Services and prices
In order to get an offer within the price range, please contact us.
The price depends on your field of activity and the personal data you process. The prices do not include VAT.
Data Protection Officer
350 - 850 EUR
- Entry into the Company Register
- Regular data processing suprevision
- Training for the staff
- Participation in the Data Protection Impact Assessment (DPIA)
- Other obligations set forth by the law
This is a monthly service for companies who have already achieved compliance
Description of the service – more information!
Data protection services
450 - 1750 EUR
- Data protection audit
- Compiling the register
- Compiling the privacy notice(s)
- Reviewing the relevant contracts
- Compiling internal rules of procedure and guidelines
- Compiling guidelines for data breach response and related training
- Providing additional explanations on the above
These are one-off services to ensure GDPR compliance.
All services can be ordered separately – more information!
Advantanges of DPO service contract
As compared to an in-house DPO, our specialist is more up-to date regarding the ever changing data protection law and practical enforcement as well as the latest developments of the case-law.
Please refer to the comparison below:
| Topics | Our Expert | Our employee |
| Training costs | We pay | You pay yourself |
| Legal information costs | We pay | You pay yourself |
| Finding a replacement | You have no risk | Your risk |
| Employer liability | Non | You are responsible |
| Attitude towards you as a data controller | Objective | Rather subjective |
| Role conflict | Non | Very difficult to avoid |
| Experience in data protection | High | Non |
Requirements and applicable law
Appointment of a DPO is one of the requirements of the GDPR. Ignoring this obligation may entail fines for the controller/processor. E.g. in January 2019 the French Data Protection Authority CNIL imposed a fine of 50 mln euros to Google LLC, including amongst other things for non-compliance with this particular requirement.
How to proceed?
In general, only large companies, such as Google and others, can afford to employ a professional DPO. Therefore a DPO on service contract is a reasonable solution.
Who must appoint a DPO?
According to the GDPR, all public bodies (governmental and local government institutions) and private organizations (companies, NGO-s, etc) who regularly and systematically monitoring of data subjects on a large scale are required to appoint a DPO.
This obligation is of particular relevance in the following fields of activity:
– Medicine
– Banking
– Retail trade
– Tourism
– Telecom
What does the DPO do?
It is Article 37 of the GDPR that sets forth the requirements. The DPO must have expert knowledge of data protection already upon appointment, incl earlier experience.
Acedemic education and additional training is a clear asset. In order to understand the data protection processing activities the DPO must have prior contact with complicated IT systems.
In order to implement the GDPR and the relevant legislation in force in Estonia, the DPO must be proficient in law.
The main tasks of the DPO are set forth in Article 39 of the GDPR.
One of the main tasks of DPO is to inform and advise the controller/processor and the employees who carry out the processing of their obligations. This includes informing the employees of internal rules and the due diligence obligation.
The DPO regularly revises the technical and organizational measures which the controller/processor takes for personal data protection purposes.
This includes access to personal data, portability, entry into the information systems and access control. DPO also conducts regular audits.
DPO supervises personal data protection first and foremost by technological means with the aim to ensure that the data subjects are properly informed and their rights protected.
This is important to ensure the data subjects’ rights of access, to rectification, erasure, restriction of processing, portability, objection to processing and right to information.
DPO liaises with Andmekaitse Inspektsioon (the EstonianData Protection Supervisory Authority) and represents the controller/processor in case of breaches, e.g. an attack that targets the IT system which causes an unauthorized disclosure and infringes the rights of the data subjects
Reproduction of the content of the homepage for business purposes is only allowed on prior written permission by Waldrand Law OÜ.
