Privacy and security

Data Protection Officer (DPO)

The Data Protection Officer (DPO) is the role that oversees GDPR compliance within your organisation, advises management and acts as the point of contact with the Spanish Data Protection Agency (AEPD). The GDPR and the Spanish LOPDGDD require its appointment in certain cases — and many companies that believe they are exempt are not. Summum Calidad places the DPO within the information security management system: not as an isolated role with a rubber stamp, but as a trained function with a real position within the ISMS and the privacy PIMS (ISO 27701).

RegulationGDPR art. 37-39 · Spanish LOPDGDD art. 34-37
ApproachDPO embedded in your ISMS/PIMS (ISO 27001/27701)
ModeTraining, organisational position and ongoing accompaniment

Article 37 of the GDPR defines the Data Protection Officer as the person with expert knowledge of data protection law and practice who informs and advises the controller or processor, monitors compliance with the Regulation, cooperates with the supervisory authority and acts as its contact point. Article 38(3) requires the DPO to act independently: they must not receive instructions on how to carry out their tasks, may not be dismissed or penalised for performing them, and must report directly to the highest management level of the organisation. This is not a decorative role added to an org chart to tick a box; it is a function with concrete legal guarantees.

The obligation to appoint one has two layers. Article 37(1) GDPR imposes it in three general cases: where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; where the core activities of the controller or processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of large-scale processing of special categories of data (Art. 9 GDPR) or data relating to criminal convictions and offences (Art. 10 GDPR). Article 34 of the Spanish LOPDGDD broadens this obligation in Spain to an additional list of controllers, regardless of whether the GDPR's general criteria are met: professional associations, entities operating large-scale electronic communications networks, information-society service providers that build large-scale profiles, entities in the financial, insurance and investment-services sectors, electricity and gas distributors, entities responsible for creditworthiness files, advertising and commercial-prospecting companies that build profiles, healthcare facilities legally required to keep medical records, and — the case most often misinterpreted — educational establishments.

The most common mistake is assuming that the obligation for schools depends on whether they process minors' data. It does not: Article 34.1.b) of the LOPDGDD designates as obliged entities "educational establishments offering regulated education under Organic Law 2/2006 of 3 May on Education, as well as public and private universities". The legal test is whether the education is regulated under Spain's Education Act (LOE), not the age of the students: the obligation covers pre-school, primary and secondary schools, vocational training centres, and also public and private universities, whose students are predominantly adults. It is one of the LOPDGDD Article 34 categories most frequently overlooked, precisely because of that misunderstanding.

Summum Calidad does not treat the DPO as an isolated appointment with a notarised seal, but as a function integrated into the information security management system and, where one exists, into the privacy PIMS of ISO/IEC 27701:2025. That means defining the DPO's position on the org chart, documenting their responsibilities as the standard itself requires, ensuring they have the resources needed to carry out their role, guaranteeing the direct reporting line to top management required by Article 38(3) GDPR, and involving them in risk analysis, internal audit and management review. A DPO with no management system behind them has little to oversee; a DPO embedded in the ISMS/PIMS moves from being a reactive figure to being an active participant in the continuous improvement cycle.

Specific training matters just as much as organisational position. The DPO must have in-depth knowledge of the GDPR, the LOPDGDD and the management system they rely on, and must keep that knowledge current as the regulatory landscape evolves. Avoiding conflicts of interest is equally important: Article 38(6) GDPR, read together with the independence principle of Article 38(3), makes the DPO role incompatible with any position that determines the purposes and means of data processing — they should not, for example, simultaneously be the person who decides which marketing or IT tools are deployed. We document these guarantees within the system as well, together with the formal appointment and its notification to the AEPD.

If what your company needs is precisely the pure outsourced-DPO service — the person appointed, trained and registered with the AEPD who performs that function for you — that is exactly the outsourced DPO service provided by our sister division, Summum Consultoría. Summum Calidad comes in when you want that role, whether internal or external, to rest on a real data protection management system — with a record of processing activities, procedures and audit — rather than on the appointment alone.

The Data Protection Officer (DPO) process.

