DPO outsourcing and EU GDPR compliance

A data protection officer (DPO) is a corporate official responsible for data protection under the EU's Data Protection Directive.

According to the relevant Article 37(6), the DPO may be:

  • an internal DPO - a staff member of the controller or the processor, or
  • an external DPO - a professional 'fulfilling the tasks on the basis of a service contract'.

In the case of an external DPO, the function can be provided under a service contract concluded with either an individual or an organisation.

If the DPO is external, all the requirements of Articles 37 to 39 apply to that DPO. As stated in the Guidelines, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact and 'person in charge' of the client. In this case, it is essential that each member of the external organisation exercising the functions of a DPO fulfils all relevant requirements of the GDPR.

For the sake of legal clarity and good organisation, the Guidelines recommend that the service contract set out a clear allocation of tasks within the external DPO team and assign a single individual as the lead contact and 'person in charge' of the client.

Contact us for a custom-made proposal for your organisation.