Home / News / New obligations żDoes you company need a DPO?

New obligations żDoes you company need a DPO?

One of the obligations imposed by the new European Data Protection Regulation (GDPR) is the designation of a Data Protection Officer (DPO) when the company or entity that processes the data is included in one of the three following cases:

 The processing is carried out by a public authority / body (except for courts);

  The main activities of the controller or the processor consist in processing operations which require regular and systematic monitoring of data subjects on a large scale, or;

 The core activities of the controller or the processor consist in processing on a large scale of special categories of data. 

Now, the new Spanish data protection law states in its article 34 those entities required to appoint a data protection officer, which are:

*Professional associations and their general councils;

*Teaching centers, public and private universities;

*Entities that exploit networks and provide electronic communications services with large-scale data;

*Service providers of the information society when they develop large-scale profiles of service users;

*Entities included in article 1 of Law 10/2014, of June 26, on the Organization, Supervision and Solvency of Credit institutions;

*Credit financial establishments;

*Insurance and reinsurance entities;

*Investment services companies;

*Distributors and marketers of electric power and the distributors and marketers of natural gas;

*Responsible entities for assessing asset and credit solvency or fraud prevention, including prevention of money laundering and financing of terrorism; 

*Entities that develop advertising and commercial prospection when they carry out processing activities based on the preferences of those affected or perform activities that involve profiling;

*Health centers legally required to maintain patient`s medical records (except for those who exercise their activity individually);

*Entities that own as one of their objects the issuance of commercial reports that may refer to natural persons;

*Operators that develop the game activity through electronic, IT, telematic and interactive channels, in accordance with the rules of game regulation; 

*Private security 

*Sports federations when dealing with minors` data.

Beyond the mandatory assumptions, a company can appoint a DPO on a voluntary basis, by assessing that it will help the effective compliance with the GDPR and, therefore, demonstrate that it has fulfilled its obligation to enforce the organizational measures to ensure that the processing is in accordance with article 24.1. In effect, the appointment of a DPO is a positive image factor, which creates trust, as a preventive measure to guarantee the protection of a valuable asset such as the personal data of customers, users, employees ... Actually, the new data protection law contemplates the existence of a DPO as an assumption to take into account for the graduation of the sanction

At Abril Abogados we are experts in the enforcement of the regulations on Personal Data Protection and Privacy, advising companies, institutions and individuals. In addition, our office has been constituted as an External Data Protection Officer of important companies in which its existence is mandatory, and also of companies that voluntarily wish to have such figure as preventive advice.

The service offered by Abril Abogados includes face-to-face and remote (phone, email) advice for consultations and technical and legal advice, based on a number of hours previously agreed with the client.

You can request more information by sending an email to: ameseguer@abrilabogados.com


Suscribe online our Abril Informa
Agente de la Propiedad Industrial Colegiado