When Is a DPO Required?
Article 37(1) GDPR mandates the designation of a DPO in three cases: when processing is carried out by a public authority or body, when core activities require regular and systematic monitoring of data subjects on a large scale, or when core activities consist of large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10).
Many EU member states have expanded these requirements through national legislation. Germany, for example, requires a DPO for any organization with 20 or more employees regularly engaged in automated processing of personal data. Other countries have similar thresholds or sector-specific requirements.
Organizations may appoint either an internal or external DPO. An external DPO operates under a service contract (Article 37(6)) and can serve multiple organizations — making it a viable business model for privacy professionals. The GDPR explicitly permits this, provided the DPO is accessible to each organization and can perform their tasks effectively.
The trend toward external DPOs is accelerating. Smaller and mid-sized organizations often cannot justify a full-time internal DPO role, and NIS2 has brought thousands of additional companies into scope. External DPOs who can serve 10-50 clients efficiently are filling a critical market need.
Mandatory DPO Tasks (Art. 39)
Article 39 defines the minimum tasks of a DPO: informing and advising the controller or processor and their employees about GDPR obligations, monitoring compliance with the GDPR and with the organization's data protection policies, providing advice on Data Protection Impact Assessments (DPIAs) and monitoring their performance, cooperating with the supervisory authority, and acting as the contact point for the supervisory authority on issues relating to processing.
It is important to note what the DPO is not responsible for: the DPO does not ensure compliance — the controller does. The DPO advises, monitors, and reports, but the ultimate responsibility for data protection compliance lies with the organization's management. This distinction is legally significant and should be clearly documented in every DPO service contract.
Beyond the mandatory tasks, external DPOs typically also handle: maintaining the RoPA (Article 30), managing DSARs (Articles 15-22), reviewing and tracking DPAs (Article 28), conducting or overseeing audits, training employees, and advising on data protection by design and by default (Article 25). These additional tasks should be explicitly defined in the service contract with corresponding fee structures.
Independence and Conflict of Interest
Article 38(3) is clear: the DPO shall not receive any instructions regarding the exercise of their tasks. They cannot be dismissed or penalized for performing their duties, and they must report directly to the highest management level of the controller or processor.
For external DPOs, independence is generally easier to maintain than for internal DPOs — you are not on the client's payroll and do not have career incentives to soften your advice. However, conflicts of interest can still arise: if a significant portion of your revenue comes from a single client, you may unconsciously hesitate to deliver uncomfortable findings.
Best practice is to diversify your client portfolio so that no single client represents more than 20-25% of your revenue. Document all recommendations and management responses in writing. If management overrides your advice, record this clearly — it protects you professionally if issues arise later.
Article 38(6) states that the DPO may fulfil other tasks and duties, provided these do not result in a conflict of interest. For external DPOs, this means you should not serve as both the DPO and the IT security provider for the same client, or as both the DPO and the marketing data analyst. The advisory and the operational roles must remain separate.
Scaling an External DPO Practice
The economics of an external DPO practice depend on efficiency. Most external DPOs charge between EUR 500 and EUR 2,000 per client per month, depending on the client's size and complexity. At these rates, managing 15-20 clients can generate EUR 10,000-30,000 in monthly revenue — but only if administrative overhead does not consume all your time.
The biggest time sinks for external DPOs are: maintaining RoPAs across clients (solved by templates and structured tools), tracking DSAR deadlines (solved by automated reminders), producing audit reports (solved by one-click exports), and switching context between clients (solved by multi-tenant dashboards).
External DPOs who use dedicated tools report spending 40-60% less time on administrative tasks compared to those using Excel and email. That translates to either higher profitability with the same number of clients, or the ability to take on additional clients without proportionally increasing workload.
As your practice grows beyond 20 clients, consider standardizing your service packages. Define clear tiers (basic monitoring, standard with training, premium with audit support) and use your compliance tool to deliver consistent service quality across all clients. Trustee.eu is designed specifically for this workflow — from single-DPO practices to agencies managing 50+ mandates.
Pro Tip: Document Everything in Writing
Every recommendation you make to a client should be documented with a date, the specific advice given, and the client's response. If a client ignores your advice and later faces a supervisory authority investigation, this documentation proves that you fulfilled your duties as DPO. A compliance tool with an activity log creates this audit trail automatically — far more reliable than email threads or meeting notes.