Is it possible to sanction a public agency for not having a DPO?

12月 2021

Since the reform in 2018 of the Data Protection regulation, the emergence of the figure of the Data Protection Officer (DPO) has become an indispensable figure in most companies and public organisms.

The General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, whose transposition to Spain was in 2018) provides in its Article 37 the obligation to have a data protection officer when processing data. One of these cases in which the figure of the DPO is mandatory are the public organisms.

The importance of our data today is an evident and indisputable reality. Without going into the Artificial Intelligence modality – one of the clearest expressions of the previous statement – our data are today a vital and virtual means survival. Therefore, we require maximum protection and correct treatment by those to whom we provide them, whether it is a private company or a public agency.

Although in practice not everyone still complies with the mandatory requirement of having a DPO, it is important to know that this non-compliance can -and legally must- take its toll.

This has recently happened in a City Council of Murcia (Spain) in which the organism, after the retirement of the person who had been exercising this role, did not renew the DPO figure.

Consequently, this administration was sanctioned by the Spanish Data Protection Agency (AEPD for its acronym in Spanish) in a resolution of October 4, 2021 that we share below and that denotes the importance of this figure in an era clearly dominated by new technologies.


In the specific case, a complaint was filed against the aforementioned public agency for not having a DPO, as required by data protection regulations, based on the fact that the position and functions of such figure were temporarily attributed to a person who, for more than a year, had not been performing such functions.

There is even a resolution of retirement of the person who was performing the functions of the position. In addition, the administration did not file any allegations against the claim.


In view of the above, and the refusal of the City Council to respond, the AEPD was obliged to impose a warning sanction (despite of the serious nature), warning the offending administration of the possible consequences that it would have to bear in the event of not remedying the defect of not having this figure.

The supervisory authority requires this public organism to appoint a DPO and inform the AEPD within one month, since, taking into consideration that Public Administrations may act as data controllers or data processors, they must “comply with the obligations detailed in the RGPD, which include appointing a data protection officer, making their contact details public and communicating them to the AEPD“.

Thus, as indicated by the AEPD, Article 37.1.a) of the RGPD establishes that a DPO must be appointed when “the processing is carried out by a public authority or organism, except courts acting in the exercise of their judicial function”.

In this sense, the agencies of the Public Sector are obliged to designate a DPO with the appropriate qualifications, as well as to guarantee the necessary means for the exercise of their functions and to notify such designation to the AEPD for inclusion in the Public Register of DPOs.

That means that is not figure that is only obligatory for private companies, but also for public organisms.

This is why the resolution itself declares the infringement of Article 37 of the GDPR by the City Council in question, with the consequent imposition of the sanction.

What the AEDP intends with this sanction to a public administration is to give it the value it deserves and the importance that corresponds to the obligation to appoint a DPO when the law so provides because our personal data are one of the most precious and valuable assets.

Although the above refers to a case that has occurred within the framework of European regulations, more specifically within Spanish law, it is worth noting the importance of this figure in Latin America as well.

In Latin America, legislation such as that of Mexico, Ecuador and Uruguay establishes this figure, adjusting its competences to a greater or lesser extent to the European model. Colombia and Panama, by means of regulations, have participated in this exercise; and in Costa Rica, the project of integral reform to its current Personal Data Protection Law also considers the incorporation of the DPO, also requiring that all public institutions have such an appointment.

Sara del Río | Mauricio Garro