Fines for Not Having a DPO: What You Risk Under the GDPR and Spain's LOPDGDD

·

When people talk about data protection fines, the conversation usually revolves around security breaches or processing data without consent. There is a less visible but equally real infringement: failing to appoint a Data Protection Officer (DPO) when the regulation requires one, failing to notify the appointment to the Spanish Data Protection Agency (AEPD), or failing to publish the DPO's contact details. This is not a decorative requirement tucked into Article 37 of the GDPR: it is an obligation with its own sanctioning regime, and the AEPD has repeatedly included it in its inspection criteria. This guide explains the exact legal fit of this infringement, how Spanish law grades it, and what you can do to avoid facing it.

What infringement is actually committed by not having a DPO?

It is worth separating three failures that often get lumped together under a single "fine for not having a DPO" headline, because the law treats them as distinct obligations within the same Article 37 of the GDPR:

All three are autonomous infringements: you can appoint the DPO correctly and still be sanctioned for failing to notify or publish, and vice versa. The AEPD assesses them independently when it opens a file.

The legal fit: Article 83.4.a) of the GDPR

The GDPR's sanctioning regime distinguishes two fine tiers according to the severity of the obligation breached. Infringements relating to the controller's and processor's obligations set out in Articles 8, 11, 25 to 39, 42 and 43 — which include Article 37 on the designation, position and communication of the DPO — are sanctioned under Article 83.4.a) of the GDPR, with administrative fines of up to €10,000,000 or, for a company, an amount equivalent to 2 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.

This is the same tier applied to other GDPR management failures — such as not keeping a record of processing activities or not notifying a security breach on time — and sits one step below the aggravated regime of Article 83.5, reserved for the most serious infringements of processing principles and data subject rights. Not having a DPO is therefore not the harshest infringement in the GDPR catalogue, but it is far from trivial: its ceiling is the same as that of a badly managed security breach.

How Spain grades this infringement: Articles 73 and 74 of the LOPDGDD

The GDPR sets the maximum ceilings, but it is Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) that, in its Title IX, translates that framework into a three-tier internal grading system — very serious (Article 72), serious (Article 73) and minor (Article 74) — which drives both the AEPD's proportionality assessment and the limitation period for the infringement.

Within that framework, the LOPDGDD itself expressly codifies the two behaviours:

This distinction has practical consequences: the LOPDGDD itself (Articles 72 to 74) sets different limitation periods depending on the classification — three years for very serious infringements, two years for serious ones and one year for minor ones — so not having a DPO when required exposes the organisation for longer than a simple delay in the notification step.

Who can open a file and how the failure is detected

Missing a DPO is rarely the original trigger for an inspection; it is usually uncovered within a procedure opened for another reason. The most common sources are:

  1. A data subject's complaint, when someone cannot find the DPO's contact details in the privacy policy or exercises a data protection right without receiving a response through an identifiable channel.
  2. A security breach notification: when the AEPD processes an incident report under Article 33 of the GDPR, it systematically checks whether the organisation has a DPO appointed and notified.
  3. Sector-wide inspections launched ex officio, particularly in sectors where appointment is legally mandatory — healthcare, banking, insurance, telecommunications, public administrations — where the AEPD cross-checks its register of notified DPOs against the census of obliged entities.
  4. Information requests within another sanctioning procedure, where verifying the existence of a DPO is a standard step of the investigation.

In any of these scenarios, not having a DPO does not automatically trigger a fine on its own: the AEPD opens a procedure, grants a hearing and weighs the circumstances of the case before ruling, under the sanctioning procedure set out in Title VIII of the LOPDGDD.

Circumstances that aggravate or mitigate the fine

The final amount within the legal range is not discretionary: the AEPD applies the grading criteria of Article 83.2 of the GDPR, which weigh, among other factors, the nature and gravity of the infringement, whether it was intentional or negligent, the measures taken to mitigate its effects, the degree of responsibility given the technical and organisational measures in place, and whether the infringement is repeated. For a detailed look at how these criteria are applied in practice and what fine ranges typically result, see our guide on how AEPD fines are graded.

Applied specifically to the absence of a DPO, the AEPD tends to treat as an aggravating factor that the organisation belongs to a sector with an express legal obligation — for example, credit institutions or insurers under Article 34 of the LOPDGDD — and that it failed to act after a prior request. As a mitigating factor, it tends to weigh a voluntary appointment made after the failure was detected, active cooperation with the investigation, and the absence of actual harm to data subjects resulting from the missing appointment.

Common mistakes that lead to this fine without organisations realising it

Most files opened for this reason are not the result of a deliberate decision to breach the rules, but of recurring management gaps:

For the details of the correct notification procedure, with deadlines and steps through the Electronic Office, see our guide on how to notify a DPO to the AEPD.

