Castilla y León

Data Protection in Burgos

Burgos hosts a diverse business fabric — agri-food industry, automotive supply chain, hospitality and professional services — in which data protection has been a legal obligation since the application of Regulation (EU) 2016/679 (GDPR) and the LOPDGDD (Organic Law 3/2018). At Summum Consultoría we support companies and SMEs in Burgos through genuine regulatory compliance: processing audits, documentation, training and ongoing support.

Applicable lawGDPR (EU) 2016/679 · LOPDGDD (LO 3/2018)
CoverageBurgos · Aranda de Duero · Miranda de Ebro · Castilla y León
ServiceIn-person in Burgos and remote for day-to-day matters

Burgos has a diversified productive fabric: the agri-food industry — black pudding and cheese with protected designations of origin, large meat-processing groups in the metropolitan area — coexists with an automotive supply chain centred on multinationals such as Grupo Antolín, headquartered in the city, and with a growing hospitality sector linked to Burgos Cathedral (a UNESCO World Heritage Site) and the Camino de Santiago. All these organisations, regardless of their size or sector, process personal data of customers, employees and suppliers and are fully subject to the GDPR and the LOPDGDD.

Genuine compliance goes far beyond downloading a privacy policy from the internet. It means identifying what data the organisation processes, on what legal basis (art. 6 GDPR), for how long and under what contracts with data processors when information is shared with third parties — accountancy firms, cloud software providers, communications agencies. In Burgos, many SMEs had their first contact with the subject through the Kit Digital programme, but that minimum level does not guarantee real compliance in the event of an inspection or a complaint filed with the Spanish Data Protection Authority (AEPD — Agencia Española de Protección de Datos).

At Summum Consultoría we support organisations in Burgos, Aranda de Duero, Miranda de Ebro and across the province through the full compliance process. We draw up the Record of Processing Activities (art. 30 GDPR), review processor contracts, update information notices and define security measures proportionate to the risk. We do not act in place of the AEPD nor do we guarantee outcomes in enforcement proceedings, but we do ensure the organisation acts with the diligence required by law.

Ongoing support is as important as the initial implementation. When the AEPD publishes new sector-specific guidelines, when the company introduces a new processing activity or when a security incident occurs, having a dedicated data protection consultant in Burgos who knows the organisation inside out allows a rapid response without starting from scratch. For organisations that require it, we also cover the role of external Data Protection Officer (arts. 37–39 GDPR), with direct communication with the supervisory authority.

The Data Protection in Burgos process.

The process · four stages
01

Processing audit

We analyse the organisation's personal data flows: what information is collected, for what purpose, on what legal basis and with which third parties it is shared. The outcome is a processing map that forms the basis for the Record of Processing Activities (art. 30 GDPR) and for all subsequent compliance work.

02

Documentary and contractual implementation

We draw up the Record of Processing Activities, processor agreements (art. 28 GDPR) and information notices for customers and employees (arts. 13–14 GDPR), tailored to the organisation's actual operations — not generic templates.

03

Security measures and training

We define and document technical and organisational measures proportionate to the risk of each processing activity (art. 32 GDPR) and train staff in their basic obligations: access management, handling of customer information and responding to data subject requests or incidents.

04

Ongoing support and periodic review

We provide permanent support to resolve day-to-day queries, handle data subject rights requests (arts. 15–21 GDPR), manage security breaches and update documentation when the organisation introduces new processing activities or when the AEPD publishes criteria applicable to the sector.

What is included

What Data Protection in Burgos includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Record of Processing Activities

    Inventory of personal data processing operations required by article 30 of the GDPR, tailored to actual operations and updated whenever new processing activities are introduced.

  • Processor agreements

    Review and drafting of contracts with suppliers that access the organisation's data (art. 28 GDPR): accountancy firms, software platforms, security companies and marketing agencies.

  • Information notices and privacy policy

    Information clauses for customers and employees (arts. 13–14 GDPR), website privacy policy and cookie policy tailored to the organisation's specific activities.

  • Security measures (art. 32 GDPR)

    Definition and documentation of technical and organisational measures proportionate to the risk level: access control, password management, backups and internal security procedures.

  • External DPO

    External Data Protection Officer for organisations required by the GDPR or that choose this role as a permanent advisory arrangement, with direct communication with the AEPD.

  • Security breach management

    Incident response protocol: risk assessment, notification to the AEPD within 72 hours (art. 33 GDPR) where required, communication to affected individuals (art. 34) and documentary record of the incident.

Frequently asked questions about Data Protection in Burgos.

Which companies in Burgos are required to comply with the GDPR?

All organisations that process personal data are subject to the GDPR and the LOPDGDD, regardless of their size or sector. In Burgos, this ranges from a small restaurant managing reservations to an automotive supplier with an employee database, professional practices or retailers with loyalty programmes. What varies is the complexity of the measures required, which must be proportionate to the volume and sensitivity of the data processed.

What sanctions can the AEPD impose for non-compliance?

Article 83 of the GDPR establishes two tiers. The most serious infringements — processing data without a legal basis or breaching the GDPR's core principles — can lead to fines of up to €20 million or 4% of total annual global turnover. Less serious infringements — such as failing to maintain a formal record of processing activities or not having a processor agreement in place — can be sanctioned with up to €10 million or 2% of global turnover. The AEPD treats prior due diligence as a mitigating factor.

Is it mandatory for an SME in Burgos to appoint a DPO?

The obligation depends on the type of processing, not on size. Article 37 of the GDPR requires a DPO for public authorities and bodies, for those who carry out large-scale regular and systematic monitoring of data subjects, and for those who process special categories of data on a large scale. The LOPDGDD extends this obligation to sectors such as financial institutions, insurers and healthcare providers. For SMEs that are not obliged to appoint a DPO, an external DPO is an option that delivers permanent advisory support in a cost-efficient way.

Does the GDPR affect how companies in Burgos manage their employees' data?

Yes. Processing employment data — payroll, bank details, attendance tracking, CCTV or health data — requires an appropriate legal basis and express information to the worker. The LOPDGDD also regulates digital rights in the workplace (arts. 87–91): the right to privacy regarding the use of corporate devices, digital disconnection and video surveillance. Summum Consultoría supports companies in Burgos in adapting their HR procedures to these requirements.