The process · four stages
01

Obligation assessment

We assess whether your organisation falls under any of the cases in Article 37(1) GDPR or Article 34 LOPDGDD, paying particular attention to the real "regulated education" test for schools, rather than the narrower and often misapplied "minors' data" criterion.

02

Designing the DPO's position

We define whether the DPO will be internal or external, their place on the org chart, the resources available to them, the direct reporting line to management and the independence guarantees required by Article 38 GDPR.

03

Training and appointment

Specific training in the GDPR, the LOPDGDD and the management system (ISO 27701/27001), drafting the formal appointment and notifying/registering the designation with the AEPD.

04

Integration into the ISMS/PIMS and follow-up

The DPO takes part in internal audit, management review and risk analysis, with documented evidence of their oversight activity throughout the year.

What is included

What Data Protection Officer (DPO) includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Obligation assessment

    Reasoned analysis under Article 37(1) GDPR and Article 34 LOPDGDD, with the detail of each applicable case.

  • Definition of duties and independence guarantees

    Articles 38 and 39 GDPR documented within the system: direct reporting, absence of instructions and absence of conflicts of interest.

  • Notification and registration of the DPO with the AEPD

    Processing of the AEPD's specific form and documentary evidence of the notification.

  • Specific DPO training

    GDPR, LOPDGDD and the ISO 27701/27001 management system, updated as regulations evolve.

  • Integration into the ISMS/PIMS org chart

    The DPO's position, resources and reporting line documented within the management system.

  • Participation in internal audit and management review

    Annual evidence of the DPO's oversight activity within the continuous improvement cycle.

Frequently asked questions about Data Protection Officer (DPO).

When is it mandatory to appoint a Data Protection Officer?

Article 37(1) of the GDPR requires appointing a DPO in three cases: where processing is carried out by a public authority or body (except courts acting in their judicial capacity); where the core activity of the controller or processor consists of operations requiring regular and systematic monitoring of data subjects on a large scale; or where the core activity consists of large-scale processing of special categories of data (Art. 9 GDPR) or data relating to criminal convictions and offences (Art. 10 GDPR). In addition, Article 34 of the Spanish LOPDGDD extends this obligation in Spain to additional categories of controllers, regardless of whether the GDPR's general criteria are met.

Is it mandatory for all schools, or only those that process minors' data?

It is a common mistake to think the obligation depends on the students being minors. It does not: Article 34.1.b) of the LOPDGDD designates as obliged entities "educational establishments offering regulated education under Organic Law 2/2006 of 3 May on Education, as well as public and private universities". The legal test is whether the education is regulated under Spain's Education Act, not the age of the students: this covers pre-school, primary and secondary schools, vocational training centres, and also public and private universities, regardless of their students being adults.

Can the DPO be an internal employee, or must they be external?

The GDPR allows both options. Article 37(6) establishes that the DPO may be a staff member of the controller or processor, or may fulfil the role on the basis of a service contract (outsourced DPO). What matters is not their employment relationship, but that they have expert knowledge, act independently under Article 38(3), and avoid conflicts of interest with any other role they hold in the organisation — for example, they should not simultaneously be the person who decides on marketing or IT tools.

What if my company is not required to have a DPO, but I want one anyway?

Nothing prevents it: Article 37(4) of the GDPR allows a DPO to be appointed voluntarily even where none of the mandatory cases apply. Once voluntarily appointed, however, the DPO is subject to the same requirements and independence guarantees as if the appointment were mandatory. This is a common decision among companies that want to send a clear signal of data-protection maturity to clients and partners, even without a legal obligation to do so.

Is the DPO personally liable if the company breaches the GDPR?

No. The DPO is an advisory and oversight role, not the controller. Liability for GDPR compliance rests with the controller or processor — the organisation itself — under the principle of proactive accountability in Article 24 GDPR. The DPO informs, advises and oversees; they do not make decisions on the purposes and means of processing, nor do they replace management's legal responsibility.

How is the DPO's appointment notified to the Spanish Data Protection Agency?

Article 37(7) GDPR requires notifying the identity and contact details of the DPO to the supervisory authority. The AEPD provides a specific notification form on its electronic portal, and this information must be kept up to date and also published in a way that is easily accessible to data subjects — typically within the controller's privacy policy.