Outsourcing IOD Outsourcing the functions of the Data Protection Officer

• •Access to experts – you work with a team of specialists in RODO, law and data security.
• •Assurance of RODO compliance – you are guaranteed that your company meets the requirements of the EU regulation.
• •Lower costs – you do not need to employ a Data Protection Officer (DPO) permanently; you pay only for the service.
• •Independence and objectivity – an external DPO is not subject to the company structure, which helps you avoid conflicts of interest.
• •Comprehensive advice – assistance with risk analysis, DPIA, incidents, documentation and audits.
• •Representation before UODO – an external Data Protection Officer (DPO) can contact and represent your company before the supervisory authority.

• •Maintaining and updating RODO documentation.
• •Conducting compliance audits and reporting the results.
• •Training for employees and management staff.
• •Legal and technical advisory on data protection.
• •Monitoring ongoing compliance with legislation and the company's procedures.
• •Ongoing cooperation and communication with UODO.

The price of outsourcing a Data Protection Officer (DPO) is generally significantly lower than the cost of hiring an internal Data Protection Officer (DPO). However, it depends on many factors, such as: scope of services, company size, types of personal data processed, industry, number of employees and the complexity of data processing processes.

Depending on the above factors, the monthly price of an outsourced DPO service may be 1,500 - 3,500 PLN per month. Usually the contract is concluded for an indefinite period.

Outsourcing a DPO can be more cost-effective for companies and other organisations that do not process large volumes of personal data in many frequently changing processes. To choose the optimal solution, it is worth carefully analysing your needs and expectations, then requesting offers from several firms and comparing experience, scope, quality and flexibility of services as well as prices.

The Data Protection Officer (DPO) assists the controller or processor in all matters related to the protection of personal data. Their main task is to monitor and control the company's compliance with data protection law, provide information and advice regarding data processing, and cooperate with the supervisory authority for data protection. The Data Protection Officer is appointed by the controller.

Every company/organisation that is a controller or processor should designate a DPO if its core activities involve the processing of sensitive data on a large scale or regular and systematic monitoring of individuals on a large scale. Pursuant to Art. 37(1) RODO the designation of a Data Protection Officer is mandatory in the following cases:

• •if the organisation is a public authority or body and processes personal data (except for courts in the exercise of judicial authority);
• •if the organisation's core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
• •if the organisation's core activities consist of large-scale processing of special categories of personal data referred to in Art. 9(1) RODO, and personal data relating to criminal convictions and offences referred to in Art. 10 RODO.

If a company is not subject to such a legal obligation, it can and should consider appointing a Data Protection Officer, as this increases the security of the data processed in the organisation.

Pursuant to Art. 38(6) RODO, the Data Protection Officer may carry out other tasks and duties; however, the controller or processor should ensure that such tasks and duties do not give rise to a conflict of interests. The DPO must not hold a position within the organisation in which they determine the purposes and means of processing. According to the Article 29 Working Party Guidelines, such positions include managerial posts (chief executive officer, chief operating officer, chief financial officer, medical director, head of marketing, head of HR, head of IT), but also lower-level positions if the persons holding them participate in determining the purposes and means of processing.

Outsourcing involves entrusting the performance of services not related to the company's core activity to an external entity. If the contract ensures equality of relations between the contracting entrepreneur and the entrepreneur accepting the contract, it is, of course, a completely legal arrangement, with no consequences in the event of an inspection by PIP or ZUS. To avoid the risk of the outsourcing agreement being deemed sham, its provisions regarding employee hierarchy, the scope and manner of provided services and the responsibilities of both entities should be clearly specified.

Outsourcing is a proven way to optimise processes and costs. An outsourcing company provides specialisation and expertise that your company does not have. External experts work only when you really need them. Outsourcing is less expensive than additional full-time positions; you can also avoid the time-consuming process of selecting potential candidates, their training and purchasing equipment. By freeing up part of the company’s funds and resources, you can focus on core activities and improving efficiency. This gives you an advantage over other competitors in the market. Depending on the scope of services, organisation size, type and amount of personal data processed, industry, number of employees and the complexity of processing procedures, the price of an outsourced DPO service typically ranges from 1,500 - 3,500 PLN per month.

