When an organisation decides to appoint a Data Protection Officer (DPO) — whether because Article 37 of the GDPR requires it or on a voluntary basis — the work does not end with signing the contract or the internal appointment letter. There is an administrative step that many companies overlook or complete too late: formally notifying the DPO to the Spanish Data Protection Agency (AEPD) and publishing the DPO's contact details, as required by Article 37.7 of the GDPR. The AEPD explains what a DPO is and when appointment is mandatory, but rarely details the operational procedure: which form to use, which digital certificate you need, what data you must provide and what happens if you are late. This guide covers exactly that last mile.
Why must the DPO be notified to the AEPD? The framework of Article 37.7 GDPR
Article 37.7 of the GDPR is explicit: "The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority." This obligation has two sides that should be treated separately, since they are fulfilled in different ways:
- Publication: the DPO's contact details must be accessible to any data subject — typically in the website's privacy policy, but also in contracts, data collection forms or any channel where data processing is disclosed.
- Notification to the supervisory authority: in Spain, this means registering the DPO with the AEPD through its Electronic Office (Sede Electrónica). It is a separate step from publication, and both are independently enforceable.
Failing to comply with either part of this obligation is not a minor formality: it forms part of the regulatory block of Article 37, whose breach is punishable under Article 83.4 of the GDPR, with fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher.
Before notifying: formalise the DPO's internal appointment
Notifying the AEPD presupposes that a prior, documented designation already exists. Before going to the Electronic Office, you should have resolved:
- The appointment act: an internal document (a resolution of the governing body, a service agreement if the DPO is external, or an appointment letter if internal) with a certain date, full identification of the DPO and express acceptance of the role.
- Verification of suitability: Article 37.5 of the GDPR requires the DPO to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. No specific qualification is required, but you should be able to evidence that suitability — training, experience, certification — if the AEPD asks during an inspection.
- Confirmation of independence: if the DPO is an internal employee, you must confirm that they do not perform duties that determine the purposes and means of processing (e.g. marketing director, or IT director with decision-making power), in line with Article 38.6 of the GDPR.
- A dedicated contact channel: a specific email address (for example, dpo@yourcompany.com) separate from the organisation's general inbox, and often also a phone number or postal contact address.
Only once these elements are resolved does it make sense to start the notification procedure, because the AEPD's form asks precisely for this data.
How to notify the DPO to the AEPD: step by step
Notification is carried out entirely online, through the Electronic Register of the AEPD's Electronic Office (sedeagpd.gob.es); legal entities are required to deal with Spanish public authorities electronically under Article 14.2 of Law 39/2015. The usual steps are:
- Access with a digital certificate. You must identify yourself with a recognised digital certificate, the Spanish electronic ID (DNIe) or the Cl@ve system, in the name of the person acting on behalf of the controller or processor (legal representative, proxy holder or the entity itself if it holds an electronic seal).
- Locate the DPO notification procedure. Within the Electronic Office, the AEPD provides a specific procedure for notifying the designation, modification or termination of the Data Protection Officer, accessible from the procedure catalogue or directly from the DPO section on the AEPD's institutional website.
- Complete the form. The form generally requests: identification of the controller or processor (company name, tax ID, registered address), full identification of the DPO (full name or company name if an entity, tax ID, contact address, email and phone number), type of designation (internal, external or shared with other entities of the group) and the date of designation.
- Attach supporting documentation if requested. In some cases it is useful to have the appointment document or the service agreement available, although it is not always mandatory to attach it to the notification itself.
- Submission and proof of registration. After submission, the Electronic Office generates a registration receipt with a file number and timestamp. This receipt is what proves, in a later inspection, that the notification was made and on what date.
Notification does not amount to substantive validation by the AEPD of the suitability of the DPO appointed: the Agency registers the notification, it does not certify the DPO. That responsibility remains with the controller.
When must the DPO be notified? Deadlines and timing
The GDPR does not set a specific number of days for making the notification, but Spanish law does: Article 34.3 of the LOPDGDD requires designations, appointments and terminations of the data protection officer to be notified to the AEPD within ten days, whether the appointment is mandatory or voluntary. In practice, this means notifying in the days immediately following the signing of the appointment, not waiting for an inspection or a query to rush the process.
