The Data Protection Officer (DPO) is one of the most consequential figures introduced by the Regulation (EU) 2016/679 (GDPR) into the compliance structure of European organisations. The role is neither decorative nor purely documentary: the regulation assigns specific functions, guarantees functional independence, and establishes the DPO as the official link between the organisation and the Spanish Data Protection Authority (AEPD). Nevertheless, significant misconceptions persist about what a DPO can and cannot do, when designation is mandatory, and what the role delivers in practice. This guide answers those questions with normative rigour.
What does the law say about the DPO? The framework of Articles 37-39 of the GDPR
Articles 37 to 39 of the GDPR regulate the DPO as a complete unit: designation, position, and functions. These are not advisory provisions: they are directly applicable obligations across all EU Member States since 25 May 2018. Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights (LOPDGDD) completes the picture in the Spanish context, with Article 34 expanding the mandatory designation scenarios.
The key point to understand first is that the GDPR frames the DPO as an internal independent supervisory function, not as a decision-maker regarding data processing activities. Ultimate responsibility for processing always rests with the controller (the company, entity, or body). The DPO advises, supervises, informs, and facilitates — but does not decide on behalf of the organisation.
When is designating a DPO mandatory? The scenarios under Article 37 of the GDPR
Article 37.1 of the GDPR sets out three scenarios that make designation mandatory:
- Public authorities or bodies (except courts acting in their judicial capacity).
- Controllers or processors whose core activities consist of processing operations that, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale: insurance, banking, large-scale digital platforms, employee or customer location-tracking services, and similar.
- Controllers or processors whose core activities consist of large-scale processing of special categories of data (Article 9: health, political opinions, ethnic origin, sexual orientation, biometrics, criminal convictions) or data relating to criminal offences.
The LOPDGDD expands these scenarios in Article 34 for the Spanish context. Entities expressly listed include healthcare centres processing patient data, entities that build commercial profiles at scale, educational institutions, political parties, and operators of critical infrastructure. If your organisation falls within any of these categories, designation is not optional.
Outside mandatory scenarios, the GDPR does not prohibit — and actively encourages — voluntary designation of a DPO. In such cases, the same independence and positional obligations apply as if designation were mandatory (Article 37.4).
What are the DPO's functions under Article 39 of the GDPR?
Article 39 of the GDPR lists the DPO's minimum functions. These represent a floor, not a ceiling: the organisation may expand them by contract or internal policy, but may never reduce them. The five statutory functions are as follows:
1. Informing and advising the controller, processor, and employees
The DPO is obliged to keep the organisation up to date on its obligations under the GDPR, the LOPDGDD, and any other applicable data protection rules. This includes flagging relevant regulatory developments — such as new AEPD or European Data Protection Board (EDPB) guidelines — advising on the design of new processing activities (the data protection by design principle, Article 25 GDPR), and clarifying queries from personnel with access to personal data.
2. Monitoring compliance with the GDPR and internal policies
The DPO has an ongoing control function: verifying that the organisation's processing activities are carried out in accordance with the regulatory framework and internal data protection policies. This covers reviewing the Record of Processing Activities (RoPA), checking that legal bases are correctly identified, ensuring retention periods are respected, and confirming that data subject rights (access, rectification, erasure, portability, objection, restriction) are handled within statutory timeframes. Article 39.1.b explicitly notes that this supervision includes the assignment of responsibilities, staff training, and related audits.
3. Advising on Data Protection Impact Assessments (DPIAs)
Where processing is likely to result in high risk to individuals, Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA). Article 35.2 establishes that the controller must seek the advice of the DPO when carrying out the DPIA. The DPO does not conduct it alone: they advise on methodology, review the risk analysis, and issue a documented opinion on residual risks. If they conclude that the residual risk remains unacceptable, they may recommend prior consultation with the AEPD (Article 36 GDPR). Their opinion, and whether or not it was followed, must be documented.
4. Cooperating with the AEPD and acting as the point of contact
The DPO is the organisation's official interlocutor with the AEPD (Article 39.1.d). This means that in the event of an investigation, inspection, or enforcement procedure, the AEPD will address the DPO. It also means that individuals may contact the DPO to exercise their rights or raise privacy queries before approaching the AEPD. Article 37.7 requires the DPO's contact details to be published and communicated to the supervisory authority. Failure to register is itself a sanctionable infringement.
