In León, the obligation to appoint a DPO doesn't depend on being based in the capital or in a rural district: it is set by Article 37 GDPR and Article 34 LOPDGDD, and it mainly affects two types of organisation that handle significant volumes of sensitive data. The first is the private healthcare sector: dental clinics, medical centres, laboratories and practices that complement public healthcare handle health data every day, a special category under Article 9 GDPR that triggers the appointment obligation when its large-scale processing is part of the core activity (Article 37(1)(c) GDPR); in Spain, Article 34.1.l LOPDGDD additionally requires every health centre legally obliged to keep patient medical records to appoint a DPO, the only exception being health professionals practising individually. The second is the advisory firms and law offices in the capital and in El Bierzo, which manage their clients' tax, employment and third-party data and need, even when not strictly required by law, a formal point of contact before the AEPD that reassures their own clients.
Summum Consultoría has no physical office in León — unlike our offices in Burgos, Palencia and Las Palmas de Gran Canaria — but we deliver the service through scheduled, recurring visits to the León capital and to the districts with the highest concentration of clients: El Bierzo and Ponferrada, La Bañeza and Sahagún. These visits cover the initial diagnosis, the yearly staff training and any meeting the client would rather handle face to face; the rest of the service — day-to-day queries, review of the records of processing, handling the breach channel — is provided remotely with the same response times as from any of our physical offices.
The outsourced DPO service does not replace full GDPR adequacy when an organisation is starting from zero: for that, see our data protection service in León, which covers the records of processing, informative clauses and supplier agreements. The outsourced DPO is the layer added on top once the appointment is mandatory for the sector — healthcare, education, insurance, professional associations, local government — or when an organisation wants to strengthen its system with a point of contact formally registered with the AEPD, with duties set out in Articles 37 to 39 GDPR that we explain in detail in our guide to the functions of the DPO (in Spanish).
We use different templates and procedures depending on the sector: the protocol for a clinic handling medical records is not the same as for an advisory firm managing payroll and tax data, nor the same as for a state-subsidised school subject to the reinforced protection criteria for minors. This service is coordinated with our outsourced DPO in Valladolid and with the group's general GDPR compliance framework, so an organisation with centres across several provinces of Castilla y León receives consistent handling at all its sites.