Canarias

Outsourced DPO in Las Palmas

Summum Consultoría is the only firm in the group's data protection practice with a physical presence in the Canary Islands: we act as outsourced Data Protection Officer (DPO) from Las Palmas de Gran Canaria for hotels and tourist accommodation, retail, clinics, schools and companies operating under the Canary Islands Special Zone (ZEC) across both provinces of the archipelago. Formal registration with the Spanish Data Protection Agency (AEPD), a breach channel answered in under 24 hours, and a DPO you can call and, when it helps, meet in person — not an account managed from the mainland with no one on the ground.

Applicable rulesGDPR art. 37 · LOPDGDD art. 34
Supervisory authorityAEPD — Spanish Data Protection Agency
Location and coveragePresence in Las Palmas de Gran Canaria · Service across the whole Canary archipelago

The Canary Islands have no regional data protection authority of their own: complaints and sanction proceedings against any organisation established in Las Palmas de Gran Canaria, in Tenerife or on any other island are handled by the AEPD, based in Madrid, under the same deadlines, criteria and sanction regime of Article 83 GDPR as anywhere else in Spain. The distance from the mainland doesn't reduce the obligation or the exposure to risk; in practice, it puts many organisations further from the natural point of contact that companies elsewhere in Spain rely on.

A growing number of organisations across the archipelago are legally required to appoint a DPO under Article 37 GDPR and Article 34 LOPDGDD: private clinics and health centres, schools offering officially regulated education at any level, insurers and financial entities, private security firms, and any public-sector body or entity, including town councils and organisations dependent on the Cabildo of Gran Canaria. Many others benefit from having this role even where it isn't mandatory: hotels and tourist apartments running loyalty programmes and CCTV systems, travel agencies, real estate agencies, retailers with customer profiling, and companies under the ZEC tax regime that handle customer and supplier data from outside the archipelago. The role formalises the point of contact with the AEPD and gets ahead of what many large clients now require before signing a contract.

Summum Consultoría carries out this role with a physical presence in Las Palmas de Gran Canaria — the only one within the group's data protection practice in the Canary Islands — with operational coverage that also reaches Tenerife and the rest of the islands. We act as a registered third party before the Agency, with different templates and procedures for each sector: we don't apply the same protocol to a hotel in Playa del Inglés as to a clinic in central Las Palmas, a professional firm or a tech company set up under the ZEC regime. When a project calls for it — an initial audit, staff training, preparing for an inspection — we arrange an in-person meeting; the rest of the relationship runs on a direct channel, not a generic form.

This service does not replace full GDPR adequacy when an organisation is starting from zero — for that, see our data protection service in Las Palmas, which covers the records of processing, privacy policies and agreements with suppliers and booking platforms. The outsourced DPO is the layer added on top once the appointment is mandatory for your sector, or when the organisation wants to strengthen its system with a role formally registered with the AEPD and able to liaise with it directly, without relying on a manager who has never set foot on the island.

The Outsourced DPO in Las Palmas process.

The process · four stages
01

Sector diagnosis in the Canary Islands

We review your organisation's personal data processing and check whether appointing a DPO is mandatory under Article 37 GDPR and Article 34 LOPDGDD, or a recommended improvement for your case, paying close attention to tourism, retail and companies under the ZEC regime.

02

Formal registration with the AEPD

We register the appointment on the Spanish Data Protection Agency's electronic office and notify the DPO's contact details as required by Article 37(7) GDPR, with an in-person meeting in Las Palmas when the project calls for it.

03

Ongoing operation

A breach channel available in under 24 hours, handling of staff queries, periodic review of the records of processing, and yearly training, tailored to hospitality, retail or healthcare as the case may be.

04

Yearly drill and audit

One breach drill a year and a compliance review with a written record, so you reach any AEPD inspection with the work already done, regardless of the distance to the Agency's headquarters.

What is included

What Outsourced DPO in Las Palmas includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Appointment and notification to the AEPD

    Formal registration as DPO before the Spanish Data Protection Agency and notification of the appointment to the organisation's governing body, as required by Article 37(7) GDPR.

  • Breach channel under 24h with local support

    A direct point of contact, not an offshored call centre: in Las Palmas you can speak to the person acting as DPO, someone who knows the local business fabric.

  • Review of the records of processing

    Maintenance of the Article 30 GDPR document, updated whenever the organisation introduces a new processing activity, such as a booking platform or a CCTV system.

  • Yearly training tailored to the sector

    A staff training session, delivered in person in Las Palmas when the project calls for it or remotely for organisations spread across several islands.

  • Liaison with the AEPD

    The DPO acts as the single point of contact with the Agency: responding to requests and supporting the organisation if an investigation is opened, without the friction of managing it remotely with no knowledge of the case.

  • Handling data subjects' rights

    Procedure and response templates for access, rectification, erasure, objection, portability and restriction within the timelines of Article 12 GDPR, including requests from guests and customers based outside Spain.

Frequently asked questions about Outsourced DPO in Las Palmas.

Is a DPO mandatory for my company because it's based in Las Palmas?

It depends on the sector, not the archipelago: the obligation is set by Article 37 GDPR and Article 34 LOPDGDD (health centres required to keep clinical records, schools offering regulated education, professional associations, credit institutions and insurers, private security firms, among others; public authorities and bodies are required in all cases under Article 37(1)(a) GDPR), regardless of whether the organisation is in the Canary Islands or on the mainland. We check this during the free initial diagnosis. You can also read our guide on when an outsourced DPO is mandatory (in Spanish).

Does Summum Consultoría have a real presence in Las Palmas, or is this managed from the mainland?

We have a physical presence in Las Palmas de Gran Canaria, the only one within the group's data protection practice in the archipelago. For the initial diagnosis, staff training or any query you'd rather handle face to face, we arrange an in-person meeting; the rest of the relationship runs on direct phone and video-call support, without going through an offshored call centre.

Does the outsourced DPO in Las Palmas also cover my offices in Tenerife?

Yes. The service covers the whole organisation regardless of where its offices are located within the archipelago; we also provide outsourced DPO services in Tenerife for companies operating in the western province.

What's the difference between this service and GDPR adequacy in Las Palmas?

GDPR adequacy builds the full compliance system (records, policies, contracts); the outsourced DPO is the formal supervisory role before the AEPD. If your organisation doesn't yet have the system in place, we usually start with GDPR adequacy in Las Palmas and add the DPO once the sector requires it.

Do companies under the ZEC regime need different data protection treatment?

GDPR and LOPDGDD apply equally regardless of a company's tax regime, but organisations under the Canary Islands Special Zone typically handle customer, supplier and staff data from several countries, which calls for a closer look at international transfers and agreements with processors based outside Spain. We factor this into the initial diagnosis.

How is a security breach handled if it happens outside office hours in the Canary Islands?

The breach channel is available in under 24 hours regardless of the time zone; we assess the risk to those affected and, where required, notify the AEPD within the 72-hour window set by Article 33 GDPR, with the added advantage that our team knows first-hand the kind of processing activities common in Canary Islands hospitality and retail.

How much does an outsourced DPO in Las Palmas cost?

We don't publish a fixed rate because it depends on the organisation's size, the number of processing activities and any sector-specific requirements. We confirm it on the initial call or meeting. You can check the variables that move the price in our article on outsourced DPO pricing (in Spanish).