External DPO (Data Protection Officer)

Appointing a Data Protection Officer (DPO) is mandatory if you process personal data on a large scale, regularly monitor user behavior (e.g., analytics, profiling), or if you are a public authority. The good news: a DPO does not have to be an employee; the law allows engaging an external DPO through a service agreement. This way, you gain senior expertise, independence, and continuity without burdening your internal organization.

Zunic Law provides an external DPO service that combines legal knowledge, administrative discipline, and technological understanding. We cover GDPR/EU and Serbian Data Protection Act (ZZPL) requirements, ensuring independence, direct access to management, and operational delivery: from DPIAs and training to handling data subject requests, incident oversight, and cooperation with the Commissioner and other supervisory authorities.

When is a DPO mandatory, and why is an “external DPO” often better?

Appointing a DPO is required, among other cases, when:

  1. You process data as a public authority;
  2. Your core activities include regular and systematic large-scale monitoring of individuals; or
  3. Your core activities involve large-scale processing of special categories of data or criminal conviction data.

An external DPO is allowed and may perform the function under a service agreement.

In Serbia, the ZZPL imposes the obligation to appoint a Data Protection Officer in comparable cases and further specifies their role and qualifications. Practical guidance from the supervisory authority helps determine whether you are obliged and how to organize the function.

Why an external DPO? Independence and avoidance of conflicts of interest (e.g., IT/marketing managers often cannot be DPOs); senior expertise on demand; continuity and coverage during vacations, sick leave, and EU market expansion; and cost efficiency with SLAs and measurable results.

What does the law require from a DPO (and how do we deliver it)?

Position and guarantees: The DPO is involved in privacy matters in a timely manner; has access to data, processes, and management; does not receive instructions on how to perform tasks; cannot be penalized or dismissed for performing duties; and is bound by confidentiality.

Main duties: advising on GDPR/ZZPL and internal policy obligations; monitoring compliance and raising awareness/training; advising and monitoring DPIAs; cooperating with the supervisory authority and acting as a contact point; taking into account risks, nature, scope, context, and purposes of processing.

Appointment and transparency: A DPO may be internal or external (via service agreement). The DPO’s contact details must be published and communicated to the supervisory authority. One DPO may serve a group of related companies if easily accessible.

Who cannot be a DPO (conflict of interest)?

A DPO cannot hold a role that determines the purposes and means of data processing or control their own work. Supervisory authority and court practice recognize typical incompatible roles in an organization:

  • Top management and strategy-defining positions: CEO, COO, CFO, branch manager, head of operations.
  • Heads of functions routinely deciding on data processing: CIO/Head of IT, CMO/Head of Marketing & Digital, Head of Sales, Head of HR, Head of Production or Logistics relying on large-scale data processing.
  • Security/technical roles setting policies and controls: CISO, Head of Data Analytics or Data Platforms, product owners deciding on telemetry/tracking.
  • Other “process owners” defining purposes and means (e.g., product lead, head of compliance if also deciding on processing in business operations).
  • Individuals whose bonuses/tasks depend on goals conflicting with data protection (e.g., aggressive marketing KPIs based on profiling without valid grounds).
  • It is not advisable for the same person to be both DPO and EU/RS representative due to potential conflicts (the representative acts as a “messenger” under controller instructions, while the DPO must be independent).

Quick conflict test: Does this person define the “why” and “how” of data processing? Do they control budgets and tools for processing? Would they need to audit their own decisions? If yes, the role is likely incompatible with DPO.

