of fundamental rights ”.
The right to the protection of personal data is also recognized by article 8 (1) of the Charter of Fundamental Rights of the European Union, and by article 16 (1) of the Treaty on the Functioning of the European Union (TFEU) , and at the UN level, two resolutions have been adopted on the right to privacy in the digital age. These resolutions condemn large-scale surveillance activities and highlight their implications for fundamental rights to privacy and freedom of expression, as well as for the functioning of a democratic society. Although they are not legally binding, they led to the appointment of a Special Rapporteur on the right to privacy, with a mandate to promote and protect this right.
Precisely, as the United Nations Special Rapporteur, Mr. F. La Rue, has stated, access to the Internet has been recognized as an instrumental right derived from freedom of opinion, expression, information and communication. In his view, the right to freedom of opinion and expression is much more than a fundamental right, since by itself it can 'enable' other rights, including rights of economic, social and cultural content, such as the right to education, the right to participate in cultural life and enjoy the benefits of scientific progress and its applications. In this sense, it acts as a 'catalyst' for the exercise by citizens of their right to freedom of opinion and expression as well as other human rights [United Nations. General Assembly. Human Rights Council. Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (16 May 2011)].
However, at the same time, the Internet is becoming an area in which the rights of citizens are exposed to new threats against which public powers must develop adequate protection mechanisms. This affects, in particular, personal data and the possible risks to which they are exposed both from the perspective of the assignment and the transfer of data.
In the field of personal data transfer, the European Union has once again established a milestone in the history of personal data protection, through the approval of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 February April 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and by which Directive 95/46 / EC (known as the General Data Protection Regulation) is repealed , hereinafter RGPD), whose entry into force took place on May 25, 2018. As is known, in development of the provisions of the RGPD, Organic Law 3/2018, of December 5, on Protection of Personal Data has been approved and Guarantee of Digital Rights (LOPDGDD). The new regulation maintains the consideration of personal data, with respect to all information about an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person, although it is not a right of an absolute nature and can be weighed against other fundamental rights in accordance with the principle of proportionality.
From these premises, the RGPD is based on two pillars. On the one hand, it aims to achieve effective protection of the personal data of Union citizens by reinforcing and specifying the rights of the data subjects and the obligations of those responsible and those in charge of processing personal data. On the other hand, it aims to establish coherent and uniform rules that favor the free circulation of personal data within the internal market or European Economic Area (EEA). As referred to in point 2 of the Scientific Technical Report, this objective of the RGPD, specified as detailed, constitutes the starting hypothesis of the Project that is requested.
In order to harmonize the free circulation of personal data in the EEA with the adequate guarantee of this fundamental right, the RGPD incorporates as a novelty with respect to Directive 95/46 / CE, the principle of active responsibility or accountability (art. 5.2) . This responsibility model supposes the passage from the previous checklist system, in which the European and national legislator exhaustively enunciated the objectives to be met by the operators and they simply had to verify compliance with these obligations, to a responsibility model in the that the operators, taking into account the treatment operations that are intended to be carried out, and based on an approach that must take into account, essentially, the risk to personal data derived from that treatment, must determine which are the obligations to comply.
Thus, the Statement of Motives of the LOPDGDD recognizes that the greatest novelty of the RGPD consists of “the evolution of a model based, fundamentally, on the control of compliance to another that rests on the principle of active responsibility, which requires a prior assessment by the person in charge or by the person in charge of the treatment of the risk that the treatment of personal data could generate in order, based on said assessment, to adopt the appropriate measures ”.
In this context, the figure of the Data Protection Delegate acquires outstanding importance in Regulation (EU) 2016/679, of the European Parliament and of the Council, of April 27, 2016, regarding natural persons with regard to the processing of personal data and the free circulation of these data and by which Directive 95/46 / CE (General Data Protection Regulation) is repealed.
