Any public authority or body.
Including courts, regulators, municipalities, schools, hospitals. Mandatory regardless of size or processing volume.
SERVICE PRACTICE · DPO-AS-A-SERVICE
External DPO, named of record.
We act as your formally named Data Protection Officer with the supervisory authority. DSAR queue, breach response, DPIA review, vendor DPA negotiation, staff awareness training and authority liaison on a monthly retainer.
DPO.DESK · LAST 30 DAYS● LIVE
Data subject requests handledavg 9 d cycle128
DPIAs reviewed / signed17
Vendor DPAs negotiated34
Article 33 incidents triaged1 notified4
Cross-border transfer assessments11
Records of Processing entries kept current420
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHY A DPO
When the role is required.
Systematic monitoring as a core activity.
Behavioural tracking, CCTV operations, location intelligence, customer profiling. Triggers Article 37(1)(b).
Large-scale processing of sensitive data.
Health, biometric, genetic, criminal data. Standard for hospitals, insurers, HR-tech, security firms.
OBLIGATION · ART. 37
Up to €10M or 2% turnover
Failure to appoint a DPO when required. Procedural finding under Tier 1.
INDEPENDENCE · ART. 38
Up to €20M or 4% turnover
Interference with the DPO role or failure to provide resources. Material finding under Tier 2.
§ 02 / DPO ARTICLES
Articles 37–39.
APPOINTMENT (ART. 37)
Art. 37(1)Mandatory designationTriggers, scope and documentation of the appointment.
Art. 37(5)Professional qualitiesExpertise in data protection law and practice.
Art. 37(6)Service-contract DPOService-contract DPO explicitly permitted.
Art. 37(7)PublicationContact details published and communicated to the supervisory authority.
TASKS AND POSITION (ART. 38-39)
Art. 38(1)Early involvementInvolved in all matters relating to personal data.
Art. 38(3)IndependenceNo instructions on tasks, reports to highest management.
Art. 38(4)AccessibilityReachable by data subjects for all questions on processing.
Art. 39(1)(a)Inform and adviseAdvise the controller and staff on GDPR obligations.
Art. 39(1)(b-c)Monitor and trainMonitor compliance, run awareness, audit programmes.
Art. 39(1)(e)Authority liaisonCo-operate with and act as contact for the supervisory authority.
§ 03 / ENGAGEMENT MODELS
Engagement models.
FULLMOST POPULAR
Full DPO retainer
Named DPO of record, end-to-end. Monthly steering, DSAR and breach response, DPIA review, vendor DPA negotiation, staff training, authority liaison.
- →Named DPO of record
- →Monthly steering review
- →DSAR + breach response
- →Annual programme report
CORE12 MO TERM
Core DPO retainer
Named DPO with a capped monthly hour pool. Suitable for stable operations where day-to-day demand is predictable.
- →Named DPO of record
- →Capped monthly hours
- →Quarterly steering
- →Annual review
ADVPAY-AS-YOU-GO
On-call DPO advisory
You have an internal DPO. We provide senior cover for complex cases, supervisory queries, board prep and DPIA review.
- →Senior cover for complex cases
- →Supervisory query support
- →DPIA peer review
- →Board reporting prep
§ 04 / SCOPE
Scope of work.
01 / 04
Day-to-day operations
- DSAR intake and response
- Breach triage (Art. 33)
- Authority notification when required
- Records of Processing upkeep
- Vendor DPA review and negotiation
02 / 04
Risk and oversight
- DPIAs for high-risk processing
- Legitimate interest assessments
- Cross-border transfer assessments (TIA)
- Privacy-by-design SDLC review
- Annual risk register and roadmap
03 / 04
Programme and governance
- Privacy policy stack maintenance
- Roles and responsibilities (RACI)
- Board reporting cadence
- Internal audit programme
- Annual DPO programme report
04 / 04
People and authority
- Role-based staff training
- Awareness campaigns and phishing tests
- Data subject channel of contact
- Supervisory authority correspondence
- Pre-supervisory readiness reviews
§ 05 / DPO READOUTSee sample engagement letterPDF · 6 PP
External DPO retainer.
An external DPO named in your record, with senior privacy experience and no conflict of interest. Monthly programme support, staff training, supervisory authority liaison and breach triage on call.
