Overview
What the Data Protection Officer is in Spain, and why the law makes it indispensable.
The Data Protection Officer is the figure to whom the General Data Protection Regulation entrusts informing and advising the organisation, monitoring compliance and cooperating with the supervisory authority. It does not decide the purposes or means of processing — that responsibility lies with the controller — but ensures, with technical independence, that data protection is taken seriously across the organisation.
The figure arises from the Regulation itself, in Articles 37 to 39, and is developed in Spain by Articles 34 to 37 of Organic Law 3/2018 (LOPDGDD). Spanish law substantially broadens the cases of mandatory designation, requires the appointment to be communicated to the Spanish Data Protection Agency within ten days, and provides for a specific intervention of the DPO in the event of a claim.
Its position is surrounded by guarantees of independence: it receives no instructions, cannot be removed or penalised for performing its tasks — save in cases of fraud or gross negligence — and is bound by professional secrecy. Spain also promotes an AEPD-DPD Certification Scheme that attests professional qualification, granted by bodies accredited by ENAC.
The DPO's tasks
The statutory tasks of the DPO, under Art. 39 GDPR and Art. 37 LOPDGDD.
Inform and advise
Inform and advise the controller, the processor and staff of their obligations under the GDPR and the LOPDGDD.
GDPR Art. 39(1)(a)
Monitor compliance
Monitor compliance with the GDPR, the LOPDGDD and the controller's policies, including staff training and awareness.
GDPR Art. 39(1)(b)
Advise on the DPIA
Provide advice, where requested, on the data protection impact assessment and monitor its performance.
GDPR Art. 39(1)(c)
Cooperate with the AEPD
Cooperate with the Spanish Data Protection Agency and act as point of contact, including the prior consultation under Article 36.
GDPR Art. 39(1)(d)–(e)
Intervention in claims
Handle claims raised by the data subject before a claim is lodged with the authority, communicating the decision within a maximum of two months.
LOPDGDD Art. 37
Point of contact for data subjects
Act as the point of contact for data subjects on all matters relating to processing and the exercise of their rights.
GDPR Art. 38(4)
The position of the DPO (Art. 38 GDPR · Art. 36 LOPDGDD)
Timely involvement
The DPO is involved properly and in a timely manner in all data protection matters.
GDPR Art. 38(1)
Resources and access
The organisation provides the necessary resources, access to data and the means to maintain expert knowledge.
GDPR Art. 38(2)
Independence — no instructions
The DPO receives no instructions on performing its tasks and reports to the highest management level.
GDPR Art. 38(3)
Reinforced protection from removal
The DPO may not be removed or penalised for performing its tasks, save in cases of fraud or gross negligence.
LOPDGDD Art. 36(2)
Professional secrecy
The DPO is bound to maintain secrecy or confidentiality in performing its tasks.
GDPR Art. 38(5)
No conflict of interests
The DPO may perform other tasks provided they create no conflict; it cannot hold a position that determines the purposes and means of processing.
GDPR Art. 38(6); WP243