25.07.2025

The role of the external data protection officer (DPO): obligations, tasks and costs

Most companies are required by law to appoint a data protection officer. But what exactly does a DPO do, and what skills should they possess? When is it sensible to appoint an external DPO, and when is an internal solution sufficient? We have compiled all the information you need about external DPOs to help you decide.

Your ISiCO-Expert:
Jacqueline Neiazy
Director Privacy

What is an external data protection officer (DPO)?

Although companies are legally required to protect personal data, many lack the time or expertise to fully understand these complex requirements. This is where external DPOs come into play.

They are independent individuals or organisations that support companies and institutions in complying with data protection regulations, particularly the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Their responsibilities include advising on data protection issues, monitoring compliance with data protection regulations and acting as a liaison between management, employees and data protection authorities. Unlike internal data protection officers, external DPOs are not employees of the contracting company.

In short, external data protection officers ensure that companies view data protection as an added value that builds trust and minimises legal risks, not just as a duty.

When is it necessary to appoint an external data protection officer?

Many companies are unsure whether they need one at all. Data protection regulations clearly state that a data protection officer is mandatory if at least 20 people are permanently involved in the automated processing of personal data.

The same applies when sensitive data, such as health information or data relating to criminal offences, is processed. A data protection officer must also be appointed if the company carries out systematic monitoring, for example through video surveillance or tracking technologies.

Practical tip: Even if there is no legal obligation to do so, it may be advisable to engage an external data protection officer. This is particularly the case if companies:

  • operate in an industry with high data protection requirements;
  • process large amounts of personal data;
  • are uncertain about how to implement the GDPR; or
  • want to focus on their core business and minimise the administrative burden of data protection.

What qualifications are required to be an external data protection officer (DPO)?

In principle, anyone can be appointed as a DPO. However, both internal and external DPOs must have proven expertise in data protection law and practice, and be able to demonstrate this. This includes legal, technical and organisational knowledge.

Depending on the company in question, sector- or industry-specific knowledge, including specific data protection regulations, is also required in order to provide specific, concrete advice. Company-specific knowledge also means that the external DPO must always consider the sensitivity of the data to be processed and adapt their duties accordingly.

DPOs should also be able to conduct reviews, consultations and documentation, as well as log file analyses. If necessary, they should also be able to work with employee representatives.

Certifications or training courses, which are now offered by various organisations, can be used to demonstrate this expertise. However, there is no legal requirement for the external DPO to hold such certifications.

Should you hire an internal or external data protection officer? Which is the better solution?

Companies have two options: they can either appoint an internal data protection officer or engage an external expert. Both options have their pros and cons.

External data protection officers offer particular advantages:

Companies do not have to spend a lot of time training internal employees or releasing them to take on data protection tasks. They are highly qualified and have up-to-date expertise, which they develop through regular training and experience.

Furthermore, there are no conflicts of interest as external data protection officers work independently. Another advantage is legal certainty: companies can avoid data protection violations and potential fines by seeking professional advice. The costs and long-term commitment involved in hiring an external data protection officer are also more predictable than those of an internal employee.

Of course, internal data protection officers also offer advantages, particularly through their integration into company processes. Since they are familiar with internal structures and procedures, they can efficiently integrate data protection measures into existing processes. In addition, being based within the company enables rapid responses to data protection issues, meaning problems can be addressed immediately.

However, internal data protection officers can present challenges, too. Considerable training and continuing professional development are required to ensure their expertise is always up to date. Furthermore, there is a risk of conflicts of interest, particularly if the data protection officer works in other areas of the company, such as IT or human resources. This could compromise their ability to perform their duties objectively and independently.

There are also long-term personnel costs, as the company must pay not only their salary, but also for regular training. Another significant disadvantage is the limited independence of internal data protection officers, who are employees of the company and subject to instructions, potentially encountering conflicts of interest as a result.

Summary: Internal vs. external DPO

Criterion                               | Internal DPO                                                                 | External DPO
----------------------------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------
Expertise and qualifications            | Must undergo regular training to stay familiar with current data protection laws | Highly qualified and always up to date
Costs                                   | Long-term personnel costs (salary, training, continuing education)           | Plannable and contractually regulated
Independence and conflicts of interest  | Possible conflicts of interest if working in other departments simultaneously | No conflicts of interest, as they are independent of the company
Legal certainty                         | Risk due to lack of expertise or internal dependencies                       | High legal certainty through specialised consultancy
Flexibility and adaptability            | Permanent employment and long-term commitment to the company                 | Can be booked flexibly as needed
Training and continuing education       | Significant training expenditure is required to stay up to date             | Provided by the external provider, so no expense for the company
Subordination                           | Subject to instructions as an employee of the company                        | Independent and objective, free from internal influences

What factors should you consider when selecting an external data protection officer?

