Internal vs. external DPO: which should you choose and why?

·

When an organisation reaches the point of appointing a Data Protection Officer (DPO), the first question that arises is almost always the same: do we bring someone in from our own staff, or do we use an external service? Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD) impose neither model: both are valid. However, the choice has very different practical consequences in terms of independence, specialisation, cost and sanction exposure. This article answers every relevant question to help you make that decision with confidence.

What does the GDPR say about the DPO model?

Articles 37 to 39 of the GDPR regulate the DPO without expressing a preference for either model. Article 37(6) states explicitly that «the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract». In other words, the regulation recognises and equally supports both routes.

What the GDPR does require — in Article 38 — is that the DPO act with full functional independence: the DPO may not receive instructions from the controller or processor regarding the performance of those tasks and may not be dismissed or penalised for performing them. That independence requirement is, in practice, the main differentiating factor between the two models.

Internal DPO: when does it make sense?

An internal DPO is an employee of the organisation who assumes the tasks set out in Article 39 of the GDPR: informing and advising the controller, supervising compliance, cooperating with the supervisory authority (the AEPD in Spain) and acting as a contact point for data subjects.

This model may be appropriate when all of the following conditions are met:

External DPO: when is it the better option?

An external DPO is a specialised professional or organisation that provides the delegate service under a service contract. This is not a processor contract within the meaning of Article 28 of the GDPR: the external DPO does not process data on behalf of the controller for their own purposes, but acts as an independent adviser and supervisor.

The external model is the most common choice for SMEs, medium-sized entities and organisations that are required to have a DPO but do not have sufficient volume to sustain a highly qualified internal position. Its structural advantages are clear:

Comparison table: internal DPO vs. external DPO

Criterion Internal DPO External DPO
Functional independence Possible but harder to demonstrate (risk of hierarchical pressure) Structurally more robust; easier to demonstrate to the AEPD
Specialisation Depends on the candidate's profile and available ongoing training High; data protection is the consultancy's primary activity
Availability during incidents Limited by working hours, holidays and sick leave Continuous, with on-call protocols for breaches
Risk of conflict of interest High if the DPO has other operational functions involving data Low; function is exclusively supervisory
Cost for SMEs High (salary + social security + training + recruitment) Affordable; indicative ranges from €800 to €6,000/year depending on complexity
Internal knowledge of the organisation Greater; direct access to day-to-day operations Requires an onboarding phase and periodic updates
Suitability for legally obligated organisations Yes, if independence requirements are met Yes, and more common in practice in the Spanish market
Ease of replacement Complex (recruitment process, employment notice period) Straightforward; the provider guarantees service continuity

Who is required to have a DPO?

Before choosing a model, it is worth confirming whether the appointment is mandatory or voluntary. Article 37 of the GDPR establishes three mandatory scenarios:

  1. Public authorities and bodies, except for courts acting in their judicial capacity.
  2. Controllers or processors whose core activities consist of processing operations which, by their nature, require regular and systematic monitoring of data subjects on a large scale: digital tracking platforms, telecoms companies, financial institutions with continuous transaction monitoring.
  3. Controllers or processors whose core activities consist of processing, on a large scale, special categories of data (Art. 9 GDPR: health data, genetic or biometric data, racial origin, religious beliefs, sexual life, trade union membership, political opinions) or data relating to criminal convictions and offences (Art. 10 GDPR): hospitals, clinics, health insurers, laboratories, criminal law firms.

The LOPDGDD extends this list in Article 34 with categories specific to the Spanish legal order: professional associations, educational establishments, private security companies, energy distributors and electronic communications providers that build user profiles, among others.

If the organisation does not fall within any of these scenarios, it may voluntarily appoint a DPO. The AEPD recommends doing so when special categories of data are processed even if not «at large scale», when the Record of Processing Activities (RoPA) is extensive, or when data protection impact assessments (DPIAs) are carried out regularly.

What happens if the DPO does not meet the independence requirements?

The AEPD has resolved cases in which the appointed DPO had incompatible functions: an IT Manager who was also DPO, an HR Manager appointed as delegate, or executives with decision-making power over processing. In all those cases, the authority considered the appointment ineffective and the organisation to be, in practice, without a DPO.

The consequences are significant. The absence of a DPO in an organisation required to have one is classified under Article 83(4) of the GDPR as an infringement that may attract fines of up to €10 million or 2% of global annual turnover. In actual enforcement cases, an inoperative DPO has acted as an aggravating factor that increases the amount of sanctions that already included other non-conformities.

