Data Protection Officer

The Data Protection Officer, also known as the DPO, is a key GDPR role. Not every company must appoint one, but when the obligation applies, failing to do so can lead to significant fines, requirements imposed by the Spanish Data Protection Agency (AEPD) and a serious compliance gap.

The AEPD has already fined a private security company 50,000 euros for failing to appoint a Data Protection Officer, despite being required to do so because of its activity and the processing linked to CCTV systems.

What is a Data Protection Officer?

A DPO informs, advises and monitors data protection compliance within an organisation. The DPO does not replace the controller, but must act independently, with technical expertise and sufficient access to management.

The main legal framework is found in Article 37 GDPR and in Article 34 of the Spanish Data Protection Act (LOPDGDD).

When is appointing a DPO mandatory?

The GDPR requires a DPO where processing is carried out by a public authority or body, where the core activities require regular and systematic monitoring of individuals on a large scale, or where the core activities involve large-scale processing of special categories of data or data relating to criminal convictions and offences.

Spanish law also lists sectors where appointment is mandatory. These include:

  • Professional associations and their general councils.
  • Schools and universities.
  • Insurance and reinsurance companies.
  • Financial, credit and investment services entities.
  • Electronic communications providers when processing data on a large scale.
  • Information society service providers that create large-scale user profiles.
  • Healthcare centres, except individual professionals acting personally.
  • Private security companies.
  • Entities responsible for creditworthiness, fraud prevention or commercial report files.
  • Online gambling operators.
  • Sports federations when processing children’s data.

Why was the private security company fined?

In the sanctioned case, the company's activity fell within the cases in which a DPO is mandatory. It also used CCTV systems that processed images of people entering or working at its premises.

The AEPD considered it proven that the company had not appointed a DPO despite being required to do so under the GDPR and Spanish law. The fine shows that the obligation is not merely formal: the appointment must be real, communicated and operational.

Common mistakes when appointing a DPO

  • Not assessing the obligation and assuming it only affects large companies.
  • Appointing someone without independence or with a conflict of interest.
  • Failing to notify the AEPD where required.
  • Not publishing clear contact details for individuals and authorities.
  • Not giving the DPO resources, access to information and management support.
  • Treating the DPO as a paperwork role rather than a real compliance function.

How should a company check whether it needs a DPO?

The company should carry out a documented assessment. This assessment should review the business sector, types of data processed, volume of individuals affected, systematic monitoring, technologies such as CCTV or profiling, and the presence of special category data.

If the obligation applies, the company must appoint a qualified DPO, notify the AEPD and involve the DPO in privacy governance: impact assessments, security breaches, data subject rights, processor agreements and policy reviews.

Frequently asked questions

Do all companies need a DPO?

No. The obligation depends on the type of organisation, sector and processing activities. However, many companies should document why they need one or why they do not.

Can the DPO be external?

Yes. The DPO may be internal or external, an individual or a legal entity. What matters is adequate expertise, independence and real ability to perform the role.

What if the appointed DPO has a conflict of interest?

The appointment may be considered incorrect. The DPO should not decide the purposes and means of processing that they are expected to supervise.

Must the DPO be notified to the AEPD?

Yes. When a DPO is appointed, the controller should notify the supervisory authority through the available procedure and provide accessible contact details.

Conclusion

Failing to appoint a DPO when mandatory can lead to fines and weaken the entire compliance framework. The key is to assess the obligation, document the decision and, where required, appoint an independent, qualified and operational DPO.