When the appointment of a DPO is mandatory because the organisation falls under one of the cases in Article 37.1 of the GDPR or Article 34 of the LOPDGDD (the Spanish data protection act), a late notification does not exempt the organisation from liability: the AEPD may consider that a period existed without an effective DPO, subject to the same sanctioning treatment as if none had been appointed at all.
Publishing the contact details: the parallel obligation that gets forgotten
Notifying the AEPD does not replace the obligation to publish. Many organisations complete the registration with the Agency and forget to update their privacy policy, which constitutes a partial breach that is immediately detectable in any inspection — a simple check of the website is enough. The DPO's contact details must appear, at minimum:
- In the website's privacy policy or legal notice.
- In personal data collection forms (contact forms, client onboarding, recruitment processes).
- In the Record of Processing Activities (RAT): Article 30.1(a) of the GDPR requires the DPO's contact details to be included in it.
- In communications involving the exercise of data subjects' rights (access, rectification, erasure, portability, objection and restriction).
It is not necessary to publish the full name of the individual if the DPO is external and acts as a representative of a service provider: it is common and acceptable to publish the name of the provider entity together with the dedicated contact channel.
Changes, terminations and renewals: notification must be repeated
Notifying the AEPD is not a one-off procedure. Any relevant change requires a new notification, also within the ten-day period of Article 34.3 of the LOPDGDD, which expressly covers designations, appointments and terminations:
- Change of DPO: replacement of the internal DPO with another person, or a change of external DPO provider.
- Termination without immediate replacement: a period without a DPO must be avoided when the appointment is mandatory; if it occurs, it must be notified and regularised as soon as possible.
- Change of contact details: a new email address, phone number or postal address for the DPO.
- Expansion or reduction of scope: for example, when an external DPO begins serving group subsidiaries too, or when two entities that shared a DPO stop doing so.
A common finding in audits is an outdated notification held by the AEPD, listing a DPO who has not held the role for months or years. That being out of date is, in itself, a detectable breach.
Common mistakes when appointing a DPO before the AEPD
Most incidents we detect when auditing new clients follow a recognisable pattern:
- Notifying late or not at all. The DPO is appointed internally and the contract with the external provider is signed, but registration with the AEPD is never completed. This is the most common mistake and the easiest to detect in an inspection.
- Not publishing the contact details. Notification to the authority is completed but the privacy policy update is forgotten, or incorrect or outdated details are published.
- Confusing the DPO with the controller. The DPO advises and supervises, but does not decide the purposes and means of processing and does not answer legally to the AEPD in the event of a sanction; that responsibility rests with the controller.
- Using a generic contact channel. Publishing only the company's general email address instead of a dedicated channel makes it harder for the AEPD and data subjects to clearly identify the data protection point of contact.
- Not updating after a change of provider. Switching external DPO providers without notifying the termination of the previous one and the appointment of the new one leaves the organisation, during that period, with an outdated notification before the AEPD.
- Appointing a DPO without verifying independence. Appointing someone who simultaneously decides on data processing invalidates the independence guarantee of Article 38 of the GDPR, even if the formal notification was carried out correctly.
What you risk if you fail to notify the DPO or do so incorrectly
Breach of Article 37 — including failure to notify and publish as required by Article 37.7 — is punishable under Article 83.4.a) of the GDPR, which provides for fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher; the higher tier of Article 83.5 — up to €20 million or 4% — is reserved for infringements such as those of the processing principles or data subjects' rights. For SMEs, the proportionality principle of Article 83.1 moderates the final amount, but the AEPD has sanctioned organisations that were required to appoint a DPO and failed to do so or failed to notify it correctly. Beyond the fine, the AEPD can require regularisation within a set deadline, with the reputational risk that a public sanctioning decision carries.
How much does it cost to have a properly notified DPO
The cost of appointing and maintaining a DPO — internal or external — varies according to the volume and sensitivity of the processing activities, the sector, and whether the service includes management of the AEPD procedure itself. There is no fixed market rate. If you want to understand the factors that determine the price of an external DPO, see our guide on external DPO pricing: variables and indicative range.
