The Need for DPO (Data Protection Officer)

The new General Data Protection Regulation (GDPR) has been increasingly discussed since the beginning of 2018, and the fact how many new rights, duties and restriction have been introduced for everybody collecting and processing personal data (also called Personal Data Controller).

As a matter of fact, the changes are not small, but yet not too strikingly big considering the business level in Bulgaria (predominantly middle and small-size business).

One of the key introductions governed by the Regulation is the figure of DPO – Data Protection Officer.

What is important for you as personal data controllers is to know whether or not you have the obligation to appoint such a figure:

According to the Regulation DPO appointment is obligatory only if:

Data processing is carried out by public structures and authorities, however and whenever regularly, personal data are processed systematically and in large scale or specific data (data about health status, judgments, offences, etc.) are processed in large scale.

Since the Regulation does not give a definition of large scale personal data processing, we should apply the Bulgarian Act stipulating that large scale data processing takes place when you process personal data of a particularly large group of individuals – more than 1,000,000. If this figure does not change until 25 May 2018 it means that a very small part of the companies in Bulgaria will be obliged to appoint a DPO.

Nevertheless that appointment of such a figure is not always a mandatory condition for compliance with the Regulation, it should be clear that its absence would bring difficulties to you and your company in the performance of all of its duties introduced by the Regulation. And for this reason exactly, it is strongly recommendable for you to employ/appoint such an individual at your company.

The major role of the Data Protection Officer is to ensure that your company processes the personal data of your employees, customers, suppliers or other persons (also called Data Subjects) in compliance with the applicable data protection rules.

The major duties and authority that this Regulation provides to this officer is:

  1. To inform you about all your duties arising out of the Regulation and the laws in the country;
  2. To monitor and check if your company complies with the Regulation and the laws in the country;
  3. To conduct regular trainings to your employees having access to personal data;
  4. To correspond and cooperate with the Commission for Protection of Personal Data.

The purpose of the newly introduced figure is to help you deal with some of the most important requirements introduced by the Regulation, namely:

  1. You and your companies to process the smallest possible amount of data (only these necessary for the respective business),
  2. The data shall be stored for the shortest possible period of time and the access the data to be restricted as much as possible.

To fulfill these requirements one who is familiar in details with the Regulation requirements has to decide which data are important for your business, how long they should be stored according to a contract, law or the consent given by the data subject, as well as which persons should have access to these data. Here comes the role of the Data Protection Officer who will give you an answer to all questions and will ensure compliance with the Regulation requirements. Lawmaker has been aware of the fact that every company is able to employ such an officer and here the Regulation has introduced a very good alternative of DPO, i.e. external experts and lawyers. The said professionals, after making am assessment for the data processed by you and your company, can help you adapt your company to the changes introduced by the Regulation without the need for employment of such a figure.

 

In case that you decide to employ or appoint such a person, it is vital for you to make sure that the said person is competent to carry out all of their duties as verified by certificates for completed trainings and courses. You must be sure that the person is familiar in details with the Regulation requirements and practices of the national law. The Commission for Protection of Personal Data is engaged to conduct compulsory trainings and certification of those who wish to occupy such position.

In case that you need help to decide whether or not you should employ such a person at your company and if you would deal with the Regulation requirements without that person, we would be happy if you contact us.

 

Dimitar Yanev