External data protection officer in medium-sized companies: prices, services and the CIVAC approach
Prices for external data protection officers vary between 350 and 2,400 euros per month in medium-sized businesses. This article explains the factors, the cost traps and the CIVAC model as a compliance platform and officer-as-a-service.
According to Section 38 BDSG, around 250,000 companies in Germany had to appoint a data protection officer at the end of 2025 because they employ more than 20 people with automated processing of personal data. Medium-sized companies make the majority of these mandatory appointments, and for most managing directors, appointing an external DPO is not a question of whether, but of price and performance. The range on the market is considerable: offers between 89 euros per month for purely online solutions without personal reference and 2,400 euros per month for a specialised law firm with an hourly quota are only a Google search click apart, and the differences in quality are hardly noticeable to laypeople.
This article explains how the price for an external data protection officer in medium-sized businesses is made up, and what services you can get for 600, 1,200 or 2,000 euros month and how you can recognise dubious offers. We then show how CIVAC, as a compliance platform and officer-as-a-service, calculates the price and why the appointment certificate with a clearly defined service catalogue is the core of a reliable DSB mandate. You will receive a comparison matrix, a total cost of ownership calculation of internal versus external DSB and specific questions that you should ask each provider to answer in writing before signing the contract. At the end you will know the market corridor for your size and industry.
Key Takeaways
- In medium-sized businesses, market-based flat rates for an external DPO are between 600 and 1,500 euros per month, depending on the number of employees, industry risk and depth of processing.
- Low-priced online DPOs without a named natural person do not comply with Section 38 BDSG and result in a de facto non-appointment in the event of an inspection by the supervisory authorities.
- CIVAC offers the appointment of an external DPO in combination with the workspace, so that the appointment certificate, reporting line and audit evidence can be accessed at any time.
When medium-sized businesses have to appoint a DSB
The DSB obligation arises primarily from Section 38 BDSG in conjunction with Art. 37 GDPR. An order is mandatory as soon as at least 20 people in a company are constantly involved in the automated processing of personal data. In practice, who is included in this count is often underestimated: in addition to permanent employees, this also includes working students, trainees, temporary workers and freelancers with permanent access to CRM, HR systems or email inboxes. An eight-person marketing team with a newsletter tool, a twelve-person sales team with a CRM and a five-person human resources department already meet the threshold. Management that only counts permanent employees regularly underestimates the actual obligation.
Regardless of the threshold value, an appointment is mandatory according to Art. 37 Para. 1 GDPR as soon as the core activity consists of extensive, regular monitoring of people or the processing of special categories according to Art. 9 GDPR. Practical examples include market research institutes, personnel service providers, medical care centres, pharmacy associations, tax offices with large databases and SaaS providers with personal data pipelines. For these companies, the obligation applies from the first employee who carries out the respective activity, i.e. effectively from the time they are founded.
Anyone who fails to place an order or delays it risks fines of up to 10 million euros or 2 percent of the group's turnover, whichever is higher, according to Art. 83 Para. 4 GDPR. Since 2024, the supervisory authorities in Bavaria, Baden-Württemberg and North Rhine-Westphalia have been carrying out more random inspections and requesting the appointment certificate and the report to the authority in accordance with Section 38 (3) BDSG. An order without notification is considered a formal error and in practice is treated as a non-order. CIVAC delivers the appointment certificate for the external data protection officer within two working days of signing the mandate, including notification to the authorities.
Market prices 2026: How much does an external DSB cost in medium-sized businesses
In practice, the price for an external data protection officer depends on four factors: number of employees, number of processing activities, industry risk and response time SLA. In medium-sized companies with 50 to 250 employees, the following ranges will have established themselves on the market in 2026. For companies with a manageable data protection risk, i.e. no e-commerce, no health data, no tracking data streams and no extensive third-country transfers, market-based flat rates are between 600 and 950 euros per month. These flat rates usually include the order, annual employee training, ongoing maintenance of the register of processing activities and answering inquiries from those affected with moderate effort.
For medium-risk companies such as B2C online shops, recruitment agencies, insurance brokers or IT service providers, the range is 950 to 1,500 euros per month. This typically includes data protection impact assessments in accordance with Art. 35 GDPR, order processing contracts with numerous subcontractors, cookie banner adjustments and regular audits. High-risk companies, such as healthcare, banks, large cloud platforms or market research, pay 1,500 to 2,400 euros per month, often combined with an hourly quota for event-related topics such as takeovers, joint ventures or data breaches with a third country connection.
