
Internal DPO vs External DPO: the case for external is stronger than most companies realise

Full comparison between an in-house Data Protection Officer and an external DPO in 2026: real costs, AEPD registration, conflict of interest rules and the hybrid model.

Internal DPO

Advantages

  • Deep company knowledge from day one: the internal DPO understands systems, data flows and organisational culture without an onboarding period
  • Immediate availability: responds to incidents and ad hoc queries without coordination delays or third-party protocols
  • Natural team integration: attends product, IT and HR meetings without friction, facilitating genuine privacy by design
  • Physical presence at audits and AEPD inspections: can accompany the executive team in supervisory authority visits at no extra cost
  • Accumulated institutional memory: builds an organisational record of data processing decisions, past incidents and compliance history

Disadvantages

  • Total cost of EUR 62,000-80,000 per year (gross salary + employer social security contributions + specialist GDPR training + compliance tools)
  • Limited regulatory breadth: an in-house DPO rarely holds equal depth across GDPR, the Spanish LOPDGDD, NIS2 and sector-specific regulations (healthcare, financial services, HR)
  • Single point of failure: resignation, sick leave or dismissal of the DPO creates a critical gap precisely when the company is most exposed
  • Structural conflict of interest risk: the DPO cannot supervise processing activities for which they are also responsible — in SMEs, this occurs whenever the DPO is also the IT Director or the Legal Counsel
  • Regulatory update costs fall entirely on the employer: keeping pace with EDPB guidelines, AEPD resolutions and international transfer rules is a continuous investment the company must fund

External DPO

Advantages

  • Cost of EUR 660-1,500 per month (EUR 8,000-18,000 per year) depending on volume and complexity, roughly 10-30% of the total cost of an in-house DPO
  • Specialist team behind a single contact: the client accesses experts in GDPR, LOPDGDD, NIS2, HR data protection and international transfers at no extra cost per speciality
  • AEPD DPO registration included: the firm manages the communication and ongoing maintenance of the supervisory authority record
  • No structural conflict of interest: the external DPO does not determine the purposes and means of any of the client's processing, and their independence rests on the service contract and on Article 38.3 of the GDPR, which prohibits instructions on how the DPO performs their tasks; unlike an employee, they are not in the CEO's or the board's reporting line
  • Permanent regulatory updates built in: AEPD resolutions, EDPB guidelines and legislative changes are incorporated into the service immediately
  • Scalable service: adjusts to company growth without recruitment, onboarding or initial training processes

Disadvantages

  • Business knowledge takes time to build: requires a genuine onboarding period of 1-3 months before the external DPO has the depth of an in-house counterpart
  • Shared attention across clients: the external DPO manages multiple clients simultaneously — dedication per client is partial, not exclusive
  • Variable response times for critical incidents: depending on the contractual SLA, response times may be hours rather than minutes
  • Provider dependency: changing firms requires documentation transfer, notifying the AEPD of the change of DPO (deregistration of the outgoing DPO and communication of the new one) and a new learning curve

Our verdict

The external DPO is the optimal choice for companies with fewer than 500 employees. An in-house DPO is only justified in large corporations with massive data processing operations, multiple controllers and special category data requiring permanent on-site presence. For the majority of Spanish businesses, the emerging best practice is the hybrid model — an external DPO combined with an internal Privacy Champion (an IT or Legal reference point without the formal DPO responsibility) — which delivers independence, technical depth and business knowledge at a cost that makes clear commercial sense.

The decision most companies get wrong

When the GDPR requires a company to designate a Data Protection Officer — or when a company decides to designate one voluntarily — the first question is almost always the same: internal or external?

The most common wrong answer is “internal, because they would know the company better”. The correct analysis requires considering total cost, conflict of interest risk and the technical depth required in a regulatory area that evolves rapidly.


What a DPO actually does

A DPO is not a cybersecurity officer or an IT technician. Their tasks, defined in Article 39 of the GDPR, are:

  • Inform and advise the controller and processor on their obligations under data protection law
  • Monitor compliance with the GDPR, internal policies and staff training
  • Advise on Data Protection Impact Assessments (DPIAs) and supervise their implementation
  • Cooperate with the supervisory authority (the AEPD in Spain) and act as the contact point
  • Act as the contact point for data subjects on all issues related to the processing of their data and the exercise of their rights (access, rectification, erasure, portability); under Article 38.4 the DPO is the point of contact, while the obligation to answer the request remains with the controller

This profile requires deep legal knowledge of the GDPR and the Spanish LOPDGDD, familiarity with information technology, risk analysis skills and the ability to communicate at all levels of the organisation.


Cost comparison 2026

Item                              Internal DPO                        External DPO
Base annual cost                  EUR 45,000-55,000 (gross salary)    EUR 8,000-18,000 (annual fee)
Employer social security          EUR 14,000-18,000                   n/a
GDPR specialist training          EUR 2,000-4,000                     Included
Compliance tools                  EUR 1,000-3,000                     Included
AEPD registration                 Internal management required        Included
Professional liability insurance  Not included                        Included
Cover during holidays/sick leave  None                                Included (team)
Total estimated cost              EUR 62,000-80,000/year              EUR 8,000-18,000/year

The annual differential of roughly EUR 45,000-70,000 (the gap between the two totals in the table above) is the number that must be put on the table before making this decision. For a company with 50-500 employees, that differential funds a complete privacy by design programme, employee training and incident management for several years.


