Frequently Asked Questions
Thirteen answers, grounded in Spanish law, about the Data Protection Officer.
Is it mandatory to appoint a Data Protection Officer?
Designation is mandatory in the three cases of Article 37(1) GDPR — public authority or body; large-scale regular and systematic monitoring; large-scale processing of special categories or criminal data — and, in addition, for the broad list of entities in Article 34 LOPDGDD.
Which entities are obliged under Article 34 LOPDGDD?
Among others: professional associations, educational centres and universities, electronic communications operators, credit institutions and insurers, investment firms, energy and gas distributors, controllers of credit-scoring files, healthcare centres, gambling operators and private-security firms.
Must the appointment be communicated to the AEPD?
Yes. Article 34.3 LOPDGDD requires the AEPD — or the competent regional authority — to be notified of DPO designations, appointments and removals within ten days, whether the designation is mandatory or voluntary. The AEPD maintains a public register of DPOs.
Is the AEPD-DPD certification mandatory?
No. The AEPD-DPD Certification Scheme is voluntary and attests the DPO's professional qualification, through bodies accredited by ENAC. One may act as a DPO without certification, but certification provides assurance and trust.
Can the DPO be external?
Yes. Article 37(6) GDPR allows the DPO to perform the role on the basis of a service contract, that is, as a provider external to the organisation.
How does the DPO differ from the Compliance Officer?
The Compliance Officer ensures the organisation's general compliance and may hold management duties; the DPO is a specific data protection figure, with statutory independence, who does not decide the purposes or means of processing. Combining both roles in one person may create a conflict of interests.
Can the DPO be removed for performing its tasks?
No. Article 36.2 LOPDGDD reinforces the GDPR guarantee: the DPO may not be removed or penalised for performing its tasks, save in cases of fraud or gross negligence.
What is the DPO's intervention in a claim?
Article 37 LOPDGDD allows the data subject to address the DPO before lodging a claim with the AEPD; the DPO communicates its decision within a maximum of two months.
What qualification must the DPO have?
Article 37(5) GDPR requires expert knowledge of data protection law and practice; Article 35 LOPDGDD specifies that the qualification may be evidenced, among other means, by certification schemes such as the AEPD's.
What is a Data Protection Impact Assessment (DPIA)?
It is the assessment the controller must carry out, prior to processing, where it is likely to result in a high risk to rights and freedoms, under Article 35 GDPR.
How is a security breach notified?
To the AEPD without undue delay and, where feasible, within 72 hours (Art. 33); where it entails a high risk, it must also be communicated to data subjects (Art. 34).
What are the rights of data subjects?
Information, access, rectification, erasure, restriction, portability, objection and not being subject to automated decisions, under Chapter III GDPR, alongside the digital rights of Title X LOPDGDD.
Are there regional supervisory authorities?
Yes. Besides the AEPD, there are regional authorities: the APDCAT in Catalonia, the AVPD in the Basque Country and the Council for Transparency and Data Protection of Andalusia.
Can a group of undertakings designate a single DPO?
Yes. Article 37(2) GDPR allows it, provided the DPO is easily accessible from each establishment.