Castilla y León

Outsourced DPO in Burgos

Burgos brings together clinics and health practices, hospitality businesses linked to the Camino de Santiago and the Cathedral, and an agri-food and industrial base — from cured meat production with a protected designation of origin to the automotive supply chain — that processes personal data every day. Summum Consultoría acts as outsourced Data Protection Officer (DPO) for organisations in Burgos and its province, with formal registration with the Spanish Data Protection Agency (AEPD), a breach channel answered in under 24 hours, and a DPO you speak to directly, not a switchboard that routes your case to another region.

Applicable rulesGDPR art. 37-39 · LOPDGDD art. 34
Supervisory authorityAEPD — Spanish Data Protection Agency
CoverageBurgos city · Aranda de Duero · Miranda de Ebro · province

Several sectors with a strong presence in Burgos are legally required to appoint a Data Protection Officer, not by choice: clinics and health centres, laboratories and dental practices, professional associations, insurers and financial entities, and any local government body under Article 37(1)(a) GDPR. Many other Burgos organisations — hospitality businesses with loyalty programmes and online bookings, automotive supply chain companies processing data for thousands of employees, retailers with customer profiling — benefit from formalising this role even where it isn't mandatory by sector, because it gets ahead of what many large industrial clients now require before signing a supply contract.

A large share of the outsourced-DPO offers reaching Burgos businesses come from firms based in Madrid or Barcelona that replicate the same generic landing page for every province, changing only the city name. The result is predictable: when a real issue arises — a security breach on a Friday afternoon, an AEPD inspection notice, a client's request about the records of processing — the Burgos organisation ends up talking to a centre based elsewhere that knows neither its sector nor its day-to-day reality. Summum Consultoría works differently: as a firm with an established presence across Castilla y León, we support organisations in Burgos with in-person meetings whenever the case calls for it, and with a fixed point of contact who knows the local business fabric, not a rotating account handled in shifts.

We act as a registered third party before the AEPD, with different procedures depending on the sector: we don't apply the same protocol to a dental clinic in the centre of Burgos as to an automotive supplier with hundreds of shift workers, or to a hotel on the Camino de Santiago that manages bookings through an outside platform. This service does not replace full GDPR adequacy when an organisation is starting from zero — for that, see our data protection service in Burgos, which covers the records of processing, privacy policies and supplier agreements. The outsourced DPO is the layer added on top once the appointment is mandatory for your sector, or when the organisation wants to strengthen its system with a role formally registered with the AEPD and able to liaise directly with the regulator.

The Outsourced DPO in Burgos process.

The process · four stages
01

Sector diagnosis in Burgos

We review your organisation's personal data processing and check whether appointing a DPO is mandatory under Article 37 GDPR and Article 34 LOPDGDD, or a recommended improvement for your specific case, at no cost and with no obligation.

02

Formal registration with the AEPD

We register the appointment on the Spanish Data Protection Agency's electronic office and publish the DPO's contact details, communicating them to the supervisory authority, as required by Article 37(7) GDPR.

03

Ongoing operation

A breach channel available in under 24 hours, handling of staff queries, periodic review of the records of processing, and yearly training, with an in-person meeting in Burgos when the case warrants it or remotely for day-to-day matters.

04

Yearly drill and audit

One breach drill a year and a compliance review with a signed record, so you reach any AEPD inspection with the work already done and documented.

What is included

What Outsourced DPO in Burgos includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Appointment and notification to the AEPD

    Formal registration as DPO before the Spanish Data Protection Agency within the ten-day deadline set by Article 34.3 LOPDGDD, and publication of the DPO's contact details as required by Article 37(7) GDPR.

  • Breach channel under 24h with direct support

    A direct phone line, not a form that ends up at a switchboard in another province: in Burgos you speak to the person acting as DPO, who knows your sector and your history.

  • Review of the records of processing

    Maintenance of the document required by Article 30 GDPR, updated every time the organisation adds a new processing activity or changes technology provider.

  • Yearly training adapted to your sector

    A training session for your team, using real-world cases from the Burgos business fabric — healthcare, agri-food, industry or hospitality — in person when the team needs it or online if it is spread out.

  • Liaison with the AEPD

    The DPO acts as the single point of contact before the Agency: responding to requests and supporting the organisation if an investigation or inspection is opened.

  • Handling of data subject rights

    Procedure and response templates for access, rectification, erasure, restriction, portability and objection requests, within the deadlines of Article 12 GDPR.

Frequently asked questions about Outsourced DPO in Burgos.

Is a DPO mandatory if my business is in Burgos?

It depends on the sector, not the province: the obligation is set by Article 37 GDPR and Article 34 LOPDGDD (healthcare, insurers and financial entities, local government, professional associations, among others), regardless of where the organisation is based. You can find the exact criteria in our article on when an outsourced DPO is mandatory (in Spanish), and we check it at no cost during the initial diagnosis.

Will I always deal with the same DPO, or a different switchboard each time?

You always deal with the same person. Unlike national platforms that rotate cases between different technicians, at Summum Consultoría the DPO assigned to your organisation is the one who handles the breach channel, the yearly training and day-to-day queries, and who travels to Burgos when the case requires it.

Does the outsourced DPO in Burgos also cover my offices in Aranda de Duero or Miranda de Ebro?

Yes. The service covers the whole organisation regardless of where its offices are within the province of Burgos, and coordinates with our service across the rest of Castilla y León if your company also has premises in Valladolid, Palencia or other provinces.

What is the difference between this service and GDPR adequacy in Burgos?

GDPR adequacy builds the complete compliance system: records of processing, privacy policies and supplier agreements. The outsourced DPO is the formal supervisory role before the AEPD that sits on top of that system. If your organisation doesn't have the system in place yet, we usually start with GDPR adequacy in Burgos and add the DPO once it is mandatory or advisable for your sector.

What happens if my Burgos business suffers a security breach outside office hours?

The breach channel is available in under 24 hours, including outside office hours. The DPO assesses the risk to the people affected and, where applicable, coordinates the notification to the AEPD within the 72-hour deadline set by Article 33 GDPR, alongside preparing the communication to data subjects required by Article 34 where necessary.

How much does an outsourced DPO cost in Burgos?

We don't publish a fixed rate, because it depends on the size of the organisation, the number of processing activities and whether the sector requires additional measures, as is the case in healthcare or financial services. We confirm it during the initial call or meeting. You can review the variables that affect the price in our article on outsourced DPO pricing (in Spanish).

Can an agri-food company in Burgos need a DPO even without handling health data?

Yes, if one of the cases in Article 37 GDPR applies, such as large-scale processing of employee data through time-tracking and video surveillance systems, common in shift-based production plants. Outside those cases, many companies in the sector still choose an outsourced DPO because large clients and distribution chains ask for it as a supplier approval requirement.