This decision should be made carefully, as the officer assumes an important role within the company. But what should you actually look for?

Firstly, their professional qualifications must be appropriate. Data protection is a complex topic that requires knowledge of technology, law, and organisation. Good data protection officers should be familiar with the GDPR, as well as IT security and internal data protection processes. While a certification or a relevant degree can indicate qualification, it is not mandatory. Practical experience of dealing with data protection requirements is crucial.

However, experience in the relevant industry is also important. For example, someone responsible for data protection in a medical practice requires different specialist knowledge to a data protection officer in an online marketing company.


What are the responsibilities of an external data protection officer (DPO)?

Their responsibilities are set out in Article 39(1) of the GDPR. It should be noted that this list specifies the minimum requirements only and is not a comprehensive regulation.

Therefore, external DPOs assume a wide range of tasks, all of which aim to ensure efficient and secure data protection within the company.

  • Their core responsibilities include advising management and employees. They train teams in the correct handling of personal data and help prevent data protection violations. DPOs also regularly review the company's data protection measures to ensure compliance with the GDPR.
  • Another important area is supporting data protection impact assessments. When a company introduces new technologies or processes that pose a high risk to data subjects, the data protection officer assists in identifying risks and implementing appropriate protective measures.
  • Furthermore, they act as the primary point of contact for data protection authorities. If an inspection or request is received from data subjects, they ensure correct communication and that all relevant documentation is available.
  • In the event of a data breach, swift action is required. The data protection officer assists with the analysis, initiates the necessary measures and ensures that notifications are submitted to the supervisory authorities within the specified timeframe.

An external data protection officer is an active partner who helps companies implement data protection effectively and in compliance with the law, not just an advisor.

How much does an external data protection officer cost?

Neither the GDPR nor the BDSG specify the costs or remuneration of an external DPO.

The cost of an external DPO varies depending on:

  • the size of the company;
  • the industry and the risk of the data processing;
  • the scope of services (e.g. training, audits and documentation); and
  • the agreed response times and on-site consultations.

Typically, costs are covered by a monthly flat rate or an hourly fee.

Why is ISiCO the best choice for your company's external data protection officer?

As a data protection consultancy, we have supported many companies, including large DAX-listed corporations, in addressing data protection issues. We have extensive experience working as external DPOs for large corporations, including multinationals, and have helped them implement and comply with the GDPR.

Thanks to our many years of experience and diverse client portfolio, we have broad industry and sector-specific knowledge. For instance, we are familiar with the challenges and legal requirements of the logistics, finance and healthcare sectors. We have also successfully supported clients in implementing and supporting research projects.

Thanks to our experience, we can draw on sample templates and guidelines that can be adapted to your individual needs. This enables us to provide you with the necessary information and guidelines quickly, such as a privacy policy for your website or data protection notices for your employees.


We are also experienced in communicating with and presenting ourselves to data protection supervisory authorities, and we can assist you in this process. We look forward to getting to know you and your company during an initial consultation. Our consultancy services are designed to provide straightforward support and help you implement your projects and comply with data protection regulations. We are passionate about finding tailored solutions to your challenges and problems. We provide innovative ideas and creative solutions for our clients.

What are the most common threats to data protection?

Almost everyone has experienced one of these situations at some point: either an email is sent to the wrong recipient, or a document containing sensitive information is left open on the screen. While such errors may seem harmless at first, they can lead to significant data protection problems within companies.

Human error is one of the greatest threats to data protection.


Employees who carelessly click on phishing emails can open the door to hackers. These scams are often sophisticated and appear deceptively real. A thoughtless click can result in sensitive customer data or internal business secrets falling into the wrong hands.

Lost or stolen devices also pose a significant threat. Leaving an unsecured smartphone or an unencrypted laptop on the train, for example, can give cybercriminals access to confidential company data. This is particularly problematic when adequate protection through passwords or encryption is lacking.

Another major risk lies in insecure IT systems. Software vulnerabilities or inadequate security measures can provide attackers with an opportunity to access internal networks. Cyberattacks, such as ransomware attacks in which companies are blackmailed into buying back their own data, are becoming increasingly common.

