Would appreciate if those who are familiar with DPO aspects could provide some guidance.
GDPR states the following regarding the DPO requirement:
The Article 29 working party group has guidance on appointing a DPO but it's mostly focused on the role:
It does express a preference for EU based DPOs but it's not mandatory.
It's very difficult to comment further without more clarity on the data you are storing - the "large scale and systematic" part of the storage will be the key issue. If you're storing for example name, address, email, phone number for 1000s of data subjects in the EU for your customers, you'd almost certainly be seen as needing a DPO.
See WP29 WP243 opinion and the related FAQs.
It is considered good practice by the WP29 to appoint a DPO on a voluntary basis even if the 3 conditions in Article 37 are not met. I'd suggest that, as a SaaS supplier may be processing personal data of many clients, it therefore needs to carefully consider documenting any decision not to appoint a DPO. If the EEA country is Germany you will have to appoint a DPO as national legislation requires it.
A consultant on a service contract in the relevant country would be acceptable under GDPR. It will be more difficult to argue that a DPO in the US has the relevant experience of EU jurisdictions, is fluent in the relevant languages and is easily contactable given time zone differences etc.
Since I am not a lawyer, I can't tell you if it is legally required for that business. But from my practical experience (in Germany), appointing a DPO is seen very positively by customers and their DPOs here. It is common practice that these DPOs are very often external consultants, in many cases from organisations with a good reputation such as the TÜV. They have a good knowledge of what companies and governments expect in their country (and there are some differences, as I had to learn in the past). Their charges are reasonable, mostly based on effort.
Especially in a phase where customers come up with all sorts of questions and contract templates they obtained from the web, some advice can only be an advantage. When this type of issue decreases, you can always reduce the consultancy.
I hope that helps. If practical information from Germany is needed, drop a line.
No problem, the tags newcomer, contributor etc are a bit strange. Thanks for the feedback though. I was aware that in a German context the role of the DPO was long accepted.