All public bodies and their affiliated or dependent entities that act as controllers or processors of personal data are required to appoint a data protection officer (DPO). This may be an employee of the public administration (internal DPO) or an organisation/company outside the public administration (external DPO). The appointment of the DPO must be notified to the APDCAT using the corresponding registration form.
The obligation of public administrations to have a data protection officer does not affect municipal companies under private law. This is without prejudice to the appointment being mandatory where the company's activity involves regular and systematic observation of people on a large scale, or the large-scale processing of special categories of data or data relating to criminal convictions and offences.
It is also mandatory if the company is engaged in any of the activities provided for in article 34 of the LOPDGDD.
For more information on this issue, you can consult the opinion CNS 39/2019.
The GDPR does not establish a specific qualification for the data protection officer. However, they must have specialised legal knowledge of national and European data protection legislation and practices, and a thorough understanding of the GDPR. Likewise, they must have practical experience in data protection in order to identify the risks associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
Therefore, the level of knowledge required must be determined in accordance with the data processing operations carried out and the protection required for the personal data processed.
In any case, the data protection officer must have knowledge of the sector in question, the organisation, the processing operations carried out and the information systems.
The data controller may contract the services of a data protection officer offered by a professional, organisation or company external to its organisational structure, provided that the professional qualifications referred to in the GDPR are accredited and that no conflict of interest arises.
The appointment of this external Data Protection Officer requires formalising a data processing contract, so that they can access the personal information for which the contracting authority is responsible and which they need to carry out their duties.
Once the Data Protection Officer has been appointed, their contact details must be published so that interested parties can contact them easily and directly. This appointment must also be notified to the APDCAT, via the following form.
If you would like more information on this issue, you can consult the opinion CNS 31/2018.
Yes. Provincial councils, in exercising their powers to provide technical assistance and cooperation to municipalities, can provide the Data Protection Officer service to local authorities. A council may designate a body or person within the county council's service as a data protection officer, provided there is no conflict of interest.
Regarding these issues, you can consult the opinion CNS 23/2018.
The Data Protection Officer may be part of the controller's or processor's staff, or may carry out their duties under a contract for services. They may perform tasks and functions other than those strictly related to the Data Protection Officer's role.
However, to ensure the Data Protection Officer's independence in the exercise of their functions, the controller or processor must avoid any conflict of interest arising from the performance of these other tasks and functions. Consequently, a person whose tasks also involve participating in decisions about processing, or in implementing it, in such crucial aspects as the implementation of security measures, as is the case with the Information Security Officer, cannot be appointed as a Data Protection Officer.
Last update: 11.12.2025