Canarias

GDPR Consulting in Las Palmas de Gran Canaria

Las Palmas de Gran Canaria is home to the largest business community in the Canary Islands: international tourism, companies operating under the Canary Islands Special Zone (ZEC — Zona Especial Canaria), Atlantic trade, and a growing healthcare and education sector. All these organisations are subject to Regulation (EU) 2016/679 — the GDPR — and to the LOPDGDD (Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights), with the same obligations as any other Spanish company. Summum Consultoría supports businesses and entities in Las Palmas throughout their GDPR compliance journey: gap analysis, implementation, external DPO and ongoing maintenance, delivered primarily remotely with occasional on-site visits when the project requires it.

Applicable lawGDPR (EU) 2016/679 · LOPDGDD 3/2018
CoverageLas Palmas de Gran Canaria and service area across the Canary Islands
Supervisory authorityAEPD — Spanish Data Protection Agency (Agencia Española de Protección de Datos)

Las Palmas de Gran Canaria hosts one of the most dynamic business ecosystems in the Atlantic: the Canary Islands Special Zone (ZEC) attracts internationally active companies that process personal data belonging to customers, suppliers and employees from multiple countries; the Port of La Luz is one of the busiest in the South Atlantic; and the tourism sector — with millions of overnight stays each year in hotels, apartments and holiday rentals — processes guest data from across Europe and beyond on a daily basis. Private clinics, professional offices, educational institutions and a network of commercial SMEs add to this ecosystem, collectively generating enormous volumes of personal data. For all of them, compliance with the GDPR and the LOPDGDD is not optional: it is a legal obligation enforceable from the very first data processing activity.

Unlike Catalonia, the Basque Country or Andalusia, the Canary Islands do not have a regional data protection authority of their own. The competent supervisory authority for all companies and entities established in the archipelago — including those operating under the Cabildo de Gran Canaria and the Government of the Canary Islands — is the AEPD (Agencia Española de Protección de Datos), headquartered in Madrid. Complaints from Canarian citizens and enforcement proceedings are handled by the AEPD under the same timelines and criteria that apply across all other autonomous communities. This means the regulatory framework is identical to that of the rest of Spain: GDPR obligations apply with the same intensity in Gran Canaria as in Valladolid or Burgos, and so does the penalty regime under Article 83 of the GDPR.

The sectors with the greatest compliance risk in Las Palmas are hospitality and tourism — processing of international guest data, CCTV in premises and use of booking management platforms —, private clinics and health centres handling special category data, advisory firms and professional offices acting as data processors on behalf of third parties, residents' associations in tourist developments, and e-commerce businesses serving European customers. The Government of the Canary Islands and the Cabildo de Gran Canaria are also driving digitalisation projects — e-government, shared electronic health records, tourism management platforms — in which private collaborators must comply with GDPR requirements as data processors.

Summum Consultoría delivers data protection services in Las Palmas primarily on a remote basis, using video calls for the gap analysis and planning phases, secure platforms for document exchange, and continuous support. For more complex projects — on-site audits, face-to-face team training, implementation of physical security measures — we arrange targeted visits. This model allows Canarian businesses to access expert guidance without the travel costs associated with a consultancy that maintains a permanent physical presence. We have been supporting organisations on data protection matters since 2007, and since the GDPR entered into force, guiding them through Regulation compliance; our experience in the tourism sector enables us to bring a practical, island-adapted approach to every engagement.

The GDPR Consulting in Las Palmas de Gran Canaria process.

The process · four stages
01

Compliance gap analysis

We analyse the organisation's data processing activities, existing documentation, implemented security measures and relationships with third parties (data processors). The output is a gap analysis report identifying compliance shortfalls, ranked by risk level and accompanied by prioritised recommendations tailored to the organisation's sector and size.

02

GDPR compliance plan

Building on the gap analysis, we design the compliance plan: the record of processing activities (art. 30 GDPR), legal bases for each processing activity, information documentation (privacy policy, notices, forms), data processing agreements with processors (art. 28 GDPR) and assessment of whether a Data Protection Impact Assessment is required. We agree the implementation timeline with the organisation.

03

Implementation and training

We accompany the implementation of every element in the plan: we draft the documentation, advise on technical and organisational security measures, and train the team on their GDPR obligations and internal procedures. Training is tailored to the profile and sector of each organisation — the programme for a hotel differs from that designed for a clinic or a law firm.

