Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Data Protection Officer / Bulgarian Overview

29.09.2017

With the upcoming entrance into force of the new General Data Protection Regulation in May 2018, the Bulgarian Commission for Personal Data Protection (CPDP), decided to bring clarity in certain new figures, introduced by the GDPR. As part of doing so CPDP issued guidance and description of the Data Protection Officer (DPO), a new figure introduced in Section 4 of the GDPR.

What’s new?

In fact the nature of the Data Protection Officer’s figure is not purely new to the Bulgarian legislation. The current legislation allows data controllers to assign the application of data protection rules to a specific person or persons. 

What is new is that now with the GDPR, DPO is not only recommendable but also a statutory position in some of the data controllers (e.g. public bodies, where the data processing requires regular and systematic monitoring etc.). The DPO shall advise the data protection controller, to supervise data protection compliance and to serve as a constant point of contact with the PDPC, to give assessment of the level of impact of the collected data and to educate the rest of the data controller’s personnel.

Who could be DPO?

The Bulgarian CPDP confirmed the understanding that the DPO may not be part of the data controller’s personnel. Possible options could include assigning the duties of the DPO to an external council or consultant. This could be done through a clear commercial agreement, which would properly arrange the relationship between both parties.

The option for the data controller to hire a DPO as an employee still remains available. Questions are raised, whether an already hired person could be assigned with the duties of the DPO and the answer is positive. In such case the data controller should take into account the fact that the said employee may face high workload, which could lead to improper multitasking between being DPO and doing his or her other duties. 

Are there legal requirements for the qualification of DPOs?

There are no formal requirements for the education degree of a DPO (e.g. master’s degree, bachelor etc.). The CPDP shares the requirements of the GDPR, saying that the DPO should have deep knowledge in the sphere of data protection. 

In any case it could be deemed that a data controller would seek to hire a highly qualified DPO, who would ensure proper protection of the collected and processed personal data and to ensure compliance of the data controller himself. The DPO’s role in a corporation could be seen as not only protecting the collected personal data, but also to guard the corporation, as the financial penalties (as well as reputational damages) for incompliance with the GDPR may lead to undesired consequences. 

Article provided by:

  • Mitko Karushkov / Attorney, Kambourov & Partners 
  • Mario Arabistanov / Attorney, Kambourov & Partners

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

WHAT IS THE DPC/CPC PROJECT?

53 lawyers from 33 countries are contributing to the project “Data Privacy Compliance (DPC)/Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More

 

CPC MISSION & VISION STATEMENT, 2018

The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.