Privacy & Data Protection

Data Protection Officer

Author: Preslav Baldzhiev

With the entry into force of the General Data Protection Regulation (GDPR), new participants in the processing of personal data have been introduced. One of these new participants is the Data Protection Officer.

What is a Data Protection Officer?

A Data Protection Officer is an internal or external structure that is entirely dedicated to the protection of processed personal data. The obligations of the Data Protection Officer include giving instructions and recommendations, conducting training for the staff of the Data Controller/Processor, and monitoring the observance of the requirements set in the GDPR. Most often, the appointment of a Data Protection Officer is voluntary, with the exception of the cases specified in the GDPR, namely:

  • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • The core activities of the Data controller or the Data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • The core activities of the Data controller or the Data processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

The same Data Protection Officer can be appointed by either one structure or several if the organizations mentioned above have easy access to the Data Protection Officer.

Requirements for the appointment of Data Protection Officer

When a Data Controller/Processor appoints a Data Protection Officer, whether or not it is obliged to do so, the Data Controller/Processor must comply with the following requirements:

  • Required level of experience – The level of experience is determined by the type, amount, and sensitivity of the personal data to be processed.
  • Required professional qualities – Not explicitly stated. By “Professional qualities” the GDPR means knowledge in the field of data protection as well as knowledge of the relevant National and European legislation.
  • Publicity and Transparency – The information relating to the Data Protection Officer must be public and presented in such a way that any data subject or supervisory authority can easily and directly contact the Data Protection Officer. Article 37 (7) of the GDPR stipulates that this information must be provided to the relevant Supervisory Authority. The GDPR does not provide restrictions on the country of origin of the Data Protection Officer – it can be from an EU Member State or a country that is not part of the Union.
  • No conflict of interest – The GDPR allows a person to combine the position of Data Protection Officer with other positions, as long as they do not contradict each other. There would be a contradiction if the Data Protection Officer is also part of the top level management of the organization (this means that the Data Protection Officer will be responsible to itself, as the Data Protection Officer is responsible only to the top level management of the organization).

Requirements for organizations

The appointment of the Data Protection Officer is a two-way process in which the Data Controller/Processor shall comply with certain requirements. These requirements can be reduced to:

  • Ensuring the independence of the Data Protection Officer – The Data Protection Officer is obliged to act independently and not to be influenced by the Data Controller/Processor in the performance of his/her functions (Article 39 (2) of the GDPR). In addition, the Data Controller/Processor has no right to dismiss or sanction the Data Protection Officer “in the performance of his tasks” (Article 38 (2) of the GDPR);
  • Involvement of the Data Protection Officer in matters related to Data protection – The Data Controller/Processor is obliged to ensure that the Data Protection Officer “is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
  • Provision of the necessary resources – The Data Controller/Processor is obliged to assist the appointed Data Protection Officer by providing them with the resources necessary for the performance of these tasks and access to personal data and processing operations, as well as the resources needed to maintain his or her expert knowledge. Such resources can be: providing the necessary time to perform the obligations, providing the necessary information, forming a team led by the Data Protection Officer and so on.

Obligations of Data Protection Officer

  • To monitor the observance of the Legislation – The Data Protection Officer shall monitor whether the Data Controller/Processor complies with the relevant National and European legislation, in particular the GDPR.
  • To support processing of personal data – An important clarification is that the Data Protection Officer itself does not process personal data, as the Data Controller/Processor would. The function of the Data Protection Officer is to provide guarantees and recommendations regarding the processing of personal data. An example is the recommendation that the Data Protection Officer gives to the Data Controller/Processor when performing a Data Protection Impact Assessment.
  • To cooperate with the national supervisory authority and to act as a Contact Point – This obligation stems from the requirement of “Publicity and transparency”.

This material, prepared by Preslav Baldzhiev, aims to provide more information about data protection officers. It does not constitute a legal opinion and cannot be interpreted as individual consultation on any concrete facts or circumstances. The advice of a specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact the team of the law firm of Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of the website.

Since 2017 Preslav Baldzhiev has been a law student at Sofia University “St. Kliment Ohridski”, having previously graduated from the High School of mathematics and natural science “Acad. Nicola Obreshkov” in Burgas. In February 2020 he took a course for industrial property representatives at the Patent Office of the Republic of Bulgaria in the field of trademarks, geographical indications, and industrial designs. He is interested in intellectual property, personal data protection, commercial law and the law on obligations and contracts, and also regularly attends conferences, practical courses, seminars, and webinars.