5. Managing and notifying personal data breaches
Although the GDPR does not list breach management explicitly as a DPO function in Article 39, it is one of their central practical responsibilities. Article 33 of the GDPR obliges the controller to notify the AEPD of data breaches within a maximum of 72 hours of becoming aware of them. Where a breach is likely to result in high risk to individuals' rights and freedoms, Article 34 adds the obligation to communicate the breach to the affected individuals without undue delay. The DPO coordinates this process internally: assessing the impact, preparing documentation, managing the AEPD notification, and, where required, drafting communications to data subjects.
What can the DPO NOT do? The independence provisions of Article 38
Article 38 of the GDPR regulates the DPO's position and sets out independence guarantees that the organisation must respect:
- The DPO shall not receive instructions from the controller or processor regarding the exercise of their tasks (Article 38.3). If the DPO concludes that a processing activity is unlawful, they must say so even if inconvenient.
- The DPO shall not be dismissed or penalised for performing their tasks (Article 38.3). A DPO who can be fired for flagging non-compliance has no real independence.
- The DPO shall not have conflicts of interest: if internal, they cannot simultaneously hold functions that involve determining the purposes and means of data processing (they cannot be both DPO and Head of Marketing with decision-making power over customer databases, for example).
- The controller must provide the DPO with access to the data, systems, and resources necessary to perform their tasks (Article 38.2).
These guarantees are also why many organisations opt for an external DPO: the structural independence of an external provider is easier to demonstrate to the AEPD than that of an employee who reports hierarchically to the same management layer they are supposed to supervise.
Summary table: DPO functions under the GDPR
| Function | Legal basis (GDPR) | Practical implication |
|---|---|---|
| Inform and advise | Art. 39.1.a | Staff training, regulatory alerts, design of new processing activities |
| Monitor compliance | Art. 39.1.b | RoPA audit, legal basis review, retention period and data subject rights control |
| Advise on DPIAs | Arts. 35.2 and 39.1.c | Risk analysis review, documented opinion, prior consultation recommendation where needed |
| Cooperate with supervisory authority | Arts. 39.1.d and 39.1.e | Contact point in inspections, registration with AEPD, complaints management |
| Data breach management | Arts. 33 and 34 (coordination) | Impact assessment, 72-hour AEPD notification, communication to affected individuals when high risk |
| Functional independence | Art. 38.3 | No instructions from management; cannot be dismissed for performing tasks |
What professional profile must a DPO have?
Article 37.5 of the GDPR requires that the DPO be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and the ability to fulfil the tasks set out in the Regulation. No specific qualification is mandated, but the AEPD's guidance on the DPO notes that the required knowledge level is proportionate to the sensitivity and complexity of the organisation's processing activities.
In practice, an effective DPO for a medium or large organisation must be proficient in: the GDPR and LOPDGDD, EDPB and EU Court of Justice case law on data protection, AEPD sector-specific guidance (CCTV, cookies, breaches, DPIAs), the technical foundations of information security (to engage meaningfully with IT teams), and applicable sector regulation (health data, employment data, children's data, financial data). When the DPO is external, the provider must demonstrate verifiable experience in the organisation's sector.
CCTV, cookies and other sensitive processing: what the DPO supervises
Beyond the general framework, certain processing activities trigger specific obligations that the DPO must know and supervise:
- CCTV surveillance: Article 22 of the LOPDGDD regulates the use of cameras for security purposes; Article 89 of the LOPDGDD covers cameras in the workplace. In both cases, a mandatory information notice must be displayed in a visible location before entering the monitored area, and employees must be informed before cameras are installed. Retention of footage may not exceed thirty days as a general rule (Article 22.3 LOPDGDD), unless required by law enforcement or a judicial authority. The DPO monitors compliance with these retention limits and the presence of the required notice.
- Cookies and digital tracking: Article 22.2 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE) requires informed consent for non-essential cookies. The AEPD's Guide on the use of cookies (updated 2023) sets out the requirements: no pre-ticked boxes, rejecting cookies must be as easy and accessible as accepting them, and users must be able to withdraw consent at any time. The DPO verifies that the cookie policy and consent management platform comply with these requirements.
