
Outsourced DPO: duties, fees and trade-offs with an internal DPO


Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, appointing a Data Protection Officer (DPO) has become one of the pillars of compliance for organisations processing personal data. Yet many managers of micro-enterprises, SMEs and mid-sized companies still hesitate over which arrangement to choose: hiring an internal DPO, calling on an outsourced DPO, or combining the two in a hybrid model.

The choice is not solely a budgetary one. It affects the quality of compliance, the legal security of the company and its ability to withstand an inspection by the Commission nationale de l'informatique et des libertés (CNIL). The penalties handed down in 2025 are a reminder: failing to involve your DPO properly can cost up to 100,000 euros in administrative fines, as illustrated by decision SAN-2025-008 of 18 September 2025 against the company operating La Samaritaine.

This article takes stock, up to date with the applicable texts and recent practice, of the duties of the outsourced DPO, the fees observed on the market in 2026, and the decision framework between an internal and an external DPO that every manager should keep in mind to structure their data governance.

What is a DPO and when is its appointment mandatory?

What is the legal definition of the Data Protection Officer?

The DPO is the natural or legal person responsible, within an organisation or in support of it, for ensuring the proper application of the GDPR and the French Data Protection Act. Its regime is defined by Articles 37 to 39 of the GDPR, supplemented under French law by Article 57 of Act no. 78-17 of 6 January 1978 (known as the "French Data Protection Act"), which states that the controller and its representative shall designate an officer under the conditions laid down in Section 4 of Chapter IV of the European regulation.

The DPO is not a mere technical contact: it enjoys a protected status, must be able to perform its duties in full independence, and benefit from the resources necessary for their accomplishment (Article 38 of the GDPR).

In which cases is the appointment of a DPO mandatory?

Article 37 of the GDPR requires the appointment of a DPO in three main scenarios:

  • where the processing is carried out by a public authority or public body, except for courts acting in their judicial capacity;
  • where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring on a large scale of data subjects;
  • where the core activities consist of large-scale processing of special categories of data (so-called sensitive data: health, political opinions, biometrics, etc.) or of data relating to criminal convictions.

Outside these cases, appointment remains strongly recommended whenever the organisation processes high-risk data or wishes to demonstrate its compliance (the accountability principle laid down in Article 5(2) of the GDPR). Under French law, Article 103 of the French Data Protection Act also makes this appointment mandatory for controllers operating in the field of police and security files.

What is a shared or outsourced DPO?

The GDPR expressly permits the appointment of a single DPO for several entities of a group (Article 37.2), as well as the use of an external provider on the basis of a service contract (Article 37.6). The DPO may therefore be:

  • an employee of the controller (internal DPO);
  • an independent provider (lawyer, consultant, specialised firm) bound by contract (outsourced DPO);
  • a legal person (law firm, consultancy firm), which designates within it a natural person actually responsible for carrying out the task.

What are the concrete duties of the outsourced DPO?

Which duties does the GDPR assign to the DPO?

The duties of the DPO, whether internal or external, are identical. Article 39 of the GDPR sets out an exhaustive list:

  • inform and advise the controller, the processor and the employees on their obligations;
  • monitor compliance with the GDPR, other provisions of Union and national law, and the organisation's internal rules;
  • provide advice on the data protection impact assessment (DPIA) and verify its performance;
  • cooperate with the CNIL and act as its contact point;
  • have due regard to the risk associated with the processing operations.

In practice, an outsourced DPO operates on a broader scope: maintaining and updating the record of processing activities, reviewing internal policies, training teams, managing data breaches (Article 33 of the GDPR), supporting requests to exercise rights (access, erasure, objection) and ad hoc audits.

Does the outsourced DPO advise or decide for the company?

This is an essential point that is often misunderstood: the DPO is not the controller. It does not make decisions in place of the manager or management. Its role is to inform decision-making and to monitor compliance, but legal responsibility always lies, under Article 5(2) of the GDPR, with the controller (and, where applicable, with the processor as regards its own role).

