Executive summary · TL;DR

The Data Protection Officer (DPO) is a key figure under GDPR whose appointment is mandatory for many Spanish companies. However, confusion about who is required to appoint one, what its exact functions are and whether it can be outsourced remains widespread. This guide clears up every doubt with a practical approach.

When is appointing a DPO mandatory?

Article 37 of GDPR establishes that appointing a DPO is mandatory in three cases: when the processing is carried out by a public authority or body (except courts acting in their judicial capacity); when the controller's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; and when the core activities consist of large-scale processing of special categories of data (health data, biometric data, criminal-records data, etc.).

The Spanish LOPDGDD (article 34) significantly extends this list with a catalogue of obliged entities, including professional associations, educational centres, entities operating electronic communications networks, information-society service providers that profile users on a large scale, financial and insurance institutions, private security companies, sports federations when they process minors' data, and health entities required to maintain clinical records.

In practice, many SMEs not in this list voluntarily appoint a DPO as a good practice and as a demonstration of accountability to the AEPD.

DPO functions

The DPO's functions are defined in article 39 of GDPR. The DPO must inform and advise the controller and its employees about their data-protection obligations; monitor compliance with GDPR and with the controller's own policies, including the assignment of responsibilities, staff awareness and training, and the corresponding audits; provide advice on data protection impact assessments (DPIAs) and monitor their performance; cooperate with the supervisory authority (the AEPD); and act as the point of contact with the AEPD on any issue relating to data processing.

A fundamental point: the DPO is not responsible for GDPR compliance (that responsibility lies with the controller, i.e. the company). The DPO advises and oversees, but does not decide or execute. The DPO must have functional independence and cannot be penalised for performing their duties.

Internal DPO vs external DPO

GDPR allows the DPO to be a member of the controller's staff (internal DPO) or an external professional contracted under a services contract (external DPO). Both options are valid, and the choice depends on the size and resources of the organisation.

The internal DPO has the advantage of knowing the organisation from within and being continuously available. However, they must meet independence requirements (they cannot be the IT director, HR director or any person whose role may conflict with data-protection oversight), they require specialised training and continuous updates, and they generate a permanent fixed cost.

The external DPO brings cross-sector experience, guaranteed up-to-date training, full independence from the organisation and a variable cost that adapts to the actual dedication required. It is the most common option for SMEs that cannot justify a full-time DPO.

DPO costs

A full-time internal DPO has a labour cost between €35,000 and €55,000 per year, depending on experience and location. An external DPO for an SME typically costs between €2,000 and €8,000 per year, depending on the complexity of the processing, the data volume and the dedication required.

For companies that also need to comply with ISO 27001 and ENS (Spanish National Security Framework), a consultant combining the DPO role with management of the information security system offers significant efficiency by covering both responsibilities with a single point of contact.

What criteria to follow when selecting a DPO?

Article 37.5 of GDPR requires the DPO to be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. The fundamental selection criteria are accredited training in data protection (programmes certified by the AEPD or recognised bodies), practical experience (not just theoretical), knowledge of the company's sector of activity, ability to communicate intelligibly with management and staff, and availability to handle enquiries and oversee compliance on an ongoing basis.

Communication to the AEPD

Once the DPO is appointed, their identity and contact details must be communicated to the AEPD through the Electronic Office. This communication is mandatory both for mandatory DPOs and for voluntarily appointed ones. The DPO's details must be made public and provided to data subjects.

Frequently asked questions

What is the DPO (Data Protection Officer)?

The DPO is a key figure under GDPR whose appointment is mandatory for many Spanish companies.

What are the sanctions?

Sanctions can reach €20 million or 4% of annual global turnover. The DPO is not responsible for GDPR compliance; that responsibility lies with the company as controller.

How much does it cost to implement?

For an SME, typical costs range from €3,000 to €15,000 depending on scope, including external consultancy, tools and training.

Do you need an external Data Protection Officer combining GDPR experience with cybersecurity and ISO 27001 knowledge? Let's talk. I offer an external DPO service tailored to the size and needs of your company.

Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation; auditor fees vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

Depending on scope, the applicable texts (published in the BOE or the Official Journal of the EU) are RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), the LOPDGDD, NIS2, DORA and the EU AI Act (Regulation 2024/1689).

How long does the implementation take?

The average is 4-7 months for a single ISO standard. An integrated management system (ISO 9001 + 14001 + 27001) usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

References: AENOR · BOE · ISO

Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro