Sceau

DPO as a service

A designated, independent data protection officer for offices whose files are too sensitive for improvisation and too small for a full-time hire — working on the same platform your evidence already lives in.

An AML practice is a data-protection edge case by construction: identity documents, beneficial-owner structures, screening results, suspicion files — much of it touching criminal-law territory under art. 10 GDPR. That is exactly the profile where a data protection officer stops being optional and starts being scrutinised. We provide the officer.

What your external DPO actually does

Designation & registration

Formally designated under art. 37, registered with the supervisory authority (in Belgium the GBA/APD), published as your art. 38(4) contact point for data subjects.

Records of processing

The art. 30 register built and maintained against your real activities — with the AML legal bases per data category, not copy-pasted templates.

DPIAs where they bite

Data protection impact assessments (art. 35) for the processing that genuinely carries risk: screening pipelines, portal identity flows, monitoring logic.

Breach response, on the clock

Assessment and notification of personal-data breaches within the 72-hour window (arts. 33–34), with the timeline evidenced as it runs.

Data subject requests

Access, rectification and erasure requests handled within the month — including the delicate carve-out where STR-related data meets the disclosure prohibition.

Training & awareness

Staff instruction on the GDPR duties that actually arise in an obliged entity's day, folded into your existing AML training cycle.

In scope

  • Formal DPO designation, authority registration and the public contact point
  • Records of processing tied to your actual AML data flows
  • DPIA drafting and review for high-risk processing
  • Breach triage, 72-hour notifications and data-subject communication
  • DSR intake and response, with the AML/tipping-off boundary handled
  • Retention schedules reconciling the five-year AML duty with storage limitation
  • Annual data-protection review with a board-ready report

Deliberately out of scope

  • We are not your law firm: litigation, contract drafting and legal opinions stay with counsel
  • We do not take management decisions — the DPO advises and monitors; the controller decides
  • We do not replace your AMLCO: money-laundering compliance is a separate designated role
  • No representation in court proceedings before the authority beyond the DPO's statutory role

The DPO works inside your evidence, not beside it

Sceau's data-protection workspace is the DPO's operating surface: the processing register, retention schedules, DSR clocks and breach deadlines live next to the AML files they describe. Advice lands as ledgered entries, not email attachments — so at inspection time, the data-protection posture is as provable as the AML one.

How it runs

1 · Baseline

A structured intake maps your processing, existing documentation and gaps — typically two weeks to a signed designation and a filed registration.

2 · Standing rhythm

Monthly review of DSRs, incidents and register changes; quarterly on-file audit; immediate availability on breaches.

3 · The annual close

A yearly data-protection report your management signs, your insurer likes, and your supervisor recognises.

Talk to us about the DPO mandate

Book a 30-minute demo: we onboard a test client live, trigger a screening hit, and export your first inspection pack — your profession, your country, your supervisor.