Ficha

Versión en español

Course: 2025/2026

Supervision, control, audit and security measures

(12208)

Master in Telecommunications Law and Information Technology (Plan: 314 - Estudio: 299)

EPD

Coordinating teacher: SERNA BILBAO, MARIA NIEVES DE LA

Department assigned to the subject: Pascual Madoz Institute of Land, Urbanism and Environment

Type: Compulsory

ECTS Credits: 3.0 ECTS

Course: 1º

Semester: 1º

Requirements (Subjects that are assumed to be known)

(M2.A1) Fundamentals and Legal Framework of Personal Data Protection

Objectives

The main objective of this course is to provide specialized training in supervision, control, auditing, and the implementation of security measures in the field of personal data protection. The course addresses the study of proactive accountability measures, audits, risk analysis and management methodologies, sanctioning procedures, and judicial protection mechanisms. The goal is for students to acquire the necessary and up-to-date knowledge of the different components of the syllabus, supported by teaching delivered by experienced academics and industry professionals. Training includes not only the theoretical framework but also the practical and technical aspects required to meet the objectives of the professional specialization programme in privacy and data protection, as required by the Data Protection Officer (DPO) Certification Scheme of the Spanish Data Protection Agency (DPA). In light of this, the course aims to achieve the following general and specific objectives: General Objectives: - To fulfil, apply, and further develop the goals of the professional training programme in privacy and data protection, in accordance with the DPO Certification Scheme established by the Spanish Data Protection Agency. - To develop the ability to interpret the legal and organizational framework of data protection, with particular emphasis on proactive accountability and ISO standards. - To analyse, plan, evaluate, and manage the risks arising from non-compliance with data protection legislation, and to assess the appropriate proactive measures required in each case. - To foster critical analysis of legal texts for their correct interpretation and, where applicable, their practical application to the subject matter of the master¿s programme. - To assess regulatory impact and its relationship to users¿ rights in areas covered by the course. - To develop the ability to apply knowledge to real-life situations, identifying solutions aligned with legal frameworks and technological developments. Specific Objectives: - To understand supervision, control, auditing, and the adoption of security measures in the field of personal data protection. - To grasp the mechanisms involved in supervision, control, auditing, and security measures, and their impact on data protection, with particular emphasis on risk analysis and management, as well as ISO standards. - To understand the legal limits of technology use, ensuring its application does not infringe the right to personal data protection, and to become familiar with the necessary proactive security measures, controls, audits, and risk assessments. - To interpret, analyse, and assess applicable data protection regulations in order to provide informed legal advice on course-related matters. - To differentiate among the security measures that must be adopted (control mechanisms, audits, risk assessments, etc.) in order to protect data protection rights as well as related rights. - To identify and understand the roles, rights, and obligations of all stakeholders involved in data protection activities. - To identify and understand the institutions operating in this field, including their responsibilities, actions, and resolutions. - To be capable of providing legal advice on proactive measures and on the processes of supervision, control, and auditing to uphold the right to personal data protection. .

Learning Outcomes

Link to document

Description of contents: programme

II . Monitoring , control, audit and security measures ( 3 ECTS ) 1. Security measures and proactive accountability in personal data protection 2. The sanctioning procedure and judicial protection 3. Data audits of information systems 4. Risk analysis and management of personal data processing and methodologies 5. Practical case studies

Learning activities and methodology

Learning Activities ¿ Theoretical and practical classes ¿ Individual or group student work, including in-class presentation and defense of assignments ¿ Resolution of practical case studies Active student participation in sessions is essential. As this is an in-person Master's programme, class attendance is mandatory to receive a grade. Students must comply with the attendance requirements established in the Master's academic regulations and on Aula Global in order to be assessed. The methodology to be followed in this course is as follows: ¿ In-class presentations by various instructors, supported by digital and audiovisual media, where the main concepts of the subject are developed and recommended readings are provided to complement students¿ learning. ¿ Critical reading of texts recommended by the course lecturer to broaden and consolidate knowledge of the subject, which may be followed by class discussions. ¿ Resolution of practical cases or the drafting of legal reports, opinions, etc., as proposed by the lecturer, for individual or group resolution. ¿ Presentation and discussion in class¿moderated by the lecturer¿of training materials related to the subject, including the students' comprehension and exposition of those materials. Tutoring Students will have access to tutoring sessions with the course coordinator. The aim of tutoring is to support the teaching and learning process through interaction between the student and the instructor, with the following objectives: (i) To guide students in their independent and group work (ii) To explore specific aspects of the subject in greater depth (iii) To support the student¿s academic and holistic development Tutoring sessions will take place at the times and under the conditions specified in Aula Global.

Assessment System

% end-of-term-examination/test 50
% of continuous assessment (assigments, laboratory, practicals...) 50

Calendar of Continuous assessment

The purpose of the assessment is to determine the extent to which the intended learning objectives have been achieved. The final grade reflects the knowledge acquired by students through the course¿s assessment system, which combines the following components and weightings:

(i) Final Exam (50%) ¿ An individual multiple-choice test covering both theoretical content and practical case scenarios.
(ii) Continuous Assessment (50%) ¿ Based on various activities such as solving practical cases and exercises, comprehension, presentation, and oral defense of assigned tasks.

Students are required to attend all scheduled theoretical and practical sessions. They may only miss up to 15% of total in-class hours (not sessions or days) per subject without justification. In cases of justified absences, the total permitted may increase to 25%. Exceeding these limits will result in a grade of ¿0¿ in continuous assessment. Additionally, lower attendance within the allowed range may be taken into account to reduce the final continuous assessment score.

