Art. 34 (1) Organic Law 3/2018 provides for additional categories of companies that must appoint a DPO: vocational schools, schools and public and private universities, telecom providers and network operators, information society service providers, entities supervising credit institutions, credit institutions, insurance companies, investment service companies, utility providers, credit rating agencies, entities carrying out advertising and commercial prospecting/market research, health institutions required to maintain patient records, the gambling and gaming sector, business report agencies, sports associations (processing minors’ personal data) and the private security sector.

Art. 36 (2) Organic Law 3/2018 grants directly employed DPOs elevated protection against dismissal, except in cases of deliberate fraud or gross negligence.

A DPO is not responsible for data protection infringements of the controller or processor. DPOs are therefore expressly excluded from regulatory sanctions pursuant to Art. 70 (2) Organic Law 3/2018.

Notification of the Data Protection Officer to the authorities

Pursuant to Art. 34 (3) Organic Law 3/2018, any entity, irrespective of whether it is obliged to appoint a DPO, must notify the AEPD within 10 days of any appointment or removal of a DPO.