Castilla y León

Data Protection in Salamanca

Salamanca hosts a diverse business and professional ecosystem — law firms, clinics, accountancy practices, agri-food companies and entities connected to the University of Salamanca — in which the processing of personal data is a daily activity and compliance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD) is a legal obligation. At Summum Consultoría we guide Salamancan organisations through their compliance journey: we diagnose their current situation, implement the documentation the law requires and help them maintain compliance over time.

Applicable regulationGDPR (EU) 2016/679 · LOPDGDD Organic Law 3/2018
CoverageSalamanca and province · Castilla y León
Service deliveryIn-person and remote

Salamanca is a service-oriented, knowledge-based city whose daily activity generates a constant flow of personal data. SMEs and self-employed professionals across the province — from medical practices and physiotherapists to accountancy firms, language schools and hotels in the historic quarter — process data belonging to clients, employees and suppliers that falls under the GDPR. The obligation does not depend on company size: any business that collects an email address, manages payroll or retains client records must comply with the regulation, document that compliance and be able to demonstrate it to the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD).

The Salamancan healthcare sector — anchored by the University Care Complex of Salamanca (Complejo Asistencial Universitario de Salamanca, CAUSA) as the main public reference, and complemented by a dense network of private clinics, psychology practices and physiotherapy centres — is subject to heightened obligations, as health data constitutes a special category under art. 9 of the GDPR. Similarly, the city's law firms and solicitors — with a deep legal tradition tied to one of Spain's oldest law faculties — handle particularly sensitive information requiring confidentiality clauses, data-processor agreements and rigorous internal protocols. The agri-food sector, with emblematic products such as Guijuelo Iberian ham and Arribes del Duero wines, is increasingly adding direct sales channels and e-commerce operations that bring additional obligations under Spain's Information Society Services Act (LSSI) and the GDPR itself with regard to buyer data.

At Summum Consultoría we support Salamancan organisations from a practical standpoint: we start with a genuine diagnostic that identifies ongoing processing activities, missing documentation and priority risks. From there we implement the record of processing activities (art. 30 GDPR), adapt information clauses, review website privacy policies, formalise agreements with suppliers acting as data processors (art. 28 GDPR) and train the team. We do not guarantee a specific outcome before the AEPD, but we do ensure that the organisation will be able to demonstrate, in the event of an inspection, that it has acted diligently and with full documentation — as required by the accountability principle of art. 5.2 of the GDPR.

The Data Protection in Salamanca process.

The process · four stages
01

Initial compliance diagnostic

We analyse the organisation's data processing activities, existing documentation and actual level of compliance with the GDPR and LOPDGDD. We identify priority gaps and draw up a concrete action plan with timelines and responsible parties, tailored to the size and sector of the Salamancan business.

02

Documentary compliance

We draft or update the record of processing activities (art. 30 GDPR), information clauses (arts. 13-14 GDPR), the website privacy policy, data-processor agreements (art. 28 GDPR) and internal procedures. We also review the technical and organisational security measures in place.

03

Team training and implementation

We work alongside staff to put the implemented procedures into practice: handling data subject rights requests, identifying potential security breaches and using digital tools correctly. Training is delivered in person or online, depending on the client's needs.

04

Ongoing compliance monitoring

The GDPR is a living system: when business activities change, new suppliers come on board or new technologies are adopted, documentation must be updated. We offer periodic reviews, day-to-day query support and assistance in the event of an incident or an AEPD requirement.

What is included

What Data Protection in Salamanca includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Record of processing activities

    A complete inventory of the organisation's data processing activities (art. 30 GDPR): purposes, legal bases, data categories, recipients and retention periods, ready to be presented to the AEPD.

  • Information clauses and consent management

    Drafting and reviewing privacy notices for forms, contracts and client and employee records, in line with the transparency requirements of arts. 13 and 14 of the GDPR and tailored to the sector of activity.

  • Data-processor agreements

    Review and formalisation of agreements with suppliers who access personal data (art. 28 GDPR): management software, external accountants, IT companies, email marketing platforms or any other processor.

  • Privacy policy and legal notice

    Adaptation of the website's legal texts to the GDPR and LSSI: privacy policy, cookie policy, legal notice and configuration of the consent banner in line with AEPD guidelines.

  • Data subject rights management

    Implementation of channels and procedures for handling access, rectification, erasure, restriction, portability and objection requests (arts. 15-22 GDPR) within the one-month deadline set out in art. 12 of the GDPR.

  • Security breach protocol

    Design and implementation of the internal procedure for detecting and managing incidents affecting personal data, including notification to the AEPD within 72 hours (art. 33 GDPR) and communication to data subjects when the risk is high (art. 34 GDPR).

Frequently asked questions about Data Protection in Salamanca.

Which businesses in Salamanca are required to comply with the GDPR?

Every organisation — company, self-employed professional, association, clinic or law firm — that processes personal data in the course of its activities is subject to the GDPR and the LOPDGDD, regardless of its size or sector. In Salamanca this covers everything from physiotherapy practices to tax advisory firms, as well as estate agents, language schools, hospitality businesses and agri-food companies with an online shop. The obligation arises from the processing of data, not from turnover or number of employees.

Is it mandatory to appoint a Data Protection Officer for my business?

Appointing a DPO is mandatory in the cases set out in art. 37 of the GDPR and art. 34 of the LOPDGDD: among others, private healthcare centres, insurance entities, organisations structured as companies that process data on a large scale, and educational institutions. Outside these mandatory cases, appointing an external DPO is good practice that provides legal certainty and a dedicated expert point of contact with the AEPD.

What penalties can the AEPD impose for GDPR non-compliance?

Art. 83 of the GDPR establishes a tiered sanctions regime. The most serious infringements — processing data without an adequate legal basis or violating data subjects' rights — may be sanctioned with fines of up to 20 million euros or 4% of total annual worldwide turnover. Less serious infringements carry a ceiling of 10 million euros or 2% of turnover. The LOPDGDD also provides for a formal warning as an alternative to a fine for SMEs in certain remediable situations (art. 58.2 GDPR). Summum Consultoría helps organisations implement measures that reduce the risk of committing these infringements.

Does Summum Consultoría offer in-person services in Salamanca?

Yes. Although our main office in Castilla y León is located in Valladolid, we serve organisations throughout the region, including Salamanca and its province, both in person — travelling to the client's premises — and remotely. The bulk of documentary compliance work and periodic follow-up is handled efficiently by digital means, without any reduction in the depth or quality of our support.

What happens if the AEPD inspects my business in Salamanca?

In the event of an inspection — triggered by a data subject complaint or on the regulator's own initiative — the organisation must be able to demonstrate that it has taken proactive compliance measures. The accountability principle of art. 5.2 of the GDPR requires that compliance not only exists but can be proven with documentation: an up-to-date record of processing activities, signed data-processor agreements, current information clauses and evidence of staff training. At Summum Consultoría we prepare organisations to respond to any AEPD requirement with a solid, well-organised compliance file.