The average monthly salary (median) for the position of Data Protection Officer (DPO) is 7,810 PLN gross. Half of Data Protection Officers receive a salary between 5,930 PLN and 10,330 PLN. In the case of outsourcing a DPO, its cost may be 1,500 - 3,500 PLN + VAT per month, depending on the scope of the service.

The appointment of a Data Protection Officer (DPO) must be notified to the President of the Personal Data Protection Office (UODO) within 14 days. The notification should specify the DPO's first and last name and e-mail address or telephone number, and also:

• •first and last name and residential address – where the controller or processor is a natural person;
• •the trader's company name and the address of the place of business – where the controller or processor is a natural person conducting business activity;
• •the full name and registered office address;
• •the REGON identification number – if one has been assigned to the controller or processor.

Data Protection Officer (DPO) may be part of the organisation's personnel or carry out tasks under a service contract. Pursuant to Art. 37(6) RODO, the Data Protection Officer (DPO) may be an employee of the controller/processor or a person outside the staff of the aforementioned entities, acting within an outsourcing arrangement.

Before choosing a company offering outsourcing services, it is worth carefully analysing your needs and expectations, and then comparing offers from different firms. Otherwise, there is a risk of low-quality services and reduced organisational security. You should also take into account the risk of business dependence on the service provider and extended delivery times.

B2B, i.e. Business-to-Business, is cooperation between two companies, not between an employer and an employee. Outsourcing is a form of B2B cooperation and involves entrusting the performance of services not related to the company's core activity to an external entity.

Companies use outsourcing because it is generally less costly than hiring a full-time employee, while allowing them to utilise the services of experts in areas where they lack specialised knowledge or experience, e.g. in the field of personal data protection. Outsourcing is an element of a modern organisational management strategy. It enables the segregation of tasks that can be carried out by a separate, specialised entity. As a result, the organisation optimises costs and gains a competitive advantage.

Many services may be subject to outsourcing, which, however, should not be directly related to the primary activity, that is they must not constitute the so-called core business. Examples of services outsourced under outsourcing include:

• •personal data protection
• •internal audit
• •training
• •IT network management
• •HR and recruitment
• •accounting
• •marketing and advertising
• •security
• •cleaning
• •catering

Depending on the place of task execution, two types of outsourcing are distinguished:

• •External outsourcing (contractual) – commissioning a service to an external business entity.
• •Internal outsourcing (capital) – establishing a so‑called subsidiary that takes over a specified scope of the company’s activities, e.g. IT or accounting.

A different classification of outsourcing is based on the scope of services:

• •Selective outsourcing – entrusting only part of the tasks to an external company.
• •Full outsourcing – comprehensive service.

The most popular outsourcing services are those providing broad support for core activities and business development:

• •IT
• •accounting
• •recruitment
• •legal advice
• •audits
• •personal data protection
• •marketing and advertising
• •property management

The purpose of outsourcing is above all cost optimisation by entrusting to an external company those tasks that are not directly related to the organisation’s core activity, while at the same time requiring specialised knowledge and resources that are not available within the organisation.

According to various studies, it is estimated that already 70–80% of companies in Poland use IT outsourcing. It is the sector that most often offers this type of service. Almost equally popular are accounting, legal and tax services and data protection services.

Outsourcing of certain tasks is most often commissioned by large companies that want to concentrate on their core activities, as well as by medium and small companies for which it is not cost-effective to organise separate positions requiring specialised knowledge and competencies.

Outsourcing is an abbreviation of three English words — outside resource using, that is the use of external resources. In other words, outsourcing is the takeover by a specialised company of certain tasks of another entity, on the basis of an appropriate contract.

