The Canary Islands have no regional data protection authority of their own: complaints and sanction proceedings against any organisation established in Las Palmas de Gran Canaria, in Tenerife or on any other island are handled by the AEPD, based in Madrid, under the same deadlines, criteria and sanction regime of Article 83 GDPR as anywhere else in Spain. The distance from the mainland doesn't reduce the obligation or the exposure to risk; in practice, it puts many organisations further from the natural point of contact that companies elsewhere in Spain rely on.
A growing number of organisations across the archipelago are legally required to appoint a DPO under Article 37 GDPR and Article 34 LOPDGDD: private clinics and health centres, schools offering officially regulated education at any level, insurers and financial entities, private security firms, and any public-sector body or entity, including town councils and organisations dependent on the Cabildo of Gran Canaria. Many others benefit from having this role even where it isn't mandatory: hotels and tourist apartments running loyalty programmes and CCTV systems, travel agencies, real estate agencies, retailers with customer profiling, and companies under the ZEC tax regime that handle customer and supplier data from outside the archipelago. The role formalises the point of contact with the AEPD and gets ahead of what many large clients now require before signing a contract.
Summum Consultoría carries out this role with a physical presence in Las Palmas de Gran Canaria — the only one within the group's data protection practice in the Canary Islands — with operational coverage that also reaches Tenerife and the rest of the islands. We act as a registered third party before the Agency, with different templates and procedures for each sector: we don't apply the same protocol to a hotel in Playa del Inglés as to a clinic in central Las Palmas, a professional firm or a tech company set up under the ZEC regime. When a project calls for it — an initial audit, staff training, preparing for an inspection — we arrange an in-person meeting; the rest of the relationship runs on a direct channel, not a generic form.
This service does not replace full GDPR adequacy when an organisation is starting from zero — for that, see our data protection service in Las Palmas, which covers the records of processing, privacy policies and agreements with suppliers and booking platforms. The outsourced DPO is the layer added on top once the appointment is mandatory for your sector, or when the organisation wants to strengthen its system with a role formally registered with the AEPD and able to liaise with it directly, without relying on a manager who has never set foot on the island.