How to avoid the fine: appoint, notify and publish in the right order

Avoiding this infringement means closing the full loop of Article 37 of the GDPR, not just its first step. In practice, this involves:

  1. Determining whether there is an obligation to appoint a DPO, reviewing both the three general scenarios of Article 37.1 of the GDPR and the additional scenarios of Article 34 of the LOPDGDD. Our guide on when an external DPO is mandatory breaks these down sector by sector.
  2. Formalising the appointment with a document that certifies the DPO's professional suitability, their independence from decisions on the purposes and means of processing, and an operational contact channel.
  3. Notifying the appointment to the AEPD within the ten-day deadline set by Article 34.3 of the LOPDGDD, through the Electronic Office, using a digital certificate, DNIe or Cl@ve.
  4. Publishing the DPO's contact details in the privacy policy and in any channel where data processing is disclosed.
  5. Keeping the register up to date, notifying any change, resignation or renewal within the same deadline as the initial appointment.

The cost of avoiding the fine versus the cost of paying it

The cost of appointing and maintaining a DPO — internal or external — depends on the volume and sensitivity of the processing, the sector of activity and whether the service includes managing the AEPD notification itself; there is no single market rate. What is comparable is the scale: against a fine ceiling of up to €10 million or 2 % of worldwide turnover under Article 83.4.a) of the GDPR, the cost of a correctly appointed, notified and published external DPO is a marginal fraction. You can review the factors that determine the price in our guide to the cost of an external DPO, or resolve the full appointment with our external DPO service.

Summary table: fine for not having a DPO

Failure Legal basis Typical classification Maximum fine
Not appointing a DPO when mandatory Art. 37.1 GDPR · Art. 34 LOPDGDD Serious infringement (Art. 73.v LOPDGDD) Up to €10M or 2 % worldwide turnover (Art. 83.4.a GDPR)
Not notifying the appointment to the AEPD Art. 37.7 GDPR · Art. 34.3 LOPDGDD Minor infringement (Art. 74.p LOPDGDD) Up to €10M or 2 % worldwide turnover (Art. 83.4.a GDPR)
Not publishing contact details Art. 37.7 GDPR Minor infringement (Art. 74.p LOPDGDD) Up to €10M or 2 % worldwide turnover (Art. 83.4.a GDPR)
Limitation period Arts. 73 and 74 LOPDGDD 1 year (minor) · 2 years (serious)

Frequently asked questions

Can the AEPD fine an organisation even without a security breach or a complaint from a data subject?

Yes. Failing to appoint, notify or publish the DPO is an autonomous infringement of Article 37 of the GDPR, independent of whether a security incident has occurred. The AEPD can detect it and open a file even without any material harm resulting, although the absence of harm is usually weighed as a mitigating factor in the final grading of the fine under Article 83.2 of the GDPR.

Is the fine the same whether the DPO was never appointed or was appointed but never notified to the AEPD?

The legal ceiling is the same — up to €10 million or 2 % of worldwide turnover under Article 83.4.a) of the GDPR — but the effective amount is usually very different. Failing to appoint a DPO when mandatory is expressly codified as a serious infringement under Article 73.v) of the LOPDGDD, while a purely formal failure to notify or publish, with the DPO correctly appointed, is codified as a minor infringement under Article 74.p), resulting in proportionally lower fines and shorter limitation periods.

What if my company does not fall under the GDPR's mandatory scenarios but does under the LOPDGDD's?

Article 34 of the LOPDGDD extends the three general scenarios of Article 37.1 of the GDPR in Spain to additional categories of entities — professional associations, schools, credit institutions, insurers, private security companies, among others. If your organisation fits any of these extended scenarios, the obligation to appoint a DPO is equally enforceable, and failing to comply is sanctioned under the same framework of Article 83.4.a) of the GDPR.

Does a voluntarily appointed DPO also need to be notified to the AEPD?

Yes. Article 34.3 of the LOPDGDD requires notifying the AEPD of appointments, both mandatory and voluntary, within the same ten-day deadline. Once notified, a voluntary DPO is subject to the same regime of position, functions and independence as a mandatory one, including the obligation to publish their contact details.

How long does the AEPD have to sanction this failure?

It depends on the classification of the infringement: under Articles 73 and 74 of the LOPDGDD, two years if classified as serious — the typical criterion when no DPO has been appointed despite being mandatory — and one year if classified as minor — the typical criterion for notification or publication failures where a DPO has already been appointed. The period is counted from the day the infringement was committed or, in continuing infringements, from when the infringing conduct ceased.

Does hiring an external DPO eliminate the risk of a fine entirely?

It reduces the risk significantly, provided the provider manages all three stages — appointment, notification and publication — and keeps the register updated whenever something changes, but it does not eliminate other causes of GDPR fines unrelated to the DPO role, such as processing without a lawful basis or badly managed security breaches. What it does eliminate, when done correctly, is specifically the infringement covered in this guide.

Is not having a DPO the same as failing to respond to data subject rights requests?

No. These are distinct infringements with different legal bases. Not having a DPO is sanctioned under Article 37 and Article 83.4.a) of the GDPR; failing to handle data subject rights requests on time is sanctioned under Articles 12 to 22 of the GDPR and can reach the aggravated regime of Article 83.5. In practice, however, the two often coincide: without an identifiable, published DPO, rights requests frequently fail to be processed on time, which can turn a single organisational gap into two simultaneous sanctioning files.