Choosing an external DPO should not come down to comparing three quotes and picking the cheapest one. The Data Protection Officer role has concrete legal functions —set out in Article 39 of the GDPR— and a position of independence protected by Article 38, so getting this hire wrong is not just a service risk: it is a compliance risk that ultimately falls on the controller, not on the provider. If you already know your organisation needs an external DPO and you are weighing several proposals, this article does not compare brands —we will not name competitors—, but gives you the ten objective criteria you should use to filter any offer before signing.
This content assumes you have already decided which model suits your organisation best. If you are still unsure whether to keep a DPO on staff or outsource the role, start with our comparison Internal vs. external DPO: which model fits your organisation. And if what you need is a pricing reference before requesting proposals, see how much an external DPO costs: variables and indicative range. Here we focus exclusively on how to compare providers once you already know you want to outsource the function.
Why the choice of provider matters more than it seems
The GDPR does not require the DPO to hold a specific qualification, but Article 37.5 does require them to be designated «on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices». That qualification is not a decorative requirement: if the organisation undergoes an inspection by the Spanish Data Protection Agency (AEPD) or mishandles a security breach, the suitability of the appointed DPO can come under scrutiny. In addition, Article 38.6 of the GDPR introduces a second condition that many companies overlook when comparing providers: the guarantee that the DPO has no conflict of interest with the tasks they perform, meaning they do not determine the purposes and means of the very processing they must supervise.
Choosing the wrong provider translates into a DPO who fails to spot a risky processing activity before it becomes a breach, a late notification to the AEPD that aggravates a sanction, or an outdated record of processing activities that leaves the organisation exposed at the first inspection. These are the ten criteria that separate a solid external DPO firm from one that simply signs the contract.
1. Absence of conflict of interest (Art. 38.6 GDPR)
This is the criterion you should verify first, and the one asked about least in practice. Article 38.6 of the GDPR requires the DPO —internal or external— to be able to perform their duties independently, without any other tasks they take on for the organisation determining the purposes and means of personal data processing. Applied to an external provider, this means checking that the same person or entity does not simultaneously act as marketing manager, commercial director or IT director for the client organisation, nor provides services that force them to decide on the very processing activities they must later audit.
In practice, ask the provider directly: what other services do they provide to your organisation? If the same company runs your marketing campaigns using customer data and also acts as your DPO, there is a conflict of interest the AEPD can challenge in an inspection. A well-structured external DPO provider keeps this function clearly separate from any other service that could compromise its independence.
2. Genuine qualification, not just a title in the proposal
Article 37.5 of the GDPR does not set an official DPO qualification, but it does require demonstrable expert knowledge of data protection law and practice. Ask the provider to evidence specific training, experience in your sector and, if they hold one, certification under a recognised DPO scheme —we explain what that actually guarantees in DPO certification: what it is and what it guarantees—. It is not mandatory to practise as a DPO, but it is a sign that this knowledge has been put through external assessment.
Be wary of proposals where it is unclear who will actually act as DPO: the name and track record of the person who will sign the notification to the AEPD and respond to a breach should appear in the proposal, not be diluted into a nameless «team of specialists».
3. Demonstrable sector specialisation
The GDPR does not require sector specialisation, but practice rewards it. The data processing carried out by a dental clinic (health records, health data subject to the special categories of Article 9) has nothing to do with that of a subsidised school (children's data) or an accounting firm (financial data with cross-cutting tax obligations). A provider that applies the same generic template to any sector is not really acting as a DPO: they are filling in a form. Ask for concrete examples of cases resolved in your sector and how they adapt the record of processing activities to your actual operations, not to a generic template.
4. Genuine proximity and availability
An external DPO does not need to be around the corner, but they do need to be accessible whenever an operational question or an incident arises. Ask how quickly the provider responds to a routine query, whether there is an identified point of contact —not a generic inbox shared with other clients— and whether they offer in-person meetings or periodic video calls, not just a single email once a year to renew the contract. Proximity is also geographic where the sector demands it: local government bodies, schools or entities subject to on-site inspections tend to value a DPO who knows the territory and can attend in person when necessary.
