GDPR
Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, appointing a Data Protection Officer (DPO) has become one of the pillars of compliance for organisations processing personal data. Yet many managers of micro-enterprises, SMEs and mid-sized companies still hesitate over which arrangement to choose: hiring an internal DPO, calling on an outsourced DPO, or combining the two in a hybrid model.
The choice is not solely a budgetary one. It affects the quality of compliance, the legal security of the company and its ability to withstand an inspection by the Commission nationale de l'informatique et des libertés (CNIL). The penalties handed down in 2025 are a reminder: failing to involve your DPO properly can cost up to 100,000 euros in administrative fines, as illustrated by decision SAN-2025-008 of 18 September 2025 against the company operating La Samaritaine.
This article takes stock, up to date with the applicable texts and recent practice, of the duties of the outsourced DPO, the fees observed on the market in 2026, and the decision framework between an internal and an external DPO that every manager should keep in mind to structure their data governance.
The DPO is the natural or legal person responsible, within an organisation or in support of it, for ensuring the proper application of the GDPR and the French Data Protection Act. Its regime is defined by Articles 37 to 39 of the GDPR, supplemented under French law by Article 57 of Act no. 78-17 of 6 January 1978 (known as the "French Data Protection Act"), which states that the controller and its representative shall designate an officer under the conditions laid down in Section 4 of Chapter IV of the European regulation.
The DPO is not a mere technical contact: it enjoys a protected status, must be able to perform its duties in full independence, and benefit from the resources necessary for their accomplishment (Article 38 of the GDPR).
Article 37 of the GDPR requires the appointment of a DPO in three main scenarios:
Outside these cases, appointment remains strongly recommended whenever the organisation processes high-risk data or wishes to demonstrate its compliance (the accountability principle laid down in Article 5(2) of the GDPR). Under French law, Article 103 of the French Data Protection Act also makes this appointment mandatory for controllers operating in the field of police and security files.
The GDPR expressly permits the appointment of a single DPO for several entities of a group (Article 37.2), as well as the use of an external provider on the basis of a service contract (Article 37.6). The DPO may therefore be:
The duties of the DPO, whether internal or external, are identical. Article 39 of the GDPR sets out an exhaustive list:
In practice, an outsourced DPO operates on a broader scope: maintaining and updating the record of processing activities, reviewing internal policies, training teams, managing data breaches (Article 33 of the GDPR), supporting requests to exercise rights (access, erasure, objection) and ad hoc audits.
This is an essential point that is often misunderstood: the DPO is not the controller. It does not make decisions in place of the manager or management. Its role is to inform decision-making and to monitor compliance, but legal responsibility always lies, under Article 5(2) of the GDPR, with the controller (and, where applicable, with the processor as regards its own role).
GDPR · Role of the Data Protection Officer (summary of the eight duties, as keywords recovered from the original interactive panel): Duty 1: legal notes, recommendations, alerts. Duty 2: audits, reviews, dashboards. Duty 3: creation, update, monitoring. Duty 4: scoping, methodology, validation. Duty 5: qualification, CNIL notification, record. Duty 6: procedure, response, deadline tracking. Duty 7: training plans, materials, sessions. Duty 8: official exchanges, inspection management.
The outsourced DPO must be able to perform its duties in full independence (Article 38.3 of the GDPR). It may not receive instructions on how to carry them out, nor be penalised for the performance of its duties, and it reports directly to the highest level of management.
It must also be involved, properly and in a timely manner, in all issues relating to the protection of personal data (Article 38.1 of the GDPR). This obligation is not a mere formality: the CNIL now penalises it directly, as illustrated by the recent administrative case law analysed below.
Contractually, the outsourced DPO is bound to the company by a service contract which must in particular set out: the exact scope of the duties, the term of engagement, confidentiality, the conditions for access to information, the absence of conflicts of interest, the liability regime, and the terms for ending the engagement.