The business concept of outsourcing originates from the 1920s. At that time Henry Ford argued that "if there is something that we cannot do more efficiently, more cheaply and better than our competitors, there is no point in our doing it and we should hire someone to carry out that work who will do it better than we can". The term "outsourcing" itself was used for the first time in 1979, in the context of the acquisition of German designs by the British automotive industry.

External outsourcing is the commissioning of specified services to an external business entity. External outsourcing is also known as contractual outsourcing.

The Data Protection Officer (DPO) is a key role within an organisation in the area of personal data. The DPO works for their principal, informs them of obligations arising from data protection legislation, and advises them. The DPO trains employees and raises their awareness of personal data matters. The DPO's duty is to monitor whether the organisation complies with personal data protection requirements. Therefore the DPO conducts audits, provides recommendations and monitors the implementation of data protection impact assessments (DPIAs), and continuously assesses the organisation's compliance with RODO. On that basis they identify the most important areas for improvement. The DPO is the primary point of contact – both for UODO and for the data subjects whose data the organisation processes.

Any organisation may appoint a data protection officer. Appointing one always increases the organisation's security, and in some cases it is also a legal obligation. Article 37(1) RODO provides for the obligation to appoint a DPO in certain cases:

• •if the organisation is a public authority or body and processes personal data (except for courts in the exercise of judicial authority);
• •if the organisation's core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
• •if the organisation's core activities consist of large-scale processing of special categories of personal data referred to in Article 9(1) RODO, or of personal data relating to criminal convictions and offences referred to in Article 10 RODO.

When you appoint a Data Protection Officer (DPO), you have 14 days to notify the President of UODO. In the notification indicate the DPO's first and last name and their email address or telephone number, and also:

• •first and last name and residential address – where the controller or processor is a natural person;
• •the entrepreneur's company name and the address of the place of business – where the controller or processor is a natural person conducting business activity;
• •the full name and the registered office address;
• •the REGON identification number – if it has been assigned to the controller or processor.

Yes, you can appoint a single Data Protection Officer (DPO) for several companies that form a corporate group. At ODO 24 we specialise in the outsourcing of the Data Protection Officer (DPO) for corporate groups. We will advise you how to set up such a process.

There are several specific situations in which it is mandatory to appoint a Data Protection Officer (DPO). However, you should bear in mind that concepts such as "main activity", "regular and systematic monitoring" or "on a large scale" leave a lot of room for interpretation. Therefore we recommend that each organisation carefully considers whether it might be safer to appoint a Data Protection Officer (DPO). The higher the qualifications and experience of the DPO, the lower the risk of problems arising in the company in the context of personal data.

The obligation to appoint a DPO is subject to a sanction of up to €10,000,000 or 2% of total annual worldwide turnover. For some public entities this is a lower amount – a maximum of 100,000 PLN.

When the supervisory authority (the President of UODO) considers a potential administrative fine for your company, it will take into account whether you have appointed a person to perform the role of Data Protection Officer (DPO) in the organisation. Most likely, the President of UODO will regard this as an indication that you are taking actions within the organisation aimed at minimising the risk of breaching legal provisions.

Undoubtedly someone who knows what they are doing and whom you will be able to trust. You must take into account that based on the recommendations of that very person, you will decide, among other things:

• •what will be contained in the letter you send to thousands of your customers,
• •whether to report a breach to the President of the Personal Data Protection Office,
• •which IT system to purchase or what your application should contain,
• •which marketing consents to obtain from customers.

Yes, the Data Protection Officer (DPO) should have knowledge of IT security. This is particularly important when the organisation for which they work processes large volumes of data or uses advanced information technologies. Knowledge of IT security threats is very important because it enables understanding of the processes and tools that concern data processing and their protections. Thanks to this the Data Protection Officer (DPO) can more effectively oversee data protection activities and also prevent data security incidents.

Knowledge of IT is especially important in the context of digital transformation, in which organisations around the world are currently participating. As technology develops, data processing becomes increasingly complex and requires more advanced tools. Therefore the Data Protection Officer (DPO) should understand how tools operate and what security threats different technologies entail.

