Sector público

DPO for public administrations and town councils

Article 37(1)(a) GDPR leaves no room for interpretation: every public authority or body must appoint a Data Protection Officer, regardless of any processing-volume threshold that would otherwise apply to a private company. The obligation applies equally to the town council of a provincial capital and to that of a village of two hundred people, to provincial councils, to local autonomous bodies and to service joint boards. Summum Consultoría supports public administrations across Castilla y León and the Canary Islands with the appointment, registration with the AEPD and ongoing exercise of this role, including the shared-DPO arrangement for several bodies when staff size doesn't justify a dedicated officer.

Applicable rulesGDPR art. 37(1)(a) (no exception) · LOPDGDD art. 34
Supervisory authorityAEPD — Spanish Data Protection Agency
ScopeTown councils, joint boards, provincial councils and public bodies in Castilla y León and the Canary Islands

In the private sector, the duty to appoint a DPO depends on the activity carried out: large-scale processing of special categories of data, systematic monitoring of data subjects, or one of the cases listed in Article 34 of the LOPDGDD for professional associations, schools, financial entities or insurers, among others. In the public sector there is no such filter. Article 37(1)(a) GDPR imposes the appointment on any public authority or body simply because it is one, with the sole exception of courts acting in their judicial capacity. A town council of two hundred people that keeps the population register, issues certificates and processes social assistance is just as bound as a government ministry. In practice, a considerable number of small municipalities and joint boards in Castilla y León handle this obligation incompletely: they informally hand it to a member of staff who doesn't hold the qualification required under Article 37(5) GDPR, assume the provincial council already covers it without any formal appointment existing, or simply never notify the appointment to the AEPD as required under Article 37(7).

The GDPR itself provides the way out for bodies that cannot take on a full-time officer. Article 37(3) expressly allows a public authority or body to appoint a single DPO for several entities, "taking account of their organisational structure and size". This European provision applies directly in Spain and allows town councils, joint boards and consortia to share one officer instead of duplicating the cost at each entity; each body's appointment is notified to the AEPD within the ten-day period set by Article 34(3) of the LOPDGDD. It's the arrangement that makes most sense for the majority of municipalities under five thousand inhabitants in the region: a single outsourced DPO covers the town council, its sports or culture autonomous body if one exists, and the joint board it belongs to, through one coordinated appointment and a single point of contact with the Agency.

Summum Consultoría, active since 2007, works with local public bodies in Castilla y León and the Canary Islands on matters that share the same interlocutor — the secretary-treasurer, the procurement officer, the mayor's office — as our transparency law and public procurement services. That familiarity with how a small town council actually operates is what's missing from most outsourced-DPO offers designed for private companies: drafting the records of processing for a clinic is not the same as drafting one for a town hall that handles population register data, local police, public-space video surveillance, social assistance, administrative procurement and institutional social media accounts all at once. The service is also procured like any other local-authority supply or service: through a minor contract or a simplified open procedure depending on its amount, under the same framework of Law 9/2017 on Public Sector Contracts that we already apply in the procurement processes we manage for SMEs.

The DPO for public administrations and town councils process.

The process · four stages
01

Diagnosis of the body and its processing activities

We review the processing activities specific to municipal or public-body activity: population register, incoming/outgoing correspondence register, local police, public-space video surveillance, social assistance and benefits, administrative procurement, subsidies and institutional social media accounts. We check whether an appointment already exists (in-house or delegated to the provincial council) and under what terms.

02

Formal appointment and notification to the AEPD

We formalise the appointment through an agreement of the competent body (mayor's office, governing board or plenary session, as applicable) and notify it to the Spanish Data Protection Agency under Article 37(7) GDPR. If the entity is part of a joint board or wants to share an officer with neighbouring municipalities, we coordinate the joint appointment enabled by Article 37(3) GDPR. See the step-by-step procedure in our <a href="https://summumconsultoria.es/blog/2026-07-10-nombrar-dpo-aepd">guide to appointing a DPO with the AEPD</a> (in Spanish).

03

Records of processing and ongoing operation

We maintain the Article 30 GDPR records of processing adapted to local-authority activity, handle citizens' rights requests within the Article 12 timelines, and provide a breach channel answered in under 24 hours, with notification to the AEPD within the 72-hour window of Article 33 when the risk assessment requires it.

04

Yearly training and a report for the plenary session

We deliver yearly training for municipal staff — with particular weight on local police, social services and the registry — and prepare an activity report from the DPO that the secretary's office can present to the plenary session or governing board, leaving a documented record of compliance for any AEPD request.

