When an organisation reaches the point of appointing a Data Protection Officer (DPO), the first question that arises is almost always the same: do we bring someone in from our own staff, or do we use an external service? Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD) impose neither model: both are valid. However, the choice has very different practical consequences in terms of independence, specialisation, cost and sanction exposure. This article answers every relevant question to help you make that decision with confidence.
What does the GDPR say about the DPO model?
Articles 37 to 39 of the GDPR regulate the DPO without expressing a preference for either model. Article 37(6) states explicitly that «the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract». In other words, the regulation recognises and equally supports both routes.
What the GDPR does require — in Article 38 — is that the DPO act with full functional independence: the DPO may not receive instructions from the controller or processor regarding the performance of those tasks and may not be dismissed or penalised for performing them. That independence requirement is, in practice, the main differentiating factor between the two models.
Internal DPO: when does it make sense?
An internal DPO is an employee of the organisation who assumes the tasks set out in Article 39 of the GDPR: informing and advising the controller, supervising compliance, cooperating with the supervisory authority (the AEPD in Spain) and acting as a contact point for data subjects.
This model may be appropriate when all of the following conditions are met:
- The organisation has sufficient volume to justify a dedicated or near-dedicated position. In practice, organisations with more than 500 employees, or with very complex data processing operations (large hospitals, public authorities, financial institutions), tend to opt for an internal DPO.
- There is no conflict of interest with the candidate's current functions. Article 38(6) of the GDPR prohibits the DPO from carrying out tasks that involve determining the purposes and means of processing. The Head of IT who decides which software to implement, the HR Director who decides what employee data is collected, the Legal Director who drafts processor contracts: none of them can simultaneously be the DPO. The AEPD has identified this dual function as one of the most frequent non-conformities detected in its supervisory activities.
- Ongoing training is guaranteed. The GDPR is a living regulation: guidelines from the European Data Protection Board (EDPB), AEPD resolutions and court judgments accumulate continuously. The internal DPO needs dedicated time and budget to stay current.
- Formal independence can be guaranteed. The internal DPO must report to the highest management level (Art. 38(3) GDPR) and cannot be operationally subordinate to those who make decisions about data processing.
External DPO: when is it the better option?
An external DPO is a specialised professional or organisation that provides the delegate service under a service contract. This is not a processor contract within the meaning of Article 28 of the GDPR: the external DPO does not process data on behalf of the controller for their own purposes, but acts as an independent adviser and supervisor.
The external model is the most common choice for SMEs, medium-sized entities and organisations that are required to have a DPO but do not have sufficient volume to sustain a highly qualified internal position. Its structural advantages are clear:
- More robust functional independence. The external DPO does not depend hierarchically on management and has no employment interests that could create pressure to soften their conclusions. The independence required by Article 38 of the GDPR is easier to demonstrate before the AEPD when the DPO is not part of the internal structure.
- Permanently up-to-date specialisation. A consultancy specialising in data protection has direct incentives to stay current with EDPB guidelines, AEPD sanctions decisions and legislative developments. An internal DPO at a company not focused on privacy may fall behind without adequate training support.
- Uninterrupted availability. Data breaches do not give advance notice. Article 33 of the GDPR requires notification to the supervisory authority within a maximum of 72 hours from when the controller becomes aware of a breach that poses a risk to individuals' rights. And when the risk is high, Article 34 requires communication to the data subjects themselves without undue delay. An external DPO with an on-call protocol ensures that notification is handled correctly even on public holidays or outside normal working hours. An internal DPO may be on holiday or on sick leave.
- Predictable cost with no employment overheads. The external service is contracted with a defined scope and a fixed annual price, with no recruitment costs, initial training, social security contributions or redundancy risk.
- No structural conflict of interest. The external DPO has no dual function within the organisation; their only role is that of delegate.
Comparison table: internal DPO vs. external DPO
| Criterion | Internal DPO | External DPO |
|---|---|---|
| Functional independence | Possible but harder to demonstrate (risk of hierarchical pressure) | Structurally more robust; easier to demonstrate to the AEPD |
| Specialisation | Depends on the candidate's profile and available ongoing training | High; data protection is the consultancy's primary activity |
| Availability during incidents | Limited by working hours, holidays and sick leave | Continuous, with on-call protocols for breaches |
| Risk of conflict of interest | High if the DPO has other operational functions involving data | Low; function is exclusively supervisory |
| Cost for SMEs | High (salary + social security + training + recruitment) | Affordable; indicative ranges from €800 to €6,000/year depending on complexity |
| Internal knowledge of the organisation | Greater; direct access to day-to-day operations | Requires an onboarding phase and periodic updates |
| Suitability for legally obligated organisations | Yes, if independence requirements are met | Yes, and more common in practice in the Spanish market |
| Ease of replacement | Complex (recruitment process, employment notice period) | Straightforward; the provider guarantees service continuity |
Who is required to have a DPO?
Before choosing a model, it is worth confirming whether the appointment is mandatory or voluntary. Article 37 of the GDPR establishes three mandatory scenarios:
- Public authorities and bodies, except for courts acting in their judicial capacity.
- Controllers or processors whose core activities consist of processing operations which, by their nature, require regular and systematic monitoring of data subjects on a large scale: digital tracking platforms, telecoms companies, financial institutions with continuous transaction monitoring.
- Controllers or processors whose core activities consist of processing, on a large scale, special categories of data (Art. 9 GDPR: health data, genetic or biometric data, racial origin, religious beliefs, sexual life, trade union membership, political opinions) or data relating to criminal convictions and offences (Art. 10 GDPR): hospitals, clinics, health insurers, laboratories, criminal law firms.
