The Data Protection Officer (DPO) is a key role under the GDPR. Not every organisation must appoint one, but where the obligation exists, failing to do so can lead to sanctions and enforcement action by the Spanish Data Protection Authority (AEPD), as well as serious compliance problems.

This article covers when the appointment is mandatory, what the DPO actually does, and the mistakes organisations most often make.
When appointing a DPO is mandatory
Article 37(1) GDPR requires a DPO in three cases: where processing is carried out by a public authority or body (except courts acting in their judicial capacity); where the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10).
In Spain, Article 34 LOPDGDD goes further and lists sectors and entities that must appoint a DPO in any case, including certain educational centres, financial institutions, insurance companies, gambling operators, private security companies, electronic communications service providers and other specific cases.
Main functions of the DPO
- Inform and advise the controller or processor, and the staff who carry out processing, of their obligations.
- Monitor compliance with the GDPR, the LOPDGDD and the organisation's internal data protection policies.
- Provide advice on data protection impact assessments (DPIAs) where requested, and monitor their performance.
- Cooperate with the AEPD and act as its contact point on processing matters.
- Handle internal queries and queries from data subjects about the processing of their data and the exercise of their rights.
Common mistakes
- Appointing a DPO only on paper, without the independence, resources or access to management that Article 38 GDPR requires.
- Failing to notify the appointment to the AEPD (Article 34(3) LOPDGDD sets a ten-day deadline).
- Not publishing the DPO's contact details, as Article 37(7) GDPR requires.
- Confusing the DPO with the security manager, or naming an external consultant who performs no real DPO functions.
- Not involving the DPO in new projects, contracts with processors, personal data breaches or impact assessments.
Recommended official sources
- AEPD: Data Protection Officer.
- AEPD: when to appoint a DPO.
- EDPB: Data Protection Officer.
- BOE: LOPDGDD.
Conclusion
Before deciding whether you need a DPO, analyse the nature of your activity, the volume of processing, the categories of data involved and your sector. If the appointment is mandatory, it must be done properly: notified to the AEPD, with published contact details, and with the independence, resources and real involvement in compliance work that the role demands.