5. Clear contractual scope: which deliverables are included
This is where expectations blur the most. «External DPO service» can mean very different things depending on the provider: from a simple formal notification to the AEPD with no follow-up whatsoever, to active support with periodic review of the record of processing activities, staff training and breach drills. Before signing, demand in writing which specific deliverables the contract includes:
- Formal registration and notification of the appointment to the AEPD (Art. 37.7 GDPR).
- Maintenance and updating of the record of processing activities (Art. 30 GDPR).
- Review of privacy policies, legal notices and information clauses.
- Annual training for staff with access to personal data.
- Documented protocol for responding to security breaches.
- Handling of data subject rights requests (access, rectification, erasure, objection, portability and restriction).
- Support in the event of an AEPD inspection or request.
A serious provider details each of these points in the contract, with the specific frequency of each deliverable. If the proposal is limited to a generic phrase such as «ongoing data protection advice», ask for it to be broken down before signing.
6. 72-hour security breach response protocol
Article 33 of the GDPR requires the controller to notify a personal data breach to the AEPD without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. That deadline is demanding and leaves no room for improvisation: if a breach is detected on a Friday afternoon, the external DPO provider needs an operational contact channel outside office hours too, to assess the risk and prepare the notification in time.
Ask explicitly: how is the breach protocol triggered? Is there a direct phone line, or only an email checked during office hours? Does the provider draft the notification to the AEPD, or merely advise while your team drafts it? Does it also cover the analysis of whether the breach must be communicated to the data subjects themselves, under Article 34 of the GDPR, when the risk is high? A provider that cannot describe this workflow precisely is not ready for the moment it is needed most.
7. Independence and reporting to the highest management level
Article 38.3 of the GDPR requires the DPO to report directly to the highest management level of the controller or processor, and to receive no instructions on how to carry out their tasks. Check that the provider understands this requirement and that its way of working respects that reporting line: the DPO must be able to flag a breach even if it inconveniences a middle manager, without their continuity in the role depending on that person. A provider that reports solely to the department whose activity it is supposed to supervise can hardly exercise the independence the rule demands.
8. Staff training, not just paperwork
An immaculate record of processing activities is of little use if the team handling data every day cannot identify a breach, does not know which data is especially sensitive, or does not know what to do when a customer exercises their right to erasure. Check whether the service includes periodic training —at least annually— tailored to each team's profile (HR, customer service, IT), rather than a generic one-hour talk repeated identically every year.
9. Transparency in price and scope
The price of an external DPO varies according to the volume of processing, the sector and the scope contracted, and there is no fixed market rate —which is why we do not publish our own figures in this article—; you can check the factors that determine it in our guide external DPO pricing: variables and indicative range. What you can demand during comparison is full transparency: the proposal should specify what is included in the fee, what is billed separately (a serious breach, an extraordinary audit, in-person support during an inspection) and what happens if the volume of processing grows during the contract. Be wary of prices significantly lower than the rest of the proposals compared without it being clear what is left out: in a compliance service, the lowest price almost always means fewer hours dedicated, not greater efficiency.
10. Continuity of service and what happens if you switch providers
Switching external DPO is itself a legal procedure: it requires a new notification to the AEPD within the ten-day period set by Article 34.3 of the LOPDGDD for designations, appointments and terminations of the data protection officer. Before contracting, ask what happens if you decide to switch providers in the future: does the record of processing activities and all documentation generated remain in your possession, in a format you can hand over to the next provider without rebuilding the work from scratch? A provider that makes it hard to port your documentation —keeping it in a proprietary format or refusing to hand it over— is not acting in your interest, but in its own.
