A single administrative oversight can cost your organisation up to €10 million or 2% of its worldwide annual turnover, whichever is higher: failing to appoint a Data Protection Officer when the General Data Protection Regulation (GDPR) requires one is treated as a serious infringement. This is not a theoretical scenario. The Spanish Data Protection Authority (AEPD) has already sanctioned companies, Glovo among them, for exactly this failure, issuing a €25,000 fine in 2020 for not designating a DPO despite a legal obligation to do so.
In a landscape where the GDPR has been fully in force for years and the new EU Artificial Intelligence Act (AI Act) is rolling out its obligations in phases, the DPO role has evolved from a paperwork formality into a strategic pillar of data governance. This guide explains what a DPO is, when one is mandatory, what profile the regulation demands, how to choose between an internal and external model, and why the role is expanding further with the rise of AI.
What Is a Data Protection Officer (DPO) and What Does the GDPR Say?
The Data Protection Officer — DPO, or Delegado de Protección de Datos (DPD) in Spanish — is the person responsible for independently overseeing that an organisation processes personal data in compliance with applicable law. This is not a ceremonial title or a rebranded "GDPR manager": the GDPR assigns the DPO concrete advisory, supervisory and liaison functions with the supervisory authority.
The role is governed by Articles 37 to 39 of the GDPR (EU Regulation 2016/679), supplemented in Spain by Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD). The GDPR structures the DPO role around three axes:
- When to appoint (Article 37): the mandatory scenarios.
- The position held (Article 38): independence, resources and the absence of conflicts of interest.
- What the DPO does (Article 39): the minimum set of functions.
Unlike other compliance roles, the DPO enjoys reinforced protection: they cannot be dismissed or penalised for performing their duties and must report directly to the highest management level. That independence is, as we will see, the defining characteristic of the role.
The DPO does not decide on processing activities — they advise, monitor and supervise. Ultimate accountability for compliance remains with the data controller, i.e. the company's management.
When Is a DPO Mandatory? The Three Cases Under Article 37 and the LOPDGDD Article 34 List
This is the question that causes the most confusion, because the answer operates on two regulatory levels: the European (GDPR) and, in Spain, the national (LOPDGDD).
The Three Cases Under Article 37.1 of the GDPR
Article 37.1 of the GDPR requires the appointment of a Data Protection Officer in three situations:
- Public authorities and bodies. When processing is carried out by a public authority or body, with the sole exception of courts acting in their judicial capacity.
- Regular and systematic large-scale monitoring. When the core activities of the controller or processor consist of operations that, by their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale.
- Large-scale processing of sensitive data. When core activities involve large-scale processing of special categories of data (Article 9 GDPR: health, ethnic origin, political opinions, biometric data, etc.) or data relating to criminal convictions and offences (Article 10).
The practical difficulty is that concepts such as "large scale" or "regular and systematic monitoring" are deliberately open-ended. To address this, the Spanish legislature took an additional step.
The Article 34 LOPDGDD List
This is where Spain adds legal certainty. Article 34 of the LOPDGDD extends and clarifies the obligation by listing, in Article 34.1 points a) to p), 16 types of entities that must appoint a DPO in all cases, as the AEPD's own FAQ documentation confirms. These include:
| Sector / entity type | Common examples |
|---|---|
| Healthcare providers | Hospitals, clinics, laboratories |
| Financial and insurance entities | Banks, insurers, fund managers |
| Energy distributors and retailers | Electricity and gas companies |
| Private security firms | Surveillance, alarm systems |
| Online gambling operators | Betting platforms, digital casinos |
| Professional associations and their general councils | Bar associations, medical colleges |
| Educational centres and universities | Public and private, at any level of the education system |
| Advertising and commercial prospecting firms | Only when they profile data subjects or process data based on their preferences |
The implication is clear: even if a company is uncertain whether it falls within the open-ended GDPR categories, if it belongs to one of the sectors listed in Article 34 of the LOPDGDD the appointment is mandatory, leaving no room for interpretation. The only nuance is that a few entries carry a qualifier (advertising firms, for example, are caught only when they build profiles), so the exact wording of the point that applies to you should be checked rather than assumed.
The Obligation to Notify the AEPD
Appointing a DPO does not exhaust the compliance requirement. Under Article 34.3 of the LOPDGDD, controllers and processors must notify appointments, changes and terminations of their DPO to the AEPD (or to the relevant regional authority where one exists) within 10 days, and Article 37.7 of the GDPR additionally requires them to publish the DPO's contact details. The notification duty applies both to mandatory appointments and to voluntary ones: a company that chooses to appoint a DPO without being legally required to do so must also notify.
