GDPR Articles 37–39 · Outsourced, named, filed

A senior privacy lawyer as your DPO — on record, on Slack, on call.

If you process personal data at scale, handle special categories, or operate in the public sector, GDPR requires a Data Protection Officer. We provide a named, independent, senior privacy lawyer — registered with the supervisory authority, embedded in your team, and backed by a bench of specialists.

Book a demo → Do I need a DPO?

Designated DPO · Art. 37(7) DPA Filed

Lena Hofmann

Head of Privacy · Senior Counsel

CIPP/E CIPM LL.M. Data Protection DE Bar · #48217

ControllerHelix Health, Inc.

ScopeEU + UK GDPR

Direct contactdpo@helixhealth.eu

Reports toBoard of Directors

Supervisory Authority LfDI Baden-Württemberg Ref · 6.1.3 / DPO-2026-0418

Filed 22 Apr 2026 3 business days

Do I need a DPO?

Art. 37 is mandatory in three cases, plus one you'll feel in diligence.

Most teams discover the requirement during a DPA audit or a customer security review. We'd rather you discover it on a 10-minute call. Tick what's true.

Awaiting input

Tick what's true — we'll classify you.

A DPO is required when any of the three Art. 37(1) triggers apply. Outside those, it's often contractually required anyway — most enterprise-security reviews in 2024–25 ask for a named DPO regardless of legal obligation.

Who your DPO actually is

A real person. Named, credentialed, assigned.

Not a rotating inbox. Not a junior paralegal. You get a senior privacy lawyer with sector-matched experience, filed with your lead DPA by name, reachable on Slack, backed by a team for peak load.

Lena Hofmann · Senior Privacy Counsel

Designated DPO · filed with BfDI · reference DPO-2026-00417

● ACTIVE · 14 CLIENTS

Sector experience

Healthtech, B2B SaaS, connected devices. Two Series C→IPO tours. Former in-house at a regulated European health platform.

Languages

Native German, working English & French. Files and responds to German, Austrian, and Swiss regulators in native.

Availability model

On Slack during CET business hours. 24h response on all client channels. Emergency hotline for breach events.

Escalation bench

Backed by 6 privacy counsels and external barristers at a magic-circle firm for litigation-grade matters.

CIPP/E CIPM Qualified attorney · Germany 12 yrs privacy practice ISO 27001 lead auditor

Sample assignment. Your DPO is matched by sector, regulatory geography, language, and existing customer workload.

What your DPO does — and doesn't

The statutory role, done well. No scope creep.

In scope Art. 39

Advise on GDPR, UK GDPR, ePrivacy obligations, and national add-ons
Monitor compliance — audits, staff training, accountability
DPIA review, risk sign-off, prior consultation with the DPA (Art. 36)
Cooperate with and act as contact point for the supervisory authority
Data subject point of contact under Art. 38(4)
Report directly to the highest management level — written, board-ready
Incident & breach advisory, including Art. 33 / 34 notification drafts
Vendor DPAs, transfer mechanisms (SCCs + TIA), sub-processor register

Out of scope By design

Determining purposes and means of processing — stays with your controllers. Independence is mandatory.
Litigating on your behalf — we brief external counsel and coordinate, but we don't act as barrister
Building your privacy engineering stack — we advise on requirements; your engineers build
Managing your security program — CISO-adjacent, but a distinct role (we can introduce a fractional CISO)
Contractual privacy negotiation with every customer — we give you the playbook and escalate the hard ones

The boundary matters. Under Art. 38(6), the DPO must not face a conflict of interest with other tasks. We keep the role clean.

How it works

Designated, filed, operational — in two weeks.

Scoping & matching
90-minute call. We map your data processing, confirm Art. 37 applicability, and shortlist two DPOs matched to your sector and geography.
DPO designated
Mandate letter countersigned. Your DPO joins your Slack, gets read-only access to your privacy tooling, and completes the intake questionnaire.
Filed & published
We file the designation with your lead DPA, update your privacy policy with the Art. 37(7) contact details, and register the role in your Art. 30 records.
30-day baseline
DPO delivers a compliance baseline — gaps, risks, priorities — to your highest management. Ongoing rhythm starts: weekly office hours, quarterly board report, annual audit.

Privacy-policy snippet we provide

// Required under GDPR Art. 37(7)

Data Protection Officer
Lena Hofmann
c/o World Presence j.d.o.o.
Ulica Brune Bušića 42, 10000 Zagreb

Email: dpo@eupresence.com
Ref:   ACME-DPO-2026

// Filed with lead DPA:
// DPO-2026-00417
// Updated within 24h of any change.

That filing is what regulators look for first. A named individual, a reachable contact, and a DPA reference on record.

Proof

Teams with a named DPO on file.