Caution is advised with flat-rate offers under 300 euros per month. These models usually bundle several hundred mandates to a single person, which makes accessibility in accordance with Art. 38 GDPR impossible in practice. During the inspection by the supervisory authority, this is seen as an indication of a lack of functionality and, in case of doubt, leads to a complaint such as non-appointment. CIVAC works with a maximum limit of 25 mandates per designated person and uses the workspace to bundle the operational load into templates, audit templates and automated reminders, leaving human consultation time reserved for the specialist.
Flat rate, hourly model or hybrid: which contract model suits when
External DSBs are generally offered in three contract models: monthly flat rate, pure hourly model and hybrid models with basic flat rate plus hourly quota. The monthly flat rate is the most frequently chosen model among medium-sized businesses. It gives the company budget security and the provider planning. The flat rate usually includes a defined quota of hours for ongoing advice, maintaining the directory, annual training and answering inquiries from those affected up to a certain number per year. What is important is the written definition of what applies if the quota is exceeded: four hours of goodwill or immediate hourly billing at the deposited rate.
The pure hourly model with rates between 180 and 320 euros net per hour makes sense for very small companies with minimal processing or for temporary projects such as a one-off data protection impact assessment. The model is unsuitable for medium-sized companies because monthly routine advice is not covered and requests from those affected with a hard deadline, usually one month according to Art. 12 Para. 3 GDPR, lead to uncontrolled peak bills. Anyone who chooses the model should agree on at least an upper hour limit per quarter in order to avoid budget shocks.
Hybrid models with a reduced basic fee of around 400 euros per month plus hourly billing for defined special activities are a good fit for companies with very fluctuating volumes, such as project companies or holding companies with selective needs. What is important here is a clear definition of which services are included in the flat rate and which are billed separately. In the CIVAC model, the monthly flat rate is fixed and includes platform usage with 490 templates. Large, selective projects such as a group-wide DPIA or a third country transfer impact assessment are calculated as a separate project and approved in writing in advance. Licence the workspace for your internal representatives, or have our representatives order it.
What must be included in the price: The service catalogue
A market-driven DSB contract defines the scope of services in a service catalogue that becomes part of the mandate contract. This catalogue should contain at least the following seven points. Firstly, the order itself, i.e. the legally valid appointment certificate according to Section 38 BDSG, as well as the report to the responsible supervisory authority with a confirmation letter for the client file. Secondly, ongoing advice to management and departments on all data protection-related questions, with a defined response time for inquiries, usually 24 to 48 hours during business hours and a maximum of 8 hours for urgent cases.
Thirdly, maintaining the register of processing activities in accordance with Art. 30 GDPR. This directory is the central evidence to the supervisory authority and must be updated in the event of changes in the IT landscape, new tools, new business processes or new suppliers. Fourthly, support with data protection impact assessments in accordance with Art. 35 GDPR, in the assessment of order processing contracts in accordance with Art. 28 GDPR and with third country transfers in accordance with Art. 44 ff. GDPR. Fifthly, employee training, usually once a year with a list of participants and knowledge test, as well as the processing of inquiries from those affected in accordance with Art. 15 to 22 GDPR within the statutory deadline.
Sixth and particularly important, support in the event of data protection violations with the 72-hour reporting path in accordance with Art. 33 GDPR. The clock starts on awareness. Seventh, the obligation to report to management, usually as a quarterly report with specific recommendations and a status overview of outstanding measures. In the CIVAC workspace, all seven points are represented in 490 ready-to-use audit templates, so that the appointment certificate, signed, filed and verifiable, is ready when the auditor calls. The reporting line to the management is documented via automated quarterly templates.
Recognizing cost traps: What you should pay attention to
The most common cost traps in DSB contracts can be grouped into five categories. Firstly, unclear definition of the hourly quota in the flat rate. Anyone who signs a contract in which the quota included is not quantified in hours or consulting units risks additional bills after three to four months that exceed the original flat rate. Ask for a clear number, for example eight hours of advice per month or four affected person inquiries per year included. Also have the subsequent price per hour after the exceedance guaranteed in writing, ideally with a cap.
Secondly, omission clauses in the small print. In some contracts, the on-site inspection is not included, or it is limited to one appointment per year. If your company has multiple locations, you should clarify the frequency and travel expense mode. Thirdly, long minimum terms of 24 or 36 months without special right of termination in the event of the provider's insolvency or cessation of business. A minimum term of 12 months with a notice period of three months and an express clause for the release of data at the end of the contract is usual in the market.
