Art. 37 GDPR / § 38 BDSG: mandatory from 20 employees

External DPO

Your Data Protection Officer on call - certified, technically proficient and independent

An external Data Protection Officer takes on the statutory DPO function under Art. 37-39 GDPR for your organisation - without permanent employment, without conflict of interest. AWARE7 combines data protection expertise with IT security know-how from over 500 penetration tests: your data is protected not only legally, but also technically.

  • AWARE7 is ISO 27001 certified
  • 500+ penetration tests completed
  • Based in Gelsenkirchen - serving all of Germany
  • In the market since 2018

Trusted by our customers

  • § 38 BDSG - mandatory from 20 persons
  • 72 hrs - notification deadline for data breaches
  • 20+ employees = obligation (often)
  • €10M - max. fine (Art. 83 para. 4 GDPR)

Does your company need a Data Protection Officer?

The obligation arises from Art. 37 GDPR and § 38 BDSG. Check whether your company is affected.

A DPO is mandatory if at least one applies:

  1. 20+ employees regularly process personal data in an automated manner (§ 38 BDSG)
  2. Processing requiring a DPIA as core activity - a Data Protection Impact Assessment under Art. 35 GDPR is required, e.g. for scoring, profiling or large-scale processing of sensitive data (§ 38 para. 1 s. 2 BDSG)
  3. Systematic monitoring of individuals at large scale - e.g. CCTV, tracking, profiling (Art. 37 para. 1 lit. b GDPR)
  4. Large-scale processing of special categories as core activity - e.g. health data, genetic or biometric data (Art. 37 para. 1 lit. c GDPR)

What happens without a DPO?

EUR 10M

Maximum fine for a missing DPO under Art. 83 para. 4 GDPR - or 2% of global annual turnover, whichever is higher

72 hours

Notification deadline for data breaches under Art. 33 GDPR. Without a DPO, companies often lack the competence to report incidents correctly and on time.

Accountability

Under Art. 5 para. 2 GDPR you must be able to demonstrate compliance with data protection at any time. Without a DPO, systematic documentation is lacking.


Why many companies have no DPO - and why that is risky

GDPR has been in force since 2018. Yet many companies still lack an appointed Data Protection Officer.

Fine risk

The absence of a legally required DPO is itself a fineable offence. Supervisory authorities check actively - especially following data breaches or complaints from individuals.

Internal overload

Data protection as a side task does not work. Law, technology, processes - an internal DPO without sufficient time and expertise creates a false sense of security.

Reputational risk

A publicly disclosed data breach or a supervisory authority order damages the trust of customers, partners and employees - often more lastingly than any fine.

Real GDPR fines in Europe

Source: GDPR Enforcement Tracker (CMS Law) · enforcementtracker.com

3,000+ documented cases

Internal vs. external Data Protection Officer

GDPR permits both. But which option suits your company?

| Criterion | Internal DPO | External DPO |
|---|---|---|
| Cost | EUR 50,000-80,000/year (salary + social contributions + training) | Predictable monthly fee, significantly lower |
| Independence | Limited - internal hierarchies, potential conflicts of interest | Fully independent, no conflict of interest |
| Expertise | Limited to one company, training at own cost | Broad experience across many sectors and company sizes |
| Availability | Absence risk for illness, holidays, resignation | Cover arrangements in the team, no absence risk |
| Dismissal protection | Special dismissal protection under § 6 para. 4 BDSG in conjunction with § 38 para. 2 BDSG | No dismissal protection - contract flexibly terminable |
| IT security | Usually purely legal perspective | With AWARE7: data protection + IT security from one source |
| Liability | Employee liability - limited to intent and gross negligence | Contractual liability backed by professional indemnity insurance |

Data protection based on international standards

We do not work by intuition. In our role as external DPO we align our work with recognised standards and recommendations.

ISO 27701

Privacy Information Management

We aspire to align our DPO activities with ISO 27701 on the basis of ISO 27001. ISO 27701 is the international standard for privacy information management systems - an extension of ISO 27001 to include privacy-specific requirements. It bridges technical information security and legal data protection.

  • Structured privacy management system with clear roles and processes
  • Compatible with existing ISO 27001 certifications - synergy instead of duplication
  • Documented evidence for GDPR accountability obligations (Art. 5 para. 2)

Data Processing

Trustworthy Data Processing

We pursue a structured approach to trustworthy data processing - aligned with best practices for service providers that process personal data on behalf of others. This ensures that your processors are not only contractually bound, but also technically and organisationally trustworthy.

  • Criteria for selecting and assessing processors beyond the DPA
  • Transparency on data flows and sub-processors throughout the entire chain
  • Evidence for customers and partners: your company as a trustworthy data processor

ISO 27701 as an extension of your ISMS?

If you are already ISO 27001 certified or planning to be, ISO 27701 can be integrated as a privacy extension. We support both - information security and data protection - from a single source.


Tasks of the external Data Protection Officer

Full assumption of the DPO function under Art. 39 GDPR - from documentation to supervisory authority communication.

RoPA Management

Build-up and ongoing maintenance of the Record of Processing Activities (Art. 30 GDPR). Structured, complete and available for inspection at any time.

DPA Management

Review, negotiation and conclusion of Data Processing Agreements with all external service providers that process personal data.