From Series C healthtech to global adtech to regulated insurers — DPO designated, filed with the lead DPA, and embedded on your team within two weeks.

Healthtech · Series C

"Our Series C lead asked for a named DPO in diligence. We had one filed with the Austrian DPA six working days later. The deal closed on time."

Elisa Schuster General Counsel · Connected devices, Vienna

"We'd been dodging the DPO question for 18 months. Having a senior counsel on Slack three days after signing was a step-change in how our team operates."

Tom van der Meer CFO · Adtech, Amsterdam

"DPA audit hit in month four. Our DPO handled correspondence in German, filed the response ahead of deadline, and closed it with no action."

Rani Abad Head of Privacy · Insurtech

"We compared an in-house hire vs this. The fully-loaded cost difference was 6× — for the same seniority and higher availability."

Clara Bellini COO · B2B SaaS, Milan

180+DPO designations filed

27 + UKJurisdictional coverage

< 2 weeksTime to operational

0DPA findings, 2024–25

Pricing

Senior privacy counsel, at fractional cost.

Designated

$1,450/month

Teams < 75 people · straightforward processing

A named DPO on record, available monthly, with all the statutory duties covered and no scope creep.

Included

Named DPO filed with lead DPA
Monthly office hour
Up to 4 DPIAs / year
Quarterly compliance check-in
Breach advisory during events

Start on Designated →

Most chosen

Embedded

$2,900/month

Scaling teams · enterprise contracts

Weekly office hours on Slack, unlimited DPIAs, board-ready reporting, vendor DPA review queue — plus GDPR Representative bundled.

Everything in Designated, plus

Weekly office hours on Slack
Unlimited DPIAs & TIAs
Board-ready quarterly report
Vendor DPA review queue
GDPR Representative bundled

Book a demo →

Group DPO

Custom

Multi-entity · regulated · listed

For multi-entity groups, regulated sectors, or listed companies needing a group-level DPO plus on-site presence.

Everything in Embedded, plus

Multi-entity designation
Quarterly on-site days
Annual independent audit
24/7 regulator hotline
Named deputy & custom MSA

Talk to sales →

Often purchased together

The standard privacy foundations stack.

Privacy Foundations Bundle

Three products. One engagement. 15% off.

DPO, external Representative, and the privacy UI your data subjects actually see. One onboarding, one counsel team, one invoice.

You save $5,556 / yr

THIS PAGE

Data Protection Officer

Named senior counsel as your Art. 37 DPO, filed with your DPA.

Embedded$2,900 / mo

ADD

GDPR Representative

Article 27 coverage, 27 member states, named EU entity on record.

Flat$127 / mo

ADD

Privacy Center

Hosted trust hub, DSR inbox, policies, certifications.

Plus$57 / mo

BUNDLE TOTAL

$3,084 / mo $2,621/ mo · 15% off Book a bundle call →

Common questions

What GCs ask us first.

Is an outsourced DPO actually allowed under GDPR?

Yes, explicitly. Art. 37(6) permits the DPO to be "a staff member of the controller or processor or fulfil the tasks on the basis of a service contract." The EDPB guidance confirms this is a first-class option and specifically endorses it for SMEs and non-EU companies without local privacy staff.

What's the difference between a DPO and an Art. 27 Representative?

Different roles, often confused. A DPO (Art. 37–39) advises you on compliance — internal-facing. A Representative (Art. 27) is your legal EU-side contact for authorities and data subjects. If you have no EU establishment you may need both. We offer both, and bundle them.

Does our DPO have access to confidential information?

Yes — and they're bound by statutory confidentiality under Art. 38(5), enforceable in addition to our MSA. Your DPO signs your confidentiality policy, your code of conduct, and gets read-only access to the privacy tooling you choose.

How does the DPO stay independent if we're paying them?

The structure matters. The DPO reports to your highest management but receives no instructions on how to perform the role (Art. 38[3]). Our service contract replicates this: your DPO is engaged, paid, and can only be dismissed for cause. We maintain a firewall between billing and advisory.

What happens if a regulator opens an investigation?

Your DPO is the point of contact. They take the first correspondence, translate and coordinate with you, draft written responses, and — if things escalate — brief external counsel and sit with your GC. Breach-scale events trigger our 24/7 hotline and a full tabletop playbook.

Can we switch DPOs mid-engagement?

Yes, with 30 days' notice for cause, or at renewal for convenience. We file the change with your lead DPA, produce a handover dossier, and match you to a new DPO from our bench. Continuity is the whole point — the DPO you had never leaves without overlap.

Your DPO, named on record this month.

90-minute discovery call. A shortlist of two DPOs matched by sector. Designated, filed with the DPA, and published on your privacy policy in two weeks.

Book a discovery call → Also see GDPR Representative