Sector analysis
We identify the sector's specific processing activities before proposing anything: the risks, data categories and working templates are not the same for a parish as for a dental clinic, a state-subsidised school or a town council.
We take on the role of outsourced Data Protection Officer (DPO) with dedicated tracks for healthcare, education, religious organisations, associations, hospitality and local government. A real breach channel answered in under 24 hours, formal registration with the Spanish Data Protection Agency (AEPD), and yearly training — not a DPO who only signs the appointment letter.
The Data Protection Officer (DPO) is the role that Article 37 of the General Data Protection Regulation (GDPR, EU 2016/679) and Article 34 of Spain's Organic Law 3/2018 on Data Protection and Digital Rights Guarantee (LOPDGDD) set aside to oversee regulatory compliance, act as the point of contact with the Spanish Data Protection Agency (AEPD), and advise internally on any personal data processing. It is not a decorative title: the AEPD can require the DPO's direct involvement during an inspection, and failing to appoint one — when it is mandatory — is itself a sanctionable infringement.
An outsourced DPO carries out exactly the same functions as an in-house one, with two practical differences: cost (you pay for the service, not for a full salary plus ongoing training) and independence (Article 38(3) GDPR requires that the DPO receive no instructions on how to exercise their tasks and not be dismissed for performing them, which is easier to guarantee under a service contract than under an employment relationship). We act as a registered third party before the AEPD, with different working templates for each sector — we do not apply the same procedure to a parish as to a dental clinic or a state-subsidised school — because data categories, risks and sector-specific rules change in each case.
Article 37(1) GDPR requires a DPO to be appointed in three cases: when processing is carried out by a public authority or body (except courts acting in their judicial capacity); when the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale; and when the core activities consist of large-scale processing of special categories of data (health, ideology, trade-union membership, sexual orientation, biometric or genetic data) or of personal data relating to criminal convictions and offences.
Article 34(1) of the LOPDGDD develops these cases for Spain and adds a list of entities obliged in any case, regardless of whether they meet the large-scale thresholds of Article 37(1): professional associations and their general councils, schools offering regulated-level education and public and private universities, operators of electronic communications networks and services processing data on a large scale, information society service providers that profile users on a large scale, credit institutions, financial credit establishments and insurers, investment services firms, electricity and gas distributors and retailers, entities managing shared creditworthiness and credit files, entities carrying out advertising and commercial prospecting based on data subjects' preferences or profiling, healthcare centres legally required to keep patient records, entities issuing commercial reports on individuals, online gambling operators, private security firms, and sports federations when they process minors' data.
Outside these mandatory cases, appointing an outsourced DPO still makes sense: it strengthens the data protection system with a role formally registered with the AEPD, provides a consultation and incident-management channel the organisation would otherwise lack, and gets ahead of what many large clients now require before signing a contract.
The rules do not require the DPO to be an employee: Article 37(6) GDPR expressly allows the role to be fulfilled on the basis of a service contract. The real difference lies in cost (an in-house DPO with the legal-technical training the role demands typically costs more than an outsourced service sized to the organisation's actual needs), in availability (an outsourced DPO works across several clients and keeps up to date with cases from different sectors, which rarely happens with an in-house profile that only sees its own organisation), and in the functional independence required by Article 38(3), which is easier to sustain in a contractual relationship than in a hierarchical employment one.
It is also common to combine both roles: someone on the team acts as the day-to-day internal point of contact — logging incidents, coordinating training, keeping the records of processing up to date — while the outsourced DPO takes on the formal responsibility before the AEPD, periodically reviews the system, and steps in whenever an incident or an inspection arises. If you already have an in-house DPO, an outsourced one complements them as a second opinion and as backup at the most demanding moments, without replacing them.