Scope of external DPO service (monthly work)

  1. Strategy, risk, and documentation: processing mapping (RoPA), gap analysis of privacy policy, DPA, retention, legal bases; advice on legal bases, legitimate interests, risk balancing, DPIA/LIA; compliance with special regimes (ePrivacy cookies/marketing, sector-specific rules).
  2. Operational compliance and training: role-based training programs (sales/marketing, product/IT, HR, support, management); privacy by design in product development (checklists, feature review stamps, release logs); risk assessment and mitigation methodology (risk matrix and criteria).
  3. Data Subject Requests (DSAR): procedures, deadlines, response templates; managing complex cases (e.g., competing requests, rights abuse); identification and verification; exceptions and restrictions; clear communication.
  4. Incidents and breaches: playbook for detection, risk assessment, and reporting decisions; coordination with IT/InfoSec and PR; preparation and submission of reports; communication with affected individuals where required.
  5. Vendors and data transfers: processor agreements (DPA), subprocessor checks, international transfer assessments and SCCs; cookie policy sync, online advertising, and measurement efficiency compared with legitimate interest/consent rules.
  6. Supervisory authority cooperation and audit readiness: communication with the Commissioner and other authorities; preparing oversight documentation; internal audits and reports for management/board.

Note: As a DPO we do not manage your IT systems or make business/technical decisions; we monitor, advise, and report, as required by law. Implementation is carried out by your teams or specialized providers.

How cooperation with Zunic Law works (5 steps):

  1. Onboarding and appointment: service agreement + formal appointment decision; defining channels (dedicated email, Service Desk), publishing DPO contact and notifying authority.
  2. Early health-check: quick gap analysis (policies, RoPA, cookies/marketing, vendors, transfers, incidents) and remediation plan with deadlines and responsibilities.
  3. Process setup and training: DSAR flows, DPIA methodology, incident playbook, TPRM/DPA standards; initial role-based training.
  4. Ongoing DPO work: advice on initiatives, review of new features, participation in risk management meetings and oversight.
  5. Reporting and audit prep: quarterly reports to management, KPI/OKR, preparation for oversight and audits.

What does “external” mean in law?

A DPO may be external: the function is performed under a service agreement. One DPO may serve a group of companies if accessible. The DPO’s contact details must be published and communicated to the supervisory authority.

The DPO must not receive instructions on their work, cannot suffer consequences for fulfilling their duties, and must have resources and access to management.

How is a DPO different from an “EU/Serbia representative”?

A DPO (internal or external) is an independent function within the organization (or contracted externally) advising, monitoring, and coordinating privacy issues; directly cooperating with the supervisory authority as a contact point.

A data privacy representative (EU/RS) is a local contact point for communication with the authority and data subjects when the organization has no establishment in that jurisdiction, and they do not make independent compliance decisions. These roles often coexist in the same companies (e.g., external DPO + EU/RS representative).

Why Zunic Law as your external DPO

  • Regulatory assurance: work according to GDPR/ZZPL and valid guidelines on the DPO role and independence.
  • Industry expertise: SaaS, e-commerce/marketing, fintech & payments, healthcare/research, manufacturing & logistics.
  • Operational delivery: documents, procedures, training, and constant communication — not just “policy on paper.”
  • Scaling across markets: cross-border coordination with EU/UK representatives and local counsel.
  • Measurability: KPIs/OKRs, SLAs, and quarterly management reports.

Next steps

Send us a short description of your processing activities, industry, and target markets. We will immediately propose an external DPO model, an activity calendar for the next 90 days, and a set of priorities (DSAR, DPIA, incidents, vendors), so that your organization can quickly and efficiently meet obligations and increase privacy maturity.

Tijana Žunić Marić

Jelena Đukanović

Frequently Asked Questions (FAQ)

Does a DPO need to be our employee?

No. The law allows an external DPO to act under a service agreement.

The DPO reports to management. The DPO advises and monitors but must not receive instructions on task execution and must have sufficient resources and access.

Yes, if the DPO is easily accessible to each unit/branch.

The contact is published (e.g., in the privacy policy/contact page) and communicated to the supervisory authority.

The DPO can assist and oversee, but the organization remains responsible for compliance; the DPO is an advisor and overseer, not the operational “controller.”

The data privacy representative and DPO are different roles – often both are required (e.g., a non-EU/RS entity targeting these markets + large-scale processing).

Through contract and process:

 a. DPO reporting line directly to management/board;
 b. “Firewall” from sales/projects;
 c. documented access and escalation in line with DPO independence rules.