Definition
The Data Protection Officer (DPO) is the figure introduced by GDPR (arts. 37-39) for entities whose data processing is large-scale or involves special categories. Functions: inform and advise the controller and employees on their obligations, monitor GDPR/LOPDGDD compliance, advise on impact assessments, cooperate with the supervisory authority (AEPD in Spain) and act as contact point for data subjects.
The DPO must have specific data-protection training, act independently and report to the highest management level. The role can be internal (a dedicated employee) or external (a contracted firm). The DPO's contact details are published and reported to the AEPD.
When does it apply?
A DPO is mandatory when: 1) the controller's core activity requires regular and systematic large-scale monitoring of data subjects, or 2) special categories of data (health, biometric, orientation) are processed at large scale. For the vast majority of amateur Spanish sports clubs a formal DPO is NOT mandatory, but it is strongly advisable to have an internal GDPR contact point (even without the formal DPO status).
Practical example
Common mistakes
- Confusing DPO with DPI: DPO is from GDPR; DPI from LOPIVI. They can be different people.
- Appointing a DPO without training them: the AEPD requires verifiable training and demonstrable experience.
- Not publishing the DPO's contact: if appointed, you must notify the AEPD and publish it in the privacy policy.
- Thinking it's mandatory when it isn't: many small clubs appoint one 'just in case' when not formally required.
This is not specific legal or tax advice
Information as of May 2026. Regulation evolves and every club has its own circumstances (region, federation, size, activities). For your specific case, talk to a lawyer or tax advisor specialised in Spanish sports law.