GDPR · Role of the Data Protection Officer

Duties of the DPO (eight duties, each with its operational content):

  1. Advice and information: legal notes, recommendations, alerts;
  2. Compliance monitoring: audits, reviews, dashboards;
  3. Record of processing activities: creation, update, monitoring;
  4. Impact assessments (DPIA): scoping, methodology, validation;
  5. Data breaches: qualification, CNIL notification, record;
  6. Data subject requests: procedure, response, deadline tracking;
  7. Training and awareness: training plans, materials, sessions;
  8. CNIL contact point: official exchanges, inspection management.

What is the legal status of the outsourced DPO?

The outsourced DPO must be able to perform its duties in full independence (Article 38.3 of the GDPR). It may not receive instructions on how to carry them out, nor be penalised for the performance of its duties, and it reports directly to the highest level of management.

It must also be involved, properly and in a timely manner, in all issues relating to the protection of personal data (Article 38.1 of the GDPR). This obligation is not a mere formality: the CNIL now penalises it directly, as illustrated by the recent administrative case law analysed below.

Contractually, the outsourced DPO is bound to the company by a service contract which must in particular set out: the exact scope of the duties, the term of engagement, confidentiality, the conditions for access to information, the absence of conflicts of interest, the liability regime, and the terms for ending the engagement.

How much does an outsourced DPO cost in 2026?

What are the fee ranges observed on the market?

The cost of an outsourced DPO varies significantly according to the size of the organisation, the volume and sensitivity of the processing, the level of support expected (regular presence or ad hoc interventions), and the initial maturity of the organisation in terms of compliance.

Market offers generally range from 150 € excluding VAT per month for simple scopes (micro-enterprises, associations, small structures with few processing operations) to several thousand euros per month for complex organisations. Intermediate packages are frequently offered around 220 €, 350 €, 660 € or 750 € excluding VAT per month, depending on the level of service.

On an annual basis, the budgets observed most often fall within a range of 6,000 to 15,000 € excluding VAT per year for an SME, with wider variations for highly exposed structures (health, finance, HR, digital platforms).

What factors cause the budget of an outsourced DPO to vary?

Several parameters directly influence the cost:

  • number and nature of processing operations (an HR or health processing operation is more demanding than a simple prospect file);
  • presence of transfers outside the European Union;
  • use of processors and number of contracts to be reviewed;
  • frequency of DPIAs to be carried out;
  • level of presence requested (days per month on site, committees, training);
  • management of data breaches and existing data subject requests;
  • initial state of the record and documentation.

On top of these direct costs come indirect costs that are sometimes underestimated: time spent mobilising internal teams, deploying mapping tools, upgrading internal policies, bringing cookies and GDPR banners into compliance, etc.

Is the cost of the outsourced DPO tax-deductible?

The fees paid to an outsourced DPO constitute operating expenses deductible from the company's taxable profit, provided they are incurred in the interest of the business and properly justified. The VAT paid on these services is in principle recoverable under the general conditions, subject to the deduction coefficient specific to each company. This favourable tax treatment reinforces the economic appeal of the outsourced arrangement compared with hiring an employee, whose overall social and tax cost is significantly higher.

Internal DPO or outsourced DPO: how to choose?

Which criteria require or recommend an internal DPO?

An internal DPO will be more relevant where the compliance workload is continuous, cross-functional and strongly integrated into operations. This is typically the case for:

  • large groups and mid-sized companies processing a significant volume of data, in particular HR or health data;
  • organisations operating complex international flows;
  • structures for which compliance requires a daily presence and ongoing dialogue with IT, security, legal and business teams;
  • public entities for which appointment is mandatory and the scope is extensive.

Internal recruitment nevertheless requires having a person who is genuinely competent, available, free of conflicts of interest (a DPO cannot be the IT director, the legal director or the marketing director in most configurations, according to the guidelines of the European Data Protection Board).

In which cases is the outsourced DPO preferable?

The outsourced DPO most often represents the best compromise for structures that:

  • do not have enough volume to justify a full-time position;
  • want a quick start without recruitment and training costs;
  • wish to access specialised expertise immediately, in particular legal and operational expertise;
  • seek budgetary flexibility (adjustable package, alignment with actual activity);
  • benefit, in addition, from enhanced independence thanks to the organisational distance of an external provider.