The cost of an outsourced DPO varies significantly according to the size of the organisation, the volume and sensitivity of the processing, the level of support expected (regular presence or ad hoc interventions), and the initial maturity of the organisation in terms of compliance.
Market offers generally range from 150 € excluding VAT per month for simple scopes (micro-enterprises, associations, small structures with few processing operations) to several thousand euros per month for complex organisations. Intermediate packages are frequently offered around 220 €, 350 €, 660 € or 750 € excluding VAT per month, depending on the level of service.
On an annual basis, the budgets observed most often fall within a range of 6,000 to 15,000 € excluding VAT per year for an SME, with wider variations for highly exposed structures (health, finance, HR, digital platforms).
Several parameters directly influence the cost:
On top of these direct costs come indirect costs that are sometimes underestimated: time spent mobilising internal teams, deploying mapping tools, upgrading internal policies, bringing cookies and GDPR banners into compliance, etc.
The fees paid to an outsourced DPO constitute operating expenses deductible from the company's taxable profit, provided they are incurred in the interest of the business and properly justified. The VAT paid on these services is in principle recoverable under the general conditions, subject to the deduction coefficient specific to each company. This favourable tax treatment reinforces the economic appeal of the outsourced arrangement compared with hiring an employee, whose overall social and tax cost is significantly higher.
An internal DPO will be more relevant where the compliance workload is continuous, cross-functional and strongly integrated into operations. This is typically the case for:
Internal recruitment nevertheless requires a person who is genuinely competent, available and free of conflicts of interest (in most configurations a DPO cannot be the IT director, the legal director or the marketing director, according to the guidelines of the European Data Protection Board).
The outsourced DPO most often represents the best compromise for structures that:
This is in particular the recommended configuration for the vast majority of micro-enterprises/SMEs and e-merchants, as well as for startups in a structuring phase.
For large companies and highly exposed structures (health, banking, insurance, telecoms, digital platforms), a hybrid model is often the most robust: an internal DPO manages compliance day to day, supported by an external firm on complex matters (targeted audits, sensitive DPIAs, crisis management, CNIL litigation, international inspections).
This combination makes it possible to combine operational continuity, business proximity and specialised expertise, while securing the most sensitive matters through an independent external perspective.
The following table summarises the main selection criteria.
The failure to appoint, where it is mandatory, exposes the organisation to an administrative fine imposed by the CNIL that may reach, under Article 83 of the GDPR and Article 20 of the French Data Protection Act:
To this are added any formal notices, reprimands, injunctions to bring into compliance (where applicable accompanied by penalty payments) and, of course, the reputational impact of a decision made public.
Appointing a DPO is not enough: it must also be effectively involved in decisions having an impact on personal data. CNIL decision SAN-2025-008 of 18 September 2025, handed down against the company operating the La Samaritaine store, provides a recent and striking illustration.
In this case, the company had installed cameras concealed in smoke detectors, fitted with microphones, in two storage rooms of its store, without documenting the system and without involving its data protection officer. The latter was only informed after the installation and then the removal of the cameras by the employees themselves.
The CNIL's restricted committee noted that "consulting the data protection officer beforehand would have given her the opportunity to remind the controller of the conditions under which such a system may be deployed" and that the failure to involve the DPO constituted a characterised breach of Article 38.1 of the GDPR.
The penalty imposed amounted to 100,000 euros in administrative fines, together with a publication of the decision, for all the breaches found (Articles 5-1-a, 5-2, 5-1-c, 33 paragraphs 1 and 5, and 38-1 of the GDPR). This decision demonstrates that simply appointing a DPO is not enough: governance must provide for effective and documented consultation of the officer for every project involving data issues.
In addition to the administrative penalties imposed on the company, certain breaches of data protection rules may engage the criminal liability of the manager on the basis of Articles 226-16 et seq. of the Criminal Code (fraudulent collection, unlawful retention, unauthorised disclosure). The penalties incurred reach 5 years' imprisonment and a 300,000 euro fine, which all the more justifies solid and documented DPO governance.
