Data Protection Officer / Bulgarian Overview


With the upcoming entrance into force of the new General Data Protection Regulation in May 2018, the Bulgarian Commission for Personal Data Protection (CPDP), decided to bring clarity in certain new figures, introduced by the GDPR. As part of doing so CPDP issued guidance and description of the Data Protection Officer (DPO), a new figure introduced in Section 4 of the GDPR.

What’s new?

In fact the nature of the Data Protection Officer’s figure is not purely new to the Bulgarian legislation. The current legislation allows data controllers to assign the application of data protection rules to a specific person or persons. 

What is new is that now with the GDPR, DPO is not only recommendable but also a statutory position in some of the data controllers (e.g. public bodies, where the data processing requires regular and systematic monitoring etc.). The DPO shall advise the data protection controller, to supervise data protection compliance and to serve as a constant point of contact with the PDPC, to give assessment of the level of impact of the collected data and to educate the rest of the data controller’s personnel.

Who could be DPO?

The Bulgarian CPDP confirmed the understanding that the DPO may not be part of the data controller’s personnel. Possible options could include assigning the duties of the DPO to an external council or consultant. This could be done through a clear commercial agreement, which would properly arrange the relationship between both parties.

The option for the data controller to hire a DPO as an employee still remains available. Questions are raised, whether an already hired person could be assigned with the duties of the DPO and the answer is positive. In such case the data controller should take into account the fact that the said employee may face high workload, which could lead to improper multitasking between being DPO and doing his or her other duties. 

Are there legal requirements for the qualification of DPOs?

There are no formal requirements for the education degree of a DPO (e.g. master’s degree, bachelor etc.). The CPDP shares the requirements of the GDPR, saying that the DPO should have deep knowledge in the sphere of data protection. 

In any case it could be deemed that a data controller would seek to hire a highly qualified DPO, who would ensure proper protection of the collected and processed personal data and to ensure compliance of the data controller himself. The DPO’s role in a corporation could be seen as not only protecting the collected personal data, but also to guard the corporation, as the financial penalties (as well as reputational damages) for incompliance with the GDPR may lead to undesired consequences. 

Article provided by:

  • Mitko Karushkov / Attorney, Kambourov & Partners 
  • Mario Arabistanov / Attorney, Kambourov & Partners


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.