New sanction to a City Council for not having DPD

Penalties for not having a data protection officer

The Spanish Data Protection Agency (AEPD) imposes a sanction on the City Council of San Fernando de Henares for failing to appoint a Data Protection Officer (DPD / DPO).

And there are already three sanctioned city councils in Madrid.

The first sanction imposed on a City Council for this reason was in June 2020, against the City Council of Huercal de Almería.

The sanctions follow one after another, and now the AEPD requires the City Council of San Fernando de Henares to prove within 1 month that it has made such a designation and that it has been communicated to the Register of Data Protection Delegates.

Obligation to designate a DPD

The legal basis for the sanction derives from the General Data Protection Regulation (EU) 679/2016, known as GDPR, which in its Article 37.1 determines that the controller and the processor shall appoint a data protection officer provided that:

“(a) the processing is carried out by a public authority or body, except for courts acting in their judicial role.”

The same article includes other cases:

(b) the main activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the main activities of the controller or processor consist of large-scale processing of special categories of personal data pursuant to Article 9 and of data relating to criminal convictions and offences referred to in Article 10.

It should not be forgotten that the Organic Law on Personal Data Protection and guarantees of digital rights (LOPD-GDD) 3/2018, in its Article 34, lists the professional activities that are obliged to appoint a data protection delegate (educational or health centers, marketers or distributors of energy or natural gas, the subjects obliged to the Law on prevention of money laundering, private security, sports federations with data of minors, professional associations, etc.) and that such appointment must be communicated to the AEPD within 10 days in the DPD Register.

However, any entity not included in these cases may voluntarily appoint a DPD.

Who can be a DPD?

The Data Protection Officer (DPO) shall be appointed on the basis of his/her professional qualifications and, in particular, his/her specialized knowledge of data protection law and practice and his/her ability to perform the duties set out in Article 39 of the GDPR.

The data protection officer may be a natural or legal person, be a member of the staff or perform his/her duties under a service contract, and may be full-time or part-time, depending, among other criteria, on the volume of processing, the special category of data processed or the risks to the rights or freedoms of data subjects.

DPD in Valencia

Business Adapter® may be your Data Protection Officer in Valencia*, assuming all the functions established in articles 38 and 39 of the GDPR.

*We also offer national coverage

Contact us, we will be pleased to help you.