Castilla y León

Outsourced DPO in Salamanca

We act as outsourced Data Protection Officer (DPO) for law and notary firms, clinics and health practices, language academies and organisations linked to Salamanca's university environment. We work from our main office in Castilla y León, in Valladolid, with regular in-person visits to Salamanca and prompt remote support the rest of the time: formal registration with the Spanish Data Protection Agency (AEPD), a breach channel answered in under 24 hours, and a DPO who understands the sector, not a generic account managed from outside the region.

Applicable rulesGDPR arts. 37-39 · LOPDGDD art. 34
Supervisory authorityAEPD — Spanish Data Protection Agency
Location and coverageOffice in Valladolid · In-person and remote service across Salamanca and its province

Salamanca has a professional fabric in which appointing a Data Protection Officer is no longer optional but a legal requirement across several sectors. The city's law and notary firms, heirs to a legal tradition tied to one of the oldest law faculties in Europe, frequently handle special-category data and processing volumes that can trigger Article 37(1)(c) GDPR whenever large-scale processing of those categories is part of their core activity. Private clinics, psychology practices and physiotherapy centres in the city process health data, a special category under Article 9 GDPR, which makes appointment mandatory under Article 37(1)(c) GDPR where processing is large-scale and, in Spain, under Article 34.1.l LOPDGDD for health centres legally obliged to keep patient medical records, the only exception being health professionals practising individually. Add to that a dense university environment — the University of Salamanca, its colegios mayores, Spanish-language academies for foreign students and student residences — which handles data belonging to minors and international students under reinforced protection regimes.

Outside the strict cases of mandatory appointment, other organisations in Salamanca benefit from an outsourced DPO even where the law doesn't require it: non-regulated training academies, smaller firms and practices that don't reach the large-scale thresholds, retailers with loyalty programmes, and SMEs starting to receive data protection requirements from larger clients before signing a contract. In these cases, the outsourced DPO role formalises the point of contact with the AEPD and brings the same level of documentary rigour a regulated sector requires, without adding dedicated in-house staff for this function.

Summum Consultoría provides this service from its main office in Castilla y León, in Valladolid, with a support model designed for organisations outside the capital: regular in-person meetings in Salamanca — for the initial diagnosis, yearly staff training or preparing for an inspection — and a prompt remote channel for day-to-day matters, without relying on constant travel. We don't have a physical office in Salamanca and don't advertise one; the service is run from our Valladolid base with declared and effective coverage across the whole province, following the same model we already apply in Valladolid.

This service does not replace full GDPR adequacy when an organisation is starting from zero: for that, see our data protection service in Salamanca, which covers the records of processing, information clauses and processor agreements. The outsourced DPO is the layer added on top once appointment is mandatory for your sector, or when the organisation wants to strengthen its system with a role formally registered with the AEPD, carrying out the information, advisory, monitoring and cooperation duties set out in Article 39 GDPR, with the independence and absence of conflicts of interest required by Article 38(6).

Article 34 LOPDGDD extends the Spanish list of mandatory appointment cases beyond the general list in Article 37 GDPR, and expressly includes schools offering regulated education at any level and professional associations and their general councils, two categories very present in Salamanca. Before formalising any registration, we check whether your organisation falls under one of these reinforced Spanish-law cases, not only the general European framework, because the two lists don't fully overlap and a superficial review can miss real obligations.

The Outsourced DPO in Salamanca process.

The process · four stages
01

Sector diagnosis in Salamanca

We review your organisation's personal data processing — law firm, clinic, school or an entity linked to the university environment — and check whether appointing a DPO is mandatory under Articles 37 to 39 GDPR and Article 34 LOPDGDD, or a recommended improvement for your case.

02

Formal registration with the AEPD

We register the appointment on the Spanish Data Protection Agency's electronic office and notify the DPO's contact details as required by Article 37(7) GDPR, with an in-person meeting in Salamanca if you'd rather review the scope of the service face to face.

03

Ongoing operation

A breach channel available in under 24 hours, handling of staff queries, periodic review of the Article 30 GDPR records of processing, and yearly training — in person in Salamanca or online, as suits the organisation.

