Data Protection Regulation (EU) 2016/679 (GDPR or the Regulation), in force since 25th May 2018th, introduces several obligations for data controllers and processors. One of these obligations is to designate a Data Protection Officer (DPO). In general, this person has the task of informing and advising (shall inform and advice) the administrator or processor of personal data and the processing staff (staff which processes the data) of their obligations under the Regulation, to monitor compliance with the Regulation and to cooperate with the Supervisory Authority.
The figure of the DPO is not new for the Bulgarian legislation – it was introduced in 2007th by Ordinance No. 1 of 07.02.2007. The Regulation introduces a requirement for mandatory appointment of an officer with these specific functions in the following cases:
- Public authorities or bodies, except in the case of courts acting in their judicial capacity – for example – municipalities, ministries;
- Controllers whose activity, which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects – for example – large shopping centres, hospitals, banks;
- Controllers whose main activities consist of large-scale processing of special categories of data and personal data related to convictions and violations – for example – hospitals, insurance companies.
In other cases, to designate such a person is not mandatory.
The Regulation allows the same DPO to be defined by a group of undertakings, provided that each undertaking has easy access to it. The DPO must have in-depth expertise in the field of the data protection law and practice.
Controllers can choose whether to be recruited based on a contract of employment or to perform tasks based on a service contract. When employed under an employment contract, the person may combine other occupational functions at the discretion of the employer. If personal data protection tasks are to be assigned to a person who is already on a contract with the controller, their job description should not be considered to have a conflict of interest – for example, that position would be incompatible with a management of Human Resources or IT. This person enjoys a special status – could not be dismissed or sanctioned by the controller or the personal data processor for a good faith performance of his or her personal data protection tasks (e.g. notifying the supervisor of non-compliance with certain obligations by the controller). The DPO shall report directly to the highest management of the controller or the personal data processor. However, this person may be subject to disciplinary liability for failing to comply with personal data protection obligations and for any other offense not related to the performance of their personal data protection tasks – failure to comply with disciplinary code, lateness, not working during work time, non-compliance with the rules for health and safety at work, etc.
The main and most significant difference between appointing a DPO with a contract of employment and a service contract is the amount of liability for acts/omissions of the person that constitutes a breach of the data protection legislation that can lead to sanctions for the controller – employer; where there is a contract of employment, according to Art. 203 of the Labour Code, the employee has limited financial liability, which is generally up to the agreed labour remuneration received (up to 3 monthly labour remunerations when the damage is caused by a manager). The liability of the employee is in full extent only if it is caused intentionally or as a result of a crime or was caused not during or in connection with the performance of employment obligations. If an infringement is found, an analysis should be made on each case, and the employer is required to prove that the infringement was committed intentionally.
In the case of a service contract, the capacities of the contracting authority – controller of personal data, are far greater – depending on the contractual arrangements and the particular circumstances, the contractor could be liable for all damages and lost profits, especially if it is a legal entity that professionally carries out this activity.
Taking into account the extremely high fines and financial penalties for infringements of the GDPR – up to € 20 million or up to 4% of the infringer’s annual turnover – it is quite resolute whether it is preferable for a DPO to be determined on the basis of to a civil or commercial service contract. This contract should clearly and exhaustively regulate the rights and obligations of the contractor (DPO) as well as the amount of liability for personal data controller’s sanctions as a result of breaches committed by the contractor. In the light of this, it is also advisable to require DPO to submit and maintain insurance on their liability to third parties for damage caused by their activities. Unfortunately, insurers still do not offer such a product on the Bulgarian insurance market. At present, there is also no statutory obligation that to DPO have such an insurance as a type of professional liability (similar to the participants in the construction process or the lawyers), which may be the reason for the legislator to take steps in this direction to reduce the financial risk of data protection officers while carrying out it actions.