Business glossary

Data Protection Officer (DPO)

A Data Protection Officer (DPO) is a designated individual responsible for overseeing an organisation's data protection strategy and ensuring compliance with the GDPR and Spain's LOPD-GDD (Organic Law 3/2018). The DPO acts as the point of contact for data subjects and for the AEPD, operates with guaranteed independence, and cannot be dismissed or penalised for performing their tasks.

What Is a DPO?

A Data Protection Officer (DPO), Delegado de Protección de Datos (DPD) in Spanish, is a role created and defined by GDPR Articles 37 to 39 and supplemented by Spain's LOPD-GDD (Organic Law 3/2018). The DPO is not a simple compliance officer: the role carries specific legal characteristics, including freedom from instruction on how to perform its tasks, direct reporting to the highest management level, and protection from dismissal or penalty for carrying out those tasks (Article 38).

The DPO serves three principal constituencies: the organisation they work for (advising on and monitoring compliance), the individuals whose data the organisation processes (acting as the first contact for questions and rights requests), and the supervisory authority, which in Spain is the AEPD (acting as its contact point and facilitating cooperation).

When Is a DPO Mandatory?

Under GDPR Article 37(1), a DPO is mandatory in three situations:

  1. Public authorities and bodies, except for courts acting in their judicial capacity
  2. Organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale (e.g., behavioural advertising networks, large-scale employee monitoring, CCTV operations, telecommunications providers)
  3. Organisations whose core activities consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10) (e.g., hospitals and health insurers processing health data at scale, HR platforms processing data on disabilities or trade union membership)

The key phrase is "core activities": processing that is only ancillary to another primary business purpose (for example, routine payroll or staff records) does not by itself trigger the requirement. "Large scale" is not defined in the GDPR. The Article 29 Working Party guidelines on DPOs (WP243, endorsed by the EDPB) point to factors such as the number of data subjects, the volume and range of data items, the duration of the processing and its geographic extent, and the AEPD applies a broad reading of the term.

Spain-Specific Extensions (LOPD-GDD)

Spain's LOPD-GDD Article 34(1) significantly extends the mandatory DPO obligation beyond the GDPR baseline. Whether or not the GDPR thresholds are met, a DPO must be designated by, among others:

  • Credit institutions, financial credit establishments, and insurance and reinsurance entities
  • Investment services firms regulated under securities market legislation
  • Electricity and natural gas distributors and retailers
  • Operators of electronic communications networks and services, when they regularly and systematically process personal data on a large scale, and information society service providers that profile their users on a large scale
  • Operators of shared credit-reference (solvency) files and shared fraud-prevention files
  • Gambling operators offering games through electronic, online or interactive channels
  • Private security companies
  • Entities carrying out advertising and commercial prospecting, including market research, when the processing is based on data subjects' preferences or involves profiling
  • Educational centres at any level of the education system, and public and private universities
  • Health centres legally required to keep patient medical records (self-employed practitioners are excluded)
  • Professional colleges and their general councils
  • Entities whose business includes issuing commercial reports on natural persons
  • Sports federations when they process minors' data

Because most of these categories apply by sector rather than by the GDPR's "core activity" and "large scale" tests, a much broader set of Spanish businesses face mandatory DPO designation than in many other EU member states. Organisations outside these categories may still designate a DPO voluntarily (GDPR Article 37(4); LOPD-GDD Article 34(2)); if they do, the same independence, notification and publication obligations apply.

Key Functions of the DPO

Under GDPR Article 39(1), the DPO must at least:

  • Inform and advise the organisation and the employees who carry out processing of their obligations under the GDPR and national data protection law
  • Monitor compliance with the GDPR, national law and the organisation's own data protection policies, including the assignment of responsibilities, awareness-raising, staff training and related audits
  • Provide advice, where requested, on Data Protection Impact Assessments (DPIAs) and monitor their performance (Article 35)
  • Cooperate with the AEPD
  • Act as the contact point for the AEPD on processing-related matters, including prior consultation under Article 36

In addition, data subjects may contact the DPO on any matter relating to the processing of their data and the exercise of their rights (Article 38(4)). In Spain, LOPD-GDD Article 37 lets a data subject submit a complaint to the DPO before turning to the AEPD; the DPO must inform the data subject of the decision taken within two months of receiving the complaint. Throughout, the DPO must perform these tasks with due regard to the risk associated with the processing (Article 39(2)).