Fourthly, hidden surcharges in the event of data breaches. Some providers charge an additional flat rate of 1,500 to 3,500 euros for processing a data breach in accordance with Art. 33 GDPR, which quickly leads to the annual costs doubling in medium-sized incidents. Clarify in writing whether reporting within the 72-hour period is included in the flat rate. Fifth, lack of professional liability. An external DPO must provide proof of professional liability for at least 1 million euros, standard market practice is 3 million euros. In the CIVAC model, professional liability and data breach notification are part of the standard flat rate, and the SLA is two business days for the appointment certificate instead of the industry standard two to six weeks. Others run compliance like a filing cabinet. We run it like software.
Comparison matrix: Three provider types for medium-sized businesses
There are three dominant provider types for external DSB mandates in medium-sized companies on the market. The first type is the specialised law firm. It provides a high level of legal depth, is strong in fine proceedings and correspondence with supervisory authorities and is advantageous in complex corporate structures, but costs 1,800 to 2,400 euros per month in the upper market segment. The operational maintenance of the directory or employee training is often outsourced to junior lawyers or external trainers, which lengthens the response time and reduces the consistency of advice. This model is usually oversized for medium-sized companies without a current history of fines.
The second type is the classic data protection consulting firm with certified DPOs. The prices are between 750 and 1,400 euros per month, the legal depth is lower than with a law firm, but the operational routine is higher. Training, directory maintenance and audits are usually carried out by the same person, which ensures continuity. The weak point of this model is often the lack of software: directories and audit trails are maintained in Word and Excel files, which causes tedious processing time in the event of a request from the supervisory authorities.
The third type is the compliance platform with an officer-as-a-service model. Depending on platform usage, the price here is between 590 and 1,200 euros per month. The difference: The platform takes care of the structured data storage, the templates, the reminders and the audit evidence, freeing up human consulting time for strategic questions. CIVAC belongs to the third type and bundles 25 representative roles on one platform. Anyone who licences the workspace retains the internal DPO and only uses the software for appointment certificate, audit templates, reporting line and 72-hour data breach reporting path. Anyone who chooses the full officer-as-a-service model will also receive a named natural person as an external data protection officer. The CIVAC FAQ shows in which constellations which model is typically advantageous.
TCO invoice: External DSB against internal body
The question of whether a medium-sized company appoints an internal or external DPO is primarily a total cost of ownership question. An internal DPO requires a specialist with DPO certification in accordance with Section 38 BDSG, appropriate remuneration and freedom to give instructions to management on data protection-related topics. Market-based annual salaries for an experienced internal DPO in 2026 are between 68,000 and 95,000 euros gross, plus the employer's share of around 22 percent, plus a training budget of 3,000 to 6,000 euros per year and software licences of 1,500 to 4,000 euros annually. In total, annual costs range from 95,000 to 130,000 euros for 0.8 to 1.0 full-time equivalents.
In contrast, costs for an external DPO in medium-sized companies range between 7,200 and 18,000 euros per year. Depending on the case, the difference is 80,000 to 110,000 euros per year. The external DSB is financially worthwhile for almost all companies with fewer than 500 employees. Only when there are 750 to 1,000 employees, with a high processing density and a group-wide structure, does an internal DPO become more mathematically attractive, especially if special topics such as international data transfers, joint controllership or group order processing have to be managed on a long-term basis at the same time.
The qualitative dimension is important in addition to the pure invoice. An internal DPO knows the processes better, sits closer to management and is immediately available in crisis situations. An external DPO brings cross-industry experience, economies of scale in templates and training and is not involved in internal politics, which brings advantages in the event of a conflict with management. The CIVAC model combines both strengths via the workspace: an internal DPO also benefits from the 490 audit templates, the 72-hour reporting path and the ISO 27001:2022-compliant documentation. The platform costs between 290 and 690 euros per month, depending on the module chosen and the number of clients. Licence the workspace for your internal representatives, or have our representatives order it.
Selection process: Seven questions before signing the contract
Before you sign a DPO mandate, you should have seven questions answered in writing, ideally in the offer or in the draft contract itself. First question: Who is the named natural person appointed as DPO and what qualifications does he or she have? Don’t accept a blanket answer like our team did. Ask for their name, certification, years of relevant work experience, and a short resume. Second question: How many mandates does this person manage at the same time? Over 50 mandates per person is a clear warning signal that you should have justified in writing.
Third question: What is the SLA response time for a data breach according to Art. 33 GDPR? A maximum of 8 hours during business hours is acceptable; 4 hours with 24/7 on-call availability are ideal, at least on weekdays from 8 a.m. to 8 p.m. Fourth question: What are the exact contents of the flat rate, expressed in hours or consulting units, and which activities are charged separately? Fifth question: What professional liability is proven, with what insured amount, and who is liable in the event of a fine by the supervisory authority?