- Health data and children's data: these are special categories (Article 9 GDPR) or require enhanced protection (Article 8 GDPR for children under 14 in Spain, per the LOPDGDD). The DPO ensures that legal bases are appropriate and that security measures are proportionate to data sensitivity.
The risk of not having a DPO when designation is mandatory
Failing to designate a DPO where required constitutes a serious infringement of Article 37 of the GDPR. The enforcement regime under Article 83.4 of the GDPR provides for fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. The proportionality principle moderates that ceiling for SMEs, but AEPD resolutions show meaningful sanctions even against small organisations. The AEPD can also order the suspension of processing until the infringement is corrected.
Registering the DPO with the AEPD is equally mandatory: failure to register is an independent infringement, separate from whether a DPO exists at all. The DPO's contact details must appear in the organisation's privacy policy and be communicated to the supervisory authority through the AEPD's Electronic Headquarters portal.
External DPO: when it makes sense and how the service is structured
The GDPR allows the DPO to be an internal employee or an external service provider (Article 37.6). The external option is particularly appropriate when the organisation lacks internal staff with the required technical-legal profile, when demonstrating an internal employee's independence would be difficult, or when the volume of processing does not justify a full-time dedicated role.
An external DPO service is typically structured around an ongoing service contract that includes: formal designation and registration with the AEPD, maintenance and updating of the RoPA, advice on new processing activities, periodic staff training, management of data subject rights requests, DPIA advisory support, and coordination in security incidents. Pricing depends on complexity and processing volume; no fixed market tariff exists and ranges vary considerably by sector and organisation size.
If your organisation needs to designate a DPO or wants to assess whether your current DPO meets the requirements of Article 39, Summum Consultoría has been supporting businesses in Castilla y León and the Canary Islands with regulatory compliance since 2007. You can find out more through our external DPO service.
Frequently asked questions
Is the DPO personally liable if the organisation receives a sanction from the AEPD?
Not directly. Legal liability towards the AEPD always falls on the controller (the organisation), not the DPO. The DPO performs an advisory and supervisory function: if they fulfilled that role correctly — flagged the risk, documented their opinions, and the organisation chose not to follow their recommendations — that documentation is relevant when the AEPD assesses the infringement. The DPO may, however, face contractual liability towards the organisation if they failed to exercise their functions with due diligence.
Can the DPO hold other roles within the organisation?
Article 38.6 of the GDPR expressly permits this, provided the other functions do not give rise to a conflict of interest. The DPO cannot simultaneously hold functions that involve deciding on the purposes and means of data processing: for example, they cannot be both DPO and Head of Marketing with decision-making power over customer databases, or Head of IT with control over the systems that host the data. In practice, an internal DPO in a small organisation may take on general compliance or legal advisory functions, provided those roles do not involve executive decisions over processing activities.
Must the DPO be registered with the AEPD even if external?
Yes. Article 37.7 of the GDPR requires the DPO's contact details to be communicated to the supervisory authority regardless of whether the role is internal or external. In Spain, this is done through the AEPD's Electronic Headquarters. The contact details published are those of the DPO in their capacity as an institutional point of contact, not their full personal data: typically a dedicated contact email and the DPO's name or the name of the external service provider.
What if the external DPO identifies a serious infringement and the organisation does not act?
The DPO is obliged to document their opinions and recommendations. If the organisation decides not to follow them, that disagreement must be recorded in writing. In the event of an inspection or enforcement procedure, that documentation may be relevant both for the organisation (which can argue the infringement was not due to ignorance) and for the DPO (who can demonstrate they fulfilled their advisory role). If the organisation persistently ignores serious infringement warnings, the external DPO may terminate the contract to avoid being associated with a pattern of systemic non-compliance.
Is there an official DPO certification in Spain?
The GDPR does not require any specific certification. However, the AEPD has developed a DPO certification scheme through ENAC-accredited certification bodies, which provides objective verification of the candidate's knowledge level. This certification is not mandatory, but it is a valued credential before the AEPD and for organisations seeking an external DPO with verifiable technical competence.