The foundation of the service of taking over the functions of the Data Protection Officer (DPO) comprises elements such as an annual audit, risk analysis and staff training. This is the mandatory scope. However, to better tailor the service to your company, we can always extend its scope with additional elements. For example: penetration testing, audits at data processors or training aimed at the management board.

Information, including personal data, is among the most valuable assets of an enterprise. If you cause the loss or unintended disclosure of data to third parties within your organisation, you may suffer irreversible consequences. Such incidents can damage your organisation's reputation, lead to a loss of customer trust, and expose you to the risk of severe administrative sanctions.

Therefore, to ensure data security in the organisation, you should appoint a Data Protection Officer (DPO). If your organisation does not have an expert in this field, an effective solution is to entrust this role to specialists through outsourcing. If you would like to join forces with us in this area, contact us.

There are no clear guidelines specifying the level of knowledge a Data Protection Officer (DPO) must possess. When selecting a candidate, however, the organisation should consider the nature, complexity and volume of the data it processes. This means that the Data Protection Officer (DPO) should know the scope of national and European data protection legislation and have practical experience in this field. A thorough knowledge of the processes related to the processing of personal data, IT systems and the security measures used in the organisation is a basic requirement for the officer. They should also demonstrate a high level of professional ethics. In the case of public authorities and entities, the DPO should also be familiar with administrative procedures and the regulations governing the operation of the unit.

The choice of the person to fulfil the functions of the Data Protection Officer (DPO) is not easy for any organisation. The ideal candidate should have knowledge and experience covering both legal and IT areas. These are the qualities that will ensure proper oversight of the way the organisation processes personal data. Importantly, the Data Protection Officer (DPO) can be either an employee of the organisation or an external person (outsourcing).

If you want to ensure the highest quality in the performance of DPO tasks, you can hire a team of employees. An alternative and rational solution is to use outsourcing. An undeniable advantage of this solution is access to the extensive knowledge and experience of a specialised advisory firm. It is worth remembering that with outsourcing an organisation gains the support not of one, but of many experts who specialise in different aspects of data protection.

Outsourcing is cooperation with an external company to which your company commissions services in order to achieve a specific business objective. Specialisation is a key advantage of an outsourcing company. So if your organisation lacks specialised knowledge, for example in the field of personal data protection, outsourcing is an excellent solution. It is also a more efficient use of time – external experts work only when you really need them, not necessarily on a full-time basis. It also optimises costs – outsourcing is less expensive than additional full‑time positions. Moreover, with outsourcing you can also avoid the time‑consuming process of selecting potential candidates, training them and purchasing equipment.

The objective is to free up some of the company's funds and resources. This allows the organisation to focus on its core business and on improving efficiency. It is a good way to gain an advantage over other competitors on the market.

Prices for outsourcing of the Data Protection Officer (DPO) (RODO) are usually significantly lower than the costs of employing an internal Data Protection Officer. When you hire an external company that offers specialist services, you can expect that, thanks to many years of practice, it will carry out tasks quickly and to a high substantive standard.

The monthly price of outsourcing the Data Protection Officer (DPO) (RODO) varies due to the variability of many factors. These include, for example: the scope of services, the size of the company, the type of personal data processed, the sector, the number of employees and the degree of complexity of the data processed. If you choose an offer solely on the basis of price, bear in mind that lower price may reflect lower quality. Some companies may offer lower prices but may lack appropriate experience or offer a narrower scope of services. In the longer term this may lead to higher costs or create serious risks.

Professional outsourcing of the Data Protection Officer (DPO) function and ongoing support in the field of personal data protection increase your organisation's security. This gives you greater confidence that you meet the strict requirements for personal data protection. It is a good way to gain more time for operational activities.

Remember: expert support can prove crucial in critical situations. These include incidents of data protection breaches, data leaks and other cybersecurity threats, or an inspection by the supervisory authority.

Use the contact form and send us your question. On working days, you will receive a response within 24 hours.