Burgos has a diversified productive fabric: the agri-food industry — black pudding and cheese with protected designations of origin, large meat-processing groups in the metropolitan area — coexists with an automotive supply chain centred on multinationals such as Grupo Antolín, headquartered in the city, and with a growing hospitality sector linked to Burgos Cathedral (a UNESCO World Heritage Site) and the Camino de Santiago. All these organisations, regardless of their size or sector, process personal data of customers, employees and suppliers and are fully subject to the GDPR and the LOPDGDD.
Genuine compliance goes far beyond downloading a privacy policy from the internet. It means identifying what data the organisation processes, on what legal basis (art. 6 GDPR), for how long and under what contracts with data processors when information is shared with third parties — accountancy firms, cloud software providers, communications agencies. In Burgos, many SMEs had their first contact with the subject through the Kit Digital programme, but that minimum level does not guarantee real compliance in the event of an inspection or a complaint filed with the Spanish Data Protection Authority (AEPD — Agencia Española de Protección de Datos).
At Summum Consultoría we support organisations in Burgos, Aranda de Duero, Miranda de Ebro and across the province through the full compliance process. We draw up the Record of Processing Activities (art. 30 GDPR), review processor contracts, update information notices and define security measures proportionate to the risk. We do not act in place of the AEPD nor do we guarantee outcomes in enforcement proceedings, but we do ensure the organisation acts with the diligence required by law.
Ongoing support is as important as the initial implementation. When the AEPD publishes new sector-specific guidelines, when the company introduces a new processing activity or when a security incident occurs, having a dedicated data protection consultant in Burgos who knows the organisation inside out allows a rapid response without starting from scratch. For organisations that require it, we also cover the role of external Data Protection Officer (arts. 37–39 GDPR), with direct communication with the supervisory authority.