Skip to content

Training Program Data Protection Officer


In Articles 37 to 39 of the GDPR, the legislator has elaborated on the role and necessity of appointing a Data Protection Officer (DPO) by controllers (companies and institutions) and processors (companies to whom work has been outsourced). In short, a DPO monitors the effective protection of personal data by controllers and processor(s). The DPO is also the point of contact for data subjects (employees, citizens, patients and consumers, for example) whose personal data are processed. The DPO also has an important advisory role towards the controller and processor.

The role description of the DPO is broad, which is confirmed by case law and the guidelines of the European Data Protection Board (EDPB). It is the responsibility of the controller and processor to appoint a DPO appropriate to the business activities and the resulting data protection risks.

The two-year post-bachelor level data protection officer training is in line with this broad role description in the GDPR. In addition to theoretical and legal knowledge, this training also provides practical skills aimed at taking effective management and security measures in a risk-oriented manner and organizing compliance with legal and contractual obligations.


We recognize the following categories of courses:

In consultation with the Duthler Academy training coordinator, the student determines a learning path for taking the 30 courses from the categories mentioned above. After this, the student, or rather the aspiring DPO (ADPO), starts the DPO training program. Every time a course is completed, the ADPO takes an exam and the teacher assesses the answers or papers.

An overview of the training:

Formal Legal

The GDPR came into effect in 2016. The GDPR became applicable in 2018. Case law, fine decisions from supervisors and guidelines from the EDPB now provide further details on the GDPR. The development of European and national related legislation and regulations does not stand still. We note that the formal legal framework for protecting personal data is continuing to develop.

An overview of the category of Formal Legal courses.

  • Overview of current privacy laws and regulations
  • Case law, decisions and guidelines
  • Monitoring and enforcement of the GDPR
  • The GDPR in an international perspective: Europe and transfers to third countries
  • The GDPR in an international perspective: tools for transfers to third countries
  • Privacy and related national legislation
  • Privacy and related international law

Governance & Compliance

Organizing the effective protection of personal data requires the continuous attention of company management, management and employees. The legal role of the DPO fits the company management into the organization of the existing governance. The nature and scope of the business activities and how they are effectively organized with business processes that include internal control measures have an impact on the tasks of the DPO. The GDPR assumes that a risk analysis is carried out on business activities and the associated data processing. We also call this a DPIA. The results of the DPIA determine the structure of an organization’s governance and compliance.

An overview of the category of Governance & Compliance courses:

  • The DPO: position, duties, powers and responsibilities
  • Peer consultation
  • The GDPR, the privacy policy, the standards framework and privacy framework
  • Internal and external privacy policy
  • Governance and compliance: legislation in a broader perspective
  • Governance and compliance: further elaborated
  • A data breach and being prepared for it
  • How can and should I act after a data breach?

Organizing business activities

This section focuses on the impact of the GDPR on the organization of business activities. Business activities are carried out with business processes. Business processes are supported by IT systems and controlled by management and employees. The internal controls, or “non-functional requirements” are included “by design” in the IT systems and employees are aware and trained to ensure that personal data is effectively protected. There is “compliance by default” with legal and contractual obligations, in particular the protection of personal data. These legislator requirements for controllers require new organizational concepts, IT architectures and IT systems. With the arrival of cloud service providers that systematically and rigidly apply the “zero trust” architecture, a good step in the right direction is to ensure that the processing of company and personal data is compliant with legal obligations.

An overview of the category of courses Organizing business activities:

  • Overview and insight into responsibilities & liabilities
  • Transparency and rights of data subjects
  • Information security, the basis for privacy protection
  • Information security, detailed
  • Lifecycle data protection management
    • Architectures and principles
    • Models and Attribute Based Credentials
    • Setting up an appointment complex
  • Privacy by design and privacy by default
  • Retention periods
  • Data portability
  • Profiling

Assessments & Audits

The legal context of data protection affects the social accountability framework of financial and tax reporting. How can company management justify the effective operation of management and security measures when processing personal data? Generally accepted accounting is needed. A practical set of instruments is needed for carrying out assessments (Data Privacy Impact Assessment, DPIA). The effective protection of personal data will be included in the social accountability of the company management and the confirmation of this by a certified auditor.

An overview of the category of courses of Assessments and Audits.

  • Privacy accounting
  • DPIA, theoretical framework
  • DPIA, practical application
  • From assessments to auditing

Organization of the training

We offer all participants in the Data Protection Officer training program a personal learning environment. The Data Protection Officer training program can be followed in this learning environment. Does the participant wish to use a company-specific learning environment? Please contact us.

The theory for each course of the training can be found in the learning environment. Each course has a workshop in which the theory is explained in more detail, in which a case is discussed, practical examples are discussed and in which there is plenty of room to ask questions.


Since the entry into force of the GDPR, there has been a permanent demand from companies and institutions for Data Protection Officers (DPOs). Company management must be able to assume that the knowledge level of the DPO to be appointed is appropriate. Duthler Academy offers company management the comfort of solid training for a DPO, which includes a permanent education program.

We are happy to mediate between aspiring DPOs and companies that are looking for a suitable DPO. We would also like to talk to aspiring DPOs about their career prospects and how they can prepare for them.

DPO Register and the PE program

All participants in the Data Protection Officer training will be included in the DPO Register. The DPO Register contains both certified DPOs and aspiring DPOs. After successfully completing the first seven modules of the DPO training, you can already be included as a prospective DPO in the DPO Register of Duthler Academy.

A registered Data Protection Officer (RDPO) follows the PE program to remain registered as an RDPO.

Registration and investment

Interested parties who would like to receive further training in one or more parts of this course are very welcome to follow one or more courses of this course.

Each course costs €500 (excluding VAT). Private individuals and government institutions are exempt from VAT.

For the awareness training, the three-day training on protecting personal data or the data protection officer training, we consult with you about what you want and how we can best meet your expectations.

Complete the registration form and we will contact you.