Protection of personal data

It is a new figure incorporated by the RGPD (General Data Protection Regulation), a specialist in Data Protection Law, which is configured alongside the figures of the data controller and the data processor.

The controller and the processor shall ensure that the DPO is involved in an appropriate and timely manner in all matters relating to the protection of personal data. Support you in the performance of your duties by providing you with the necessary resources and access to personal data and processing operations. Likewise, they shall guarantee the independence of the DPD, who may not be dismissed or sanctioned for the performance of his duties, unless he is guilty of fraud or gross negligence.

The interested parties may contact the DPD in relation to the processing of their personal data and the exercise of their rights, and the DPD shall maintain confidentiality in its functions, without prejudice to the possibility of being part of the staff performing other tasks, provided that they do not give rise to a conflict of interest.

The functions of the DPD are as follows:

• Inform and advise the controller or processor and its employees of their obligations, derived from both European and Spanish legislation.
• Monitor compliance with such legislation and with the controller’s or processor’s policies on personal data protection, including the allocation of responsibilities, awareness and training of personnel involved in processing operations and related audits.
• Provide advice as requested on the data protection impact assessment and monitor its implementation in accordance with the law.
• Cooperate with the supervisory authority (Spanish Data Protection Agency).
• To act as a point of contact for the supervisory authority for questions relating to processing and to consult, where appropriate, on any other matter.

The controller and the processor shall appoint a DPO provided that:

• The processing is carried out by a public authority or body, except for courts acting in the exercise of their judicial function
• The main activities of the controller or processor consist of processing operations requiring regular and systematic observation of data subjects on a large scale
• The main activities of the controller or processor consist of large-scale processing of special categories of personal data (art. 9 LOPD) and of data relating to criminal convictions and offenses (art. 10 LOPD).
• Or in the case of any of the entities listed in Article 34 of the LOPD.

A business group may appoint a single DPD as long as it is easily accessible from each establishment.

Where the controller or processor is a public authority or body, a single DPO may be appointed for several such authorities or bodies, taking into account their organizational structure and size.

In different cases, the controller or processor or associations and other bodies representing categories of controllers or processors may appoint a DPO or must appoint a DPO if required by Union or Member State law. The DPD may act on behalf of these associations and other bodies representing controllers or persons in charge.

The DPO shall be appointed on the basis of his/her professional qualifications and, in particular, his/her specialized knowledge of data protection law and practice and his/her ability to perform the above-mentioned duties.

Compliance with the requirements established by law for the appointment of the DPO, whether a natural or legal person, may be demonstrated, among other means, through voluntary certification mechanisms that will take into account the obtaining of a university degree that accredits expertise in data protection law and practice.

The DPD will act as the interlocutor of the data controller or data processor before the Spanish Data Protection Agency and the regional data protection authorities. It may inspect the procedures related to its functions and issue recommendations within the scope of its competencies.