It is also worth noting that the most serious infringements — up to €20 million or 4% of global annual turnover under Article 83 of the GDPR — apply to breaches of the principles and lawfulness conditions of processing, including cases in which the absence of an operational DPO has contributed to a security breach not being properly managed.

Can the same external DPO serve multiple clients?

Yes. The GDPR explicitly provides that the DPO may provide services to several organisations (Art. 37(3)), provided they can dedicate the time necessary to each to perform their tasks adequately and provided there are no conflicts of interest between the different clients. This is precisely what a well-structured external DPO service does: it distributes the workload across the consultancy's team — several specialised professionals, not a single resource — guaranteeing a response to any incident regardless of any individual's personal schedule.

Appointment process: steps common to both models

  1. Prior diagnosis of processing activities: inventory of the Record of Processing Activities (RoPA), identification of special categories, assessment of whether the obligation is legal or the appointment is voluntary.
  2. Selection of the DPO: Article 37(5) of the GDPR requires that they be appointed on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practice. In the Spanish market, CIPP/E (IAPP) or CDPP (AEPD/ENAC) certifications and demonstrable experience in breach management and impact assessments are particularly valued.
  3. Formalisation: service contract if external, job description if internal. The scope of functions, contact channels and independence guarantee must be documented.
  4. Internal communication: employees must know who the DPO is and how to contact them. This is included in the internal privacy policy and in the privacy notices addressed to data subjects.
  5. Notification to the AEPD: using the form provided on the AEPD's electronic platform. Mandatory when the appointment is legally required; recommended for voluntary appointments.
  6. Ongoing operations: the DPO is integrated into the privacy-by-design workflow, handling of data subject rights requests, breach management and ongoing regulatory compliance supervision.

Practical recommendation for SMEs in Castilla y León and the Canary Islands

For the majority of SMEs in our geographical area — organisations with between 10 and 250 employees in Castilla y León and the Canary Islands — the external DPO model provides the best balance of cost, independence and specialisation. The reasons are concrete: the cost of an internal professional with the right profile (specialist legal training, recognised certification, experience in DPIAs and breaches) significantly exceeds the annual cost of a well-structured external service. Moreover, the risk of a conflict of interest is almost inevitable if the role is assigned to someone who already has operational responsibilities involving data.

The exception is larger organisations with very high-volume or highly sensitive processing operations — hospitals, large public authorities, financial institutions — where a dedicated internal DPO makes sense both in terms of workload and the level of internal knowledge required.

In any case, the decision should be based on a genuine diagnosis of the processing map and the organisation's specific risks, not on a generic choice based solely on cost. The data protection compliance team at Summum Consultoría supports that diagnosis and, where appropriate, assumes the external DPO function with full operability from day one.

Frequently asked questions

Can the company's Legal Director be the DPO?

It depends on their specific functions. If the Legal Director determines the purposes and means of data processing — such as drafting processor contracts or deciding the lawfulness bases for main processing operations — a conflict of interest exists that invalidates their appointment as DPO. If their legal function is disconnected from decisions about data processing, the incompatibility may not exist, although the AEPD recommends caution and explicitly documenting that there is no conflict.

Does the external DPO sign as a data processor?

No. The external DPO is not a processor within the meaning of Article 28 of the GDPR. Their relationship with the organisation is formalised through an ordinary service contract, typically supplemented by enhanced confidentiality clauses. The DPO accesses personal data to perform their supervisory functions, but does not process it on behalf of the controller for their own purposes.

What happens if we change our external DPO mid-year?

The organisation must notify the AEPD of the outgoing DPO's departure and communicate the new DPO's details as soon as they are appointed. If the appointment was legally required, any period without an operational DPO constitutes a non-conformity. Well-structured external DPO contracts include notice periods of one to three months and transition guarantees to avoid coverage gaps.

Can the external DPO also manage a data breach?

Yes, and it is one of their main functions. Article 39(1)(b) of the GDPR includes among the DPO's tasks the supervision of security and cooperation with the supervisory authority. In practice, the external DPO typically leads or coordinates the notification process to the AEPD (Art. 33 GDPR: 72 hours) and, when the risk is high, communication to the data subjects (Art. 34 GDPR). An external DPO service with an on-call protocol is especially valuable at such moments, as the deadlines are strict and an error in the notification can itself constitute an additional infringement.