The Mirabile Avocat firm works alongside the managers of micro-enterprises, SMEs, mid-sized companies, e-merchants and digital players to structure, secure and defend their data compliance.
Before any contractual engagement or recruitment, it is essential to diagnose the situation: nature of the processing, level of risk, regulatory exposure, internal capabilities. The firm conducts a preliminary audit leading to a reasoned recommendation as to the model to adopt, and supports the manager in drafting the outsourced DPO contract or formalising the internal position (engagement letter, hierarchical positioning, allocated resources).
The firm can act as an outsourced DPO or in support of an internal DPO, on a scope that includes in particular:
In the event of a CNIL inspection, a formal notice, the initiation of penalty proceedings or a contentious appeal before the Conseil d'État, the firm ensures the defence of the company at all stages of the procedure: drafting observations in response, the hearing before the restricted committee, judicial appeals, as well as managing the media and reputational consequences of a possible public decision.
Data governance is not limited to GDPR compliance: it also runs through distribution contracts, general terms and conditions of sale, the terms of use of platforms, and the tax structuring of data flows between subsidiaries or partners. The firm offers a cross-functional approach combining digital law, commercial law, distribution law and tax law.
The choice between internal DPO, outsourced DPO or hybrid model is not neutral. For the majority of micro-enterprises and SMEs, the outsourced DPO remains the best cost/expertise compromise, especially when compliance has to be built or consolidated. For large groups and organisations handling sensitive data, a hybrid arrangement offers the necessary robustness.
Whatever model is chosen, three principles should guide the decision:
Beyond the headline price, the real question for the manager is not "how much does a DPO cost" but "which organisation enables me to maintain compliance over time and to withstand a CNIL inspection". It is on this basis that suitable legal support finds its full value.
This article is published for purely informational purposes and does not constitute legal advice. The analyses presented reflect the state of the law and case law as at the date of writing. For any particular situation, it is recommended to consult a lawyer. The Mirabile Avocat firm is at your disposal for any personalised support on matters of data protection, GDPR compliance, digital law and distribution law.
To learn more
An outsourced DPO is a data protection officer whose mission is entrusted to an external provider rather than to an employee. It carries out the duties of the DPO while pooling its expertise, which makes it a suitable option for many micro-enterprises, SMEs and mid-sized companies.
The outsourced DPO carries out the same duties as an internal DPO: informing and advising, monitoring GDPR compliance, advising on impact assessments and acting as the CNIL's contact point. It performs them in full independence on behalf of the organisation.
The choice depends on the size of the organisation, the volume of processing, the available resources and the level of risk. The internal DPO offers a daily presence, the outsourced DPO offers pooled expertise, and the hybrid model combines the two. This choice affects the quality of compliance.
No. The choice between internal, outsourced or hybrid DPO is not solely budgetary: it affects the quality of compliance, the legal security of the company and its ability to withstand a CNIL inspection.
The fee for an outsourced DPO depends on the volume and sensitivity of the processing, the level of support and the size of the organisation. This arrangement makes it possible to pool expertise without the cost of a full-time position, often to the benefit of micro-enterprises and SMEs.
Failing to properly involve your DPO in processing can be costly. Decision SAN-2025-008 of 18 September 2025, against the company operating La Samaritaine, illustrates an administrative fine that may reach 100,000 euros for such a breach.
Yes. The DPO must be involved in a timely manner in data protection matters. A failure to involve it may be penalised by the CNIL, as illustrated by decision SAN-2025-008. This involvement is a condition for the effectiveness of compliance.
A lawyer helps to decide between internal, outsourced or hybrid DPO, to secure the involvement of the DPO in processing and to prepare for a CNIL inspection. A lawyer can also carry out the mission of outsourced DPO, combining compliance and legal expertise.