The Data Protection Officer (DPO) is one of the key figures in the General Data Protection Regulation (GDPR) in Spain.
It is important for companies to understand the role of the DPO and, above all, in which cases they are obligated to designate one. It is also beneficial for foreign companies to know the advantages of appointing a DPO in Spain.
Who is the Data Protection Officer (DPO)?
The DPO, or Data Protection Officer, is a professional who assists the data controller, data processor, and supervisory authority. They are a legal advisor specialized in data protection who ensures the proper application of the GDPR.
It is mandatory to appoint a Data Protection Officer when:
What are the tasks of the Data Protection Officer?
The DPO provides assistance to the company in conducting impact assessments. These assessments aim to identify risks early on and implement preventive measures. They should be carried out whenever data processing activities pose risks to the rights and freedoms of individuals.
These professionals must be involved in all matters relating to the protection of personal data. They should have access to the necessary information and tools to perform their duties.
The DPO's functions must be exercised independently, so the data controller and data processor must ensure that the DPO does not receive instructions regarding the performance of their tasks. Naturally, this level of autonomy subjects the DPO to a strict regime of confidentiality.
Basic functions of the DPO According to the GDPR, the basic functions of the DPO include:
What requirements must a DPO fulfill?
The General Data Protection Regulation emphasizes that the DPO must be capable of carrying out their functions independently. This does not prohibit them from being an employee of the company itself, but it emphasizes the necessary autonomy that should characterize this role in order to provide services correctly.
The contact details of the Data Protection Officer must be made public. It is important to provide these details when obtaining data directly from the data subject or from third parties. They should also be recorded in the records of processing activities and in communications of security breaches.
The appointment of the DPO is based on their professional qualities and specialized knowledge of data protection law and practices.
The appointment of the DPO When appointing a Data Protection Officer, corporate groups can choose a single professional as long as they are easily accessible from each establishment. Therefore, it is important for foreign companies to have DPOs in Spain who can work for all the company's branches, subsidiaries, or offices in the country.
Why should I appoint a DPO in Spain if my company is foreign?
As mentioned earlier, the GDPR rewards the accessibility of the Data Protection Officer. This allows them to provide their services to different entities under the same parent company.
In addition, most of the DPO's tasks require cooperation with the supervisory authority (in our case, the AEPD). Therefore, it is beneficial for these professionals to be familiar with the organizational structure, procedures, and administrative practices of the authority.
It is also advantageous for the DPO to be fluent in Spanish, as they will not only have to interact with the AEPD but also with all stakeholders of the company.
Lastly, training and awareness tasks require knowledge of the local culture. Specifically, Spanish companies tend to overlook data protection (although this trend is decreasing). This means that the DPO must effectively convey the importance of respecting what is ultimately a fundamental right for European Union citizens.
How do I choose my Data Protection Officer?
Since a professional criterion must be followed when appointing a DPO, it is common to select a lawyer specialized in data protection. Their deep understanding of the regulatory framework at the community level will provide the company with the necessary legal certainty in this matter.
However, it should be noted that there are different ways to incorporate legal professionals or teams into the company. Traditionally, the creation of in-house teams has been chosen, which has proven to be extremely rigid at times.
At Attolon, as an ALSP (Alternative Legal Service Provider), we are proposing a new way of working in the legal sector. We are a legal outsourcing company (legal staffing) that has specialized lawyers in various areas of law and can create ad hoc teams that perfectly meet our clients' needs.
If you need a Data Protection Officer or DPO in Spain, we recommend that you contact us. We will explain how legal staffing can help you achieve a more specialized and technical service with a reduced, streamlined, and transparent cost policy.