The Bulgarian Commission for Personal Data Protection (the CPDP) has recently published additional guidelines on the appointment of a Data Protection Officer (DPO) by controllers and processors of personal data. The purpose of the guidelines is to clarify whether a legal entity can be designated as a DPO, and to provide information on how to ensure the independent nature of the DPO.
In compliance with the requirements of Art. 37, para. 7 of Regulation (EU) 2016/679 (the GDPR) and Art. 25b of the Bulgarian Personal Data Protection Act (the PDPA), controllers and processors of personal data that are obliged to appoint, or have voluntarily appointed, a DPO must notify the supervisory authority (the CPDP) of this and provide the DPO’s contact details. Controllers and processors must update this information whenever it changes. The CPDP maintains a public Register of controllers and processors of personal data that have designated a DPO.
In its analysis, the CPDP determines that the appointed DPO must be a natural person. Here are the reasons why the DPO cannot be a legal entity:
According to Art. 37, para. 5 of the GDPR, the controller or processor should be assisted in monitoring the internal compliance with the GDPR by a person with “expertise and professional qualities” in the field of data protection laws and practices. The requirement of “expertise and professional qualities” is unique to an individual. Public authorities and other organizations and structures, in their capacity as entities, could not possess such characteristics. Moreover, the GDPR imposes an obligation on the controllers and processors to “maintain the DPO’s expertise”.
The legal framework described in Art. 37, para. 6 of the GDPR defines the DPO as an “employee” or “member of the staff”. The interpretation of these concepts also shows that the legislator meant specific individuals. It does not matter whether the individual is an employee of the controller or the processor or is an employee of an external organization providing data protection services. The provision of Art. 37, para. 6 of the GDPR allows that the DPO may “perform the tasks on the basis of a service agreement”. The DPO does not have to be party to the agreement for the provision of service, but he/she should always be a specific employee performing the tasks arising from the agreement.
In accordance with Art. 25b of the PDPA, the controller and the processor of personal data must notify the CPDP of the name, the personal identification number (PIN), and the contact details of the DPO, as well as of any subsequent changes to them. The PIN is an administrative identifier of individuals only; therefore the PDPA, in alignment with the GDPR, requires a specific natural person to be designated to perform the functions of a DPO.
Regarding the independence of the DPO, Art. 38, para. 3 of the GDPR provides that the controllers / processors of personal data are obliged to ensure that the DPO “does not receive any instructions in connection with the performance of these tasks” and “reports directly to the highest management level of the controller or processor”. Art. 38, para. 6 of the GDPR outlines the characteristics of the position of DPO: “to perform its duties and tasks independently” and its functions “shall not lead to a conflict of interests”, regardless of whether the DPO is a member of the controller’s / processor’s staff, or he/she combines the position with another position, or performs his/her tasks under a service agreement.
This leads to the conclusion that the DPO should be a person different from the controller / processor of personal data, as well as from the individuals who determine the purposes and the means for processing personal data. These could be the Manager, CEO, COO, CFO, Chief Medical Officer, Head of Marketing Department, Head of Human Resources Department, Head of IT Department, as well as other functions further down the organizational structure if the positions or functions in question are related to the designation of purposes and means of data processing.
In conclusion, the CPDP determines that when the functions of the DPO are performed under a service agreement with a legal entity or organization, the individual skills, expertise, and experience of the team members can be combined, so that different individuals can serve their customers more efficiently. According to the CPDP, the abovementioned arguments do not exclude the possibility of legal entities or organizations providing services related to the functions of DPO. On the contrary, legal entities and other organizations may perform the functions of the DPO based on a service agreement, but they are obliged to appoint a specific individual as a DPO and point of contact for the specific controller or processor of personal data.