Independence and Accountability

The DPO must be functionally independent: they report directly to the highest management level and may not receive instructions from the organisation about how to perform their tasks. They cannot be dismissed or penalised for performing their role (Article 38(3)). This is a hard legal rule, not a soft guidance principle; the AEPD has investigated cases where DPOs were dismissed following advice the organisation disagreed with. The DPO may hold other duties, but the organisation must ensure that these do not create a conflict of interest (Article 38(6)); in practice this rules out combining the role with positions that determine the purposes and means of processing, such as CEO, head of IT, HR or marketing.

The DPO may be an employee or an external provider. Their contact details must be published (for example, in the privacy notice) so that data subjects can reach them, and the designation, appointment and removal of the DPO must be notified to the AEPD within ten days (GDPR Article 37(7); LOPD-GDD Article 34(3)). The AEPD maintains a public list of notified DPOs.

Outsourced DPO: The External Model

Many Spanish companies, particularly SMEs and mid-sized businesses, use an outsourced DPO (DPO-as-a-Service) model. This is expressly permitted by GDPR Article 37(6), which allows the DPO to fulfil the tasks on the basis of a service contract. An outsourced DPO:

  • Can serve multiple organisations simultaneously, provided there is no conflict of interest
  • Must have a formal service contract defining the scope of activities and the resources made available
  • Must be notified to the AEPD under the same conditions as an internal DPO
  • Must be genuinely accessible to staff and data subjects, not just a name on paper

The outsourced model is particularly well suited to companies that fall under the LOPD-GDD mandatory designation requirement but do not have enough data protection work to justify a full-time internal role.

Consequences of Non-Designation

Failure to designate a mandatory DPO is itself an infringement of GDPR Article 37, attracting administrative fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)); the LOPD-GDD classifies it as a serious infringement (Article 73). The AEPD has sanctioned organisations for this specific infringement. Beyond the fine risk, operating without a mandatory DPO leaves the organisation without the structured internal compliance oversight that the role provides.

How BMC Can Help

We provide outsourced DPO services to companies across all sectors, handling AEPD notification, maintaining the record of processing activities (ROPA), advising on DPIAs, handling data subject rights requests, training staff, and acting as the primary liaison with the AEPD in the event of investigations or complaints.

Frequently asked questions

When is a DPO mandatory in Spain?
Under GDPR Article 37, a DPO is mandatory for public authorities, organisations whose core activities require regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve large-scale processing of special category or criminal offence data. Spain's LOPD-GDD Article 34 significantly extends this list to include credit and insurance entities, electricity and gas companies, electronic communications operators, gambling operators, educational centres, advertising and market research firms, health centres and private security companies, among others.
Can a Spanish company appoint an external outsourced DPO?
Yes. GDPR Article 37(6) explicitly permits a DPO-as-a-Service arrangement in which an external provider fulfils the DPO tasks under a formal service contract. The outsourced DPO may serve multiple organisations (provided there is no conflict of interest), must be notified to the AEPD under the same conditions as an internal DPO, and must be genuinely accessible to staff and data subjects.
What is the DPO's independence requirement under GDPR in Spain?
The DPO must be functionally independent, reporting directly to the highest management level and receiving no instructions on how to perform their data protection tasks (Article 38(3)). They cannot be dismissed or penalised for performing their role. The AEPD has investigated cases where DPOs were dismissed following advice the organisation disagreed with, treating this as a GDPR infringement.
What are the penalties for not appointing a mandatory DPO in Spain?
Failure to designate a mandatory DPO is itself a GDPR Article 37 infringement attracting fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. The AEPD has sanctioned organisations specifically for this infringement. Beyond the fine risk, operating without a mandatory DPO leaves the organisation without structured internal compliance oversight.
What must a Spanish company do after appointing a DPO?
After appointing a DPO, the company must notify the DPO's details to the AEPD within ten days and publish the DPO's contact details, including in its privacy notices. The DPO must be involved, properly and in a timely manner, in all data protection matters, including DPIAs, data breach responses and data subject rights requests. Any change of DPO must also be notified to the AEPD within ten days so that the record stays current.