Data Protection & Privacy | 20 May 2026 | 12 min read

External Data Protection Officer: Appointment Obligation, Costs and Selection Criteria

By Lena Vogt

Art. 37(6) GDPR explicitly permits the appointment of an external Data Protection Officer. For SMEs with limited internal resources, this is often the more efficient choice — provided the appointment document is correctly drafted.

Art. 37(6) GDPR (Regulation (EU) 2016/679) explicitly permits the appointment of a Data Protection Officer on the basis of a service contract. The external DPO has the same duties and rights as an internal officer: independence from instructions under Art. 38(3) GDPR, a direct reporting line to senior management, confidentiality obligations, and the right to support from the controller. What differs is the employment structure — and with it, often the de facto independence.

This article explains when the appointment obligation applies, why many SMEs opt for an external DPO, what a service contract must regulate, and how CIVAC enables a compliant appointment within two working days.

Key Takeaways

  • An external DPO is fully legally compliant under Art. 37(6) GDPR and is subject to the same duties and protections as an internal officer.
  • The appointment obligation under § 38(1) BDSG applies from 20 individuals regularly engaged in automated data processing — regardless of total headcount.
  • The appointment document must be in writing, explicitly regulate duties and independence, and must be producible to the supervisory authority on request.

Appointment Obligation: When Do You Need a DPO?

The obligation to appoint a Data Protection Officer arises from two parallel provisions: Art. 37(1) GDPR and § 38(1) BDSG. Art. 37 GDPR requires appointment where the core activities consist of large-scale, regular and systematic monitoring of individuals, or where special categories of data under Art. 9 GDPR are processed. § 38(1) BDSG significantly lowers the threshold for Germany: a DPO must be appointed once 20 individuals are regularly engaged in automated data processing.

The 20-person threshold does not cover only full-time employees — it includes part-time staff, temporary workers and trainees who regularly handle personal data in digital systems. A sales team using a CRM system, an HR department using payroll software, or a customer service team using a ticketing system typically already exceeds this threshold in organisations with 30 or more employees in total.

Internal vs. External DPO: Structural Comparison

The internal DPO is an employee of the appointing organisation. They know the processes, systems and culture well. Their structural risks: they cannot simultaneously be DPO and IT manager, HR manager, managing director or CFO, as these roles give rise to conflicts of interest under Art. 38(6) GDPR. Furthermore, under Art. 38(3) GDPR they may not be dismissed or penalised for performing their DPO duties — which makes it harder for the organisation to respond internally when such a conflict of interest arises.

The external DPO brings structural independence: no employment dependency, no role conflicts with operational functions, and cross-client compliance expertise. Their structural risk: they know the organisation less well than an internal employee, which may lead to a longer familiarisation period. For organisations between 20 and 250 employees, the external DPO is usually the more cost-effective and legally cleaner solution.

Costs of an External Data Protection Officer

The cost of an external DPO depends on the scope of services, the size of the organisation and the complexity of processing activities. Market-standard flat-fee models for SMEs range from €250 to €1,200 per month. The price range reflects differences in service depth: a pure advisory package without an active workspace differs structurally from a full DPO mandate with availability guarantee, data breach on-call service and monthly reporting to management.

The following service components should be contractually specified in an external DPO mandate:

  • advisory capacity (hours per month or unlimited);
  • response times for data subject requests and data breach incidents;
  • DPO availability for supervisory authority enquiries;
  • training delivery and documentation;
  • reporting format and frequency to management;
  • a deputy arrangement in the event of absence.

Any mandate without these specifications is not a full DPO mandate within the meaning of Art. 39 GDPR.

The Service Contract: What It Must Cover

The contract with an external DPO is not a data processing agreement under Art. 28 GDPR, but a service contract under §§ 611 ff. BGB. It must cover at minimum:

  • scope of duties (advisory services, reporting obligations, training coordination, data breach response);
  • remuneration and billing model;
  • contract term and notice periods;
  • deputy arrangements in case of absence;
  • confidentiality obligation of the external DPO;
  • independence from instructions under Art. 38(3) GDPR;
  • liability provisions for breaches of duty.

Particularly important: the contract must explicitly guarantee the DPO's independence from instructions. Any contractual clause that allows the controller to instruct the DPO on the substance of their advisory work violates Art. 38(3) GDPR and renders the appointment formally non-compliant.