This notification creates a public register of DPOs that, in practice, allows the supervisory authority to check at a glance which organisations are compliant and which are not. It is also one of the channels through which the AEPD detects non-compliance.
DPO Functions and Profile: Independence, Expert Knowledge and Absence of Conflicts of Interest
The GDPR does not require a specific degree or mandatory certification to act as a Data Protection Officer. What Article 37.5 requires is that the DPO be appointed "on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices." In other words: demonstrable competence matters, not a credential for its own sake.
Expert Knowledge, Without Mandatory Certification
As sector reference materials — for example, analyses from Grupo Atico34 — clarify, a DPO does not need a mandatory certification, but must demonstrate specialised knowledge and genuine experience in data protection. In Spain, voluntary certification schemes accredited by ENAC under the AEPD framework exist and provide an additional quality signal, but they are not a legal requirement. The ideal profile combines:
- A solid legal grounding in the GDPR, the LOPDGDD and applicable sector-specific rules.
- Technical understanding of the organisation's information systems, security architecture and data flows.
- Communication skills to advise management and train staff at all levels.
The Minimum Functions Under Article 39
The GDPR assigns the DPO, as a minimum, the following functions:
- Inform and advise the controller, the processor and their employees on their obligations under data protection law.
- Monitor compliance with the GDPR, the LOPDGDD and internal policies, including the assignment of responsibilities, awareness-raising and staff training.
- Advise on and oversee Data Protection Impact Assessments (DPIAs).
- Cooperate with the supervisory authority (the AEPD) and act as the point of contact for it.
- Act as the contact point for data subjects on all issues related to the processing of their data and the exercise of their rights (this function stems from Article 38.4 rather than Article 39, but the AEPD treats it as a core part of the role).
Independence and Absence of Conflicts of Interest
Article 38 of the GDPR sets the conditions of the position: the DPO must be involved in all data protection matters in a timely manner, have access to adequate resources, receive no instructions on how to perform their tasks, and report directly to the highest management level. Furthermore, Article 38.6 allows the DPO to hold other tasks only if they do not result in a conflict of interest; in practice this excludes any position in which the DPO would determine the purposes and means of processing. This is why a Chief Marketing Officer, a Head of IT or a CFO can rarely serve as their own organisation's DPO: they would effectively be supervising themselves.
This independence requirement is one of the strongest arguments in favour of the external model, as we will see next. If your organisation is building out its overall compliance programme, the DPO role should sit within a broader data protection and GDPR compliance strategy that covers policies, records of processing activities and incident response procedures.
Internal vs External DPO: Costs, Trade-offs and How to Choose for Your Organisation
The GDPR permits both models: the DPO can be an employee of the organisation or an external professional engaged under a service contract. The choice is not trivial and depends primarily on the organisation's size, complexity and sector.
The Cost Factor
The financial difference is significant. According to analyses by Grupo Atico34, hiring an internal DPO in Spain can cost between €45,000 and €75,000 per year (salary, employer social security contributions, continuing education and tooling). By contrast, an external DPO is typically between three and ten times cheaper, which on those figures lets an SME save between €30,000 and €60,000 annually without sacrificing legal coverage.
Model Comparison
| Criterion | Internal DPO | External DPO |
|---|---|---|
| Indicative annual cost | €45,000–€75,000 | Three to ten times cheaper |
| Business knowledge | Very high — day-to-day immersion | Requires an onboarding phase |
| Independence | Risk of conflict of interest | Structurally more independent |
| Availability | Full-time dedication | Shared across clients |
| Regulatory updates | Organisation's responsibility | Included in the service |
| Absence / holiday cover | Vulnerable to service gaps | Covered by the provider's team |
| Best suited for | Large enterprises, highly regulated sectors | SMEs and mid-sized businesses |
Which to Choose
As a practical rule of thumb:
- Large enterprise or highly regulated sector (banking, healthcare, insurance, energy): the volume and sensitivity of processing activities typically justify an internal DPO, or even a team working under the DPO's direction.
- SME or mid-sized business: the external DPO offers the best balance of cost, independence and technical rigour. It avoids the conflict of interest that arises when an existing employee is given the DPO role on top of their operational duties, and it ensures continuity during absences or holidays.
Regardless of the model chosen, a DPO does not work in a vacuum: they need to rely on a functioning information security management system. Organisations already operating under a framework such as ISO 27001 certification have a head start, because many of the security controls, records and procedures the DPO must oversee are already documented and audited.
