CIVAC
Data Protection & Privacy | 31 May 2026 | 12 min read

Appointing an External DPO: When the External Solution Beats the Internal Post

By Lena Vogt

An external data protection officer is often appointed faster, costs less, and is in practice more independent of the organisation than an internal employee in the same post. This article explains the obligation to appoint under Art. 37 GDPR and § 38 BDSG, market-standard costs, liability questions, and the selection criteria by which you recognise a qualified external DPO.

Appointing a data protection officer is mandatory under Art. 37 GDPR and § 38 BDSG as soon as at least 20 people in a company are constantly engaged in the automated processing of personal data, or as soon as a data protection impact assessment under Art. 35 GDPR becomes necessary. Anyone who fails to appoint despite the obligation risks fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher, under Art. 83(4)(a) GDPR.

Many companies decide against an internal appointment in favour of an external data protection officer. This article explains when a DPO must be appointed externally, what costs are realistic, how liability and the reporting line are governed, and which proof of qualifications you should check before engaging one. At the end, you will see how the appointment, the catalogue of tasks and the documentation can be mapped operationally in a compliance workspace.

Key Takeaways

  • The obligation to appoint applies from 20 people constantly engaged in automated data processing, or independently of headcount where a data protection impact assessment under Art. 35 GDPR is required.
  • An external DPO is free from instructions, can be replaced at the end of the contract term, and typically costs between EUR 250 and 1,500 per month in the mid-market, depending on the scope of processing.
  • The appointment letter, catalogue of tasks, reporting line and training records belong in an auditable file that can be handed to the supervisory authority on request within a few days.

Obligation to Appoint under Art. 37 GDPR and § 38 BDSG

The obligation to appoint a data protection officer arises on two levels. Art. 37(1) GDPR requires a DPO for public authorities, for controllers whose core activity requires regular and systematic monitoring of data subjects on a large scale, and for controllers whose core activity consists of large-scale processing of special categories under Art. 9 GDPR or of data on criminal convictions under Art. 10 GDPR. § 38 BDSG adds the German threshold: 20 people who are constantly engaged in the automated processing of personal data.

In practice, the 20-person threshold is the most common trigger for the mid-market. Full-time staff, part-time staff, working students and freelancers are all counted, provided they regularly work with customer, personnel or supplier data. Even an employee who spends two hours a day maintaining a CRM list counts towards the 20. Independently of headcount, § 38(1) BDSG also requires a DPO where processing is subject to a data protection impact assessment under Art. 35 GDPR, for example video surveillance of public spaces, the use of AI models for candidate selection, or systematic profiling in online retail.

The external data protection officer is appointed in practice by means of a written appointment letter that governs tasks, powers, the reporting line and termination terms. The DPO's contact details must be communicated to the competent supervisory authority and published under Art. 37(7) GDPR; in practice this means the privacy policy (where Art. 13(1)(b) GDPR requires them anyway) and, by common convention in Germany, the legal notice.

Internal versus External DPO: When Each Solution Pays Off

The decision between an internal and an external appointment follows four criteria: cost structure, availability of qualified staff, absence of conflicts, and the allocation of liability.

An internal DPO makes sense when the company grows beyond 500 employees, operates several large sites, or processes special categories of data on a large scale, for example clinics or large staffing agencies. The internal DPO sits close to management and the departments, knows the processes and the shadow IT, but depends on continuous further training and, because of Art. 38(6) GDPR, may not hold any other role that creates a conflict of interest. IT management, HR management and the management board are therefore ruled out as dual roles, because they decide on the purposes and means of processing and would be monitoring themselves.

The external solution scores where the company has fewer than 250 employees, no suitably qualified staff member is available without a conflict of interest, or specialised advice is needed, for example on processing on behalf in the cloud, international data transfers under Chapter V GDPR, or employee data protection under § 26 BDSG. The external DPO brings a market overview, is free from instructions, and, in the event of poor performance, can be replaced at the end of a notice period of typically three months. The reporting line leads directly to management and is fixed in the appointment letter. Conflicts with day-to-day operations arise less often, because the external DPO carries no line responsibility.

Catalogue of Tasks: What an External DPO Actually Delivers

The statutory minimum catalogue is set out in Art. 39 GDPR. It covers informing and advising the controller and the employees, monitoring compliance with the GDPR and other data protection provisions, advising in connection with the data protection impact assessment, and cooperating with the supervisory authority.