Sixth question: What software is used, and does the documentation recorded in the software belong to the client? Only accept a clear yes, ideally with a data export clause in the contract and a deadline for handover at the end of the contract of a maximum of 14 days. Seventh question: Where is the data hosted and who has access? For tenants with EU data residency requirements, the platform must host in the EU and disclose the subprocessor list. CIVAC uses EU data residency and provides a complete export of all client documents, including the audit trail, at the end of the contract. The Overview of all CIVAC officer roles shows which additional roles can be bundled in the same workspace, which results in significant efficiency gains for several compliance topics.
Turn reading into an assignment
The price for an external data protection officer in medium-sized companies is not determined by the flat rate, but by the question of whether the appointment will hold up in the event of an audit. An appointment certificate in accordance with Section 38 BDSG, a report to the supervisory authority, a maintained directory in accordance with Art. 30 GDPR, documented annual training with a list of participants and a verifiable 72-hour reporting path in accordance with Art. 33 GDPR form the core. Anyone who pays 600 euros a month and has these five building blocks in a documented, accessible form is better positioned than a company that pays 1,500 euros and can only show Excel files and email threads in the audit. Structure suggests consulting hours if the auditor wants to see written evidence.
CIVAC is a German compliance platform and officer-as-a-service. We offer the external data protection officer in two models. In the platform model, you licence the workspace, keep your internal DPO and use 490 audit templates, the 93 controls according to ISO/IEC 27001:2022, the EU data residency and the 72-hour reporting path. In the service model, CIVAC also appoints a named natural person as an external DPO, with an appointment certificate within two working days instead of the industry-standard two to six weeks. Both models can be combined with other officer roles, such as information security, compliance or money laundering prevention.
If you are looking for an external DPO that is priced in line with the market for your medium-sized business, let us create an offer with specific service items that is structured according to the seven selection questions above. The auditor calls, the evidence is ready. Send a short inquiry to info@civac.de or using the contact form on civac.de, stating your number of employees and industry. We will respond within one working day with an initial indication and a suggestion for a 30-minute initial consultation to clarify your needs. Turn reading into an assignment.
FAQ
How much will an external data protection officer cost in a medium-sized business in 2026?
Market-based flat rates are between 600 and 1,500 euros per month for medium-sized companies with 50 to 250 employees. Sectors with increased risk such as healthcare, banking or online trading are at the upper end of the corridor, while classic manufacturing companies without intensive personal processing are at the lower end. Flat rates below 300 euros usually indicate non-functional orders without a named natural person and should be examined critically.
What services must a DSB contract contain at least?
At a minimum, this must include the appointment certificate in accordance with Section 38 BDSG with notification to the authorities, ongoing consultation with a defined SLA response time, maintenance of the directory in accordance with Art. 30 GDPR, annual employee training with a list of participants, the processing of requests from those affected in accordance with Art. 15 to 22 GDPR and the 72-hour reporting path for data breaches in accordance with Art. 33 GDPR. Proven professional liability insurance of at least 1 million euros is the market standard; 3 million euros is common.
Is an internal DPO worth it for a company with 200 employees?
With 200 employees, an external DPO is economically advantageous in almost all cases. An internal DSB, including the employer's contribution, training budget and software, costs between 95,000 and 130,000 euros annually for a full-time equivalent. An external DPO costs 9,000 to 16,000 euros per year and also brings cross-industry experience. An internal DSB only becomes mathematically more attractive when there are 750 employees with a high processing density or multiple locations.
How does the CIVAC model differ from a classic data protection law firm?
CIVAC combines a compliance platform with the appointment of a natural person as an external DPO. The platform includes 37 audit templates, 93 ISO/IEC 27001:2022 controls, EU data residency and an automated 72-hour reporting path. Traditional law firms work with individual Word documents and hourly billing, which is more expensive for routine work and less structured for audits. In the event of an audit, the evidence is available to CIVAC immediately; at the office it first has to be compiled from files.
How quickly can an appointment certificate be issued in accordance with Section 38 BDSG?
It is usual for the market to take two to six weeks between signing the contract and issuing the appointment certificate, because preliminary discussions, registering and training planning take place first. CIVAC delivers the appointment certificate within two working days of signing the mandate. The operational induction with directory creation, audit templates and training then takes place in a structured manner via the platform and is usually completed after four to six weeks.
What happens in the event of a data breach according to Art. 33 GDPR in the CIVAC model?
In the event of a data breach, the client activates the reporting path in the workspace with two clicks and CIVAC creates the report to the supervisory authority within 72 hours of becoming aware of it. The deadline runs as soon as it is known, so accessibility via the workspace is crucial. Templates for reporting are stored, the reporting line to management is documented, and the entire process including correspondence is archived for audit purposes.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.