The penalty regime under Article 83 GDPR sets two tiers. Lower-tier infringements — including failing to appoint a DPO when required under Article 37, not providing the DPO with the necessary resources, or not publishing their contact details — can reach €10 million or 2% of total worldwide annual turnover from the previous financial year, whichever is higher. Upper-tier infringements — breach of the processing principles, absence of a legal basis, or systematic failure to honour data subjects' rights — can reach €20 million or 4% of worldwide turnover.
The LOPDGDD, in Articles 72 to 74, classifies infringements as very serious, serious and minor, with limitation periods of three, two and one year respectively. The AEPD treats an active supervisory function (precisely the one exercised by the DPO), corrective action taken before any formal request, and the degree of cooperation with the investigation as mitigating factors. In practice, having a DPO — in-house or outsourced — is not only a legal obligation in certain cases: it is also the documentary evidence of diligence the AEPD expects to find when it opens an investigation.
Summum has been supporting organisations with regulatory compliance since 2007, with more than 2,000 digitalisation projects delivered and close to 200 ISO certification processes supported across the group — the same team that can take you, when you need it, to ISO 27001 or ISO 27701 through Summum Calidad, without changing point of contact. We work from five offices in Valladolid (headquarters), Burgos, Palencia, Aranda de Duero and Las Palmas de Gran Canaria, which lets us offer a DPO you meet in person, not an account managed from another province.
We do not promise a specific outcome before the AEPD, nor do we replace its judgment: we support the organisation so it reaches any inspection or request with the documentation, procedures and track record the regulator expects to find.
We do not publish a fixed rate because the real cost of an outsourced DPO depends on variables that vary a great deal from one organisation to another: the number of personal data processing activities carried out, whether special categories of data are processed (health, minors, biometric data), the number of sites or centres, whether the organisation operates in a sector with extra regulation (healthcare, education, financial), the volume of people whose data is processed, and whether the service fully replaces an in-house DPO or complements one as a second opinion and backup.
We always confirm it on an initial, free call, once we understand the organisation's actual processing activities — not before, since any figure given without that diagnosis would be an unhelpful guess. If you want a market benchmark and to see which variables move the price the most, we have published a dedicated analysis on the blog: Outsourced DPO pricing: variables and an indicative range for 2026.
Clinics, care homes and health practices process health data, a special category under Article 9 GDPR, with heightened security requirements and clinical records that never fit a generic template.
State-subsidised schools, academies and private vocational training process minors' data, which requires extra information and consent safeguards under the LOPDGDD and the AEPD's guidance on minors in education.
Parishes, congregations and affiliated associations fall under the specific regime of Article 91 GDPR for churches and denominations, alongside a dedicated agreement with the Catholic Church that shapes how data on parishioners is processed.
Foundations, NGOs and cultural or sports associations handle member and donor data — many under the tax regime of Law 49/2002 — and often rely on volunteers, which calls for simpler but equally enforceable procedures.
Restaurants running CRM systems, hotels and loyalty programmes process marketing data and guest profiles that require clear legal bases and proper handling of tracking cookies.
Town councils and inter-municipal bodies are data controllers by legal definition (art. 37(1)(a) GDPR) and often need to combine the DPO role with alignment to Spain's National Security Framework (ENS) when they provide digital services to citizens.
We identify the sector's specific processing activities before proposing anything: the risks, data categories and working templates are not the same for a parish as for a dental clinic, a state-subsidised school or a town council.
We register you with the Spanish Data Protection Agency as your DPO, with formal notification of the appointment to the organisation's governing body and publication of the contact details required by Article 37(7) GDPR.
Periodic review of the records of processing and security measures, a breach channel available around the clock, handling of queries from staff and data subjects, and yearly training with documented evidence.
At least one breach drill a year and a compliance review with a written record, so you reach an AEPD inspection — or a large client's due diligence — with the work already done, not still pending.
The operational detail: what we deliver as part of the engagement and what we keep active afterwards.
Appointment and notification to the AEPD
Formal registration as the organisation's DPO before the Spanish Data Protection Agency and internal notification of the appointment, as required by Article 37(7) GDPR.
