Does your business need a Data Protection Officer in Spain? Learn the 16 mandatory DPO sectors under the LOPDGDD, GDPR requirements, penalties, and practical steps to comply.
The question seems straightforward: does my business need a Data Protection Officer?
In most European Union countries, the answer for small and medium-sized enterprises is usually no — unless they carry out large-scale systematic monitoring or process sensitive data on a large scale. In Spain, the answer is considerably more complex.
Spain has one of the broadest mandatory Data Protection Officer (DPO) designation regimes in the entire European Union. Article 34 of the LOPDGDD — Spain's data protection law — requires the designation of a Data Protection Officer (DPO) in 16 specific sectors, regardless of company size or the scale of processing. A self-employed individual running a private language academy has the same obligation to designate a Data Protection Officer (DPO) as a national hospital. A three-person healthcare clinic faces the same requirement as a large insurance company.
Many businesses operating in these sectors are unaware of this obligation. And the AEPD is enforcing it.
This guide explains exactly who needs a Data Protection Officer (DPO) in Spain, what the EU Digital Omnibus Package proposes to change — and, critically, what it does not change — and what your business should do based on its situation.
To understand the full framework of how the GDPR and the LOPDGDD interact for businesses in Spain, start with our pillar guide: EU GDPR Compliance for Businesses: Complete 2026 Guide.
What Is a Data Protection Officer and What Do They Actually Do?
A Data Protection Officer is an independent expert responsible for ensuring that your organisation complies with the GDPR and Spain's LOPDGDD. The role was created by the GDPR in 2018 and formalised in Spain through the LOPDGDD.
The Data Protection Officer (DPO) is not the person responsible for implementing the GDPR — that responsibility remains with the business owner or the data controller. The DPO's role is to advise, supervise, and act as a bridge between your organisation, the individuals whose data you process, and the AEPD.
Under Article 39 of the GDPR, the core duties of a Data Protection Officer (DPO) include:
- Informing and advising the business and its staff on their data protection obligations.
- Monitoring ongoing compliance with the GDPR, the LOPDGDD, and internal data protection policies.
- Advising on and supervising Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Acting as a point of contact with the AEPD for regulatory enquiries and investigations.
- Handling data subject rights requests directed at the organisation.
A Data Protection Officer (DPO) must be independent. They cannot receive instructions on how to perform their duties, cannot be dismissed for carrying them out, and must report directly to the highest level of management. Under Spanish law, DPOs employed directly by the organisation have enhanced protection against dismissal, except in cases of wilful misconduct or gross negligence.
Importantly, the DPO can be an internal employee or an external provider. Article 37(6) of the GDPR expressly allows businesses to fulfil the Data Protection Officer (DPO) role through an external provider under a service contract. For most Spanish SMEs, an outsourced DPO-as-a-service model is typically the most practical and cost-effective option.

The Two Layers: GDPR First, Then the LOPDGDD
To determine whether your business needs a Data Protection Officer (DPO) in Spain, you must review two separate legal frameworks. Either one can independently trigger the obligation.
Under Article 37 of the GDPR, a DPO is mandatory for any organisation that falls into one of three categories:
Public authorities and bodies: All government entities, municipalities, and public institutions must designate a DPO, regardless of size.
Organisations whose core activities require regular and systematic monitoring of individuals on a large scale: This includes businesses whose primary business model depends on tracking, profiling, or monitoring individuals. The AEPD's 2020 fine against Glovo — the delivery platform — made clear that daily processing of thousands of customer profiles and geolocation data constitutes large-scale processing, even when the company does not consider itself a large organisation. The AEPD concluded that Glovo had breached Article 37(1)(b) of the GDPR because its core activities consisted of processing operations which required regular and systematic observation of data subjects on a large scale, based on the number of customers and the personal identifiers processed daily.
Organisations whose core activities involve large-scale processing of special categories of data: This includes health data, biometric data, genetic data, data relating to criminal convictions and offences, and data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation.
These GDPR thresholds are deliberately broad and not precisely defined. Terms such as "large scale" and "systematic monitoring" have no exact figures in the regulation. EDPB guidelines identify relevant factors — number of individuals affected, volume of data, duration of processing, and geographical scope — but the final determination requires a legal analysis of your specific operations.
LOPDGDD — Spain's Mandatory Sector List
This is where Spain clearly differs from the rest of the European Union.
Article 34 of the LOPDGDD requires the designation of a Data Protection Officer (DPO) in 16 specific sectors, regardless of company size or the scale of processing. If your organisation falls under any of the following categories, the obligation to designate a DPO applies automatically. No threshold analysis or "large-scale" assessment is required.
The mandatory sectors under Article 34 of the LOPDGDD are:
- Professional associations and their general councils. This includes medical colleges, bar associations, engineering colleges, pharmaceutical councils, and any other officially recognised professional body.
- Educational institutions at all levels, including public and private universities. This includes schools, universities, and training centres. A small language academy with three teachers has the same legal DPO requirement as a major hospital. Private tutoring academies, vocational training centres, driving schools that process student data, and language schools fall under this category.
- Telecommunications operators and providers of electronic communications networks. Entities operating networks and providing electronic communications services when they process personal data regularly and systematically on a large scale.
- Information society service providers that carry out large-scale user profiling. Digital platforms, applications, and online services that build user profiles on a large scale. This is the category under which Glovo was sanctioned.
- Credit institutions. Banks, savings banks, credit cooperatives, and similar financial entities regulated under Spanish banking legislation.
- Insurance and reinsurance undertakings. All authorised insurers and reinsurers, including brokers and intermediaries that process policyholder data.
- Investment services firms and collective investment institutions. Securities firms, fund managers, and similar financial entities.
- Entities responsible for common creditworthiness files. Credit reference agencies and organisations managing debt and solvency databases.
- Private security companies. All private security and surveillance companies, including those operating video surveillance systems as a core part of their business.
- Sports federations. National and regional sports federations that process member, athlete, and competition data.
- Gambling and betting entities. Companies holding gaming licences under Spanish gambling legislation.
- Advertising and market research firms engaged in profiling. Any organisation whose core activity involves building profiles of individuals for advertising, segmentation, or research purposes.
- Healthcare centres, establishments, and providers. Hospitals, clinics, medical practices, dental clinics, pharmacies, physiotherapy centres, medical laboratories, and any healthcare entity that processes patient data. This applies regardless of the number of patients or employees.
- Entities managing large-scale common Social Security systems. Entities administering occupational pension plans and similar collective social welfare schemes.
- Entities operating critical infrastructure. Organisations designated as national critical infrastructure operators under Spanish security legislation.
- Energy distribution companies. Electricity and natural gas distributors subject to specific sectoral regulation.
This list does not exhaust every case where a Data Protection Officer (DPO) may be legally required. It represents the sectors where the LOPDGDD creates an automatic obligation regardless of size. Organisations in other sectors may also need a DPO if they meet the GDPR Article 37 criteria described above.

What the EU Digital Omnibus Proposes — and What It Does Not Touch
The EU Digital Omnibus Package, published in November 2025, has received significant attention for its proposals to change GDPR compliance requirements for smaller businesses. Many business owners have asked whether this proposal reduces the obligation to designate a Data Protection Officer (DPO) for SMEs.
The direct answer is no.
The Digital Omnibus proposals, if adopted, would deliver administrative savings primarily by expanding exemptions relating to Records of Processing Activities and through lighter compliance regimes for SMEs and small mid-cap companies. The obligation to designate a DPO under Article 37 of the GDPR is not among the provisions earmarked for amendment.
More importantly for businesses in Spain: the Digital Omnibus does not propose changes to national legislation. The LOPDGDD's 16-sector mandatory DPO designation list sits in Spanish national law. EU-level proposals do not automatically amend national law. Even if the Digital Omnibus is adopted as proposed, Article 34 of the LOPDGDD will remain unchanged unless the Spanish Government pursues separate domestic legislation to amend it.
The Digital Omnibus Package will progress through the European Union trilogue legislative process, with adoption expected by mid-2026. However, its content is likely to change, and for now, organisations are not required to implement any changes to their compliance frameworks.
For businesses covered by the 16 mandatory sectors, the DPO obligation does not change. For businesses outside those sectors, the GDPR Article 37 criteria do not change either. The only proposed change in this area concerns the expansion of the Records of Processing Activities exemption — not the Data Protection Officer (DPO) requirements.
What Happens If You Fail to Designate a DPO When Required
Failing to designate a mandatory Data Protection Officer (DPO) is a serious infringement under the GDPR and the LOPDGDD. And the AEPD enforces it.
Under Article 73 of the LOPDGDD, failing to have a DPO in accordance with GDPR requirements can be classified as a serious infringement, carrying an administrative fine of up to €10 million or 2% of total annual worldwide turnover — whichever is higher.
The AEPD's track record confirms this is not theoretical. In June 2020, the AEPD imposed a €25,000 fine on Glovo for failing to designate a Data Protection Officer. The proceedings were initiated following two complaints filed in May and November 2019. Although Glovo notified the AEPD of a DPO designation on 31 January 2020, the AEPD acknowledged the proactive step but concluded it was not sufficient to avoid the penalty.
The Glovo case established several principles that remain relevant today:
- Designating a DPO after an investigation begins does not eliminate liability for prior non-compliance. The AEPD expressly acknowledged Glovo's late designation but still sanctioned the company for the period during which no DPO existed.
- An internal committee performing DPO-like functions does not replace a formally designated Data Protection Officer (DPO). Glovo argued that its Data Protection Committee fulfilled all DPO functions. The AEPD rejected this argument because no DPO was formally registered with the agency and no mention appeared in the company's public privacy policy.
- Failing to notify the AEPD of a DPO designation constitutes a separate infringement. Under Spanish law, data controllers and processors must notify the AEPD of any DPO designation, modification, or cessation within ten days — whether the designation is mandatory or voluntary. Glovo was sanctioned both for failing to designate a DPO and for failing to notify in time.
- Being a repeat offender substantially increases risk. Once a company has been sanctioned for any GDPR infringement, subsequent infringements are assessed with an aggravating circumstance that can significantly increase the amount of fines. A company sanctioned for not having a Data Protection Officer that subsequently faces any other compliance issue enters the AEPD process in a structurally worse position.

How to Designate a Data Protection Officer (DPO) in Spain: Practical Steps
If you have determined that your business needs a DPO — or have decided to designate one voluntarily — this is the process to follow.
Step 1 — Identify your DPO. Your Data Protection Officer (DPO) can be an existing employee, a hired specialist, or an external provider. The DPO must have expert knowledge of data protection law — both GDPR and LOPDGDD — and a sufficient understanding of your company's processing activities. There is no mandatory certification in Spain, although the AEPD's Data Protection Officer Certification Scheme, version 1.4, is widely used as a benchmark.
Step 2 — Ensure independence. The DPO must not have a conflict of interest with their compliance oversight role. They cannot simultaneously hold a position that determines the purposes or means of data processing. For example, an IT director who decides what data is collected cannot also act as the Data Protection Officer. The Belgian data protection authority fined a company €50,000 for designating its Head of Compliance as DPO in a role that created a structural conflict of interest. Outsourcing the DPO function to an external provider is an effective way to ensure independence.
Step 3 — Formalise the designation. If using an internal employee, formally document the designation. If using an external provider, execute a written service contract defining the scope of the DPO's duties and access rights.
Step 4 — Notify the AEPD within 10 days. The AEPD maintains an up-to-date electronic register of DPOs, and data controllers and processors are required to notify designations, modifications, and cessations within ten days — for both mandatory and voluntary designations. This notification is submitted through the AEPD's online portal. Failure to notify constitutes a separate infringement, independent of the obligation to designate.
Step 5 — Publish the DPO's contact details. The Data Protection Officer's contact information — typically a dedicated email address — must be published in your privacy policy and in any other relevant communications. Individuals exercising their data protection rights may direct their requests directly to the DPO. The contact details do not need to include the DPO's personal name.
