Canarias

Data Protection in Tenerife

Tenerife is home to one of the most dynamic business communities in the Canary Islands: hotels, tourism services, real estate agencies, clinics and retailers process large volumes of personal data every day. At Summum Consultoría we support companies and institutions across the island in their compliance with the GDPR (EU) 2016/679 and the LOPDGDD (Organic Law 3/2018 — Spain's national data protection act), providing remote assistance and on-site visits whenever the situation calls for it.

Applicable regulationGDPR (EU) 2016/679 · LOPDGDD LO 3/2018
CoverageTenerife and the entire Canary Islands — service area, remote assistance
Supervisory authorityAEPD — Spanish Data Protection Agency (Agencia Española de Protección de Datos)

Tenerife hosts one of the most active tourism economies in Spain: hotels, holiday apartments, incoming travel agencies and retailers process large volumes of personal data every day — reservations, passports, payment details — all of which fall within the scope of the GDPR (EU) 2016/679 and the LOPDGDD (LO 3/2018). Both regulations require every organisation, regardless of size, to implement adequate technical and organisational measures and to keep compliance documentation up to date.

Beyond tourism, the business fabric of Santa Cruz de Tenerife includes professional practices, clinics, estate agencies, homeowners' associations and hospitality businesses, each with their own obligations: the healthcare sector processes health data that are specially protected under Article 9 of the GDPR; premises with security cameras are subject to Article 22 of the LOPDGDD; and tourist accommodation manages records linked to the SES.Hospedajes system of the Spanish Ministry of the Interior. Non-compliance can lead to enforcement proceedings under the sanctioning regime established in Article 83 of the GDPR.

From our office in Las Palmas de Gran Canaria, with remote assistance and occasional on-site visits to Tenerife, Summum Consultoría guides companies and organisations on the island through GDPR compliance: initial diagnostic, record of processing activities (art. 30 GDPR), data processing agreements, information clauses and an external DPO service. The majority of the work is carried out remotely without the need for physical presence at every stage of the project.

The Cabildo Insular de Tenerife (Island Council) and the municipalities of the island — Santa Cruz, San Cristóbal de La Laguna, Arona, Adeje — are subject to the GDPR and, in most cases, must appoint a Data Protection Officer in accordance with Article 37.1.a) of the Regulation. Companies that contract with the Tenerife administration must demonstrate their regulatory compliance as part of the standard tendering requirements.

The Data Protection in Tenerife process.

The process · four stages
01

Initial compliance diagnostic

We assess the organisation's actual standing against the requirements of the GDPR and the LOPDGDD: we inventory existing processing activities, review the technical and organisational security measures in place, identify compliance gaps and deliver a report setting out the priorities for remediation. This diagnostic is the essential starting point for designing a realistic plan tailored to the company's size and sector.

02

Design of the data protection system

We draw up the record of processing activities (art. 30 GDPR), determine the legal basis for each processing activity, design the privacy policy and information notices (arts. 13 and 14 GDPR), and draft data processing agreements (art. 28 GDPR) tailored to the organisation's specific providers: booking platforms, accounting firms, cloud tools and POS systems.

03

Implementation and training

We support the organisation throughout the effective implementation of the system: updating legal texts on the website and in physical and digital forms, signing data processing agreements, establishing a protocol for handling data subject rights requests and defining technical security measures. We train the responsible team so that compliance works in day-to-day practice, not just on paper.

04

Ongoing maintenance and external DPO

The GDPR requires continuous compliance, not a one-off exercise. We provide periodic reviews of the system, documentation updates when regulations or the organisation's activities change, security incident management and an external Data Protection Officer service for entities that are legally required to appoint one or that choose this role as an additional guarantee of legal certainty.

What is included

What Data Protection in Tenerife includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • GDPR diagnostic and audit

    Inventory of processing activities, review of security measures and a compliance gap report with priorities tailored to the organisation's sector and size.

  • Record of Processing Activities

    Preparation of the record required by Article 30 of the GDPR: legal basis, categories of data, recipients, international transfers and retention periods.

  • Privacy policy and legal notices

    Drafting of the information texts required by Articles 13 and 14 of the GDPR: website privacy policy, clauses in forms and notices in premises with security cameras.

  • Data processing agreements

    Data processing agreements (art. 28 GDPR) with providers that access personal data: tourism booking platforms, accounting firms, cloud solutions and POS systems.

  • External DPO (Data Protection Officer)

    External DPO service for entities with a legal obligation (art. 37 GDPR) or that opt for this role: public bodies, healthcare entities and organisations with large-scale processing activities.

  • Data subject rights management

    Protocol for handling within the statutory deadlines requests for access, rectification, erasure, portability and objection from data subjects, in accordance with Articles 15 to 22 of the GDPR.

Frequently asked questions about Data Protection in Tenerife.

Which companies in Tenerife are required to comply with the GDPR?

Every entity — company, self-employed individual, association or public authority — that processes personal data in the course of its activities is required to comply with the GDPR and the LOPDGDD, regardless of its size or sector. In Tenerife this applies to everything from a family-run hostel to a large hotel chain or a private clinic. The obligation arises from the mere fact of processing data relating to identified or identifiable natural persons.

When is it compulsory to appoint a DPO in Tenerife?

Article 37 of the GDPR requires a Data Protection Officer to be appointed in three situations: public authorities and bodies — the island council, municipalities and public health centres —, organisations that carry out large-scale processing of special categories of data such as health or biometric data, and those that engage in systematic large-scale monitoring of individuals. Outside these situations, many businesses in Tenerife voluntarily opt for an external DPO as an additional guarantee of legal certainty.

How long does it take for an SME in Tenerife to achieve GDPR compliance?

It depends on the complexity of the processing activities and the organisation's starting point. For a service-sector SME with straightforward processing activities, the initial compliance project can be completed in four to eight weeks. For more complex organisations — multi-service hotels, clinics — the process may extend over several months. Summum Consultoría carries out an initial diagnostic to estimate the actual scope before committing to timelines.

What fines can the AEPD impose on a company in Tenerife for breaching the GDPR?

Article 83 of the GDPR establishes two tiers: up to 10 million euros or 2% of total annual worldwide turnover for less serious infringements, and up to 20 million euros or 4% of total global turnover for the most serious ones. The AEPD (Spanish Data Protection Agency) takes into account as mitigating factors cooperation with the regulator, prior compliance measures and the diligence shown in remedying the breach. Summum Consultoría supports the organisation throughout the process without replacing the role of legal counsel or the supervisory authority.