What is included

What DPO for public administrations and town councils includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Appointment and notification to the AEPD

    Formal registration as DPO before the Spanish Data Protection Agency and notification of contact details under Article 37(7) GDPR, with the competent municipal body's resolution already drafted.

  • Shared DPO across several entities

    Appointment of a single officer for the town council, its autonomous bodies and the joint board it belongs to, under Article 37(3) GDPR, notified to the AEPD within the ten-day period of Article 34(3) of the LOPDGDD, without duplicating the cost at each entity.

  • Records of processing adapted to the public sector

    Article 30 GDPR document covering the processing activities specific to municipal work: population register, local police, video surveillance, social assistance, procurement and institutional social media.

  • Breach channel and 72-hour notification

    Incidents handled in under 24 hours and, when the risk requires it, notification to the AEPD within the Article 33 GDPR timeline, with the file already prepared for the plenary session.

  • Support with data protection impact assessments

    Support with DPIAs under Article 35 GDPR, common in urban video surveillance projects, access control or new case-management systems.

  • Coordination with transparency and public procurement

    The DPO works alongside our <a href="./ley-transparencia.html">transparency law</a> service so that active disclosure doesn't breach the GDPR, and with <a href="./licitaciones-publicas.html">public procurement</a> when the outsourced officer's own contract is processed through a public procedure.

Frequently asked questions about DPO for public administrations and town councils.

Does a small town council have to have a DPO?

Yes, with no exception for size. Article 37(1)(a) GDPR requires every public authority or body to appoint a DPO, regardless of population or the volume of processing activities. The GDPR's only exception is courts acting in their judicial capacity. A municipality of a few hundred people is just as bound as a provincial council.

Can a municipality share its DPO with other town councils or with a joint board?

Yes. Article 37(3) GDPR expressly allows several public authorities or bodies to appoint a single Data Protection Officer, taking account of their organisational structure and size. Each entity notifies its own appointment to the AEPD within the ten-day period set by Article 34(3) of the LOPDGDD. It's the most common and most economical arrangement for small town councils and service joint boards, and the one we apply most often across Castilla y León.

Does the DPO have to be a public employee, or can it be an outside company?

It can be either. Article 37(6) GDPR allows the officer to be a staff member of the organisation or to carry out the role under a service contract, that is, outsourced. Many small town councils choose outsourcing precisely because they don't have staff with the qualification and specialist knowledge required under Article 37(5) GDPR, nor enough workload to justify a full-time in-house role.

How is the DPO's appointment notified to the AEPD?

Notification is made through the Spanish Data Protection Agency's electronic office, with the officer's contact details, as required by Article 37(7) GDPR, and must be made within ten days of the appointment under Article 34(3) of the LOPDGDD. The appointment must be backed by a resolution from the competent municipal body. See the step-by-step procedure in our guide to appointing a DPO with the AEPD (in Spanish).

What does the DPO actually do inside a town council?

The same duties Article 39 GDPR sets out for any organisation: informing and advising the council and its staff on their obligations, monitoring compliance, advising on data protection impact assessments where applicable, and cooperating with the AEPD as its point of contact. We cover each duty in detail in our article on the DPO's functions (in Spanish).

What happens if a public administration doesn't appoint a DPO?

The penalty regime differs from that of private companies. When the infringer is a public administration, the LOPDGDD sets out a specific regime in its Article 77: instead of the fines under Article 83 GDPR — expressly excluded since the reform introduced by Law 11/2023 — the AEPD issues a decision declaring the infringement and setting the corrective measures, can propose that disciplinary proceedings be opened against the individuals responsible, and publishes the decision on its website identifying the infringing body. Not having appointed a DPO also exposes the council to formal requests and a weak position against any citizen complaint.

Can the outsourced DPO be procured through a public tender?

Yes, and it's the usual route: since it's a service to a public-sector entity, procuring an outsourced DPO is subject to Law 9/2017 on Public Sector Contracts, normally through a minor contract if the amount allows it, or a simplified open procedure if it exceeds that threshold. We support the administration itself through that process, the same way we do in our public procurement service for companies bidding for public contracts.

How much does an outsourced DPO cost for a town council or joint board?

We don't publish a fixed rate because it depends on how many entities share the officer, the volume of processing activities and whether there are higher-risk services such as video surveillance or local police. We confirm it during the initial diagnosis. The variables that move the price for any organisation, public or private, are explained in our article on outsourced DPO pricing (in Spanish).