Article 37 of the GDPR defines the Data Protection Officer as the person with expert knowledge of data protection law and practice who informs and advises the controller or processor, monitors compliance with the Regulation, cooperates with the supervisory authority and acts as its contact point. Article 38(3) requires the DPO to act independently: they must not receive instructions on how to carry out their tasks, may not be dismissed or penalised for performing them, and must report directly to the highest management level of the organisation. This is not a decorative role added to an org chart to tick a box; it is a function with concrete legal guarantees.
The obligation to appoint one has two layers. Article 37(1) GDPR imposes it in three general cases: where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; where the core activities of the controller or processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of large-scale processing of special categories of data (Art. 9 GDPR) or data relating to criminal convictions and offences (Art. 10 GDPR). Article 34 of the Spanish LOPDGDD broadens this obligation in Spain to an additional list of controllers, regardless of whether the GDPR's general criteria are met: professional associations, entities operating large-scale electronic communications networks, information-society service providers that build large-scale profiles, entities in the financial, insurance and investment-services sectors, electricity and gas distributors, entities responsible for creditworthiness files, advertising and commercial-prospecting companies that build profiles, healthcare facilities legally required to keep medical records, and — the case most often misinterpreted — educational establishments.
The most common mistake is assuming that the obligation for schools depends on whether they process minors' data. It does not: Article 34.1.b) of the LOPDGDD designates as obliged entities "educational establishments offering regulated education under Organic Law 2/2006 of 3 May on Education, as well as public and private universities". The legal test is whether the education is regulated under Spain's Education Act (LOE), not the age of the students: the obligation covers pre-school, primary and secondary schools, vocational training centres, and also public and private universities, whose students are predominantly adults. It is one of the LOPDGDD Article 34 categories most frequently overlooked, precisely because of that misunderstanding.
Summum Calidad does not treat the DPO as an isolated appointment with a notarised seal, but as a function integrated into the information security management system and, where one exists, into the privacy PIMS of ISO/IEC 27701:2025. That means defining the DPO's position on the org chart, documenting their responsibilities as the standard itself requires, ensuring they have the resources needed to carry out their role, guaranteeing the direct reporting line to top management required by Article 38(3) GDPR, and involving them in risk analysis, internal audit and management review. A DPO with no management system behind them has little to oversee; a DPO embedded in the ISMS/PIMS moves from being a reactive figure to being an active participant in the continuous improvement cycle.
Specific training matters just as much as organisational position. The DPO must have in-depth knowledge of the GDPR, the LOPDGDD and the management system they rely on, and must keep that knowledge current as the regulatory landscape evolves. Avoiding conflicts of interest is equally important: Article 38(6) GDPR, read together with the independence principle of Article 38(3), makes the DPO role incompatible with any position that determines the purposes and means of data processing — they should not, for example, simultaneously be the person who decides which marketing or IT tools are deployed. We document these guarantees within the system as well, together with the formal appointment and its notification to the AEPD.
If what your company needs is precisely the pure outsourced-DPO service — the person appointed, trained and registered with the AEPD who performs that function for you — that is exactly the outsourced DPO service provided by our sister division, Summum Consultoría. Summum Calidad comes in when you want that role, whether internal or external, to rest on a real data protection management system — with a record of processing activities, procedures and audit — rather than on the appointment alone.