Operating in Spain? GDPR May Not Be the Only Reason You Need a Data Protection Officer

When organisations assess whether they are required to appoint a data protection officer (DPO), the starting point is usually Article 37 GDPR. However, businesses operating in Spain should be aware that Spanish law goes further and imposes additional mandatory DPO requirements.

The Spanish Data Protection Act requires a wide range of organisations to appoint a DPO, regardless of whether they would otherwise fall within the mandatory appointment criteria under the GDPR.

The list includes, among others:

  • Professional associations and their governing bodies
  • Educational institutions, schools and universities
  • Telecommunications and electronic communications providers processing personal data at scale
  • Online service providers carrying out large-scale user profiling
  • Banks and credit institutions
  • Consumer finance companies
  • Insurance and reinsurance undertakings
  • Investment firms and financial services providers
  • Electricity and natural gas distributors and suppliers
  • Creditworthiness, fraud prevention and anti-money laundering databases
  • Marketing, advertising and market research organisations engaged in profiling activities
  • Healthcare organisations required to maintain patient records
  • Commercial reporting agencies
  • Online gambling operators
  • Private security companies
  • Sports federations processing personal data relating to minors

For organisations operating in these sectors, the appointment of a DPO is not optional. Failure to comply may expose the organisation to regulatory scrutiny and potential enforcement action.

Importantly, appointing a DPO should not be viewed merely as a formal compliance requirement. The DPO plays a central role in supporting privacy governance, monitoring compliance, advising on data protection obligations, facilitating engagement with supervisory authorities and promoting a culture of data protection within the organisation.

Businesses operating across multiple jurisdictions should also be mindful that local implementation measures can create obligations that go beyond the GDPR itself. The Spanish DPO requirements provide a useful example of how national legislation can supplement the European data protection framework.

At Cornerstone Counsel, we regularly advise organisations on DPO appointment requirements and act as outsourced DPO for clients operating in a range of sectors. Organisations uncertain about their obligations under Spanish or European data protection law should seek advice at an early stage to ensure compliance with applicable regulatory requirements.

Ceyhun Necati Pehlivan
