Canarias

Outsourced DPO in Tenerife

We act as outsourced Data Protection Officer (DPO) for hotels, inbound travel agencies, private clinics and professional firms in Tenerife. We work from our office in Las Palmas de Gran Canaria, with remote support as the main channel and occasional trips to the island for the initial diagnosis, staff training or any meeting you'd rather handle face to face: formal registration with the Spanish Data Protection Agency (AEPD), a breach channel answered in under 24 hours, and a DPO who knows the tourism and private healthcare sectors of the Canary Islands, not a generic account managed from mainland Spain.

Applicable rulesGDPR arts. 37-39 · LOPDGDD art. 34
Supervisory authorityAEPD — Spanish Data Protection Agency
Location and coverageOffice in Las Palmas de Gran Canaria · Remote and on-site service in Tenerife

Tenerife brings together two sectors where appointing a Data Protection Officer stops being a recommendation and, in many cases, becomes a legal obligation. The first is tourism: hotels, holiday apartments, inbound travel agencies and tour operators process international guest data every day — bookings, passports, payment cards, data linked to the Ministry of the Interior's SES.Hospedajes system — at a volume that can trigger Article 37(1)(b) GDPR when customer tracking is systematic and large-scale, on top of the general video surveillance duties under Article 22 LOPDGDD in reception areas, common spaces and car parks. The second is private healthcare: clinics, medical centres, dental practices and physiotherapy practices in Santa Cruz de Tenerife and the tourist areas of the south of the island process health data, a special category protected under Article 9 GDPR, which makes the appointment mandatory under Article 37(1)(c) when processing is large-scale and, under Spanish law, under Article 34(1)(l) LOPDGDD for centres legally required to keep clinical records, with the exception of professionals practising individually.

Outside these two reinforced obligation scenarios, other organisations in Tenerife still benefit from an outsourced DPO even where it isn't strictly required by law: estate agencies with an international client base, homeowners' associations in tourist complexes, accounting and consultancy firms acting as data processors for third parties, and retailers with loyalty programmes. In these cases, the outsourced DPO formalises the point of contact with the AEPD and brings the same level of documentary rigour a regulated sector requires, without the organisation needing to hire dedicated staff for the role.

Summum Consultoría delivers this service from its office in Las Palmas de Gran Canaria, with a support model built for organisations outside Gran Canaria: the main channel is remote — video calls for diagnosis and planning, documentation delivered through secure platforms, a phone-based breach channel — and we reserve trips to Tenerife for what genuinely needs an in-person presence: the initial diagnosis when the organisation prefers it on site, yearly staff training, or preparing for an AEPD inspection. We do not have a physical office in Tenerife and we do not advertise one; the service is run from our Canary Islands base with declared, effective coverage across the whole island, in line with the model we already apply through our GDPR consultancy in Tenerife and our outsourced DPO service in Las Palmas.

This service does not replace full GDPR adequacy when an organisation is starting from zero: for that, see our data protection service in Tenerife, which covers the records of processing, privacy notices and processor agreements. The outsourced DPO is the layer added on top once the appointment is mandatory for the sector, or when the organisation wants to strengthen its system with a role formally registered with the AEPD, carrying out the information, advisory, monitoring and cooperation functions set out in Article 39 GDPR, with the independence and freedom from conflicts of interest required by Article 38(6).

The Island Council of Tenerife and the island's town councils — Santa Cruz, San Cristóbal de La Laguna, Arona, Adeje — are entities bound by the GDPR and, in most cases, must appoint a Data Protection Officer under Article 37(1)(a). Tourism and healthcare businesses that contract with these public bodies, or that take part in digitalisation projects run by the Canary Islands Government, must demonstrate their own regulatory compliance as part of the usual tender requirements; having a formally registered outsourced DPO makes that demonstration easier.

Article 34 LOPDGDD extends the Spanish catalogue of mandatory appointment scenarios beyond the general list in Article 37 GDPR, expressly including schools offering regulated education at any level, professional associations and their governing councils, and credit institutions and insurers — all of them present in Tenerife's business fabric beyond the tourism and healthcare axis. Before formalising any registration, we check whether your organisation falls under one of these reinforced Spanish-law scenarios, not just the general European framework, because the two lists don't fully overlap and a superficial review can miss real obligations. In hospitality specifically, outsourcing booking management to a platform or tour operator doesn't make the controller status disappear: the establishment remains responsible for having a processor agreement under Article 28 GDPR in place with every provider that accesses its guests' data, and the outsourced DPO is who periodically checks that these agreements are in force and cover the actual activity.

The Outsourced DPO in Tenerife process.

The process · four stages
01

Sector diagnosis in Tenerife

We review your organisation's personal data processing — hotel, inbound agency, clinic or firm — and check whether appointing a DPO is mandatory under Articles 37 to 39 GDPR and Article 34 LOPDGDD, or a recommended improvement for your case.