In the resit session, students who followed continuous assessment are entitled to retain their continuous assessment grade (if it is beneficial). Students who did not follow continuous assessment may take a final exam worth 70% of the total course grade.

Students who do not take the final exam in either the ordinary or extraordinary session will be recorded as Not Submitted.

Guidelines on the Use of Artificial Intelligence Tools

In this course, artificial intelligence tools may be used under the terms set forth by the University Library: https://uc3m.libguides.com/TFM/IAGenerativa. It is mandatory to include a properly completed ¿Declaration of Use of Generative AI¿: http://uc3m.libguides.com/ld.php?content_id=35415901.
In addition, all AI-generated content included in the submitted work must be explicitly and clearly cited, in accordance with the guidelines published by the Library. Failure to submit this declaration, or submitting a false one, will result in a failing grade (0) and may lead to disciplinary proceedings and other possible consequences.

Basic Bibliography

Lefebvre. Memento Protección de Datos y Derechos Digitales . Lefebvre ISBN: 978-84-19573-41-4. ultima edición
GALÁN PASCUAL, C. La certificación como mecanismo de control de la inteligencia artificial en Europa¿. Instituto Español de Estudios Estratégicos ¿ . Instituto Español de Estudios Estratégicos ¿ Ministerio de Defensa . Mayo, 2019
GALÁN PASCUAL, C.. Guía de Seguridad de las TIC - CCN-STIC 801 ENS: Responsabilidades y Funciones.¿. Centro Criptológico Nacional ¿ Centro Nacional de Inteligencia - Ministerio de Defensa . (Marzo, 2019)
GALÁN PASCUAL, C.. ¿Un libro blanco para la cooperación público-privada en ciberseguridad¿. . Real Instituto Elcano (Junio, 2019). (Junio, 2019)
JAVIER PUYOL. LIBRO DE TEST DELEGADO DE PROTECCIÓN DE DATOS (DPO) DOMINIO II. TIRANT LO BLANCH. ULTIMA EDICIÓN
JAVIER PUYOL. Estudios sobre derecho de compliance . TIRANT LO BLANCH. ULTIMA EDICIÓN
JAVIER PUYOL MONTERO. El Modelo de Evaluación de Riesgos en la Protección de Datos EIPD/PIAs (Guías Prácticas). TIRANT LO BLANCH. ULTIMA EDICIÓN
VVAA. Comentario al Reglamento General de Protección de Datos y a la Ley Orgánica de Protección de Datos personales y Garantía de los Derechos Digitales. Civitas, 2021, ISBN: 978-84-9197-927-2. 2021

Electronic Resources *

AEPD · GUIA DE SEGURIDAD DE DATOS : http://https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Guias/GUIA_SEGURIDAD_2010.pdf
ALICANTE · AUDITORIA : http://http://www.telecomunicacionesalicante.com/informatica/la_auditoria_de_proteccion_de_datos.html
Agencia de la Unión Europea para la Ciberseguridad (ENISA) · INGENIERÍA DE LA PROTECCIÓN DE DATOS De la teoría a la práctica (2022), : http://https://www.aepd.es/documento/enisa-ingenieria-de-la-proteccion-de-datos.pdf
BOE · -Código Electrónico de Protección de Datos- BOE-: : http:// https://www.boe.es/biblioteca_juridica/codigos/codigo.php?modo=2&id=055_Proteccion_de_Datos_de_Caracter_Personal
CNI · CENTRO CRIPTOLOGICO : http://https://www.ccn-cert.cni.es/es/
Guardia Civil. Grupo de Delitos Telemáticos · DELITOS TELEMATICOS : https://www.gdt.guardiacivil.es/webgdt/home_alerta.php
INCIBE · INCIBE : http://https://www.incibe.es/
INTERNET NEGRO · RECOMENDACIONES PAPAS : http://http://trankipapas.blogspot.com.es/2016/
POLICIA · ¿BRIGADA DE INVESTIGACIÓN TECNOLÓGICA : http://www.policia.es/org_central/judicial/udef/bit_alertas.html
UE · El Manual del DPD (Delegado de Protección de Datos) Guía para los Delegados de Protección de Datos en los sectores públicos y semi-públicos sobre cómo garantizar el cumplimiento del RGPD UE : http://https://www.aepd.es/documento/el-manual-del-dpd-korffgeorges-esp.pdf
UE · ENISA : http://- https://european-union.europa.eu/institutions-law-budget/institutions-and-bodies/search-all-eu-institutions-and-bodies/european-union-agency-cybersecurity-enisa_es

Additional Bibliography

PUYOL MONTERO, J. Libro de Test Delegado de Protección de Datos (DPO). Tirant Lo Blanch. utlima edición
PUYOL MONTERO, J. Libro de Test Delegado de Protección de Datos (DPO). Tirant Lo Blanch. 2018
TOURIÑO A . Derecho digital: De la protección de datos a la ciberseguridad. The Valley, Digital Business School.. 2018
Velasco Núñez, Eloy. Delitos cometidos a través de internet. Cuestiones procesales. Ed. La Ley. 2010

Electronic Resources *

(*) Access to some electronic resources may be restricted to members of the university community and require validation through Campus Global. If you try to connect from outside of the University you will need to set up a VPN

The course syllabus may change due academic events or other reasons.

More information: https://www.uc3m.es/master/derecho-telecomunicaciones