Under Article 27 of the General Data Protection Regulation (GDPR), appointing a GDPR representative in Spain is mandatory for data controllers and processors not established in the European Union who process personal data of individuals located in Spain.
Scope of Application
This obligation applies to non-EU companies that either:
- Offer goods or services to individuals in Spain, or
- Monitor the behaviour of individuals in Spain, for instance through the use of tracking technologies or behavioural profiling.
Crucially, this requirement applies even if the company has no physical presence within the EU. The Spanish Data Protection Authority (AEPD) enforces a strict interpretation of this scope. Limited exceptions exist but are narrowly construed. These include cases of occasional, low-risk processing that is unlikely to affect individuals’ rights and freedoms. Additionally, foreign public authorities are exempt, as provided in Article 27.2 GDPR.
Representative’s Duties
The EU Representative acts as the official point of contact in the EU for both data subjects and supervisory authorities, and is authorised to receive legal and administrative communications on behalf of the controller or processor.
Their responsibilities include:
- Acting on behalf of the non-EU company in relation to its GDPR obligations (Art. 27).
- Receiving and responding to data subject requests, regulatory notices, and legal communications.
- Cooperating with supervisory authorities in investigations or audits.
- Maintaining documentation on data protection compliance, including records of processing activities (RoPA) and evidence of lawful consent (Articles 27.4 and 30 GDPR).
Importantly, the GDPR requires that the identity and contact details of the EU Representative be clearly stated in the privacy policy provided to data subjects (Articles 13.1(a) and 14.1(a) GDPR). Failure to include this information may constitute a breach of GDPR transparency obligations.
The EU Representative must not be confused with the Data Protection Officer (DPO). While the DPO advises the organisation internally on privacy compliance and monitors implementation, the Representative is a designated external point of contact who acts under a mandate and does not hold an independent oversight or advisory function.
Specific Requirements in Spain
In Spain, the appointment of the GDPR Representative is an internal matter between the controller or processor and the designated representative. There is no requirement to formally notify or register the appointment with the AEPD.
However, the representative must be able to produce written documentation of their mandate upon request from the AEPD, particularly during an investigation or enforcement action. This mandate should be duly signed, dated, and retained by both parties as proof of compliance with Article 27 GDPR.
Although no formal registration is required, the representative should have:
- A real and operational presence in Spain (especially if the company targets Spanish residents).
- The capability to manage communications in Spanish with authorities and data subjects.
- Sufficient technical and human resources to handle data protection queries in practice.
Sanctions and Enforcement
Spain’s Organic Law 3/2018 on Data Protection considers the failure to appoint a representative when required a serious infringement.
Such a breach can lead to:
- Administrative fines of up to 2% of the company’s total global annual turnover, and
- Fines of up to €10 million for providing incomplete or misleading information to the AEPD.
Our Services – Full GDPR Compliance Support in Spain
Lexing Spain offers comprehensive legal and operational assistance for non-EU companies that process personal data in Spain, including:
- Full support in the designation of a GDPR Representative in accordance with Article 27.
- Assistance with privacy documentation and compliance reporting.
- Representation before the AEPD and handling of data subject requests.
- Strategic advice on the use of AI tools, cookies, data transfers, and other digital processing matters.
- Designation of external Data Protection Officers (DPOs) when required.
Contact Lexing Spain to ensure that your company’s data processing activities in Spain are fully compliant and professionally represented.
