External DPO: when is it mandatory and what does it cost in 2026

·

The Data Protection Officer (DPO) is one of the most common compliance roles since the General Data Protection Regulation (GDPR, EU Regulation 2016/679) entered into application in May 2018. However, eight years on, two frequent misconceptions persist among organisations: believing that a DPO is mandatory for any organisation that processes personal data, or, conversely, thinking that it only applies to public authorities. The reality is more nuanced and has real economic and sanctioning consequences. In this article we answer precisely: When is it mandatory to appoint an external DPO, when is it merely advisable, and what does it cost in the Spanish market in 2026?

What the DPO is — and what it is not

The DPO is an internal supervision and advisory figure, not an executive decision-maker. Its main function is to inform and advise the controller or processor on their data protection obligations, monitor compliance with the GDPR and internal policies, cooperate with the supervisory authority (in Spain, the AEPD) and act as a point of contact for data subjects.

It is worth stressing what the DPO is not: it is not legally responsible for data protection infringements (that responsibility falls on the controller), it is not the drafter of the privacy policy or the manager of processor contracts, nor the equivalent of a general compliance officer. Its role is specifically technical-regulatory in the field of personal data processing.

The DPO may be a natural person employed by the organisation (internal DPO) or an external professional or entity engaged under contract (external DPO). The external model — more common in SMEs and medium-sized entities — allows organisations to have the role without the costs of a highly qualified employment contract, to meet the functional independence requirement imposed by the GDPR, and to access specialised knowledge that is difficult to sustain in-house.

The three mandatory designation cases under the GDPR

Article 37 of the GDPR sets out exactly three cases in which appointing a DPO is mandatory for both controllers and processors:

  1. Public authorities or bodies, except for courts acting in their judicial capacity. This covers the entire Spanish public administration: ministries, regional governments, town councils, public agencies, public enterprises, etc.
  2. Controllers or processors whose core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale. Clear examples: digital marketing companies with mass user profiling, online behavioural tracking platforms, telecommunications companies, financial institutions that continuously monitor transactions.
  3. Controllers or processors whose core activities consist of processing on a large scale of special categories of data (those listed in Art. 9 GDPR: health, racial or ethnic origin, religious beliefs, genetic or biometric data, sexual life, trade union membership, political opinions) or data relating to criminal convictions and offences (Art. 10 GDPR). This covers clinics, hospitals, laboratories, criminal law firms, health insurers, etc.

The LOPDGDD (Organic Law 3/2018 of 5 December) extends in its Article 34 the list of entities required under Spanish law, expressly adding professional associations and their governing bodies, educational institutions, entities operating electronic communications networks and services, information society service providers that build large-scale user profiles, insurance and reinsurance companies, credit financial establishments and payment institutions, electricity and natural gas distributors and suppliers, and private security companies, among others.

The concepts of «large scale» and «core activities»: where the threshold lies

The two most debated concepts in the practical application of Article 37 are precisely those that determine whether an SME falls inside or outside the mandatory case: large scale and core activities.

The European Data Protection Board (EDPB) in its Guidelines on DPOs (WP243 rev.01, adopted as EDPB guidelines) notes that to assess whether processing is «on a large scale», factors such as the number of data subjects (in absolute terms or as a proportion of the relevant population), the volume of data processed, the duration or permanence of the processing, and its geographical extent must be considered. There is no fixed numerical threshold in the GDPR. A 30-employee company managing health records of 50,000 patients processes on a large scale; a family doctor handling their own patients' data does not.

As for «core activities», the EDPB clarifies that this does not refer to ancillary or support activities (such as managing the organisation's own payroll), but to the processing operations that form the heart of the business. A dental clinic has the provision of health services as its core activity and the processing of health data is inseparable from that activity — it is mandatory for them. A bakery that maintains a customer database to send promotions treats data processing as an ancillary activity; the mandatory case in Art. 37.1.b does not apply directly.

Comparison table: does the DPO obligation apply to you?

