Why is it so hard to find a clear price for an external DPO?
If you have searched for how much it costs to hire an external Data Protection Officer, you have probably found very wide ranges — from a few dozen to thousands of euros per month — with little explanation. This is not deliberate opacity: the price of an external DPO depends on variables that differ significantly between organisations, and quoting without knowing the specifics would be irresponsible.
This article breaks down those variables, explains what components the service must cover under Articles 37 to 39 of Regulation (EU) 2016/679 (GDPR) and offers indicative market ranges for 2026 in Spain, without guaranteeing specific outcomes or replacing a personalised assessment.
What the GDPR requires regarding the external DPO
The GDPR precisely defines the functions the Data Protection Officer must perform, regardless of whether the role is internal or external:
- Art. 37 GDPR — Designation: the controller or processor must designate a DPO when mandatory under paragraph 1 (public authority, large-scale processing of special categories, or systematic large-scale monitoring). The designation may be fulfilled by an external professional or company under a service contract.
- Art. 38 GDPR — Position: the controller must ensure that the DPO is involved properly and in a timely manner in all matters relating to personal data protection, has the necessary resources and can act independently. The DPO must not receive instructions on how to exercise their tasks.
- Art. 39 GDPR — Tasks: these include informing and advising the controller; monitoring compliance with the GDPR and with Organic Law 3/2018 (LOPDGDD); cooperating with the Spanish Data Protection Agency (AEPD); acting as the contact point with the AEPD; and advising on data protection impact assessments (DPIAs) under Art. 35 GDPR.
These functions are neither optional nor reducible to a consultant who only drafts documents: the DPO must be available, accessible and operationally active. That is what largely determines the real cost of the service.
The six variables that determine the price
1. Mandatory or voluntary designation
If the DPO designation is mandatory under Art. 37.1 GDPR — clinics, schools processing children's data, large digital platforms, law enforcement bodies, public authorities — the service must be more robust and the price reflects that requirement. An organisation that voluntarily appoints a DPO because it regularly processes sensitive data but is not legally required to do so may negotiate a somewhat reduced scope.
2. Sector of activity and categories of data processed
A firm of accountants that occasionally handles health data of clients is very different from a physiotherapy clinic whose core activity involves processing health data at scale (a special category under Art. 9 GDPR). The intrinsic risk level of the sector raises the required supervision intensity and, with it, the price. Sectors with the greatest impact on external DPO cost include:
- Healthcare and social care (large-scale health data).
- Education involving minors (special category data due to age and associated health data).
- Human resources with video surveillance or biometric attendance control.
- Insurance, banking and financial services (credit profiles, asset data).
- Digital platforms with systematic user monitoring.
3. Volume and complexity of processing activities
The number of processing records, the variety of purposes, the number of processors the organisation works with and the existence of international data transfers are direct complexity factors. A ten-person company with two simple purposes (payroll and customers) requires a DPO with far less dedication than a 200-person company with multiple business lines, digital marketing, video surveillance and cloud providers.
4. Baseline compliance status
If the organisation already has an up-to-date record of processing activities, correct information notices, signed processor agreements and a completed DPIA where required, the external DPO's work focuses on ongoing supervision and maintenance. If everything must be built from scratch, the first year involves significant implementation effort that does not repeat in subsequent years.
5. Service intensity and response SLA
The GDPR requires the DPO to be accessible to data subjects and to the AEPD. That implies a minimum level of genuine availability. Some external DPO contracts on the market offer response times of 48–72 hours; others guarantee a response within a few hours for critical incidents. The price varies accordingly. A response SLA for security breaches is particularly relevant because Art. 33 GDPR requires notification to the AEPD within 72 hours of the controller becoming aware of the breach.
6. Number of sites or group entities
A single DPO may be designated for a corporate group (Art. 37.2 GDPR), provided they are easily accessible from each entity. When a company has several sites or group companies, this option can be used to share the DPO cost, though the service must be dimensioned to reflect the actual total volume.
Indicative market ranges in 2026
The figures below are indicative ranges drawn from observation of the Spanish market in 2026. They are not Summum Consultoría's rates nor a guarantee that your organisation's cost will fall within these ranges. Analysing a specific case always requires a prior assessment.
| Organisation profile | Indicative monthly range | Typical inclusions |
|---|---|---|
| SME without sensitive data, low complexity (<20 employees, 1–2 purposes) | €80–€180/month | Processing record, information notices, data subject requests, basic annual review |
| SME with health or children's data, medium complexity (20–100 employees) | €180–€350/month | Above + DPIA, incident management, 24–48 h SLA, annual staff training |
| Mid-sized company with video surveillance, complex HR or international transfers | €350–€600/month | Above + breach management, annual audit, AEPD contact point, processor contract review |
| Multi-entity group or regulated sector (healthcare, banking, insurance) | From €600/month | Multi-entity coverage, reinforced SLA, privacy committee, periodic management reporting |
Services exist on the market below €80 per month. In most cases, that price corresponds to a document maintenance service — updating templates, responding to data subject requests — without active supervision or genuine DPO availability. It does not fully meet the requirements of Art. 38 GDPR and may create a false sense of compliance.
