Las Palmas de Gran Canaria hosts one of the most dynamic business ecosystems in the Atlantic: the Canary Islands Special Zone (ZEC) attracts internationally active companies that process personal data belonging to customers, suppliers and employees from multiple countries; the Port of La Luz is one of the busiest in the South Atlantic; and the tourism sector — with millions of overnight stays each year in hotels, apartments and holiday rentals — processes guest data from across Europe and beyond on a daily basis. Private clinics, professional offices, educational institutions and a network of commercial SMEs add to this ecosystem, collectively generating enormous volumes of personal data. For all of them, compliance with the GDPR and the LOPDGDD is not optional: it is a legal obligation enforceable from the very first data processing activity.
Unlike Catalonia, the Basque Country or Andalusia, the Canary Islands do not have a regional data protection authority of their own. The competent supervisory authority for all companies and entities established in the archipelago — including those operating under the Cabildo de Gran Canaria and the Government of the Canary Islands — is the AEPD (Agencia Española de Protección de Datos), headquartered in Madrid. Complaints from Canarian citizens and enforcement proceedings are handled by the AEPD under the same timelines and criteria that apply across all other autonomous communities. This means the regulatory framework is identical to that of the rest of Spain: GDPR obligations apply with the same intensity in Gran Canaria as in Valladolid or Burgos, and so does the penalty regime under Article 83 of the GDPR.
The sectors with the greatest compliance risk in Las Palmas are hospitality and tourism — processing of international guest data, CCTV in premises and use of booking management platforms —, private clinics and health centres handling special category data, advisory firms and professional offices acting as data processors on behalf of third parties, residents' associations in tourist developments, and e-commerce businesses serving European customers. The Government of the Canary Islands and the Cabildo de Gran Canaria are also driving digitalisation projects — e-government, shared electronic health records, tourism management platforms — in which private collaborators must comply with GDPR requirements as data processors.
Summum Consultoría delivers data protection services in Las Palmas primarily on a remote basis, using video calls for the gap analysis and planning phases, secure platforms for document exchange, and continuous support. For more complex projects — on-site audits, face-to-face team training, implementation of physical security measures — we arrange targeted visits. This model allows Canarian businesses to access expert guidance without the travel costs associated with a consultancy that maintains a permanent physical presence. We have been supporting organisations on data protection matters since 2007, and since the GDPR entered into force, guiding them through Regulation compliance; our experience in the tourism sector enables us to bring a practical, island-adapted approach to every engagement.