The Appointment Document: Form and Content

The appointment of the DPO need not necessarily be in writing under Art. 37 GDPR — but in practice, the written appointment document is the only reliable evidence. The document should contain:

  • name and contact details of the appointed DPO;
  • date of appointment;
  • confirmation of duties under Art. 39 GDPR;
  • confirmation of independence from instructions under Art. 38(3) GDPR;
  • confirmation of the direct reporting line to senior management;
  • signature of the controller (managing director).

The DPO must be notified to the supervisory authority under Art. 37(7) GDPR. The notification consists of the DPO's name and contact details — not the full appointment document, but enough for the authority to make contact. The notification can be made online via the portal of the relevant state data protection authority. The contact details must also be published in the privacy policy.

Notifying the DPO to the Supervisory Authority

Art. 37(7) GDPR requires the controller to publish the appointed DPO and communicate their contact details to the competent supervisory authority. At minimum, the following must be published: contact details of the DPO (email address or postal address) through which data subjects can contact the DPO directly. Name and institution of the DPO must be communicated on request, but need not be publicly visible.

Publication typically takes place in the website privacy policy. The name or function of the DPO and a direct contact address must be stated there. Many organisations also make the DPO contactable via a dedicated email address (e.g. datenschutz@company.de) which is routed directly to the DPO. This is recommended — it reduces the risk of data subject enquiries being misdirected and documented incorrectly.

Duties of the External DPO under Art. 39 GDPR

Art. 39 GDPR exhaustively defines the DPO's minimum duties: informing and advising the controller, processors and employees of their obligations; monitoring compliance with the GDPR and other data protection provisions and with the internal policies of the controller; advising on data protection impact assessments under Art. 35 GDPR; cooperating with the supervisory authority; and acting as a contact point for the supervisory authority on data protection matters.

These duties are defined by law and cannot be restricted by contract. A service contract that limits the DPO's advisory function — for example, to specific processing activities or certain departments — does not satisfy the requirements of Art. 39 GDPR.

Changing the DPO: Ensuring Continuity

Art. 38(3) GDPR protects the DPO from dismissal or penalty for performing their duties. This does not mean that a change of DPO is generally excluded — for valid reasons (end of contract, capacity constraints, specialisation requirements) a change is permissible. Points to observe include:

  • handover of the RoPA and all data protection documentation;
  • updating the notification to the supervisory authority under Art. 37(7) GDPR;
  • updating the privacy policy;
  • ensuring no protection gap in ongoing data breach proceedings or supervisory authority enquiries.

When transitioning from an internal to an external DPO, particular attention must be paid to continuity of the compliance documentation. All records, current projects, open data subject requests and pending training records must be transferred in full to the CIVAC workspace so that no supervisory authority enquiry falls into a gap.

Appointing an External DPO: How It Works with CIVAC

CIVAC is a compliance platform and Officer-as-a-Service for all 25 officer roles. For the Data Protection Officer, this means: licence the workspace for your internal DPO — or appoint an external DPO from the certified CIVAC partner network. Both models use the same platform: task tracking, training modules with certification, audit templates, reporting line to management and automatic deadline management.

The CIVAC SLA: contract, person and appointment document within two working days. Instead of the typical lead time of two to six weeks for search, evaluation and onboarding of an external DPO, CIVAC delivers a qualified, ready-to-go appointment. Contact: info@civac.de.

FAQ

Is an external Data Protection Officer legally permissible?

Yes. Art. 37(6) GDPR explicitly permits the appointment of an external DPO on the basis of a service contract. The external DPO has the same rights and duties as an internal officer.

When am I obliged to appoint a DPO?

Under § 38(1) BDSG, from 20 individuals regularly engaged in automated data processing. Under Art. 37(1) GDPR, for certain types of processing regardless of this threshold.

What does an external Data Protection Officer cost per month?

Market-standard flat-fee models for SMEs range from €250 to €1,200 per month, depending on the scope of services and the size of the organisation. CIVAC provides transparency on the scope of services before contract conclusion.

Must the external DPO be notified to the supervisory authority?

Yes. Art. 37(7) GDPR requires the DPO's contact details to be communicated to the supervisory authority and published in the privacy policy.

Can I change the external DPO at any time?

A change is permissible for valid reasons. Art. 38(3) GDPR protects the DPO from dismissal for performing their duties, not from regular termination of the contract. When changing DPO, the handover of documentation and the updating of the notification to the supervisory authority must be ensured.

What are the specific duties of the external DPO?

Art. 39 GDPR defines the mandatory duties: advisory services, compliance monitoring, support for DPIAs, cooperation with the supervisory authority and acting as a contact point for data subjects. These duties cannot be restricted by contract.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
