All public administrations and their related or dependent public bodies that act as personal data controllers or processors must appoint a data protection officer (DPO). This may be an employee of the public administration (internal DPO) or an organisation/company outside the public administration (external DPO).
The APDCAT must be notified of the appointment of the DPO using this form.
The obligation of public administrations to have a data protection officer does not apply to municipal companies governed by private law. However, such companies are subject to this obligation if their activity involves regular and systematic observation of people on a large scale, or if it involves the large-scale processing of special categories of data or data relating to criminal convictions and offences.
It is also mandatory if the company is engaged in any of the activities provided for in Article 34 of the LOPDGDD.
For more information on this issue, please refer to CNS ruling 39/2019.
Yes. According to the LOPDGDD, professional associations and their general councils must appoint a data protection officer.
The GDPR does not establish specific qualifications for data protection officers. However, they must have specialised knowledge of law, of national and European legislation and practices in the field of data protection, and in-depth knowledge of the GDPR. They also need to have experience in data protection to be able to identify the risks associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
Therefore, they must be selected bearing in mind the data processing operations that are carried out and the protection required for the personal data that is processed.
As well as this, they must have knowledge of the sector of activity in question, the organisation, the processing operations that are carried out and the information systems.
Is it possible to hire an external data protection officer? What guarantees must be adopted in this case?
The controller may contract the data protection officer services offered by a professional, organisation or company outside its organisational structure, provided that the professional competencies referred to in the GDPR are accredited and it can be guaranteed that there are no conflicts of interest.
The appointment of this external data protection officer must be formalised by means of a data processing contract, so that the officer can access the personal data required for carrying out their duties and for which the contracting Administration is the controller.
Once the data protection officer has been appointed, their contact details must be published so that they can be easily and directly contacted by data subjects. The APDCAT must also be informed of the appointment using this form.
For more information on this subject, please refer to ruling CNS 31/2018.
Can a municipal council appoint a body or person employed by the provincial council as its data protection officer?
Provincial councils are enabled to provide assistance and technical cooperation to municipal councils, and as such they may provide the services of a data protection officer to local entities. Municipal councils can appoint a body or person employed by the provincial council as their data protection officer, provided there is no conflict of interest.
For more information on this matter, see ruling CNS 23/2018.
The data protection officer may be a member of staff of the controller or processor, or perform their duties under a service contract. They may also perform tasks and functions other than those strictly related to the role of Data Protection Officer.
However, in order to guarantee independence in the performance of their duties, the controller or processor must ensure that the performance of these other tasks and functions does not give rise to any conflicts of interest. Consequently, a person who is also responsible for tasks that involve participating in the decision-making process regarding processing or its implementation, or in such crucial aspects as the implementation of security measures – as is the case of the head of information security – cannot be appointed as data protection officer.