When people talk about data protection fines, the conversation usually revolves around security breaches or processing data without consent. There is a less visible but equally real infringement: failing to appoint a Data Protection Officer (DPO) when the regulation requires one, failing to notify the appointment to the Spanish Data Protection Agency (AEPD), or failing to publish the DPO's contact details. This is not a decorative requirement tucked into Article 37 of the GDPR: it is an obligation with its own sanctioning regime, and the AEPD has repeatedly included it in its inspection criteria. This guide explains the exact legal fit of this infringement, how Spanish law grades it, and what you can do to avoid facing it.
What infringement is actually committed by not having a DPO?
It is worth separating three failures that often get lumped together under a single "fine for not having a DPO" headline, because the law treats them as distinct obligations within the same Article 37 of the GDPR:
- Failing to appoint a DPO when the organisation is required to do so under Article 37.1 of the GDPR or Article 34 of the LOPDGDD, which in Spain extends mandatory appointment beyond the three general GDPR scenarios (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special categories of data).
- Failing to notify the appointment to the AEPD, as required by Article 37.7 of the GDPR, even when a DPO has been correctly appointed. In Spain this step is completed through the AEPD's Electronic Office and has a ten-day deadline set by Article 34.3 of the LOPDGDD.
- Failing to publish the DPO's contact details somewhere accessible to data subjects — a privacy policy, data collection forms, contracts — which is the second half of that same Article 37.7 obligation.
All three are autonomous infringements: you can appoint the DPO correctly and still be sanctioned for failing to notify or publish, and vice versa. The AEPD assesses them independently when it opens a file.
The legal fit: Article 83.4.a) of the GDPR
The GDPR's sanctioning regime distinguishes two fine tiers according to the severity of the obligation breached. Infringements relating to the controller's and processor's obligations set out in Articles 8, 11, 25 to 39, 42 and 43 — which include Article 37 on the designation, position and communication of the DPO — are sanctioned under Article 83.4.a) of the GDPR, with administrative fines of up to €10,000,000 or, for a company, an amount equivalent to 2 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.
This is the same tier applied to other GDPR management failures — such as not keeping a record of processing activities or not notifying a security breach on time — and sits one step below the aggravated regime of Article 83.5, reserved for the most serious infringements of processing principles and data subject rights. Not having a DPO is therefore not the harshest infringement in the GDPR catalogue, but it is far from trivial: its ceiling is the same as that of a badly managed security breach.
How Spain grades this infringement: Articles 73 and 74 of the LOPDGDD
The GDPR sets the maximum ceilings, but it is Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) that, in its Title IX, translates that framework into a three-tier internal grading system — very serious (Article 72), serious (Article 73) and minor (Article 74) — which drives both the AEPD's proportionality assessment and the limitation period for the infringement.
Within that framework, the LOPDGDD itself expressly codifies the two behaviours:
- Failing to appoint a DPO when required: expressly codified as a serious infringement in Article 73.v) of the LOPDGDD (failure to comply with the obligation to appoint a data protection officer when its appointment is required), insofar as it undermines the organisation's ability to oversee and demonstrate compliance.
- Failing to notify the appointment to the AEPD or publish the contact details when the DPO has in fact been correctly appointed: expressly codified as a minor infringement in Article 74.p) of the LOPDGDD, since it is a formal failure that does not affect the existence of the role or its independence, unless it coincides with other failures that aggravate the overall case.
This distinction has practical consequences: the LOPDGDD itself (Articles 72 to 74) sets different limitation periods depending on the classification — three years for very serious infringements, two years for serious ones and one year for minor ones — so not having a DPO when required exposes the organisation for longer than a simple delay in the notification step.
Who can open a file and how the failure is detected
Missing a DPO is rarely the original trigger for an inspection; it is usually uncovered within a procedure opened for another reason. The most common sources are:
- A data subject's complaint, when someone cannot find the DPO's contact details in the privacy policy or exercises a data protection right without receiving a response through an identifiable channel.
- A security breach notification: when the AEPD processes an incident report under Article 33 of the GDPR, it systematically checks whether the organisation has a DPO appointed and notified.