Data Breach Response

Coordination for reportable data breaches. Assessment, notification to the supervisory authority within 72 hours, communication with affected individuals, documentation.

Data Subject Requests

Handling of requests for access, erasure, rectification and data portability within the statutory deadlines - complete and legally sound.

Employee Training

Regular, documented data protection awareness training for all employees - as in-person sessions or e-learning. With attendance records.

Management Reporting

Regular reports to management on data protection status, open risks and completed measures - documented in an audit-proof manner.

How we start working together

From enquiry to ongoing support - in four clear steps.

1. Initial consultation

We clarify your needs, check the appointment obligation and discuss the scope. Free and non-binding.

2. Assessment

We analyse your current data protection situation: processing activities, existing documentation, open risks.

3. Appointment

Formal appointment as external DPO, notification to the competent supervisory authority and internal announcement.

4. Ongoing support

Regular status meetings, ongoing documentation, training and rapid response to incidents or requests.

What does an external Data Protection Officer cost?

Cost depends on company size, sector and the scope of data processing activities. Here is an orientation.

Cost comparison: Internal vs. External

Internal DPO (full-time): EUR 50,000 - 80,000/year

Salary + social contributions + training + absence risk + dismissal protection

Internal DPO (part-time): EUR 15,000 - 25,000/year

Proportionate working time + training - but: higher liability risk with insufficient qualification

External DPO (AWARE7): individual quote

Predictable monthly fee, no hidden costs, no social contributions, no absence risk

Individual quote

The exact cost depends on your company. We provide a transparent quote - free and non-binding. No small print.

  • No setup fee
  • Monthly cancellable
  • Fixed price - no surprises

External DPO for companies of every size

Whether small company, mid-sized business or larger organisation - we tailor the scope of services to your needs.

Small Companies

20-50 employees

Appointment obligation often from 20 employees. An external DPO is the most cost-effective solution - professional data protection without a full-time position.

Mid-Sized Businesses

50-500 employees

More complex processing activities, more service providers, higher requirements. This is where the combination of data protection and IT security expertise pays off particularly.

Specialist Sectors

Healthcare, Finance, IT

Special data categories (Art. 9 GDPR) in healthcare, strict regulation in financial services and high technical requirements in IT demand a DPO with deep specialist knowledge.

Under § 38 para. 1 BDSG (German Federal Data Protection Act), a DPO is mandatory if you regularly employ at least 20 persons engaged in automated processing of personal data. Regardless of headcount, the obligation applies under Art. 37 GDPR for certain processing activities: for example if your core activity involves large-scale processing of special categories of personal data (health, genetic or biometric data), or you regularly and systematically monitor individuals at large scale (e.g. large-scale CCTV surveillance).

An external DPO brings broad experience from a variety of industries and company sizes. They are independent from internal hierarchies, have no incentive to shy away from conflict, and can report openly. Additionally, there are no recruitment costs, salary costs, training costs, or risk of absence through illness or resignation. With AWARE7 there is an added benefit: our DPO brings IT security and data protection together - which is decisive in practice.

The external DPO monitors compliance with GDPR and other data protection regulations, advises management and staff, maintains the Record of Processing Activities (RoPA), reviews and negotiates DPAs with service providers, supports Data Protection Impact Assessments (DPIAs) and acts as the contact point for data subject requests and the supervisory authority. They regularly train your employees and report to management.

The cost of an external DPO depends on company size, sector and the scope of data processing activities. As a benchmark: an external DPO is significantly more cost-effective than an internal full-time position, where salary (approx. EUR 50,000-80,000/year), social contributions, training and absence risk apply. Contact us - we will provide an individual quote.

Yes. AWARE7 can be appointed as DPO. The GDPR expressly permits the appointment of an external DPO (Art. 37 para. 6 GDPR). There is no conflict of interest between our work as IT security consultants and the DPO function - quite the contrary: combining IT security and data protection is a concrete advantage for your organisation.

The appointment takes place in four steps: 1. Initial consultation to clarify your needs and the obligation to appoint. 2. Assessment of your current data protection situation. 3. Formal appointment and notification to the supervisory authority. 4. Ongoing support with regular status meetings. The entire onboarding process typically takes 2-4 weeks.

Your external DPO is the first point of contact. For reportable data breaches, they coordinate notification to the supervisory authority within the 72-hour deadline, document the incident and support communication with affected individuals. For access requests under Art. 15 GDPR, they ensure the legally required one-month deadline is met and the response is complete and accurate.

If you are legally required to appoint a DPO but have not done so, the supervisory authority can impose a fine - under Art. 83 para. 4 GDPR up to EUR 10 million or 2% of global annual turnover, whichever is higher. More important than the fine question: a DPO protects you against the far more costly consequences of actual data protection violations. We help you reach a legally sound position quickly.

Especially for small companies and mid-sized businesses, an external DPO is often the best solution. An internal full-time position is not financially viable, and data protection as a side task for an employee carries risks. An external DPO delivers professional expertise at predictable cost - no permanent employment, no absence risk, no conflict of interest.

AWARE7 serves companies across all sectors - from IT service providers and SaaS vendors to healthcare and financial services, through to manufacturing and the public sector. The combination of data protection and IT security expertise is a particular advantage in sectors with high requirements for technical and organisational measures.

Your data protection contact

Appoint an external DPO

We discuss your needs, clarify the appointment obligation and provide an individual quote - free and non-binding.