04

Yearly drill and audit

One breach drill a year and a compliance review with a written record, so you reach any AEPD inspection with the work already done and documented in line with the accountability principle of Article 5(2) GDPR.

What is included

What Outsourced DPO in Salamanca includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Appointment and notification to the AEPD

    Formal registration as DPO before the Spanish Data Protection Agency within the ten-day deadline set by Article 34.3 LOPDGDD, and publication of the DPO's contact details as required by Article 37(7) GDPR.

  • Breach channel under 24h with sector knowledge

    A direct phone line, not a generic form: in Salamanca you can speak to the person acting as DPO, who knows the particulars of your activity, with notification to the AEPD within 72 hours whenever Article 33 GDPR requires it.

  • Review of the records of processing

    Maintenance of the Article 30 GDPR document, updated whenever the organisation introduces a new processing activity, such as a new digital client-acquisition channel or a new technology provider.

  • Yearly in-person training in Salamanca

    A staff training session, tailored to the sector — law firm, clinic or school — delivered at your premises during our regular visits to the city, or online.

  • Liaison with the AEPD

    The DPO acts as the single point of contact with the Agency under Article 39(1)(e) GDPR: responding to requests and supporting the organisation if an investigation is opened.

  • Handling data subjects' rights

    Procedure and response templates for access, rectification, erasure, restriction, portability and objection within the one-month timeline set by Article 12 GDPR.

Frequently asked questions about Outsourced DPO in Salamanca.

Is a DPO mandatory for my organisation because it's based in Salamanca?

It depends on the sector, not the province: the obligation is set by Articles 37 to 39 GDPR and Article 34 LOPDGDD. In Salamanca this often affects private clinics and health centres, professional firms processing data at scale, state-subsidised schools, insurers and financial entities, regardless of where the organisation is registered. We check this during the free initial diagnosis.

Does Summum Consultoría have an office in Salamanca?

No. Our main office in Castilla y León is in Valladolid. The outsourced DPO service in Salamanca is delivered through regular visits to the city for the initial diagnosis, staff training, or any meeting you'd rather handle face to face, combined with prompt remote support for day-to-day queries.

What exactly does a DPO do under the GDPR?

Article 39 GDPR assigns the DPO duties of informing and advising the controller and its staff, monitoring compliance, advising on data protection impact assessments, cooperating with the supervisory authority, and acting as the point of contact with the AEPD. Article 38(6) requires the DPO to perform these tasks independently and without conflicts of interest arising from other duties within the organisation.

What's the difference between this service and GDPR adequacy in Salamanca?

GDPR adequacy builds the full compliance system — records of processing, information clauses, processor agreements; the outsourced DPO is the formal supervisory role before the AEPD. If your organisation doesn't yet have the system in place, we usually start with GDPR adequacy in Salamanca and add the DPO once the sector requires it.

Does this service cover state-subsidised schools in Salamanca?

Yes. State-subsidised schools are among the organisations most commonly required to appoint a DPO. We've published a dedicated analysis of this case in our article on the DPO in state-subsidised schools (in Spanish), which also applies to schools in Salamanca and its province.

What penalties can the AEPD impose if an organisation required to have a DPO doesn't appoint one?

Failing to appoint a DPO when required is treated as a breach of Articles 37 to 39 GDPR and is sanctioned under Article 83(4), with fines of up to 10,000,000 euros or 2% of annual global turnover, whichever is higher. If the breach also affects processing principles or data subjects' rights, the stricter regime under Article 83(5) applies.

Can the outsourced DPO also be the firm's or clinic's regular legal or IT adviser?

It shouldn't, if that creates a conflict of interest. Article 38(6) GDPR requires the DPO to perform their duties independently of other tasks within the organisation; the role should therefore normally sit with an external party, separate from whoever already provides legal, IT or management advisory services, unless it can be shown there is no conflict in determining the purposes and means of processing.

How much does an outsourced DPO in Salamanca cost?

We don't publish a fixed rate because it depends on the organisation's size, the number of processing activities and any sector-specific requirements. We confirm it on the initial call or meeting. You can check the variables that move the price in our article on outsourced DPO pricing (in Spanish).