The DPO's New Role Under the EU AI Act: AI Governance and High-Risk Systems
The DPO role was designed for the world of personal data, but the rise of artificial intelligence is extending its scope of responsibility. The reason is straightforward: a large share of enterprise AI systems are trained on, or operate over, personal data, which places AI governance squarely within the DPO's existing mandate.
The AI Act Timeline
The EU Artificial Intelligence Act (AI Act, EU Regulation 2024/1689) entered into force on 1 August 2024 and applies in stages. Following the official timeline, as documented in analyses from firms such as Audidat:
- 2 February 2025: Chapters I and II begin to apply, covering the general provisions (including the AI literacy obligation) and the prohibited AI practices.
- 2 August 2025: Governance obligations, the rules on general-purpose AI (GPAI) models and most of the penalty provisions begin to apply.
- 2 August 2026: The bulk of the Regulation applies, including the obligations for high-risk AI systems listed in Annex III; high-risk systems embedded in products covered by the Annex I legislation follow on 2 August 2027.
This progression directly expands the DPO's role in AI risk assessment, because high-risk systems require risk management, data governance and documentation that overlap substantially with traditional data protection functions.
What Changes for the DPO?
Although the AI Act does not automatically turn the DPO into the "AI compliance officer," in practice the role takes on new responsibilities wherever AI processes personal data:
- Contributing to impact assessments that combine Data Protection Impact Assessment (DPIA) requirements with AI risk evaluation.
- Overseeing the quality and lawful basis of data used to train and run AI models.
- Monitoring transparency towards data subjects who interact with automated systems.
- Ensuring traceability of automated decisions and respect for the rights under Article 22 of the GDPR.
The AEPD itself has reinforced this connection. In 2025 it published a new guide on AI agents and the processing of personal data which, according to analysis by the firm ECIJA, strengthens the DPO's supervisory role over AI use involving personal data. The regulatory signal is unambiguous: the DPO of the near future will also be a central actor in AI governance.
Penalties for Not Appointing a DPO: What Your Organisation Is Risking and How to Comply
We return to the point that opened this guide — but now with full context. Failing to appoint a DPO when required is not a minor oversight: it is an infringement with real financial and reputational consequences.
The Penalty Framework
Under Article 83.4(a) of the GDPR, which covers breaches of the controller's and processor's obligations under Articles 25 to 39, failing to designate a Data Protection Officer when mandatory is punishable by fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher; Article 73 of the LOPDGDD classifies the same failure as a serious infringement. For a multinational company, that 2% can comfortably exceed the fixed ceiling.
The Glovo Case: Theory Becomes a Fine
The most cited precedent in Spain is Glovo. The AEPD imposed a €25,000 fine on GlovoApp in 2020 for failing to designate a DPO despite being legally obliged to do so, as documented in specialist analyses such as the case review by Trebia Abogados. The case is instructive for two reasons: it shows that the AEPD actively monitors this specific failure, and that sanctions can reach even companies with established legal departments.
How to Comply: Step by Step
To eliminate the risk, the path is straightforward:
- Assess whether you are obligated. Review the three cases under Article 37.1 of the GDPR and the 16-sector list under Article 34 of the LOPDGDD.
- Choose your model. Decide between an internal or external DPO based on your size, sector and budget.
- Appoint a competent profile. Evidence expert knowledge and genuine independence; avoid conflicts of interest.
- Notify the AEPD within 10 days. Do not overlook this formal obligation — it applies even to voluntary appointments.
- Provide adequate resources. Guarantee access to senior management, a working budget and the necessary tools.
- Prepare for AI. Evolve the DPO's role to meet the phased obligations of the AI Act.
Appointing a DPO is not the finish line — it is the starting point of a living compliance programme. The role only delivers value, and genuine protection against sanctions, when it is embedded in real data governance.
Conclusion
The Data Protection Officer has moved beyond a box-ticking exercise to become a strategic function that bridges GDPR compliance, information security and — increasingly — AI governance under the EU AI Act. For most European SMEs and mid-sized companies, the external model delivers the best balance of rigour, independence and cost; for large organisations in regulated sectors, a well-resourced internal DPO is essential. In both cases, what the supervisory authorities penalise is not uncertainty — it is inaction.
Not sure whether your organisation is required to appoint a DPO, or how to integrate this role into your compliance and AI governance strategy? At Technova Partners we help organisations design and implement robust data protection programmes — from DPO designation through to full GDPR and AI Act compliance. Talk to our compliance team and turn a legal obligation into a competitive advantage.