Response SLA · DSARs
24 h
Response SLA · breach
4 h
Quarterly steering
Included
DPA registration
We file
SAMPLE.MONTHLY.READOUTOCT 2026
DSARs14 / 14 in SLA
Breach incidents2 triaged, 1 notified
DPIAs delivered3
New vendors onboarded7 / DPA signed
Open risk register12 items · 0 high
Authority correspondence1 voluntary submission
SIGNED. IVANA ŠARIĆ, DIRECTOR. REGULATORY STRATEGY
§ 06 / SELECTED WORK
All case studies →Recent engagements.
CASE 01Pharmaceutical · 4,000 employees
External DPO of record across 7 EU subsidiaries, single retainer.
7
Subsidiaries
~40
DSARs / month
8 d
Avg cycle
SCOPEDPO-aaS · DSAR ops · Vendor DPAs
CASE 02Pan-EU e-commerce
Outsourced DPO function during DPA audit. Zero findings.
0
Audit findings
4 mo
Time to readiness
€3.2M
Fines avoided
SCOPEDPO-aaS · DPIA review · Authority liaison
CASE 03B2B SaaS · 200-person
Single DPO covering 11 EU jurisdictions on a single retainer.
11
Jurisdictions
~90
DSARs / month
7 d
Avg cycle
SCOPEDPO-aaS · Cross-border DSAR ops · Vendor risk
§ 07 / WHY THIS MATTERS
DPO landscape.
500,000+
EU organisations with a DPO appointed
€20M / 4%
Maximum fine for Art. 38 interference
24 h
Typical DSAR response SLA
72 h
Art. 33 breach notification window
TREND 01
Authorities treat DPO independence as load-bearing
EDPB guidance and recent decisions confirm that interference with the DPO role triggers the higher fine tier (Art. 83(5)).
TREND 02
Cross-border processing concentrates DPO load
Single DPO functions handle 5-15 jurisdictions in practice. Standard retainer structure follows.
TREND 03
Specialist DPOs are now expected
Authorities expect demonstrable sector expertise for health, finance and AI deployment cases.
§ 08 / FAQ
Common questions.
01Can an external DPO be named to the supervisory authority?+
Yes. Article 37(6) explicitly permits a service-contract DPO. We are named on your register, identifiable to staff and authorities, and reachable by data subjects.
02How fast can the appointment be filed?+
Within 10 business days of contract signature. We prepare the appointment, file with the supervisory authority, and update your privacy notices and internal directory.
03Do you cover multiple legal entities or jurisdictions?+
Yes. One DPO function can cover related entities and multiple EU jurisdictions on a single retainer, provided independence and accessibility are preserved.
04What happens at a supervisory authority enquiry?+
We respond as DPO of record, prepare the evidence pack, brief executives, and attend the meeting. Pre-supervisory readiness reviews are part of the retainer.
05How is the DPO independent if you also advise on the programme?+
Article 38 independence is preserved through separate engagement streams and reporting lines. Programme advisory is delivered by a different partner than the named DPO.
06What does the monthly retainer include?+
Named DPO of record, DSAR and breach response, DPIA review, vendor DPA review, monthly or quarterly steering, annual programme report, and authority correspondence. Scope is documented in the engagement letter.
§ 09 / RESOURCES
Templates and guides.
GUIDEPDF · 18 pages
DPO Appointment Guide
Step-by-step process for designating a DPO and publishing contact details to the authority.
Download ↓EMAIL REQUIRED
TEMPLATEPDF + DOCX
DPO Engagement Letter
Reference engagement letter showing scope, independence, reporting line and termination.
Download ↓EMAIL REQUIRED
GUIDEPDF · 6 pages
DPO Independence Checklist
12 questions to confirm Article 38 independence is preserved in your structure.
Download ↓EMAIL REQUIRED
§ 10 / RELATED PRACTICES
Related practices.
Data Protection & GDPR
Full GDPR programme, policies, DPIAs, records of processing, supervisor liaison and audit preparation.
Open practice →Cybersecurity & NIS2
Same incident, two clocks. NIS2 layers a 24-hour CERT warning on top of the GDPR 72-hour notification.
Open practice →Incident Response
Pre-built breach playbooks, DPA notification templates, crisis-team coordination.
Open practice →11 / GET STARTED
Start your DPO function.
Free initial meeting. Clear next steps. Indicative pricing within one business day.