- Sector-wide inspections launched ex officio, particularly in sectors where appointment is legally mandatory — healthcare, banking, insurance, telecommunications, public administrations — where the AEPD cross-checks its register of notified DPOs against the census of obliged entities.
- Information requests within another sanctioning procedure, where verifying the existence of a DPO is a standard step of the investigation.
In any of these scenarios, not having a DPO does not automatically trigger a fine on its own: the AEPD opens a procedure, grants a hearing and weighs the circumstances of the case before ruling, under the sanctioning procedure set out in Title VIII of the LOPDGDD.
Circumstances that aggravate or mitigate the fine
The final amount within the legal range is not discretionary: the AEPD applies the grading criteria of Article 83.2 of the GDPR, which weigh, among other factors, the nature and gravity of the infringement, whether it was intentional or negligent, the measures taken to mitigate its effects, the degree of responsibility given the technical and organisational measures in place, and whether the infringement is repeated. For a detailed look at how these criteria are applied in practice and what fine ranges typically result, see our guide on how AEPD fines are graded.
Applied specifically to the absence of a DPO, the AEPD tends to treat as an aggravating factor that the organisation belongs to a sector with an express legal obligation — for example, credit institutions or insurers under Article 34 of the LOPDGDD — and that it failed to act after a prior request. As a mitigating factor, it tends to weigh a voluntary appointment made after the failure was detected, active cooperation with the investigation, and the absence of actual harm to data subjects resulting from the missing appointment.
Common mistakes that lead to this fine without organisations realising it
Most files opened for this reason are not the result of a deliberate decision to breach the rules, but of recurring management gaps:
- Assuming that, because the organisation does not process especially sensitive data, it will never be required to appoint a DPO, without reviewing the extended scenarios of Article 34 of the LOPDGDD, which include professional associations, schools, financial institutions and private security companies, among others.
- Appointing the DPO internally but forgetting the notification step to the AEPD, assuming the internal appointment is enough on its own.
- Notifying the appointment but never updating the privacy policy with the DPO's contact details, leaving the website out of step with the AEPD's register.
- Failing to re-notify a resignation or renewal of the DPO, so the AEPD keeps on record someone who no longer holds the role.
- Delegating the role to someone without genuine guarantees of independence — for example, someone who decides on the purposes and means of processing — which can turn an apparently correct appointment into a substantive breach of Article 38.6 of the GDPR.
For the details of the correct notification procedure, with deadlines and steps through the Electronic Office, see our guide on how to notify a DPO to the AEPD.
How to avoid the fine: appoint, notify and publish in the right order
Avoiding this infringement means closing the full loop of Article 37 of the GDPR, not just its first step. In practice, this involves:
- Determining whether there is an obligation to appoint a DPO, reviewing both the three general scenarios of Article 37.1 of the GDPR and the additional scenarios of Article 34 of the LOPDGDD. Our guide on when an external DPO is mandatory breaks these down sector by sector.
- Formalising the appointment with a document that certifies the DPO's professional suitability, their independence from decisions on the purposes and means of processing, and an operational contact channel.
- Notifying the appointment to the AEPD within the ten-day deadline set by Article 34.3 of the LOPDGDD, through the Electronic Office, using a digital certificate, DNIe or Cl@ve.
- Publishing the DPO's contact details in the privacy policy and in any channel where data processing is disclosed.
- Keeping the register up to date, notifying any change, resignation or renewal within the same deadline as the initial appointment.
The cost of avoiding the fine versus the cost of paying it
The cost of appointing and maintaining a DPO — internal or external — depends on the volume and sensitivity of the processing, the sector of activity and whether the service includes managing the AEPD notification itself; there is no single market rate. What is comparable is the scale: against a fine ceiling of up to €10 million or 2 % of worldwide turnover under Article 83.4.a) of the GDPR, the cost of a correctly appointed, notified and published external DPO is a marginal fraction. You can review the factors that determine the price in our guide to the cost of an external DPO, or resolve the full appointment with our external DPO service.