Specifically, it contemplates its existence:when the data processing is carried out by a public authority or body
When the data processing consists of operations that, due to their nature, scope or purposes, require a regular and systematic observation of interested parties on a large scale, or
when special categories of personal data are processed on a large scale that reveal ethnic or racial origin, political opinions, religious or philosophical convictions, union affiliation and the processing of genetic data, biometric data aimed at uniquely identifying a person physical data, data related to your health or data related to your life or sexual orientation, as well as data related to convictions and criminal offenses, provided that the consent of the interested party mediates, the treatment is necessary for the fulfillment of obligations and enjoyment of rights in the field of labor relations and social security and protection, is necessary for the protection of vital interests of the interested party, in the case of data that the interested party has made manifestly public, the treatment is necessary for the formulation, exercise or defense of claims or the courts act in the exercise of the judicial function, the treatment is necessary by r essential public interest reasons, for preventive or occupational medicine purposes, or for public interest archiving purposes (arts. 37, in relation to arts. 9 and 10 General Data Protection Regulation (EU)).In development of art. 37 of the General Data Protection Regulation (EU), Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, dedicates its Title III to the regulation of the figure of the Protection Delegate of Data in Spain, foreseeing its designation in (art. 34):Professional Associations and General Councils;
Teaching Centers at any of the levels provided for in the LOE, as well as in public and private Universities;
Entities that operate networks and provide electronic communication services when processing personal data on a large scale;
Providers of services of the information society when they elaborate on a large scale user profiles;
Organization, supervision and solvency entities of credit institutions;
Insurance and reinsurance entities;
Investment services companies regulated by the Securities Market legislation;
Distributors and marketers of electricity and natural gas;
Entities that carry out advertising and commercial prospecting activities, including commercial and market research activities when preparing profiles of those affected;
Issuing entities of commercial reports relating to natural persons;
Operators that carry out activities related to gambling through electronic, computer, telematic and interactive channels;
Private security companies;
Sports federations when they process data of minors.Likewise, Spanish legislation has provided in detail for the qualification of the Data Protection Delegate, providing (art. 35) his designation through certification mechanisms that will take into account the obtaining of a university degree that accredits specialized knowledge in law and practice of data protection.
As a development, in turn, of this legal provision, the Spanish Agency for Data Protection has developed a Data Protection Certification Scheme (AEPD-DPD Scheme), in order to establish general lines that regulate the Certification of Persons for the category of Data Protection Delegate, and the interrelationships between the different Agents that will be involved in said certification.
Consequently, the figure of the Data Protection Delegate has a wide field of intervention foreseen by Spanish legislation, which also translates into terms of job offers in multiple economic and institutional sectors that, from now on, must be covered to comply to legal requirements.Access RequirementsBe in possession of a Bachelor's degree, prove professional experience in the treatment of data protection, or the performance of work activity that involves processing of personal data.Admission criteriaApplications submitted to study the Diploma of Specialization in Data Protection in the Digital Society in accordance with the requirements set by the UNIA, will be evaluated by the Academic Committee based on previous professional experience in the field of accredited data protection and, in its default, to the official academic record. Exceptionally, at the request of the interested party, the Postgraduate Commission may authorize a conditional enrollment for those students who certify that they have passed at least ninety percent of the credits of one of the required degrees, excluding the Final Degree Project and external practices .
In this situation, obtaining the degree is conditional on the applicant meeting the requirements for access to the postgraduate degree in a period that may not exceed two years from the date of completion of the studies (Rgtº EP and FC UNIA )Academic program30 ECTS, distributed in the following modules:Module 1. Data protection at the international, supranational and national level. General and sectoral regulations (14 ECTS). 12/01/2020 to 03/12/2021
Module 2. Active responsibility in the protection of personal data (7 ECTS) 03/15/2021 to 05/07/5021
Module 3. Active responsibility and techniques to guarantee compliance with the Data protection regulations (4 ECTS) 05/10/2021 to 07/02/2021
Final Project (5 ECTS) 07/07/2021 to 07/14/2021