
When Is an External DPO Mandatory? GDPR Guide

Analysis of the cases in which the GDPR requires the designation of a Data Protection Officer (DPO): mandatory criteria, differences between internal and external DPO, functions and consequences of non-compliance in Spain.

The General [Data Protection](/en/glossary/data-protection-spain) Regulation ([GDPR](/en/glossary/gdpr-spain)) requires, under Art. 37, the designation of a [Data Protection](/en/legal/data-protection/) Officer in specific circumstances. Since the GDPR came into force in May 2018, Spain's data protection authority — the Agencia Española de Protección de Datos (AEPD) — has imposed fines for failure to designate when the obligation applies. However, determining exactly when the obligation is triggered is not always straightforward.

The mandatory cases under the GDPR

Art. 37.1 GDPR sets out three categories of organisations required to designate a DPO:

1. Public authorities and bodies

Regardless of the nature of their processing activities, all public authorities and bodies must have a DPO. In the private sector, companies exercising public authority functions (such as certain public service concessionaires) may also fall within this category.

2. Processing requiring regular and systematic monitoring of data subjects on a large scale

This category applies to organisations whose core activity involves the ongoing monitoring of individuals: digital advertising platforms, insurance companies using telematics, geo-location applications, extensive CCTV systems, loyalty programme platforms with customer profiling. The key is the conjunction of three elements: regular (not occasional), systematic (organised) and large scale.

3. Large-scale processing of special categories or criminal data

Special categories are data relating to health, racial or ethnic origin, religious beliefs, political opinions, sexual orientation, genetic data or biometric data. Organisations whose core activity involves processing these categories on a large scale — clinics, health insurers, sports centres with biometric data, cybersecurity firms accessing criminal records files — must designate a DPO.

Mandatory designation under Spanish law

Spain’s LOPDGDD extends the mandatory designation cases beyond the GDPR. Spanish law includes among the required organisations: credit institutions, insurance companies, telecommunications operators, educational centres, professional associations, sports federations and other categories that process data about their members or customers on a regular basis.

When a DPO should be designated even if not mandatory

Even if the organisation does not fall within any of the mandatory categories, voluntary DPO designation is advisable when:

  • The organisation processes sensitive data, even if not at large scale (for example, employee health data)
  • The organisation carries out regular international data transfers
  • The organisation has a high reputational risk profile in relation to data
  • The organisation operates in sectors with high data privacy litigation
  • The organisation wishes to prepare for conducting Data Protection Impact Assessments (DPIAs; EIPDs in Spanish) on an ongoing basis

Internal DPO vs external DPO: when to outsource

The GDPR allows the DPO to be an employee of the organisation or an external professional providing the service under a contract. The decision depends on several factors:

An internal DPO is preferable when:

  • The organisation is large and has a high volume of data queries and incidents
  • There is already a legal or IT team capable of absorbing the role
  • Senior management values immediate availability and internal process knowledge

An external DPO is preferable when:

  • The organisation is an SME without the capacity to hire a specialist technical-legal profile
  • Independence from management is important (an external DPO has fewer conflicts of interest)
  • Access to a team with up-to-date knowledge of AEPD guidance and CJEU case law is required
  • The workload does not justify a full-time dedicated role

How BMC can help

Our outsourced DPO service includes formal designation with the AEPD, continuous GDPR compliance monitoring, handling requests from data subjects exercising their rights, co-ordinating Data Protection Impact Assessments and acting as contact point with the AEPD in the event of an inspection or investigation.

If you have doubts about whether your company is required to designate a DPO, or want to review the adequacy of your current data protection system, contact us for a no-obligation initial assessment.

Specific regulatory framework

The DPO designation obligation derives from Article 37 of Regulation (EU) 2016/679 (GDPR), which sets out the three mandatory cases in para. 1. Article 38 GDPR governs the DPO’s position (independence, resources, confidentiality) and Article 39 their functions.

In Spain, Ley Orgánica 3/2018, de 5 de diciembre (LOPDGDD) extends the mandatory cases in Art. 34, including credit institutions, insurers, telecoms operators, educational centres, professional associations, sports federations and private security companies.

The interpretive guidelines are the EDPB Guidelines 07/2020, which clarify what “large scale” and “core activity” mean. The AEPD has published a Guide on the Data Protection Officer (2021) adapting these guidelines to the Spanish context.

Designation must be notified to the AEPD under Art. 37.7 GDPR and Art. 34.3 LOPDGDD, through the AEPD’s portal. Failure to designate when mandatory constitutes an infringement subject to a fine of up to €10 million or 2% of total annual worldwide turnover under Art. 83.4.a) GDPR.

Practical example: dental clinic with three surgeries

Case: Clínica Dental Blanca Sonrisa SL has three surgeries in Madrid (15 professionals), processes health data for approximately 4,500 active patients and uses a clinical management platform for appointments, records and invoicing.

Mandatory obligation analysis:

Art. 37.1 GDPR criterion | Application | Conclusion
Public authority or body | Not applicable | Not mandatory
Regular and systematic large-scale monitoring of data subjects | Not applicable (no systematic behavioural monitoring) | Not mandatory
Large-scale processing of special categories (health) | Applies: health data of 4,500 patients; core activity is healthcare | Mandatory

Additional analysis (Art. 34.1.c) LOPDGDD): healthcare service providers are expressly listed among those required to designate a DPO under Spanish law, regardless of their size.

Decision: Clínica Blanca Sonrisa must designate a DPO. As an SME of 15 professionals, the external DPO is the most efficient option: estimated cost of €200–350/month, versus a minimum fine of €10,000 for failure to designate.

Common mistakes that BMC corrects

  1. Believing that the LOPDGDD does not add cases beyond the GDPR. The LOPDGDD extends the obligation to categories such as educational centres, professional associations and private security companies. Some companies review only the GDPR and incorrectly conclude they are not required, overlooking the Spanish extension.

  2. Appointing the HR Director or Legal Director as DPO without checking for conflicts of interest. Art. 38.6 GDPR prohibits the DPO from taking on functions that create a conflict of interest. An HR Director who decides on attendance monitoring systems and employee data processing cannot be an independent DPO. This error, identified by the AEPD, generates additional fines for invalid designation.

  3. Not notifying the DPO designation to the AEPD. Art. 37.7 GDPR requires publication of the DPO’s contact details and notification to the supervisory authority. Failure to notify is a separate infringement from failure to designate.

  4. Confusing the DPO with the Information Security Officer (CISO). The DPO oversees GDPR regulatory compliance; the CISO manages technical security. They are distinct roles with different functions, responsibilities and independence requirements. Organisations that need both roles must keep them separate.

  5. Not providing the DPO with the resources needed to perform their functions. Art. 38.2 GDPR requires the controller to provide the DPO with the necessary resources: dedicated time, access to information about processing operations, ongoing training and participation in relevant data decisions. An external DPO without real access to processes cannot legally fulfil their function.

Next steps

  • Review whether your company’s activity falls within the cases of Art. 37.1 GDPR or Art. 34 LOPDGDD (especially the Spanish extended cases)
  • Consult EDPB Guidelines 07/2020 and the AEPD’s Guide on the DPO (2021) to verify whether your processing qualifies as “large scale”
  • If a DPO already exists, verify there is no conflict of interest and that the designation is notified on the AEPD register
  • If opting for an external DPO, enter into a data processing agreement compliant with Art. 28 GDPR with the service provider
  • Communicate the DPO’s contact details to all employees (Art. 37.7 GDPR) as the contact point for exercising rights
  • Ask the designated DPO to prepare the Record of Processing Activities as the first deliverable
