DPO as a service
A designated, independent data protection officer for offices whose files are too sensitive for improvisation and too small for a full-time hire — working on the same platform your evidence already lives in.
An AML practice is a data-protection edge case by construction: identity documents, beneficial-owner structures, screening results, suspicion files — much of it touching criminal-law territory under art. 10 GDPR. That is exactly the profile where a data protection officer stops being optional and starts being scrutinised. We provide the officer.
When a DPO stops being optional
Art. 37 GDPR requires a DPO where core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories or of data relating to criminal convictions and offences (art. 10).
An obliged entity's compliance file is precisely that: continuous screening of clients against sanctions and PEP lists, adverse-media checks, transaction monitoring, and suspicion records — criminal-adjacent by nature. Supervisory authorities have taken a broad view of 'large scale' where the processing is intensive rather than merely voluminous.
Even where designation is arguably voluntary, appointing one changes your posture: the authority meets a professional counterpart instead of a scrambling office manager.
What your external DPO actually does
Designation & registration
Formally designated under art. 37, registered with the supervisory authority (in Belgium the GBA/APD), published as your art. 38(4) contact point for data subjects.
Records of processing
The art. 30 register built and maintained against your real activities — with the AML legal bases per data category, not copy-pasted templates.
DPIAs where they bite
Data protection impact assessments (art. 35) for the processing that genuinely carries risk: screening pipelines, portal identity flows, monitoring logic.
Breach response, on the clock
Assessment and notification of personal-data breaches within the 72-hour window (arts. 33–34), with the timeline evidenced as it runs.
Data subject requests
Access, rectification and erasure requests handled within the month — including the delicate carve-out where STR-related data meets the disclosure prohibition.
Training & awareness
Staff instruction on the GDPR duties that actually arise in an obliged entity's day, folded into your existing AML training cycle.
Independence is the whole point
Art. 38 GDPR demands a DPO who reports to the highest management level, receives no instructions on their tasks, and holds no conflicting function. In a small office, whoever knows the files best is usually also responsible for them — which is exactly the conflict art. 38(6) prohibits.
An external DPO dissolves the conflict structurally. Ours arrives with the sector context already loaded: we know what a notarial deed file, a UBO extract and a goAML export look like, because we build the platform they live on.
In scope
- Formal DPO designation, authority registration and the public contact point
- Records of processing tied to your actual AML data flows
- DPIA drafting and review for high-risk processing
- Breach triage, 72-hour notifications and data-subject communication
- DSR intake and response, with the AML/tipping-off boundary handled
- Retention schedules reconciling the five-year AML duty with storage limitation
- Annual data-protection review with a board-ready report
Deliberately out of scope
- We are not your law firm: litigation, contract drafting and legal opinions stay with counsel
- We do not take management decisions — the DPO advises and monitors; the controller decides
- We do not replace your AMLCO: money-laundering compliance is a separate designated role
- No representation in proceedings before the authority or the courts beyond the DPO's statutory role
The DPO works inside your evidence, not beside it
Sceau's data-protection workspace is the DPO's operating surface: the processing register, retention schedules, DSR clocks and breach deadlines live next to the AML files they describe. Advice lands as ledgered entries, not email attachments — so at inspection time, the data-protection posture is as provable as the AML one.
How it runs
1 · Baseline
A structured intake maps your processing, existing documentation and gaps — typically two weeks to a signed designation and a filed registration.
2 · Standing rhythm
Monthly review of DSRs, incidents and register changes; quarterly on-file audit; immediate availability on breaches.
3 · The annual close
A yearly data-protection report your management signs, your insurer likes, and your supervisor recognises.
The honest boundary
DPO as a service is a statutory function delivered under arts. 37–39 GDPR, not legal advice under professional privilege. Where a matter needs counsel, we say so and hand over cleanly.
The controller remains the controller: responsibility for processing decisions stays with your office. What we guarantee is that those decisions are informed, documented and defensible.
Talk to us about the DPO mandate
Book a 30-minute demo: we onboard a test client live, trigger a screening hit, and export your first inspection pack — your profession, your country, your supervisor.