Summary table: fine for not having a DPO
| Failure | Legal basis | Typical classification | Maximum fine |
|---|---|---|---|
| Not appointing a DPO when mandatory | Art. 37.1 GDPR · Art. 34 LOPDGDD | Serious infringement (Art. 73.v LOPDGDD) | Up to €10M or 2 % worldwide turnover (Art. 83.4.a GDPR) |
| Not notifying the appointment to the AEPD | Art. 37.7 GDPR · Art. 34.3 LOPDGDD | Minor infringement (Art. 74.p LOPDGDD) | Up to €10M or 2 % worldwide turnover (Art. 83.4.a GDPR) |
| Not publishing contact details | Art. 37.7 GDPR | Minor infringement (Art. 74.p LOPDGDD) | Up to €10M or 2 % worldwide turnover (Art. 83.4.a GDPR) |
| Limitation period | Arts. 73 and 74 LOPDGDD | 1 year (minor) · 2 years (serious) | — |
Frequently asked questions
Can the AEPD fine an organisation even without a security breach or a complaint from a data subject?
Yes. Failing to appoint, notify or publish the DPO is an autonomous infringement of Article 37 of the GDPR, independent of whether a security incident has occurred. The AEPD can detect it and open a file even without any material harm resulting, although the absence of harm is usually weighed as a mitigating factor in the final grading of the fine under Article 83.2 of the GDPR.
Is the fine the same whether the DPO was never appointed or was appointed but never notified to the AEPD?
The legal ceiling is the same — up to €10 million or 2 % of worldwide turnover under Article 83.4.a) of the GDPR — but the effective amount is usually very different. Failing to appoint a DPO when mandatory is expressly codified as a serious infringement under Article 73.v) of the LOPDGDD, while a purely formal failure to notify or publish, with the DPO correctly appointed, is codified as a minor infringement under Article 74.p), resulting in proportionally lower fines and shorter limitation periods.
What if my company does not fall under the GDPR's mandatory scenarios but does under the LOPDGDD's?
Article 34 of the LOPDGDD extends the three general scenarios of Article 37.1 of the GDPR in Spain to additional categories of entities — professional associations, schools, credit institutions, insurers, private security companies, among others. If your organisation fits any of these extended scenarios, the obligation to appoint a DPO is equally enforceable, and failing to comply is sanctioned under the same framework of Article 83.4.a) of the GDPR.
Does a voluntarily appointed DPO also need to be notified to the AEPD?
Yes. Article 34.3 of the LOPDGDD requires notifying the AEPD of appointments, both mandatory and voluntary, within the same ten-day deadline. Once notified, a voluntary DPO is subject to the same regime of position, functions and independence as a mandatory one, including the obligation to publish their contact details.
How long does the AEPD have to sanction this failure?
It depends on the classification of the infringement: under Articles 73 and 74 of the LOPDGDD, two years if classified as serious — the typical criterion when no DPO has been appointed despite being mandatory — and one year if classified as minor — the typical criterion for notification or publication failures where a DPO has already been appointed. The period is counted from the day the infringement was committed or, in continuing infringements, from when the infringing conduct ceased.
Does hiring an external DPO eliminate the risk of a fine entirely?
It reduces the risk significantly, provided the provider manages all three stages — appointment, notification and publication — and keeps the register updated whenever something changes, but it does not eliminate other causes of GDPR fines unrelated to the DPO role, such as processing without a lawful basis or badly managed security breaches. What it does eliminate, when done correctly, is specifically the infringement covered in this guide.
Is not having a DPO the same as failing to respond to data subject rights requests?
No. These are distinct infringements with different legal bases. Not having a DPO is sanctioned under Article 37 and Article 83.4.a) of the GDPR; failing to handle data subject rights requests on time is sanctioned under Articles 12 to 22 of the GDPR and can reach the aggravated regime of Article 83.5. In practice, however, the two often coincide: without an identifiable, published DPO, rights requests frequently fail to be processed on time, which can turn a single organisational gap into two simultaneous sanctioning files.