How much does it cost to hire an external DPO
There is no single market rate for the external DPO service: the price depends on the volume and sensitivity of the processing, the sector of activity, the scope contracted (only the legal role or active support with training and audits) and whether management of the AEPD procedure itself is included. Before requesting proposals, it helps to understand which variables drive the price and what range is reasonable to expect for your organisation's size: we explain it in detail in how much an external DPO costs in 2026. Using that guide as a reference lets you spot both inflated proposals and unreasonably low offers that usually hide an incomplete service.
Summary table: the 10 comparison criteria
| Criterion | What to check | Legal basis |
|---|---|---|
| 1. Conflict of interest | The DPO does not decide the purposes or means of the processing they supervise | Art. 38.6 GDPR |
| 2. Genuine qualification | Demonstrable training and experience, not just a title in the proposal | Art. 37.5 GDPR |
| 3. Sector specialisation | Concrete cases and risks from your activity, not generic templates | — |
| 4. Proximity and availability | Identified point of contact, response times and periodic meetings | — |
| 5. Contractual deliverables | AEPD notification, RAT, training, breach protocol, detailed in writing | Arts. 30 and 37.7 GDPR |
| 6. 72h breach response | Operational channel outside office hours and drafting of the notification | Art. 33 GDPR |
| 7. Independence and reporting | Reporting to the highest management level, no instructions on their role | Art. 38.3 GDPR |
| 8. Staff training | Periodic sessions tailored by department, not a generic talk | — |
| 9. Price transparency | What the fee includes and what is billed separately | — |
| 10. Continuity and portability | Handover of documentation if you switch providers | Art. 34.3 LOPDGDD |
Frequently asked questions
Can the same provider be my tax or payroll advisor and also my external DPO?
It depends on whether that dual role creates a conflict of interest under Article 38.6 of the GDPR. If the advisory firm only provides administrative services without deciding on the purposes and means of the personal data processing the DPO must supervise, there may be no conflict; but if the same person manages payroll and decides, for example, which employee data is shared with third parties, the situation must be assessed case by case. Always ask the provider to justify why their dual role does not compromise the required independence.
Is it mandatory for the external DPO to hold a specific certification?
No. Article 37.5 of the GDPR requires demonstrable qualification and expert knowledge, but does not impose a mandatory official certification. Certification under a recognised scheme is an additional quality signal, not a legal requirement to practise.
What happens if I hire an external DPO and it later turns out they do not meet the independence requirements?
Responsibility for GDPR compliance always rests with the controller, not the DPO. If an AEPD inspection finds that the appointed DPO did not meet the independence required by Article 38, the organisation may face the consequences of not having had, in practice, a valid DPO during that period.
How long does it take to switch from one external DPO firm to another?
The formal notification to the AEPD of the DPO change must be made within the ten-day period set by Article 34.3 of the LOPDGDD, but the actual time the switch takes depends on how much existing documentation you can transfer to the new provider. With an orderly handover of the record of processing activities and current policies, the transition can be completed in a few weeks with no gaps in coverage.
Should I always choose the most specialised provider in my sector even if they are further away?
Sector specialisation carries significant weight, but it is not the only factor: a provider with solid general regulatory knowledge and genuine availability can handle most sectors well if they dedicate the necessary time to understanding your specific operations. When you have to prioritise, an available and rigorous DPO usually outperforms a highly specialised but inaccessible one.
Can the external DPO sign on my behalf before the AEPD?
They can handle the procedure if they hold the necessary representation, usually formalised through an express power of attorney set out in the service contract. It is worth putting this in writing from the outset, to avoid depending on third parties' personal digital certificates at the moment of an urgent notification.
What is the difference between asking for references and asking for concrete use cases when comparing providers?
Generic references —«we work with many clients in your sector»— are easy to claim and hard to verify. Asking for a concrete use case —how they resolved a real breach, how they adapted a record of processing activities to a complex processing operation— forces the provider to demonstrate real experience rather than repeat a sales pitch.
If you have already compared providers against these ten criteria and want to know how we structure the service at Summum Consultoría —from designation and notification to the AEPD through to annual training and the breach response protocol—, you can review the details on our external DPO for organisations page.