We share recent press appearances by Antonia Nudman, senior associate at az Tech, in which she discussed in detail the new Regulation on the Infringement Prevention Model for data protection compliance programs.
The new regulation, which establishes guidelines and a certification scheme for data protection compliance programs, as provided for in Article 49 of the Personal Data Protection Law, is in the final stages of approval.
According to Antonia Nudman, Senior Associate at az Tech, Albagli Zaliasnik, “the regulations aim to establish the requirements, modalities, and procedures for the implementation, registration, and supervision of Infringement Prevention Models. Although their adoption is voluntary, it is made clear that this does not exempt those responsible from the duty to implement actions to prevent infringements and comply with the provisions of the Data Law.”
Compliance programs take the form of the Infringement Prevention Model and can be adopted by any data controller, whether a natural or legal person. Their main contents include:
- Identification of the data controller and their legal representative.
- Appointment of the Data Protection Officer (DPO), with definition of their means and powers.
  - The “DPO as a Service” modality is contemplated, with the obligation to always appoint a natural person in the contract.
- Characterization of the personal data processed, including categories, purposes, sources, legal bases, retention periods, and the existence of automated decisions.
- The option to keep a Processing Activity Log (RAT) with the minimum content defined in the regulation.
- Identification of higher-risk processing activities, incorporating them into a risk matrix graded according to the penalties provided for by law.
- Specific protocols, rules, and procedures so that persons involved in processing activities or processes can perform their tasks while preventing violations.
- Internal reporting and complaint mechanisms to the DPO, guaranteeing the confidentiality of the complainant’s identity and prohibiting unfavorable measures against them.
- Internal administrative sanctions and sanctioning procedures applicable for violations of internal regulations.
- Internal dissemination clauses and effective communication channels to ensure understanding and compliance with the program.
- Any other provision necessary or useful for compliance with the rules applicable to the protection of personal data.
Data Protection Officer (DPO) – Enhanced Functions
The document sets out in detail the role of the DPO, who becomes the technical and legal pillar of the Infringement Prevention Model (MPI, by its Spanish acronym). Their functions and obligations include, among others:
- Informing and advising the controller, third-party processors/agents, and employees on the legal provisions applicable to the processing of personal data.
- Participating in the review and modification of the compliance program, proposing adjustments when risks or opportunities for improvement are detected.
- Promoting the dissemination, knowledge, understanding, and compliance with the policy issued by the controller in the area of data protection.
- Supervising regulatory compliance, periodically evaluating the effectiveness of the measures adopted and verifying the correction of possible deviations.
- Reporting directly to the competent authority any infringement of the applicable data processing regulations of which they become aware, without interference from the controller.
- Promoting ongoing training and education of staff in data protection matters.
- Advising the controller on identifying the risks associated with the processing activities carried out by the entity and on adopting preventive measures.
- Ensuring secure and confidential channels of communication with data subjects, internal staff, and third parties, and safeguarding the confidentiality of whistleblowers’ identities.
Certification and supervision
The regulation establishes the procedure for the approval, certification, registration, implementation, and supervision of compliance programs.
Certification will be granted by the agency through a procedure initiated by the interested party; it is valid for three years and lapses on grounds such as revocation, dissolution of the legal entity, or voluntary cessation of activity.
Antonia Nudman warns that “although certification of the Infringement Prevention Model is formally optional, it is important to bear in mind that much of the content of the regulation corresponds to legal obligations that will come into force together with the new Personal Data Protection Law in 2026. In other words, it is not just a voluntary standard: several of the requirements included, such as the characterization of the data processed, transparency and information to data subjects, the identification of risky activities, and the existence of protocols and reporting channels, derive directly from the Law and must be complied with by all data controllers.”
The expert adds that “certification adds value as a mitigating factor and as a seal of good practice, but it does not exempt compliance with these measures. In practice, this regulation serves as a guide for structuring and demonstrating compliance, strengthening data governance, trust among data subjects and authorities, and proactive management of regulatory risks.”
Press coverage of the topic:
Portal Innova, September 17. [See here]
G5 Noticias, September 18. [See here]
Agricultura, September 21. [See here]