Type of organisation Applicable provision DPO mandatory Recommended voluntarily
Public authority (town council, ministry, public body) Art. 37.1.a GDPR Yes, always
Hospital, clinic, testing laboratory (large-scale health data processing) Art. 37.1.c GDPR + Art. 34 LOPDGDD Yes
Insurer, financial institution, bank Art. 37.1.b + Art. 34.h/i LOPDGDD Yes (under LOPDGDD)
Digital platform with mass user profiling Art. 37.1.b GDPR (regular and systematic monitoring on a large scale) Yes
Private security company Art. 34 LOPDGDD Yes (under LOPDGDD)
Professional association or governing body Art. 34.a LOPDGDD Yes (under LOPDGDD)
Educational institution (school, university) Art. 34.b LOPDGDD Yes (under LOPDGDD)
Small retail SME (customer base <10,000, no profiling) None directly Not mandatory Yes, if there is an extensive Record of Processing Activities
HR or recruitment company (processes extensive employment data) Grey area: depends on volume and profiling Depends on analysis Highly advisable
Law firm (client data, criminal proceedings) Art. 37.1.c if there is volume of criminal data Possibly yes Yes in any case

When it makes sense to appoint a DPO even if it is not mandatory

The AEPD, in its Practical Guide for the DPO in non-public entities, is explicit: the voluntary appointment of a DPO is a measure of proactive accountability that the GDPR views positively. It does not compel — but strongly recommends — appointing one in organisations that, while not falling under the mandatory cases, are characterised by any of these factors:

From a practical standpoint, the presence of a DPO — even a voluntary one — generates significant legal effects: it facilitates demonstration of the accountability principle, reduces the likelihood of sanctions in the event of an incident, and strengthens the confidence of clients, suppliers and the regulator itself. In sectors where GDPR is a commercial lever (healthcare, pharmaceuticals, financial services, technology), having a DPO appointed and registered with the AEPD is now practically a market standard.

Registration of the DPO with the AEPD

Whether the appointment is mandatory or voluntary, the controller must publish the DPO's contact details and communicate them to the supervisory authority. In Spain, the AEPD maintains a public DPO register accessible through its electronic office. Notification is made via the form available on the AEPD's electronic office and is mandatory when the appointment is legally required. The DPO is not required to disclose their identity to data subjects, but a contact channel must be made available to them (typically a dedicated email address such as dpo@company.com).

A practical consequence that many organisations discover too late: if you voluntarily appoint a DPO and notify the AEPD, the authority may address them in its supervisory proceedings. The appointed DPO must be genuinely operational and have access to the necessary information; otherwise, the role can become counterproductive.

DPO profile and qualifications: what the GDPR requires

Article 37.5 of the GDPR states that the DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, as well as the ability to fulfil the tasks referred to in Article 39. The GDPR does not require any specific official qualification, although in the Spanish market the following are particularly valued:

The external DPO — whether a natural or legal person — must ensure the absence of conflicts of interest. The GDPR prohibits the controller from giving the DPO instructions on how to perform their tasks, and the AEPD has indicated in resolutions that the same DPO may provide services to multiple clients, provided they can dedicate sufficient time to each and no conflicts of interest exist between them.

What does an external DPO cost in 2026: market ranges

The Spanish external DPO market has matured considerably since 2018. Prices vary depending on the size and complexity of the organisation, the volume of processing activities, the sector, and the level of service included (compliance only, or also training, incident response, DPIA management, etc.). Below is an approximate reflection of the market ranges observed in 2025-2026, not including Summum Consultoría's own rates, which are always provided after analysis of the specific case:

Organisation profile Indicative annual range (Spanish market 2026) What it typically includes
Small SME (<50 employees, 2-4 processing activities, no sensitive data) €800 – €2,500/year RPA maintenance, annual review, DPO channel, basic query support
Medium SME (50-250 employees, multiple processing activities, health or financial data) €2,500 – €6,000/year Full RPA, DPIA where applicable, staff training, breach management, AEPD contact
Large organisation or public entity (>250 employees, complex processing, high regulation) €6,000 – €18,000/year (or more) Full service: periodic audits, 24/7 incident response, ongoing training, management reporting
Initial implementation from scratch (gap analysis + RPA + clauses + processor contracts) €1,500 – €5,000 (one-off project) Gap diagnosis, RPA, documentation review, AEPD registration

These ranges are indicative and reflect market observation; the actual cost always depends on the scope of the service. The key point for decision-making is to compare that cost against the real risk of sanctions: the GDPR sets fines of up to €20 million or 4% of total worldwide annual turnover for the most serious infringements. The AEPD imposed sanctions worth tens of millions of euros in published resolutions in 2024 alone, with cases that explicitly include the absence or ineffectiveness of the DPO as an aggravating factor.