However, external attacks are not the only problem; data protection risks also exist within companies. If employees access personal data or share information without authorisation, this can lead to a loss of trust and hefty fines. The unauthorised handling of data can have serious consequences, particularly in sensitive areas such as healthcare or finance.

Finally, the importance of robust data protection policies cannot be overstated. Without clearly defined policies on who has access to which data and how personal information is processed securely, the risk of data breaches increases significantly. Without clear guidelines, uncertainties quickly arise, leading to avoidable violations of the GDPR.

What penalties might you face if you fail to appoint a data protection officer?

“Data protection? Nobody cares about that!” Anyone who thinks like this risks heavy penalties.

Companies that are legally required to appoint a data protection officer but fail to do so risk heavy fines. The GDPR provides for fines of up to €10 million or 2% of global annual turnover in such cases.

However, even if you do appoint a data protection officer, you could still face serious penalties for data protection violations. The GDPR allows for fines of up to €20 million or 4% of global annual turnover if companies violate data protection regulations through gross negligence or intent. As well as fines, you could receive warnings, claims for damages from affected parties or official orders.

As well as the financial consequences, data protection violations entail considerable reputational risks. Customers and business partners increasingly value data protection, so companies that act negligently in this area risk losing trust and market share.

What issues should a DPO pay particular attention to with regard to the GDPR?

The following issues are of particular importance to an external DPO:

  • processing data subject requests;
  • training employees in handling data subject requests;
  • employee data protection;
  • involvement of the works council, particularly mediation between the works council and the company;
  • cooperation with the relevant data protection supervisory authorities; and
  • the relationship and interaction of the GDPR with other data protection laws and sector- and industry-specific requirements.

Stay on the safe side by appointing an external DPO

ISiCO can provide you with one:

  • Enjoy a comprehensive solution that keeps your data secure and your company legally compliant.
  • The external DPO identifies data protection gaps before they result in costly violations.
  • They also handle communication with the relevant authorities, including reporting data protection incidents.

Book your appointment now

Frequently asked questions about external data protection officers:

According to Art. 37 GDPR, all companies whose core activity consists of processing personal data must have a data protection officer. This means that a data protection officer is required if business areas mainly consist of data processing and are crucial for the company's strategy.

Section 38 of the BDSG also stipulates that a data protection officer must be appointed if at least 20 employees are regularly and permanently involved in the automated processing of personal data. This includes, for example, the use of programmes such as Outlook or Excel.

The external data protection officer helps companies to implement and maintain compliance with data protection regulations. He or she monitors the company's handling of personal data in accordance with data protection law and also takes into account the data protection concerns of employees. He or she also sets data protection objectives and determines the need for action and the timetable for ensuring compliance with data protection laws.

The main tasks of the external DPO are to ensure compliance with data protection laws and regulations, to create and maintain procedural overviews, to ensure that employee and customer data is processed in compliance with data protection regulations, to conduct pre-approval reviews of IT applications and to advise on data protection issues in the various departments. He or she develops data protection-compliant processes, drafts guidelines and company agreements, and reviews system security. In addition, external DPOs are the point of contact for all data protection issues and prepare an annual data protection report. The tasks of an external DPO are primarily defined by the German Federal Data Protection Act (BDSG) and the European General Data Protection Regulation (GDPR).

Costs vary greatly depending on the size of the business, the sector and the amount of work required. We will provide you with a personalised and transparent quotation tailored to your needs.

External DPOs are also often cheaper than in-house DPOs, as in-house DPOs have to take into account non-wage labour and training costs.

The external DPO can be a particularly valuable solution for companies. He or she brings a wealth of knowledge and experience and can focus on data protection without being distracted by other business issues. The external DPO can provide objective and independent reviews and analysis, and assist in the development of a comprehensive data protection strategy.

In addition, external DPOs can provide the necessary support to manage changes resulting from existing and new data protection regulations. They can provide training and ensure that all employees are up to date with the latest data protection practices and legislation.

The choice between an internal and an external Data Protection Officer (DPO) depends on a number of factors, including the size of the organisation, the complexity of the data to be processed and the internal resources available. For example, if an organisation requires support across multiple sites and at a group level, the appointment of a group DPO may be considered. Whatever the choice, it is essential that the DPO has the necessary qualifications to fulfil his or her role. In the fast-moving digital world, data protection is a central pillar of any successful organisation. External DPOs can be an important resource in ensuring that organisations comply with data protection regulations while remaining innovative and competitive.