04

Ongoing maintenance and review

GDPR compliance is not a one-off project: processing activities change, regulations evolve and the AEPD publishes guidelines and resolutions that update compliance criteria. We provide a maintenance service that includes periodic system review, documentation updates, handling of data subjects' rights requests and support for any incident or query that arises in day-to-day operations.

What is included

What GDPR Consulting in Las Palmas de Gran Canaria includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Record of processing activities

    Preparation and maintenance of the record of processing activities (art. 30 GDPR): a complete inventory of all data processing activities, including purposes, legal bases, data categories, recipients and retention periods adapted to the organisation's activities in Las Palmas.

  • Privacy documentation

    Drafting or review of the privacy policy, legal notice, information notices and data collection forms, adapted to the GDPR, the LOPDGDD and the organisation's specific activity: tourism, healthcare, retail, professional services or others.

  • Data processing agreements

    Identification of suppliers acting as data processors — booking platforms, point-of-sale systems, accountants, cloud software — and drafting or review of the Article 28 GDPR contracts governing their access to the organisation's data.

  • External DPO (Data Protection Officer)

    External Data Protection Officer service for organisations required to appoint one under Article 37 of the GDPR — public authorities, clinics, educational centres, security companies — or that wish to strengthen their compliance with a qualified point of contact before the AEPD.

  • Data subjects' rights management

    Internal procedure for handling within the statutory deadlines all requests for access, rectification, erasure, objection, portability and restriction of processing that may be submitted by employees, customers, guests and any other individuals whose data the organisation processes.

  • Team training and awareness

    Training sessions for staff on GDPR obligations, good data handling practices and the organisation's internal procedures, tailored to the sector — hospitality, healthcare, retail, services — and to the profile of the attendees.

Frequently asked questions about GDPR Consulting in Las Palmas de Gran Canaria.

Do companies established in Las Palmas have the same data protection obligations as those on the Spanish mainland?

Yes. The GDPR (EU 2016/679) and the LOPDGDD (Organic Law 3/2018) apply throughout Spanish territory, including the Canary Islands archipelago, with identical scope and without any exceptions based on geographical location. Companies in Las Palmas de Gran Canaria must fulfil the same obligations as any other Spanish company: record of processing activities, information to data subjects, valid legal bases, adequate security measures and procedures to handle data subjects' rights requests, among others.

Does the Canary Islands have its own data protection agency?

No. Unlike Catalonia (Autoritat Catalana de Protecció de Dades), the Basque Country (Agencia Vasca de Protección de Datos) or Andalusia (Consejo de Transparencia y Protección de Datos de Andalucía (CTPDA)), the Canary Islands does not have a regional supervisory authority for data protection matters. The competent supervisory authority for all companies and entities established in the archipelago is the AEPD (Agencia Española de Protección de Datos). Complaints from Canarian citizens and enforcement proceedings against companies in the islands are handled entirely by the AEPD.

Which sectors in Las Palmas face the greatest risk of GDPR fines?

The sectors subject to the highest volume of AEPD enforcement actions across the country include CCTV with an excessive angle or without the required information signage, sending commercial communications without valid consent and processing personal data without a sufficient legal basis. In Las Palmas, the tourism and hospitality sector — handling large volumes of international guest data and routinely using cameras in premises — and e-commerce businesses are particularly exposed. The penalty regime under Article 83 of the GDPR provides for fines of up to €20 million or 4% of total global annual turnover, although the AEPD takes the size and financial capacity of the company into account when determining the penalty.

When is it mandatory to appoint a Data Protection Officer (DPO) in Las Palmas?

Article 37 of the GDPR establishes the obligation to appoint a DPO for public authorities and bodies, for controllers or processors carrying out large-scale systematic monitoring of individuals, and for those processing special categories of data on a large scale — health, biometrics, ethnic origin, political opinions, criminal convictions data. In Las Palmas, private clinics and medical centres, educational institutions with large student populations, private security companies and large accommodation operators may fall within one of these cases. The appointment of the DPO must be communicated to the AEPD through its electronic office.

How does Summum Consultoría's data protection service work in Las Palmas?

The service is delivered primarily on a remote basis: initial gap analysis by video call, document exchange and review via secure platforms, and ongoing support by email and phone. For projects requiring physical presence — on-site audits, face-to-face training for senior management or implementation of physical security controls — we arrange targeted visits. This model allows Canarian businesses to receive the same level of expert support as companies in Castilla y León, where Summum Consultoría has a direct presence, without unnecessary travel costs in day-to-day operations.