Records of processing activities
Ongoing maintenance of the Article 30 GDPR document: every processing activity, its purpose, legal basis, data categories, disclosures and retention periods, updated whenever a process changes.
Data protection impact assessments (DPIAs) where required
When a new processing activity meets the high-risk criteria set by the European Data Protection Board, we carry out the impact assessment required by Article 35 GDPR before it goes live.
Handling data subjects' rights
Procedure and timelines for access, rectification, erasure, objection, portability and restriction (arts. 12–22 GDPR), with response templates and a log of every request handled.
Breach channel under 24h and notification to the AEPD
Detection and containment in under 24 hours through a direct channel — not a web form — with risk assessment and, where applicable, notification to the AEPD within the 72-hour window of Article 33 GDPR and communication to affected individuals when the risk is high (art. 34).
Yearly staff training + drill
An annual training session tailored to the sector and to each role, with a test and a written record that serves as compliance evidence, plus a breach drill to test the procedure before you actually need it.
Ongoing liaison with the AEPD
The DPO acts as the single point of contact with the Agency: answering queries, responding to requests and, if an investigation is opened, accompanying the organisation through the whole procedure.
Periodic system audits
Scheduled review of the technical and organisational measures in place, of processor agreements (art. 28 GDPR) with suppliers, and of the consistency between what is documented and what happens day to day.
Client management platform
Access to the status of the service at any time: current documents, logged breaches, training delivered and audits performed, without having to request the information by email.
Article 37 of the GDPR and Ley 2/2023 when a whistleblowing channel is in place.
As your organisation grows, ISO 27001 or ENS are the natural next steps.
It depends on the sector and the scale of processing. It is mandatory in the three cases of Article 37(1) GDPR (public administration, large-scale systematic monitoring, large-scale processing of special categories of data) and in the additional list of Article 34 LOPDGDD, which includes schools, healthcare entities, professional associations, insurers, financial entities and other regulated sectors regardless of size. Outside these cases, it remains good practice. We clarify this during the initial, free diagnosis.
Failing to appoint a DPO when the law requires it falls under Article 83(4) GDPR: up to €10 million or 2% of worldwide annual turnover, whichever is higher. The AEPD treats an adequacy plan and prior diligence as mitigating factors.
A GDPR consultant helps bring the organisation into line with the rules (documentation, training, procedures), but does not take on the formal supervisory and liaison role with the AEPD required by Article 37 GDPR unless also appointed DPO. Our outsourced DPO service includes both: the compliance work and the ongoing exercise of the role.
Yes. We complement them: the in-house DPO keeps up with day-to-day work and business knowledge, and the outsourced DPO provides a second opinion, independent review and backup at the most demanding moments, such as an inspection or a serious breach.
Yes. If your organisation has more than 50 employees — or is otherwise obliged — we set up the whistleblowing channel in coordination with the group's criminal compliance service, with a designated officer and documentation for Spain's Independent Whistleblower Protection Authority (AIPI).
Article 37(7) GDPR requires the DPO's contact details to be notified to the supervisory authority and published. We handle the registration on the AEPD's electronic office as part of the initial appointment, at no extra cost.
The records of processing, documentation and breach history belong to your organisation, not the provider. If you decide to change outsourced DPO, we hand over the full documentary file and coordinate the formal deregistration with the AEPD and the registration of the new DPO with no gap in coverage.
Yes, when the organisation is starting from zero. In that case the first quarter of the service includes the diagnosis and implementation described in our GDPR and LOPDGDD compliance service, and from there the DPO keeps the system alive.
There is no fixed number of hours: the sizing depends on the volume and risk of the processing activities. What is fixed is the availability of the breach channel (under 24 hours) and the frequency of the yearly review and training, regardless of the organisation's size.
Yes. We have a dedicated track for town councils and inter-municipal bodies, which can be combined with alignment to Spain's National Security Framework (ENS) offered by Summum Calidad when the entity provides services to the public sector.