This is in particular the recommended configuration for the vast majority of micro-enterprises/SMEs and e-merchants, as well as for startups in a structuring phase.

Is the hybrid model suitable for large companies with sensitive data?

For large companies and highly exposed structures (health, banking, insurance, telecoms, digital platforms), a hybrid model is often the most robust: an internal DPO manages compliance day to day, supported by an external firm on complex matters (targeted audits, sensitive DPIAs, crisis management, CNIL litigation, international inspections).

This combination makes it possible to combine operational continuity, business proximity and specialised expertise, while securing the most sensitive matters through an independent external perspective.

How to decide concretely between the three arrangements?

The following table summarises the main selection criteria.

Choosing your DPO: internal, outsourced or hybrid (the three profiles compared; the detailed criteria of the original table are not reproduced here)

  1. Profile 01: Internal DPO
  2. Profile 02: Outsourced DPO
  3. Profile 03: Hybrid model

What are the legal risks in the event of a failure in the DPO's role?

What does a company risk if it does not appoint a DPO when it should have?

The failure to appoint, where it is mandatory, exposes the organisation to an administrative fine imposed by the CNIL that may reach, under Article 83 of the GDPR and Article 20 of the French Data Protection Act:

  • 10 million euros, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher;
  • or even 20 million euros or 4% of turnover in the most serious cases.

To this are added any formal notices, reprimands, injunctions to bring into compliance (where applicable accompanied by penalty payments) and, of course, the reputational impact of a decision made public.

What does a company risk if it does not properly involve its DPO?

Appointing a DPO is not enough: it must also be effectively involved in decisions having an impact on personal data. CNIL decision SAN-2025-008 of 18 September 2025, handed down against the company operating the La Samaritaine store, provides a recent and striking illustration.

In this case, the company had installed cameras concealed in smoke detectors, fitted with microphones, in two storage rooms of its store, without documenting the system and without involving its data protection officer. The officer was informed only after the cameras had been installed and then removed by the employees themselves.

The CNIL's restricted committee noted that "consulting the data protection officer beforehand would have given her the opportunity to remind the controller of the conditions under which such a system may be deployed" and that the failure to involve the DPO constituted a characterised breach of Article 38.1 of the GDPR.

The penalty imposed amounted to 100,000 euros in administrative fines, together with publication of the decision, for all the breaches found (Articles 5(1)(a), 5(2), 5(1)(c), 33(1) and (5), and 38(1) of the GDPR). This decision demonstrates that simply appointing a DPO is not enough: governance must provide for effective and documented consultation of the officer for every project involving data issues.

What risk does the manager personally bear?

In addition to the administrative penalties imposed on the company, certain breaches of data protection rules may engage the criminal liability of the manager on the basis of Articles 226-16 et seq. of the Criminal Code (fraudulent collection, unlawful retention, unauthorised disclosure). The penalties incurred reach 5 years' imprisonment and a 300,000 euro fine, which all the more justifies solid and documented DPO governance.

How does the Mirabile Avocat firm support companies on DPO governance?

The Mirabile Avocat firm works alongside the managers of micro-enterprises, SMEs, mid-sized companies, e-merchants and digital players to structure, secure and defend their data compliance.

What support to frame the choice between internal, external or hybrid DPO?

Before any contractual engagement or recruitment, it is essential to diagnose the situation: nature of the processing, level of risk, regulatory exposure, internal capabilities. The firm conducts a preliminary audit leading to a reasoned recommendation as to the model to adopt, and supports the manager in drafting the outsourced DPO contract or formalising the internal position (engagement letter, hierarchical positioning, allocated resources).

What role in day-to-day compliance and the prevention of penalties?

The firm can act as an outsourced DPO or in support of an internal DPO, on a scope that includes in particular:

  • the review of the record of processing activities and impact assessments;
  • bringing e-commerce sites into compliance (cookies, legal notices, general terms and conditions);
  • the securing of contracts with processors (Article 28 of the GDPR) and commercial partners;
  • the drafting and updating of internal policies (IT charter, privacy policy, breach procedure);
  • the management of data breaches and their notification to the CNIL within the 72-hour period provided for in Article 33 of the GDPR;
  • the training of teams and raising management's awareness.

