Skip to main content

Data Protection Officer / Bulgarian Overview

Mitko Karushkov & Mario Arabistanov, Partners of EuroCloud CPC Network

With the upcoming entrance into force of the new General Data Protection Regulation in May 2018, the Bulgarian Commission for Personal Data Protection (CPDP), decided to bring clarity in certain new figures, introduced by the GDPR. As part of doing so CPDP issued guidance and description of the Data Protection Officer (DPO), a new figure introduced in Section 4 of the GDPR.

What’s new?

In fact the nature of the Data Protection Officer’s figure is not purely new to the Bulgarian legislation. The current legislation allows data controllers to assign the application of data protection rules to a specific person or persons. 

What is new is that now with the GDPR, DPO is not only recommendable but also a statutory position in some of the data controllers (e.g. public bodies, where the data processing requires regular and systematic monitoring etc.). The DPO shall advise the data protection controller, to supervise data protection compliance and to serve as a constant point of contact with the PDPC, to give assessment of the level of impact of the collected data and to educate the rest of the data controller’s personnel. 

Who could be DPO?

The Bulgarian CPDP confirmed the understanding that the DPO may not be part of the data controller’s personnel. Possible options could include assigning the duties of the DPO to an external council or consultant. This could be done through a clear commercial agreement, which would properly arrange the relationship between both parties.

The option for the data controller to hire a DPO as an employee still remains available. Questions are raised, whether an already hired person could be assigned with the duties of the DPO and the answer is positive. In such case the data controller should take into account the fact that the said employee may face high workload, which could lead to improper multitasking between being DPO and doing his or her other duties. 

Are there legal requirements for the qualification of DPOs?

There are no formal requirements for the education degree of a DPO (e.g. master’s degree, bachelor etc.). The CPDP shares the requirements of the GDPR, saying that the DPO should have deep knowledge in the sphere of data protection. 

In any case it could be deemed that a data controller would seek to hire a highly qualified DPO, who would ensure proper protection of the collected and processed personal data and to ensure compliance of the data controller himself. The DPO’s role in a corporation could be seen as not only protecting the collected personal data, but also to guard the corporation, as the financial penalties (as well as reputational damages) for incompliance with the GDPR may lead to undesired consequences. 

Article provided by:

  • Mitko Karushkov / Attorney, Kambourov & Partners 
  • Mario Arabistanov / Attorney, Kambourov & Partners

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.