Data Protection Officer — the DPD function in Spain
The Data Protection Officer (DPD) informs, advises and monitors compliance with the GDPR and the LOPDGDD in the Spanish legal order, acting with independence before the Spanish Data Protection Agency.
The function
The Data Protection Officer is the figure to whom the General Data Protection Regulation entrusts informing and advising the organisation, monitoring compliance and cooperating with the supervisory authority. It does not decide the purposes or means of processing — that responsibility lies with the controller — but ensures, with technical independence, that data protection is taken seriously across the organisation.
Solutions
“We don't know whether we must appoint a DPO.”
A screening of the obligation under Article 37 GDPR and Article 34 LOPDGDD, with a documented conclusion.
“We have no record of processing activities.”
The construction of the Article 30 record and the data protection programme.
“We receive rights requests and claims and cannot handle them.”
Procedures and the DPO's intervention in claims before they reach the AEPD (Art. 37 LOPDGDD).
“We had a breach and don't know whether to notify.”
A response procedure with the assessment and the 72-hour notification to the AEPD.
“We are launching a product or AI system that processes a lot of data.”
A Data Protection Impact Assessment under Article 35 GDPR.
“Our internal DPO has a conflict of interest.”
An external DPO, independent and under a service contract, optionally certified under the AEPD-DPD Scheme.
“Our teams are not aware of data protection duties.”
Professional technical training and awareness programmes.
Anchored in the GDPR and the LOPDGDD
Before the AEPD and the regional authorities.
Services
| Service | Description |
|---|---|
| External DPO (DPO-as-a-Service) | The Data Protection Officer function provided under a service contract, with the qualification, independence a… |
| Data Protection Impact Assessment (DPIA) | Where processing is likely to result in a high risk to rights and freedoms, the controller must carry out a pr… |
| GDPR · LOPDGDD Readiness Diagnosis | A structured assessment of the organisation's maturity: the record of processing activities, the lawful bases,… |
| Personal Data Breach Response | A personal data breach must be notified to the AEPD without undue delay and, where feasible, within 72 hours; … |
| Training and Awareness | Awareness and training are a task of the DPO. We design and deliver programmes for staff and management on the… |
Sectors / Market
Public Sector and Administrations
For public authorities and bodies designation is mandatory; the LOPDGDD reinforces the duty across the state, regional and local public sector.
GDPR Art. 37; LOPDGDD Art. 34
Health, Associations and Universities
Healthcare centres, professional associations and universities are among the entities expressly required to appoint a DPO by Article 34 LOPDGDD.
LOPDGDD Art. 34
Banking, Insurance and Energy
Credit institutions, insurers, investment firms and energy and gas distributors are subject to mandatory designation.
LOPDGDD Art. 34
Technology, SaaS and Marketing
Platforms with large-scale systematic monitoring and providers that build profiles, at the intersection of the GDPR and the LSSI-CE.
GDPR Art. 37(1)(b); Law 34/2002
Data Protection Brief
The GDPR, the LOPDGDD and the AEPD, periodically.