What support in the event of a CNIL inspection or litigation?

In the event of a CNIL inspection, a formal notice, the initiation of penalty proceedings or contentious appeal before the Conseil d'État, the firm ensures the defence of the company at all stages of the procedure: drafting observations in response, hearing before the restricted committee, judicial appeals, as well as managing the media and reputational consequences of a possible public decision.

What connection with commercial and distribution strategy?

Data governance is not limited to GDPR compliance: it also runs through distribution contracts, general terms and conditions of sale, the terms of use of platforms, and the tax structuring of data flows between subsidiaries or partners. The firm offers a cross-functional approach combining digital law, commercial law, distribution law and tax law.

Conclusion: which best practices should a manager remember?

The choice between internal DPO, outsourced DPO or hybrid model is not neutral. For the majority of micro-enterprises and SMEs, the outsourced DPO remains the best cost/expertise compromise, especially when compliance has to be built or consolidated. For large groups and organisations handling sensitive data, a hybrid arrangement offers the necessary robustness.

Whatever model is chosen, three principles should guide the decision:

  1. Document the appointment and mission of the DPO, and formalise its means of action;
  2. Involve the DPO upstream of every project involving personal data, in accordance with Article 38.1 of the GDPR;
  3. Record this involvement in writing, so that it can be demonstrated in the event of an inspection.

Beyond the headline price, the real question for the manager is not "how much does a DPO cost" but "which organisation enables me to maintain compliance over time and to withstand a CNIL inspection". It is on this basis that suitable legal support finds its full value.

This article is published for purely informational purposes and does not constitute legal advice. The analyses presented reflect the state of the law and case law as at the date of writing. For any particular situation, it is recommended to consult a lawyer. The Mirabile Avocat firm is at your disposal for any personalised support on matters of data protection, GDPR compliance, digital law and distribution law.

To learn more

What is an outsourced DPO?

An outsourced DPO is a data protection officer whose mission is entrusted to an external provider rather than to an employee. It carries out the duties of the DPO while pooling its expertise, which makes it a suitable option for many micro-enterprises, SMEs and mid-sized companies.

What are the duties of an outsourced DPO?

The outsourced DPO carries out the same duties as an internal DPO: informing and advising, monitoring GDPR compliance, advising on impact assessments and acting as the CNIL's contact point. It performs them in full independence on behalf of the organisation.

Internal, outsourced or hybrid DPO: how to choose?

The choice depends on the size of the organisation, the volume of processing, the resources and the level of risk. The internal DPO offers a daily presence, the outsourced one pooled expertise, the hybrid model combines the two. This choice affects the quality of compliance.

Is the choice of DPO solely budgetary?

No. The choice between internal, outsourced or hybrid DPO is not solely budgetary: it affects the quality of compliance, the legal security of the company and its ability to withstand a CNIL inspection.

How much does an outsourced DPO cost?

The fee for an outsourced DPO depends on the volume and sensitivity of the processing, the level of support and the size of the organisation. This arrangement makes it possible to pool expertise without the cost of a full-time position, often to the benefit of micro-enterprises and SMEs.

What is the risk of poorly involving your DPO?

Failing to properly involve your DPO in processing can be costly. Decision SAN-2025-008 of 18 September 2025, against the company operating La Samaritaine, illustrates an administrative fine that may reach 100,000 euros for such a breach.

Must the DPO be involved in the organisation's decisions?

Yes. The DPO must be involved in a timely manner in data protection matters. A failure to involve it may be penalised by the CNIL, as illustrated by decision SAN-2025-008. This involvement is a condition for the effectiveness of compliance.

Is a lawyer useful regarding the outsourced DPO?

A lawyer helps to decide between internal, outsourced or hybrid DPO, to secure the involvement of the DPO in processing and to prepare for a CNIL inspection. A lawyer can also carry out the mission of outsourced DPO, combining compliance and legal expertise.
