Mandatory designation of the DPO
Who must appoint a Data Protection Officer in Spain.
The GDPR requires the designation of a Data Protection Officer in three general cases. The LOPDGDD, in Article 34, goes further and expressly lists a broad set of obliged entities, making Spain one of the most demanding legal orders.
Whether designated mandatorily or not, the entity must communicate the appointment — and removals — to the AEPD within ten days. The Agency maintains a public register of Data Protection Officers.
Obliged entities (Art. 34 LOPDGDD)
- Professional associations and their general councils
- Educational centres and universities, public and private
- Electronic communications network and service operators
- Credit institutions, insurers and investment firms
- Electricity and natural-gas distributors and retailers
- Controllers of credit-scoring and fraud-prevention files
- Healthcare centres required to keep clinical records
- Gambling operators and private-security firms
Representative list; Article 34 LOPDGDD contains the full set.