External DPO (DPO-as-a-Service)
Legal basis: GDPR Arts. 37–39; LOPDGDD Arts. 34–37
PurposeThe Data Protection Officer function provided under a service contract, with the qualification, independence and availability of a DPO without the cost of an internal hire. Includes the designation and its communication to the AEPD within ten days.
What it includes
- Designation and communication to the AEPD (10 days)
- Point of contact and intervention in claims (Art. 37)
- Continuous monitoring and management reporting
Deliverables
- Designation letter and communication to the AEPD
- Annual monitoring plan and obligations calendar
- Periodic report to management
- Handling of claims (Art. 37 LOPDGDD)
Intended forEntities obliged by Article 34 LOPDGDD and organisations seeking to outsource the function independently.