In implementation, this typically means in the first year: recording and maintaining the record of processing activities under Art. 30 GDPR, reviewing all processing agreements under Art. 28 GDPR, auditing the technical and organisational measures under Art. 32 GDPR, employee training with documented attendance, handling data subject requests under Art. 15 to 22 GDPR within the deadlines of Art. 12(3) GDPR, and establishing the 72-hour notification process for data breaches under Art. 33 GDPR.

An external DPO usually delivers these services as an annual package with defined hour quotas, a fixed point of contact and a quarterly report to management. Anyone wishing to accelerate operationalisation uses a compliance platform with audit templates, record templates and a prepared 72-hour notification path. This shortens the setup phase to a few weeks, and in the event of an incident the supervisory authority receives an auditable file rather than a hotchpotch of email attachments and Excel lists.

Costs: Market-Standard Ranges and Price Drivers

The remuneration of external data protection officers follows two models in the German market. First, the flat-rate model with a monthly fee that covers requests, advice, training and a fixed audit rhythm. Second, the time-based model, billed by the hour or by the day, with daily rates of between EUR 950 and 1,800.

For SMEs with 20 to 100 employees, the market-standard flat rate lies between EUR 250 and 700 per month. Companies between 100 and 500 employees typically pay EUR 700 to 1,500 per month, depending on the number of sites, data intensity and sector risk. Cloud-oriented tech companies, healthcare and HR service providers are at the upper end, classic B2B industrial businesses without end-customer data at the lower end.

The price drivers, in order of their impact, are: the number of processors, international data transfers outside the EU, the use of AI procedures that involve personal data, high employee turnover, and sectors subject to supervisory visits such as healthcare, finance or pharmaceuticals. Anyone reviewing a flat rate should fix the hourly rate for additional services, the response time for data breaches, the training frequency and the reporting obligations transparently in the contract. Hidden extra costs most often arise from audit support, correspondence with authorities and on-site appointments.

Liability, Freedom from Instructions and the Reporting Line

Under Art. 38(3) GDPR, the DPO receives no instructions in carrying out their tasks, reports directly to the highest management level, and may not be dismissed or penalised for performing those tasks. This rule draws a clear line between responsibility and oversight: the controller remains the owner of the processing and is primarily liable for breaches. The DPO monitors, documents and advises.

Independent liability of the external DPO arises only in the case of gross breach of duty, for example where a clearly recognisable breach was not reported, a data protection impact assessment was omitted despite being mandatory, or a data breach was concealed against better knowledge. In practice, external DPOs protect themselves with professional indemnity insurance with minimum cover of EUR 1 million per claim. The client should ask to see this policy before awarding the mandate.

The reporting line must be recorded organisationally. The external DPO has direct access to management, is not subordinate to IT or HR management, and may not be dismissed for criticism or for a report to the supervisory authority. The termination terms belong in the appointment letter, which in turn belongs in the compliance file: signed, filed and verifiable. In the event of a dispute, this file is the first thing the supervisory authority wants to see.

Selection Criteria: How to Recognise Quality

Art. 37(5) GDPR requires professional qualifications and expert knowledge in the field of data protection law. The wording is open, but the market has agreed on auditable standards.

The minimum standard is certified training as a data protection officer (for example from TÜV, ISACA or udis) with regular refreshers. For complex mandates, IT security certificates are added, for example Lead Auditor under ISO/IEC 27001:2022 or a CISSP qualification. In-depth legal expertise in IT law is an advantage in cases involving international data transfers.

Besides certificates, three operational factors count. First, sector experience: anyone who looks after hospital chains knows the special provisions under § 22 BDSG and the law on healthcare professions. Second, availability: a response time within 24 hours for data breaches is the market standard and belongs in the contract. Third, the tools: anyone who maintains the record of processing activities in an Excel file circulated by email is not audit-ready, whereas a compliance platform with versioning, an authorisation concept and EU data residency produces documentation that can be audited. Before engaging a provider, ask to be shown sample audits, report samples and a reference-customer contact. That separates providers who only sell hours from those who deliver robust documentation.

Onboarding: The First 90 Days with an External DPO

Professional onboarding follows a clear rhythm. In the first two weeks, the external DPO compiles an inventory: which processing operations exist, which processors are connected, which third-country transfers exist, and which technical and organisational measures are already documented.

In weeks three to six, the record and the processing agreements are consolidated. Incomplete contracts under Art. 28 GDPR are the most common audit finding. In parallel, the data subject rights processes are set up, that is access, rectification, erasure, restriction of processing, data portability and objection. An internal SLA is anchored for the response deadline under Art. 12(3) GDPR: one month from receipt, extendable by two further months only for complex or numerous requests, and the data subject must be told about the extension within the first month.

