In Spain, the law defines the types of organisations that must appoint a data protection officer, whether they are acting as controllers or processors:
a) professional associations and their general councils
b) educational establishments providing education at one of the levels laid down in the education laws, as well as public and private universities
c) organisations operating networks and providing electronic communications services within the meaning of the law when they routinely and systematically process personal data on a large scale
d) information society service providers who profile users on a large scale
e) financial institutions, pursuant to Article 1 of Law 10/2014 of 26 June
f) financial institutions
g) insurance and reinsurance companies
h) investment service providers subject to financial market legislation
i) energy suppliers and marketers of electrical energy as well as energy suppliers and marketers of natural gas
j) entities processing common data for the purpose of assessing the financial situation or creditworthiness or combating fraud, including those responsible for processing data for the purpose of combating money laundering and terrorist financing under related legislation
k) companies which carry out advertising campaigns or commercial research, including commercial and market research, if they carry out processing operations based on the preferences of the parties concerned or carry out activities involving the creation of their profiles
l) health centres that are legally obliged to keep patient files. Exceptions are health professionals, who are legally obliged to keep patient files, but who carry out their activities as individuals.
m) companies whose object is the publication of annual reports which may relate to natural persons
n) gambling operators operating on electronic, computerised, telematic and interactive channels
o) private security companies
p) sports federations, if these process data of minors