Summary table: notifying the DPO to the AEPD
| Phase | What to do | Legal basis |
|---|---|---|
| Internal appointment | Designation document, verification of suitability and independence, dedicated contact channel | Arts. 37.5 and 38.6 GDPR |
| Notification to the AEPD | Online procedure via the Electronic Office with a digital certificate, DNIe or Cl@ve, within ten days | Art. 37.7 GDPR · Art. 34.3 LOPDGDD |
| Publication of contact details | Privacy policy, data collection forms and the Record of Processing Activities (RAT) | Art. 37.7 GDPR |
| Update | New notification on any change, termination or renewal of the DPO, within ten days | Art. 37.7 GDPR · Art. 34.3 LOPDGDD |
| Non-compliance | Fine of up to €10M or 2% of worldwide turnover | Art. 83.4.a) GDPR |
Frequently asked questions
Is it mandatory to notify the DPO to the AEPD even if the appointment is voluntary?
Yes. Article 34.3 of the LOPDGDD requires designations, appointments and terminations of the DPO to be notified to the AEPD both when the appointment is mandatory and when it is voluntary, within the same ten-day period. In addition, under Article 34.2 of the LOPDGDD, a voluntarily appointed DPO is subject to the same regime of position, functions and independence under the GDPR as if the appointment were mandatory, including the publication of contact details under Article 37.7. There is no "lighter" notification route for voluntary appointments.
Which digital certificate do I need to complete the procedure on the AEPD's Electronic Office?
Any digital certificate recognised by the @firma platform can be used, as can the Spanish electronic ID (DNIe) or the Cl@ve system, in the name of whoever acts on behalf of the controller or processor. If the procedure is carried out by an external DPO, the contract should clearly state who holds the necessary electronic representation, or the management of this task should be expressly delegated to the provider through a power of attorney.
Can I notify an external DPO shared among several entities of the same group?
Yes, Article 37.3 of the GDPR expressly allows a corporate group to appoint a single DPO for several entities, provided that the DPO is easily accessible from each establishment. The notification to the AEPD must clearly state which entities the DPO serves, and each entity of the group must independently publish its own contact details in its own privacy policy.
What happens if the AEPD finds that I notified the DPO but did not publish their contact details on the website?
This is a partial breach of Article 37.7, and the AEPD treats it as such in its investigation procedures: notification to the authority does not replace the obligation to publish for data subjects. In practice, remediation within a set deadline is usually required before considering the opening of a sanctioning procedure, unless there are signs of repeated non-compliance or bad faith.
Can the external DPO itself handle the entire notification procedure before the AEPD?
Yes, provided it holds the necessary representation, usually formalised in the service agreement through an express power of attorney. In well-structured external DPO services, managing the registration and its updates forms part of the contracted scope, so the organisation does not have to handle the administrative procedure itself.
Does the DPO need to be re-notified every year, even without any changes?
No. Notification to the AEPD does not expire and does not require automatic periodic renewal. A new notification is only necessary when an actual change occurs: replacement of the DPO, changes to their contact details, expansion or reduction of scope, or termination of the role. That said, an internal annual review is recommended to confirm that the notified and published details remain accurate.
What is the difference between appointing a DPO and hiring an external DPO service?
Appointing a DPO is the formal act — internal or through a contract — by which a person or entity takes on the functions of Article 39 of the GDPR for your organisation. Hiring an external DPO service is the usual way to fulfil that appointment without needing a dedicated internal employee, by contracting a specialised third party who, in addition to performing the role's functions, usually also handles the AEPD procedure itself. If your organisation has not yet decided who will act as DPO, you can find out how we structure the service on our external DPO for organisations page.
If your company, town hall or entity needs to appoint a DPO and correctly complete the procedure before the AEPD — or review whether a previous notification remains valid and up to date — at Summum Consultoría we support this process from start to finish, from the appointment to managing the registration and its updates. If your organisation is a public administration or a local entity, you can also see our dedicated service for DPO for public administrations.