02

Formal registration with the AEPD

We register the appointment on the Spanish Data Protection Agency's electronic office and notify the DPO's contact details as required by Article 37(7) GDPR, with an in-person meeting in Tenerife if you prefer, to review the scope of the service.

03

Ongoing operation

A breach channel available in under 24 hours, handling of staff queries, periodic review of the Article 30 GDPR records of processing, and yearly training — in person in Tenerife or online, as suits the organisation.

04

Yearly drill and audit

One breach drill a year and a compliance review with a written record, so you reach any AEPD inspection with the work already done and documented under the accountability principle of Article 5(2) GDPR.

What is included

What Outsourced DPO in Tenerife includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Appointment and notification to the AEPD

    Formal registration as DPO before the Spanish Data Protection Agency within the ten-day period set by Article 34(3) LOPDGDD, and publication of the DPO's contact details as required by Article 37(7) GDPR.

  • Breach channel under 24h with tourism and healthcare expertise

    A direct phone line, not a generic form: you can speak to the person acting as DPO and familiar with the particularities of hospitality and private healthcare, with notification to the AEPD within 72 hours when Article 33 GDPR requires it.

  • Review of the records of processing

    Maintenance of the Article 30 GDPR document, updated whenever the organisation introduces a new processing activity — a booking platform, a digital check-in system, or a new clinical records provider, for example.

  • Yearly in-person training in Tenerife

    A staff training session, tailored to the sector — hotel reception, clinical staff or a professional firm — delivered at your premises during our periodic trips to the island, or online.

  • Liaison with the AEPD

    The DPO acts as the single point of contact with the Agency under Article 39(1)(e) GDPR: responding to requests and supporting the organisation if an investigation is opened.

  • Handling data subjects' rights

    Procedure and response templates for access, rectification, erasure, restriction, portability and objection within the one-month timeline set by Article 12 GDPR, tailored to international guests and patients.

Frequently asked questions about Outsourced DPO in Tenerife.

Is a DPO mandatory for my company because it's based in Tenerife?

It depends on the sector, not the island: the obligation is set by Articles 37 to 39 GDPR and Article 34 LOPDGDD. In Tenerife it frequently applies to hotels and inbound agencies with systematic guest tracking, private clinics and health centres, schools offering regulated education, and local public bodies, regardless of where the organisation is registered. We check this during the free initial diagnosis.

Does Summum Consultoría have an office in Tenerife?

No. Our office in the Canary Islands is in Las Palmas de Gran Canaria. The outsourced DPO service in Tenerife is delivered mainly remotely, with periodic trips to the island for the initial diagnosis, staff training, or any meeting you'd rather handle face to face.

Does this service cover hotels and inbound agencies handling international guest data?

Yes. It's one of the most common profiles in Tenerife: hotels and agencies managing bookings, passports and data linked to the SES.Hospedajes system, at volumes that can trigger the DPO obligation through systematic, large-scale monitoring under Article 37(1)(b) GDPR.

What about clinics or private health centres on the island?

Also covered. Clinics, dental practices and physiotherapy practices process health data, a special category under Article 9 GDPR; the DPO appointment is mandatory under Article 37(1)(c) when processing is large-scale and, under Spanish law, under Article 34(1)(l) LOPDGDD for centres legally required to keep clinical records.

What exactly does the DPO do under the GDPR?

Article 39 GDPR gives the DPO the functions of informing and advising the controller and its staff, monitoring compliance, advising on impact assessments, cooperating with the supervisory authority, and acting as the contact point with the AEPD. Article 38(6) requires that these functions be carried out independently and free of conflicts of interest with any other tasks the DPO may perform within the organisation.

What's the difference between this service and GDPR adequacy in Tenerife?

GDPR adequacy builds the full compliance system — records of processing, notices, processor agreements — while the outsourced DPO is the formal supervisory role before the AEPD. If your organisation doesn't yet have the system in place, we usually start with GDPR adequacy in Tenerife and add the DPO once the sector requires it.

What penalties does the AEPD apply if an organisation required to have a DPO doesn't appoint one?

Failing to appoint a DPO when required is treated as a breach of Articles 37 to 39 GDPR and is punishable under Article 83(4), with fines of up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. If the processing principles or data subjects' rights are also breached, the stricter regime of Article 83(5) applies.

Does the outsourced DPO review contracts with booking platforms and other tourism providers?

Yes. Outsourcing booking management or digital check-in to a platform or tour operator doesn't shift the establishment's status as controller: a processor agreement under Article 28 GDPR is still required with every provider that accesses guest data. We periodically check that these agreements are in force and match your establishment's actual activity.

How much does an outsourced DPO in Tenerife cost?

We don't publish a fixed rate because it depends on the organisation's size, the number of processing activities and any sector-specific requirements. We confirm it on the initial call or meeting. You can check the variables that move the price in our article on outsourced DPO pricing (in Spanish).