Step 6 — Provide the DPO with adequate resources. The Data Protection Officer (DPO) must have access to all relevant processing activities, receive adequate training, and be given the time and tools needed to perform their role. Designating a DPO in name only without providing resources is not a compliance solution. The AEPD assesses whether DPOs are actually performing their function when it investigates complaints.

Should Your Business Designate a Data Protection Officer Voluntarily?
If your sector does not appear on the LOPDGDD Article 34 list and your processing does not meet the GDPR Article 37 thresholds, you are not legally required to designate a DPO. But that does not necessarily mean you should not have one.
Voluntary designation of a Data Protection Officer (DPO) makes practical sense for businesses that:
- Manage significant volumes of customer or employee personal data.
- Use AI tools, profiling systems, or automated decision-making in their operations.
- Operate in sectors where clients or partners contractually require evidence of strong data protection governance.
- Process any special categories of sensitive data, even if not at a scale that triggers a mandatory obligation.
- Are growing rapidly and expect their processing activities to evolve.
If you decide to designate a DPO voluntarily, you must follow the same steps as those who are legally required to do so, including notification to the AEPD. Additionally, the DPO must meet the same standards of expert knowledge and independence.
A voluntary Data Protection Officer (DPO) designation also cannot be reversed without notification. If you register a DPO with the AEPD and subsequently remove them without appointing a replacement, that withdrawal must be notified within ten days. And if the AEPD later concludes that your processing did in fact require a mandatory DPO, the withdrawal creates additional exposure.
The DPO-as-a-Service Model: What Spanish SMEs Are Choosing
For most small and medium-sized enterprises in Spain that need a Data Protection Officer (DPO) — whether through the mandatory sector list or voluntarily — the outsourced DPO model has become the dominant option.
An external DPO brings certified expertise, independence from internal conflicts of interest, and scalable support without the cost of a full-time hire. The service contract specifies the scope of duties, which typically includes maintaining the Record of Processing Activities, advising on DPIAs, handling data subject rights requests, monitoring regulatory changes, acting as liaison with the AEPD, and delivering annual compliance reports.
The cost of an outsourced Data Protection Officer service varies depending on the complexity of your processing activities and the level of support required. For a small business in a mandatory sector with straightforward processing, it typically represents a fraction of the cost of a single non-compliance event. For organisations managing medical records, student data, insurance portfolios, or financial data, the comparison against the legal risk of not designating one is clear.
Do Not Assume You Are Exempt
Spain's approach to Data Protection Officer obligations is different from the rest of Europe — and significantly broader than most business owners expect. The LOPDGDD's mandatory 16-sector list has no equivalent in most European Union Member States. And the AEPD has demonstrated, from the Glovo case onwards, that it will sanction organisations that assume they are exempt without properly assessing their position.
If your business operates in any of the 16 mandatory sectors — education, healthcare, financial services, insurance, private security, advertising that profiles individuals, or any of the others — you need a Data Protection Officer (DPO) today. Not when you grow larger. Not when the Digital Omnibus becomes law. Today.
If you are outside those sectors but process significant volumes of personal data, use AI or profiling tools, or handle special categories of sensitive data, voluntarily designating a DPO may be the most effective risk management decision for your business.
The EU GDPR Compliance and Data Protection for Businesses course from the Spanish Compliance Institute covers the Data Protection Officer obligation in detail, including the LOPDGDD's sector-specific requirements, what a DPO does in practice, how to assess whether your business needs one, and 18 downloadable compliance templates you can start using immediately.
Frequently Asked Questions
- Does every business in Spain need a Data Protection Officer?
- Which sectors require a mandatory DPO in Spain, regardless of company size?
- Does a small language school or private academy need a DPO in Spain?
- What is the fine for not having a DPO when it is mandatory?
- Can I designate an employee as DPO, or must it be an external person?
- How do I notify the AEPD of a DPO designation?
- Does the EU Digital Omnibus reduce or eliminate the DPO obligation for SMEs?
- What qualifications does a DPO need in Spain?
- Can a DPO be shared among several companies?
- What happens after designating a DPO? What should they do first?
- Is a voluntary DPO designation reversible?