There is no single statutory fee for an external DPO. The price depends on risk, size, sectors, project volume, suppliers, rights requests, incidents and the availability required. The useful comparison is not "how much does the appointment cost", but how much dedication, independence and real capacity the service actually includes. A cut-price DPO who only lends a name can leave the substantive obligation unmet.
What You Are Actually Contracting For
The DPO informs and advises, monitors compliance, advises on data protection impact assessments (DPIAs), cooperates with the supervisory authority and acts as the point of contact. The DPO must be involved in good time, have adequate resources, report to the highest level of management and act without instructions.
The external service does not transfer liability away from the controller or processor. Nor is it the same as an annual audit, or an advisory role that decides on the processing activities themselves.
Why the Price Varies
Complexity of the Controller
Number of entities, sites, employees, countries and joint controllers. A group with several companies needs more coordination and accessibility.
Nature of the Data
Health data, children's data, biometrics, profiling, surveillance or criminal-records data all raise the level of specialisation and review required.
Volume and Change
A stable organisation with few processing activities needs less dedication than a platform with weekly releases, campaigns and new suppliers.
Technology and Suppliers
Cloud services, artificial intelligence, international transfers, apps, cookies, geolocation and sub-processor chains all add diligence and testing requirements.
Incidents and Rights
The contract can include a reasonable pool of hours or specific billing. You need to know what happens outside business hours and in the event of a serious breach.
Starting Point
If there is no inventory, no contracts and no procedures in place, an initial compliance project comes first. It is worth keeping this separate from the recurring service so the real scope is not obscured.
Components of a Proposal
| Component | Minimum content |
|---|---|
| Appointment | Notification and public contact point |
| Onboarding | Context, inventory and monitoring plan |
| Advice | Queries and projects with a defined turnaround |
| Monitoring | Risk-based reviews |
| DPIA | Criteria and advice, with clear limits |
| Rights | Support with complex requests |
| Breaches | Assessment, documentation and notification |
| Authority | Cooperation and complaints |
| Training | Role-based sessions with evidence |
| Management | Independent, periodic reports |
If a proposal does not quantify these activities, it cannot really be compared.
Pricing Models
Fixed Fee
Suitable for predictable activity. It should specify hours or capacity, turnaround times, meetings, deliverables and what happens if these are exceeded.
Hours Pool
Offers flexibility, but can discourage queries if every contact eats into the balance. It needs transparent usage tracking.
Per Project
Useful for a DPIA, an audit or a complex incident. It does not replace ongoing monitoring.
Hybrid
A base fee for ordinary functions plus an agreed rate for extraordinary projects. This usually makes costs predictable without promising unlimited availability.
Work Out the Scope Before Asking for a Price
Prepare a scope sheet covering:
- Entities and sites.
- Sector and whether appointing a DPO is mandatory.
- Headcount and data subjects affected.
- Categories of data.
- Processing activities and systems.
- Countries and transfers.
- Critical suppliers.
- Planned projects.
- Rights requests and past incidents.
- Certifications and in-house team.
- Availability required.
Without this information, quotes will each rest on different assumptions.
A Credible Minimum Commitment
There is no universal figure. The proposal should show how it will cover:
- Knowledge of the organisation.
- Involvement in projects.
- Monitoring and sampling.
- Handling requests from data subjects and the authority.
- Ongoing professional development.
- Reporting to management.
- Cover during absences.
The European Data Protection Board (EDPB) has identified insufficient resources, insufficient expertise and conflicts of interest as recurring problems. The price must allow these failures to be avoided.
Independence and Conflicts of Interest
The provider should not design a processing activity, approve it and then certify its own work. It can offer other services provided the functions are kept separate and it does not determine the purposes and means of processing.
Questions worth asking:
- Who is formally the DPO?
- What other services does the provider offer?
- Who reviews the implementation work?
- Does the DPO report directly to management?
- Can the DPO issue a recommendation that goes against commercial interests?
- How is the team protected from pressure?
