In fact the nature of the Data Protection Officer’s figure is not purely new to the Bulgarian legislation. The current legislation allows data controllers to assign the application of data protection rules to a specific person or persons.
What is new is that now with the GDPR, DPO is not only recommendable but also a statutory position in some of the data controllers (e.g. public bodies, where the data processing requires regular and systematic monitoring etc.). The DPO shall advise the data protection controller, to supervise data protection compliance and to serve as a constant point of contact with the PDPC, to give assessment of the level of impact of the collected data and to educate the rest of the data controller’s personnel.
Who could be DPO?
The Bulgarian CPDP confirmed the understanding that the DPO may not be part of the data controller’s personnel. Possible options could include assigning the duties of the DPO to an external council or consultant. This could be done through a clear commercial agreement, which would properly arrange the relationship between both parties.
The option for the data controller to hire a DPO as an employee still remains available. Questions are raised, whether an already hired person could be assigned with the duties of the DPO and the answer is positive. In such case the data controller should take into account the fact that the said employee may face high workload, which could lead to improper multitasking between being DPO and doing his or her other duties.
Are there legal requirements for the qualification of DPOs?
There are no formal requirements for the education degree of a DPO (e.g. master’s degree, bachelor etc.). The CPDP shares the requirements of the GDPR, saying that the DPO should have deep knowledge in the sphere of data protection.
In any case it could be deemed that a data controller would seek to hire a highly qualified DPO, who would ensure proper protection of the collected and processed personal data and to ensure compliance of the data controller himself. The DPO’s role in a corporation could be seen as not only protecting the collected personal data, but also to guard the corporation, as the financial penalties (as well as reputational damages) for incompliance with the GDPR may lead to undesired consequences.
Article provided by:
- Mitko Karushkov / Attorney, Kambourov & Partners
- Mario Arabistanov / Attorney, Kambourov & Partners