Data Protection Officer (DPO)
External Data Protection Officer service for public and private sector entities: ongoing compliance monitoring, specialist advice and support in dealings with users and supervisory authorities. Reference figure for privacy matters within the organisation.
How we work
Our methodology for this service
Assessment of requirement and profile
We determine whether the organisation is required to appoint a DPO and in any case assess whether voluntary appointment would add value, defining the profile and functions to be performed in their context.
Formal appointment and registration
We manage the formal appointment of the external DPO, their notification to the AEPD and their integration into the organisation's privacy governance structure as the point of contact with supervisory authorities.
Ongoing supervision and advice
As external DPO, we continuously monitor GDPR compliance, advise staff and management on privacy matters and act as the point of contact for data subjects and authorities.
Handling requests and complaints
We manage data subject rights requests — access, rectification, erasure, portability — and complaints to the AEPD, ensuring appropriate responses within statutory deadlines.
Who this is for
Public administrations, hospitals, insurers, financial institutions and other organisations legally required to appoint a Data Protection Officer. Also companies that, while not required, want a specialist external DPO who brings the technical rigour and independence the regulations demand.
Discover more by sector
Why MES Legal?
- Specialist lawyers with proven expertise in each practice area
- Offices in Barcelona and Madrid with national coverage throughout Spain
- Results-oriented, practical approach with clear risk management
- Direct professional relationship — no large-firm layers or intermediaries
Other services in this area
-
GDPR and LOPDGDD implementation
Design and implementation of a data protection policy tailored to the client's operational reality, whatever their sector: commercial, financial, real estate, healthcare, educational, legal, technology or industrial. Preparation of all documentation required for effective and proportionate compliance.
-
Privacy legal and contractual documentation
Drafting and review of data processing agreements, information notices, privacy policies, legal disclaimers, internal protocols and other legal and organisational documents required for the client's activity.
-
Records of Processing Activities (RoPA)
Preparation, review and ongoing maintenance of the Records of Processing Activities, ensuring it accurately reflects the processing carried out by the entity and remains aligned with the evolution of its operations and regulatory obligations.
-
Risk analysis and Data Protection Impact Assessments (DPIA)
Audits, risk analyses and Data Protection Impact Assessments for processing operations that may significantly affect individuals' rights and freedoms. Identification of vulnerabilities and corrective measures to anticipate contingencies and strengthen compliance.