The LOPDGDD extends this list in Article 34 with categories specific to the Spanish legal order: professional associations, educational establishments, private security companies, energy distributors and electronic communications providers that build user profiles, among others.
If the organisation does not fall within any of these scenarios, it may voluntarily appoint a DPO. The AEPD recommends doing so when special categories of data are processed even if not «at large scale», when the Record of Processing Activities (RoPA) is extensive, or when data protection impact assessments (DPIAs) are carried out regularly.
What happens if the DPO does not meet the independence requirements?
The AEPD has resolved cases in which the appointed DPO had incompatible functions: an IT Manager who was also DPO, an HR Manager appointed as delegate, or executives with decision-making power over processing. In all those cases, the authority considered the appointment ineffective and the organisation to be, in practice, without a DPO.
The consequences are significant. The absence of a DPO in an organisation required to have one is classified under Article 83(4) of the GDPR as an infringement that may attract fines of up to €10 million or 2% of global annual turnover. In actual enforcement cases, an inoperative DPO has acted as an aggravating factor that increases the amount of sanctions that already included other non-conformities.
It is also worth noting that the most serious infringements — up to €20 million or 4% of global annual turnover under Article 83 of the GDPR — apply to breaches of the principles and lawfulness conditions of processing, including cases in which the absence of an operational DPO has contributed to a security breach not being properly managed.
Can the same external DPO serve multiple clients?
Yes. The GDPR explicitly provides that the DPO may provide services to several organisations (Art. 37(3)), provided they can dedicate the time necessary to each to perform their tasks adequately and provided there are no conflicts of interest between the different clients. This is precisely what a well-structured external DPO service does: it distributes the workload across the consultancy's team — several specialised professionals, not a single resource — guaranteeing a response to any incident regardless of any individual's personal schedule.
Appointment process: steps common to both models
- Prior diagnosis of processing activities: inventory of the Record of Processing Activities (RoPA), identification of special categories, assessment of whether the obligation is legal or the appointment is voluntary.
- Selection of the DPO: Article 37(5) of the GDPR requires that they be appointed on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practice. In the Spanish market, CIPP/E (IAPP) or CDPP (AEPD/ENAC) certifications and demonstrable experience in breach management and impact assessments are particularly valued.
- Formalisation: service contract if external, job description if internal. The scope of functions, contact channels and independence guarantee must be documented.
- Internal communication: employees must know who the DPO is and how to contact them. This is included in the internal privacy policy and in the privacy notices addressed to data subjects.
- Notification to the AEPD: using the form provided on the AEPD's electronic platform. Mandatory when the appointment is legally required; recommended for voluntary appointments.
- Ongoing operations: the DPO is integrated into the privacy-by-design workflow, handling of data subject rights requests, breach management and ongoing regulatory compliance supervision.
Practical recommendation for SMEs in Castilla y León and the Canary Islands
For the majority of SMEs in our geographical area — organisations with between 10 and 250 employees in Castilla y León and the Canary Islands — the external DPO model provides the best balance of cost, independence and specialisation. The reasons are concrete: the cost of an internal professional with the right profile (specialist legal training, recognised certification, experience in DPIAs and breaches) significantly exceeds the annual cost of a well-structured external service. Moreover, the risk of a conflict of interest is almost inevitable if the role is assigned to someone who already has operational responsibilities involving data.
The exception is larger organisations with very high-volume or highly sensitive processing operations — hospitals, large public authorities, financial institutions — where a dedicated internal DPO makes sense both in terms of workload and the level of internal knowledge required.
In any case, the decision should be based on a genuine diagnosis of the processing map and the organisation's specific risks, not on a generic choice based solely on cost. The data protection compliance team at Summum Consultoría supports that diagnosis and, where appropriate, assumes the external DPO function with full operability from day one.
Frequently asked questions
Can the company's Legal Director be the DPO?
It depends on their specific functions. If the Legal Director determines the purposes and means of data processing — such as drafting processor contracts or deciding the lawfulness bases for main processing operations — a conflict of interest exists that invalidates their appointment as DPO. If their legal function is disconnected from decisions about data processing, the incompatibility may not exist, although the AEPD recommends caution and explicitly documenting that there is no conflict.
Does the external DPO sign as a data processor?
No. The external DPO is not a processor within the meaning of Article 28 of the GDPR. Their relationship with the organisation is formalised through an ordinary service contract, typically supplemented by enhanced confidentiality clauses. The DPO accesses personal data to perform their supervisory functions, but does not process it on behalf of the controller for their own purposes.
What happens if we change our external DPO mid-year?
The organisation must notify the AEPD of the outgoing DPO's departure and communicate the new DPO's details as soon as they are appointed. If the appointment was legally required, any period without an operational DPO constitutes a non-conformity. Well-structured external DPO contracts include notice periods of one to three months and transition guarantees to avoid coverage gaps.
Can the external DPO also manage a data breach?
Yes, and it is one of their main functions. Article 39(1)(b) of the GDPR includes among the DPO's tasks the supervision of security and cooperation with the supervisory authority. In practice, the external DPO typically leads or coordinates the notification process to the AEPD (Art. 33 GDPR: 72 hours) and, when the risk is high, communication to the data subjects (Art. 34 GDPR). An external DPO service with an on-call protocol is especially valuable at such moments, as the deadlines are strict and an error in the notification can itself constitute an additional infringement.