External DPO vs. internal DPO: decision criteria

The choice between an internal and external DPO is not purely economic. There are organisational and independence factors that weigh equally or more:

If your organisation is considering hiring an external DPO, the first step is always a diagnostic of the processing map to determine whether the obligation applies and what level of service the actual complexity of processing requires.

Practical process for appointing an external DPO

Once the decision to appoint an external DPO has been taken, the typical process in the Spanish market follows these steps:

  1. Prior diagnosis: inventory of active processing activities, assessment of whether a legal obligation exists or the appointment is voluntary, identification of documentary gaps (incomplete RPA, outdated privacy notices, outstanding processor contracts).
  2. DPO service contract: signing the service agreement with the designated entity or professional, which must specify the concrete functions, availability, communication channels and confidentiality terms.
  3. Internal communication: publication of the DPO's contact details in the privacy policy and through the organisation's internal channels. Employees must know who to contact.
  4. Notification to the AEPD: via the notification form available on the AEPD's electronic office (mandatory when the appointment is legally required; recommended even when voluntary).
  5. Documentary update: updating the RPA, reviewing privacy notices, verifying processor agreements (DPAs) with key technology suppliers.
  6. Ongoing operation: the DPO is incorporated into the operational workflow: handling data subject rights requests, overseeing new projects with a privacy impact (privacy by design), managing breaches if they occur.

The GDPR compliance practice at Summum Consultoría covers both initial implementation and ongoing maintenance of the privacy management system, including the external DPO role for organisations that require it by legal obligation or strategic compliance decision.

Real sanctions for the absence or ineffectiveness of the DPO

Although the absence of a DPO does not have a specific sanction amount assigned in the GDPR, it is classified as a serious infringement under Article 83.4: fines of up to €10 million or 2% of total worldwide annual turnover where it relates to infringements of Chapter IV (which includes Article 37 on the DPO). In actual AEPD proceedings, the absence of a DPO in organisations required to have one has acted as an aggravating factor in sanctions that combined multiple other breaches.

Documented cases from the AEPD in recent years include educational institutions without a DPO processing children's data on a large scale, private security companies without an appointed DPO — a sector explicitly included in the LOPDGDD — and private healthcare entities that had «appointed» a DPO on paper but with no real functions or access to the necessary information. In all these cases, the absence or ineffectiveness of the DPO aggravated the final sanction.

Frequently asked questions

Does an SME with 10 employees have to appoint a DPO?

Not merely because it has 10 employees. The obligation does not depend on the size of the company but on the nature and volume of the processing activities. A micro-enterprise with 5 employees operating a digital health platform that monitors thousands of users is required to appoint one. A 200-employee company engaged in retail without special categories of data and without large-scale profiling is not, although it is advisable to voluntarily appoint a DPO if the complexity of its processing justifies it.

Can the IT manager or HR director take on the DPO role?

The GDPR and the AEPD expressly warn that the DPO cannot perform functions that involve determining the purposes and means of processing. The Head of IT who decides which HR software to implement, or the HR director who determines what employee data to collect, have a structural conflict of interest that makes their appointment as DPO invalid. This dual role is one of the most frequent errors detected by the AEPD in its supervisory activities and may result in the appointment being deemed ineffective.

Does the external DPO sign as controller or processor?

Neither. The DPO is a supervisory and independent role, not a party to the processing. The relationship with the external DPO is formalised through a service contract (not a data processing agreement in the sense of Article 28 GDPR). The external DPO accesses the organisation's personal data to carry out their functions, but does not process it on behalf of the controller for their own purposes; they act as advisor and supervisor. Some firms include reinforced confidentiality clauses in their DPO contract precisely to clarify this status.

What happens if the appointed DPO stops providing the service?

If the relationship with the external DPO is terminated and the organisation was required to have one, it enters a situation of non-compliance from the first day without a DPO. The organisation must notify the AEPD of the departure of the previous DPO and communicate the new one as soon as they are appointed. It is common for external DPO contracts to include notice periods of 1 to 3 months precisely to ensure continuity of compliance. In organisations with a legal obligation, leaving the position vacant — even for a brief period — is a risk the AEPD can detect if an incident or complaint arises in that interval.