What must always be included in the external DPO contract?
Beyond price, service quality is assessed by what the contract guarantees in writing. These are the elements that must never be missing:
- Express identification of the professional(s) who will perform the DPO functions and evidence of their qualification (Art. 37.5 GDPR requires expert knowledge of data protection law and practice).
- Guaranteed access to senior management so the DPO can act independently (Art. 38.3 GDPR).
- Security breach response SLA, aligned with the 72-hour notification deadline in Art. 33 GDPR.
- Specific scope of covered functions: monitoring, training, DPIA advice, data subject handling, AEPD liaison.
- Enhanced confidentiality clause (Art. 38.5 GDPR imposes a duty of secrecy on the DPO).
- Mechanism for notifying relevant regulatory changes (the GDPR is not static and the AEPD regularly publishes guidance and interpretive criteria).
External DPO vs internal DPO: which is more cost-effective?
The comparison is not just about gross cost. An internal DPO involves an employment contract, social security contributions, ongoing training, cover costs for leave or sick leave and, in many cases, a partial dedication that can create conflicts of interest if the person also has operational responsibilities within the organisation — something Art. 38.6 GDPR explicitly prohibits when those responsibilities determine the purposes and means of processing.
For most Spanish SMEs and mid-sized companies, an external DPO is more efficient: access to accumulated sectoral expertise, absence of conflicts of interest, predictable and scalable cost, and immediate availability without a training period.
How to compare external DPO proposals
When evaluating several proposals, consider these criteria before deciding on price:
- Does the DPO have experience in your sector? A DPO who has worked with clinics understands the intersection of health regulation and GDPR; one specialised in hospitality knows the specifics of video surveillance and employee data in that environment.
- Does the contract specify who does what? Active accompaniment and document drafting are different functions. Ask how many effective DPO hours per month the service includes.
- What happens in the event of a security breach or a complaint to the AEPD? That situation has real urgency and the contract must explicitly state how it is managed and within what timeframe.
- Is periodic staff training included? Art. 39.1.b GDPR assigns the DPO the task of monitoring compliance, which in practice includes ensuring staff are aware of their obligations.
- Does the service include updating the record of processing activities when treatments change? The Art. 30 GDPR record is not a static document; it must be updated when processes, providers or purposes change.
The role of the AEPD in DPO supervision
The Spanish Data Protection Agency (AEPD) is the competent supervisory authority in Spain (Art. 57 GDPR and Art. 45 LOPDGDD). The external DPO acts as the contact point with the AEPD (Art. 39.1.e GDPR), which means that in the event of an inspection, a data subject complaint or a breach notification, it is the DPO who interacts with the Agency on behalf of the organisation.
This does not mean the external DPO assumes the controller's legal liability: the GDPR is clear that the organisation remains the responsible party. The DPO advises, monitors and accompanies; they do not replace the controller or guarantee the absence of sanctions. The sanction framework of Art. 83 GDPR — with fines of up to €20 million or 4 % of total annual worldwide turnover — applies to the controller or processor, not to the external DPO as such.
At Summum Consultoría we support companies in Castilla y León and the Canary Islands in the designation and effective exercise of external DPO functions. If you would like to analyse whether your organisation needs a DPO and what scope the service would require, our team offers an initial no-obligation assessment.
Frequently asked questions
Is the cost of an external DPO tax-deductible?
As a general rule, the cost of an external DPO service is a deductible expense for Corporate Income Tax purposes as an operating expense related to regulatory compliance. Consult your tax adviser for the specifics of your organisation.
Can the same provider be both a processor and the DPO?
Art. 38.6 GDPR prohibits the DPO from having a conflict of interest. If the same provider processes data on behalf of the company and also acts as DPO, a real conflict may exist. The European Data Protection Board's Guidelines 0/2016 explicitly warn of this situation. It should be assessed case by case with a conservative approach.
Does the external DPO also cover the company's employees?
The scope of the service depends on what is contracted. The DPO supervises all of the controller's processing activities, including those relating to employees (payroll, time tracking, video surveillance, occupational health). However, HR management functions remain with the controller; the DPO advises and monitors, not manages.
What happens if a company does not appoint a DPO when required?
The absence of a DPO when mandatory constitutes an infringement of Art. 37 GDPR, subject to sanction under Art. 83.4 GDPR (up to €10 million or 2 % of annual worldwide turnover). The AEPD may detect this in inspections or following complaints from data subjects. Furthermore, without a DPO, the organisation lacks its primary contact point with the Agency in urgent situations such as security breaches.