The conflict of interest problem

Article 38.6 of the GDPR states that the DPO may fulfil other tasks and duties, but the controller must ensure these do not result in a conflict of interest. The Article 29 Working Party guidelines on DPOs (WP 243), endorsed by the EDPB, clarify that a conflict exists when the DPO holds a position that leads them to determine the purposes and means of the processing they must supervise.

This effectively disqualifies:

  • The IT Director who makes decisions about information systems and automated processing
  • The Legal Counsel who participates in defining data policies and processor contracts
  • The HR Manager who manages the most sensitive employee data processing
  • The CEO or CFO for obvious reasons of hierarchy over all staff

In small and medium enterprises where roles overlap, finding an employee without a conflict of interest for the DPO position is genuinely difficult. The external DPO resolves this structurally.


When an internal DPO makes sense

An internal DPO is justified when at least three of these conditions apply. These are practical thresholds for the internal-versus-external choice, not legal ones: Article 37 of the GDPR decides whether a DPO is required by the nature and scale of the processing, not by headcount.

  • The company has more than 500 employees with regular access to personal data
  • The volume of data subject rights requests exceeds 50 per month
  • The company operates in a sector with highly specific sector regulation (banking, insurance, healthcare) requiring daily on-site presence
  • There are multiple controllers within a corporate group requiring permanent coordination
  • The company has suffered recurring data breaches or is subject to enhanced AEPD supervision

For all other companies, the vast majority of the Spanish business community, the external DPO delivers superior technical coverage, contractual independence and a substantially lower cost.


The hybrid model: Privacy Champion + external DPO

The most advanced practice in mid-sized companies is the hybrid model:

External DPO (specialist firm):

  • Legal responsibility for GDPR compliance
  • AEPD registration and maintenance
  • Complex rights requests management
  • DPIAs for new processing activities
  • Data breach notifications to the AEPD
  • Interface with the AEPD in inspections

Internal Privacy Champion (IT, Legal or HR employee):

  • Daily point of contact for team queries
  • First-line response to rights requests
  • Coordination of the Records of Processing Activities
  • Ensures new projects pass the privacy check before launch

This model combines the immediate availability of an internal employee with the independence, technical depth and liability coverage of an external specialist team.

Frequently asked questions

Article 37 of the GDPR establishes three mandatory scenarios: when processing is carried out by a public authority or body; when the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or when the core activities consist of large-scale processing of special categories of data (health, biometric, ideology, religion) or data relating to criminal convictions. In practice this affects hospitals, insurers, financial institutions, digital marketing companies with user profiling and any company that systematically processes health or biometric data. The Spanish LOPDGDD (Article 34.1) goes further and lists specific categories of entity that must always designate a DPO in Spain, including credit institutions, insurers, investment firms, health centres, private educational establishments, electronic communications providers and companies that profile users for advertising. The AEPD also recommends voluntary designation for controllers who, while not legally required, process data at a scale that carries significant risks.
A mid-level internal DPO in Spain has a gross salary of EUR 45,000-55,000. On top of that, the company pays employer social security contributions (approximately EUR 14,000-18,000), specialist GDPR training (EUR 2,000-4,000 per year) and compliance management tools (EUR 1,000-3,000 per year). The total effective cost is approximately EUR 62,000-80,000 per year. A quality external DPO service for a mid-sized company costs EUR 8,000-18,000 per year (EUR 660-1,500 per month). The annual differential is roughly EUR 45,000-70,000, enough to fund the company's entire privacy compliance programme for several years.
The Spanish LOPDGDD (Article 34) requires the DPO designation to be communicated to the AEPD within ten days of appointment. The communication is made through the AEPD's electronic registry and includes the DPO's identification details, whether the role is internal or external, contact details for data subjects and the territorial scope. Changes must be notified: the previous DPO's deregistration and the new appointment. Registration is free and requires no AEPD approval — it is a notification, not an authorisation. Failure to register can result in a sanction.
They can formally be designated, but the GDPR requires that the DPO does not receive instructions regarding the exercise of their tasks and is not dismissed or penalised for performing them (Article 38.3), and Article 38.6 requires the controller to ensure that any other duties of the DPO do not create a conflict of interest. The Article 29 Working Party guidelines (WP 243), endorsed by the EDPB, clarify that a conflict exists when the DPO has to supervise processing activities for which they themselves determine the purposes and means. An IT Director who makes decisions about information systems cannot be the DPO who supervises whether those systems comply with the GDPR. A Legal Counsel who participates in defining data policies and processor contracts cannot be the DPO who validates those policies. Appointing a conflicted DPO is a recognised ground for sanction, and supervisory authorities, the AEPD among them, have fined controllers for it.
The Privacy Champion (or internal privacy reference) is an organisational model not defined in the GDPR but widely recommended by compliance firms as a complement to the external DPO. They are an internal employee — typically from IT, Legal or HR — who acts as the external DPO's liaison within the company: collects queries from teams, escalates incidents, coordinates records of processing activities documentation and ensures new projects pass through the external DPO before launch. They do not hold the DPO's legal responsibility but act as the bridge. This model solves the main criticism of the external DPO (response time) without the cost of a full-time in-house DPO.