In weeks seven to twelve, the employee rollout follows: mandatory training with proof of attendance, a confidentiality undertaking for everyone who processes personal data (Art. 29 and Art. 32(4) GDPR for the controller's own staff; Art. 28(3)(b) GDPR for processor staff), and the establishment of the 72-hour notification path for data breaches. A compliance platform with ready-made audit templates shortens this period considerably, because the templates for the record, the processing-agreement review and proof of training do not have to be reinvented each time. At the end of the first 90 days, there is a documented status that will withstand a supervisory enquiry: when the auditor calls, the evidence is ready.

Interfaces with the ISO, Compliance and Whistleblower Protection

The data protection officer does not work in a vacuum. Three interfaces are operationally decisive.

The first interface is the information security officer (ISO). The technical and organisational measures under Art. 32 GDPR overlap considerably with the controls under ISO/IEC 27001:2022. Anyone who aligns both roles cleanly avoids duplicate documentation and reuses audit results several times. It is important that the DPO and the ISO are not the same person: the ISO selects and implements the security measures, and a DPO who also held that role would be monitoring their own work, which is exactly the conflict of interest Art. 38(6) GDPR prohibits.

The second interface is the internal reporting office under the Whistleblower Protection Act (HinSchG). Reports of data protection breaches often arrive there first. The reporting office must operate confidentially, free from instructions, and with its own intake documentation. The DPO is a recipient of relevant reports, not the operator of the reporting office.

The third interface is the compliance function, for example the anti-money laundering or LkSG officer. Data protection is cross-cutting: employee data, supplier screening, risk analysis, access rights. In a compliance platform with a shared role and file structure, these interfaces can be documented without switching between systems. The DPO's file contains references to relevant matters of other roles, without duplicating original files.

Implementing an External DPO Operationally with CIVAC

CIVAC is a compliance platform and officer-as-a-service based in Germany with EU data residency. The platform covers 25 officer roles, including the data protection officer, with 37 ready-to-use audit templates, a prepared notification path for incidents (72 hours for data breaches under Art. 33 GDPR, 24-hour early warning for NIS-2 incidents), and a central workspace for the appointment letter, the record, the processing-agreement file and training records.

You have two ways to deploy this. License the workspace for your internal officers, or have our officers appointed. In the first case, your own data protection team works with the templates, the versioning and the authorisation concept. In the second case, CIVAC takes over the external DPO function including the appointment letter and the reporting line to management. The SLA standard is to take up the work within two business days, where a classic search process takes two to six weeks.

If you want to know what an auditable DPO file looks like specifically in your company, contact us via the contact form or write to info@civac.de. Turn reading into a mandate.

FAQ

When is an external data protection officer legally mandatory?

The law requires a data protection officer, not specifically an external one; whether the post is filled internally or externally is the controller's choice. The obligation arises from Art. 37 GDPR and § 38 BDSG as soon as at least 20 people in a company are constantly engaged in the automated processing of personal data, or as soon as a data protection impact assessment under Art. 35 GDPR is required.

What does an external DPO cost in the mid-market?

For companies with 20 to 100 employees, the market-standard flat rate lies between EUR 250 and 700 per month. Between 100 and 500 employees, EUR 700 to 1,500 per month is realistic. Price drivers are the number of processors, third-country transfers and sector risk.

Is the external DPO personally liable for data protection breaches?

Primary responsibility lies with the controller of the processing. Independent liability of the DPO arises only in the case of gross breach of duty. Professional indemnity insurance for the external DPO with minimum cover of EUR 1 million per claim is the market standard and should be evidenced contractually.

How quickly must a data breach be reported?

Under Art. 33 GDPR, a data breach that is likely to result in a risk to data subjects must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The clock starts on awareness; if the deadline is missed, the notification must state the reasons for the delay. A prepared notification chain with templates shortens the response time considerably.

Can the head of IT also be the DPO?

No. Art. 38(6) GDPR prohibits tasks involving a conflict of interest. IT management, HR management and the management board are ruled out as dual roles, because they themselves decide on the purposes and means of the processing.

How long does it take to appoint an external DPO?

A classic search and contract negotiation take two to six weeks. With a platform-based officer-as-a-service model, the work can be taken up within two business days. The appointment letter and the communication of the DPO's contact details to the supervisory authority follow immediately.
