The business landscape of Valladolid is varied and dynamic: industrial and agri-food SMEs, law firms and tax advisory offices, clinics and health practices, homeowners' associations, real-estate agencies, educational centres and local retailers. All these organisations, regardless of their size or sector, process personal data belonging to customers, employees or suppliers and are subject to the General Data Protection Regulation and Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights. The AEPD (Agencia Española de Protección de Datos — Spanish Data Protection Agency) supervises compliance throughout the national territory and may open investigative proceedings against any entity that has not implemented the technical and organisational measures required by law.
Summum Consultoría has a physical office at Fray Luis de León 3, 2B, 47002 Valladolid, which allows us to provide in-person support to our clients in Valladolid while also working remotely with organisations across the province and throughout Castilla y León. We have spent more than fifteen years guiding SMEs and regional organisations through GDPR compliance processes, and we have first-hand knowledge of both the regional regulatory environment and the economic sectors most prominent in the city: the automotive supply industry, agri-food, services and local retail.
Our starting point is always an honest assessment of the organisation's real situation: what personal data is processed, for what purposes, which third parties — data processors — have access to it, and what technical and organisational measures are already in place. From that assessment we design a compliance plan proportionate to the size and risk of the organisation, develop the mandatory documentation: records of processing activities, information notices, privacy policy, data processing agreements and procedures for handling data subject rights requests; and train the team members who handle personal data in their day-to-day work. We do not stand in for the AEPD or guarantee the outcome of any enforcement proceedings, but we do ensure that the organisation acts in an orderly manner and with the documentation that the regulator expects to find.
We frequently work with advisory firms and professional practices, clinics and health centres, real-estate agencies and property managers, educational and training centres, hospitality businesses and homeowners' associations across the province. We also work with bodies linked to the Junta de Castilla y León and the Diputación Provincial de Valladolid, which as data controllers are subject to the GDPR with the same rigour as the private sector. When the organisation requires it (or when the law makes it mandatory), we also provide an external Data Protection Officer (DPO) service, acting as the point of contact with the AEPD and continuously overseeing the data protection management system.