I am in this space, dealing with similar problems with similar organizations. Any DPO that is not listing you as a shared controller will be acting illegally. And they might, its still a grey area, but how many of those assesments can you handle before your CAC becomes too much? Don't get me wrong I really think that it can help a lot on HCLS space if you want to chat more shoot me an email contact_vdk@proton.me