Insights

The purpose of this report is to analyse two key figures in the activity of public authorities with significant responsibilities for the protection of the information processed by these authorities. These are the Data Protection Officer (DPO) under the General Data Protection Regulation 2016/679 (GDPR) and the Personal Data Protection Act (PDPA) and the Information Security Officer (ISO) under the Classified Information Protection Act (CIPA). While at first glance the DPO and the ISO have some similar, even overlapping functions, there are significant differences between these two figures. They can be outlined in different directions – who can hold these positions, what their tasks are, whether they can combine other roles, including whether the same person can combine the roles of DPO and ISO. The answer to these and other important questions about DPO and ISO can be found in this study. The results of the analysis are intended to help public authorities required to designate DPO and ISO to gain clearer understanding of the specific duties, roles and responsibilities of these persons in their activities.

The figure of the Data Protection Officer (DPO) under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Directive/Directive 2016/680) reveals some similarities with already familiar figures. This article aims to distinguish the DPO from several other similar figures (inhouse legal advisor, IT specialist and team members of the DPO itself), with the aim of assisting data controllers and data processors (DPAs/DPAs) in making decisions about designating data protection officers in their organisations. *This publication is in Bulgarian.

Bulgarian Personal Data Protection Commission has issued an opinion on the admissibility of processing video surveillance records with sound for the purposes of assessing the personal performance of the employees and for determining their bonuses. The opinion of the commission is that such further processing of the personal data does not comply with the requirements of Art. 6, para. 4 of GDPR and therefore is inadmissible

One of the new obligations introduced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data and repealing Framework Decision 2008/977/JHA (the Directive), was the obligation for certain controllers and processors (DPAs) to appoint a Data Protection Officer (DPO). This is the first time such an obligation has been established by law in Bulgaria. And now, more than 5 years since the two Acts have been implemented, there is often a misunderstanding of what the role and tasks of the DPO are. This article is intended to distinguish the DPO from the similar figure of the lawyer, thereby making it easier for DPAs to choose how to allocate responsibilities regarding the protection of personal data within their organisations. *This publication is in Bulgarian.

Comment by Hristo Nihrizov, Head of Banking & Finance, on the opportunities and challenges that the new regulations will bring to financial market participants. *This publication is in Bulgarian.