A contract that allows the DPO to be replaced for giving an inconvenient opinion compromises independence.
Competence and Team
The GDPR requires a qualification based on expert knowledge and the ability to carry out the tasks. There is no single mandatory qualification.
Consider:
- Sector experience.
- Legal and technical knowledge.
- Experience with DPIAs and incidents.
- Contracts and transfers.
- Communication with management.
- Backup team.
- Ongoing training.
Professional certification can be evidence of competence, but it does not replace experience and resources.
SLAs and Availability
The proposal should set out:
| Service | Commitment to define |
|---|---|
| Routine query | First-response time |
| Project | Review turnaround |
| Rights request | Escalation against the statutory deadline |
| Breach | Urgent channel and availability |
| Complaint | Owner and coordination |
| Report | Frequency and recipient |
"Unlimited support" without a defined SLA or capacity is not a guarantee of anything.
What Deliverables to Expect
- A risk-based annual plan.
- A log of queries and recommendations.
- Monitoring reports.
- DPIA opinions.
- A breach register and assessments.
- Follow-up on action items.
- A report to management.
- Training records.
- A conflict-of-interest declaration, kept up to date.
The DPO should not become a producer of templates with no follow-through.
Comparing Proposals
Use a weighted scoring matrix:
| Criterion | Indicative weight |
|---|---|
| Independence and conflicts | 20% |
| Experience and team | 20% |
| Scope and dedication | 20% |
| Responsiveness and incidents | 15% |
| Monitoring and reporting | 15% |
| Total price and extras | 10% |
A low price does not make up for a conflict of interest or insufficient coverage.
Costs That Are Often Left Out
- Initial compliance project.
- Technical audit.
- Security testing.
- Legal defence in proceedings.
- Translations.
- Travel.
- International projects.
- Multiple DPIAs.
- Out-of-hours emergency support.
There is nothing wrong with excluding them, but it must be stated explicitly.
Warning Signs
- An "appointment" with no onboarding.
- Thousands of clients per professional with no visible team.
- No direct contact with management.
- No urgent channel.
- The same person acting as DPO and as operational head of marketing or IT.
- A price with no assumptions behind it.
- Identical, automated reports.
- A promise of "guaranteed compliance".
- No cover and no continuity plan.
- Being penalised for issuing recommendations.
A Hiring Timeline
Week 1
Define the scope, risks and preferred model.
Week 2
Request comparable proposals and a meeting with the actual team.
Week 3
Assess independence, track record and SLAs; ask for references.
Week 4
Sign the contract, communicate the appointment, publish the contact details and approve the 90-day plan.
Contract Checklist
- Entities and scope.
- The designated person or team.
- The functions under Articles 38 and 39.
- Independence and conflicts of interest.
- Access to management.
- Dedication, SLAs and emergencies.
- Deliverables and reports.
- Extras and rates.
- Confidentiality and security.
- Cover and termination.
- Portability of the file.
Frequently Asked Questions
Can a Standard Rate Be Published?
A rough guide can be given, but a responsible quote needs to know the scope first. Without it, the price says nothing about the real coverage.
Is the More Expensive Service Better?
Not necessarily. What should be compared is evidence, independence, dedication and results.
Does It Include a DPIA?
The DPO's advice is indeed part of the role, but intensive execution can be budgeted as a separate project. This must be made clear in the contract.
Can a Group Share a Single DPO?
Yes, provided the DPO is easily accessible from every establishment and has sufficient resources.
Who Pays for a Fine?
Legal liability rests with the controller or the processor, depending on the case. The contract may set out the provider's own liabilities, but it cannot override the GDPR.
Official Sources Consulted
- GDPR, Articles 37-39.
- AEPD (Spanish DPA): frequently asked questions about the DPO.
- Guidelines on DPOs (WP243 rev.01).
- EDPB: guide for small businesses.
- EDPB: report on the designation and position of the DPO.
Summum Consultoría can prepare a proposal based on risk and scope, without turning the appointment into a mere formality.