OPINION
OF
THE COMMISSION FOR PERSONAL DATA PROTECTION
reg. No. РД-01-102/2023
Sofia, 28 June 2023
SUBJECT: Positions of direct subordination to the bodies of the executive power – “data protection officer” and “employee in charge of handling reports” under the APPRIPDIB
The Commission for Personal Data Protection (CPDP), composed of – Chairman: Ventsislav Karadzhov and members: Tsanko Tsolov, Mariya Mateva and Veselin Tselkov, considered, pursuant to the conditions of Article 12 of the Rules on the Activity of the CPDP and its Administration, a letter with incoming No. РД-01-102/15.06.2023 from the Secretary General of the Council of Ministers (CoM) of the Republic of Bulgaria. The letter states that the Administration of the Council of Ministers (AMC) is directly involved in the coordination and monitoring of the establishment of a lawful and effective structure of the state administration. The CoM expresses the opinion that the construction of a maximally unified structure and processes of the administrations is a basic prerequisite for achieving their effectiveness. According to the current regulations, the administrative structures should be built in accordance with the Administration Act (AdmA) and the corresponding special laws, such as, for example, the Personal Data Protection Act (PDPA) and the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches (APPRIPDIB), which introduce the figures of “personal data protection officer” and “employee in charge of handling reports”, respectively.
The CoM envisages preparation of subsequent instructions to the bodies of the executive power for a lawful, expedient and potentially unified internal structuring of the administrations that support them. In view of this, they turn to the CPDP with a request for an opinion on the following issues:
- As regards the AMC’s view expressed in the request regarding the internal positioning of the “data protection officer”; and
- To which units/positions the function of “employee in charge of handling reports under the APPRIPDIB” should be assigned, taking into account the fact that in some of the administrations inspectorates have been established under the AdmA, while in the rest of them the formation of such units is not envisaged by the Act.
On item 1, the AMC’s opinion is that the position of “data protection officer” should not be placed in direct subordination to the head of the administration, outside the general and specialized administration. The CoM states that the function of this officer should be taken over by an employee who is part of a directorate of the general or specialized administration, and that his/her functions should not be specifically described in the rules of procedure. The following reasons are presented:
The AMC states that pursuant to Article 5, paragraph 1 of the AdmA the administration is general and specialized, according to the distribution of the activities they perform in support of the body of state power. For the removal of a position or unit outside the general or specialized administration, it is necessary that such a possibility is regulated by law.
According to the AMC’s opinion, the CPDP does not require the creation of a position of “data protection officer” directly subordinated to the body, outside the general and specialized administration. According to Article 69 of the Personal Data Protection Act (PDPA) “the data controller shall designate a data protection officer on the basis of his or her professional qualities and, in particular, his/her expert knowledge of data protection law and practice and the ability to perform the tasks referred to in Article 70. A single data protection officer may be designated for several controllers, taking account of the organisational structure and size of the said controllers.” It is clear from the provision that:
– The data protection officer does not necessarily have to be part of the controller’s staff. The person in charge of personal data protection can be part of the staff, but can also be an external party that fulfils its obligations on the basis of a concluded contract. Therefore, controllers are not obliged to appoint such an officer specifically, but are only obliged to designate a person to perform the functions of a data protection officer.
– There is no obstacle for the employee designated by the controller as a data protection officer to perform other functions within the organization. The conditions under which a data protection officer shall be designated or appointed shall be entirely at the discretion of the data controller.
The AMC considers that since there are no requirements for the person designated to perform the functions of “data protection officer” to be outside the general and specialized administration, the most effective and, at the same time, lawful solution is to assign the functions of this person to an employee from the existing directorates of the general or specialized administration.
Regarding item 2, the AMC considers that the “employee in charge of handling reports under the APPRIPDIB” should not be singled out as a separate position in direct subordination to the head of the administration, outside the general and specialized administration. Reasons are given that the function of this officer should be taken over by an employee from an existing internal unit, and that his/her functions should not be specifically described in the rules of procedure. The AMC finds it appropriate that, in administrations in whose structure inspectorates have been created, the functions of handling reports be assigned to employees from the inspectorate and, in other cases, to an employee from a directorate of the general or specialized administration. The letter also states that the organization of work with reports should be defined in the section “Organization of work” of the rules of procedure.
Legal analysis:
The figure of the data protection officer is regulated in Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR). The provisions of the PDPA cited in the request (Articles 69 and 70) refer to the designation of the data protection officer in the structures of the competent authorities within the meaning of Directive (EU) 2016/680¹ (the so-called Police Directive).
According to Article 37, paragraph 1 of Regulation (EU) 2016/679, the designation of a data protection officer is mandatory in three specific cases:
(a) when the processing is carried out by a public body or structure;
(b) when the main activity of the controller or data processor consists of processing operations which, due to their nature, scope and/or purposes, require regular and systematic large-scale monitoring of data subjects; or
(c) where the main activity of the controller or data processor consists of large-scale processing of the special categories of data or personal data related to convictions and offences.
The designation of a data protection officer is also mandatory for competent authorities under Article 32 of Directive (EU) 2016/680 (respectively, Articles 69 – 70 of the PDPA). The Guidelines on data protection officers of the European Data Protection Board (adopted on 13 December 2016 and last revised and adopted on 5 April 2017) point in the same direction. While the guidelines in question refer to data protection officers under Regulation (EU) 2016/679, by analogy they are also applicable to data protection officers under Directive (EU) 2016/680. This distinction is required solely because the functions of data protection officers in the structures and for the purposes of the competent authorities within the meaning of Directive (EU) 2016/680, respectively Chapter Eight of the PDPA, may not be performed by persons who are external to the competent authority. Only one data protection officer may be appointed jointly for several competent authorities, taking into account their organizational structure and scale (arg. from Article 32, paragraph 3 of Directive (EU) 2016/680 and, accordingly, Article 69, paragraph 2 of the PDPA).
According to Article 37 (6) of Regulation (EU) 2016/679 the data protection officer may be:
- a staff member (internal), including but not limited to:
  - in an independent full-time “data protection officer” position;
  - in a part-time position in more than one administrative body;
  - by holding more than one job, subject to the restrictions under the Civil Servants Act or the Labour Code;
  - on assignment of functions by an order within the administrative structure, etc.;
- a person who performs his/her tasks on the basis of a service contract with the controller or the processor (external), with the exception of the officer designated in a competent authority within the meaning of Directive (EU) 2016/680.
The CPDP’s Guidelines regarding the fulfilment of the obligation of controllers and personal data processors to notify the CPDP when designating a data protection officer, published on the Commission’s official website, section “Data Protection Officer” (https://www.cpdp.bg/?p=sub_rubric&aid=249), point in the same direction.
An essential element of the status of the data protection officer is his/her independence. According to Article 38 (3) of Regulation (EU) 2016/679, the controllers/data processors shall ensure that the DPO² “does not receive any instructions regarding the exercise of those tasks” and “shall directly report to the highest management level of the controller or the processor”. With the provisions of recital (97) and Article 38 (6) of Regulation (EU) 2016/679, the characteristic features of the DPO’s position are outlined – “to perform their duties and tasks in an independent manner” and his/her functions “should not result in a conflict of interests”, regardless of whether the DPO is a member of the controller’s/processor’s staff, whether he/she is holding the position as an additional job or performing tasks under a service contract. These clarifications require that the DPO be a person different from the controller/processor, as well as from the persons who determine the purposes and means of personal data processing at the relevant controller/processor (such as the head of the administrative body, chief/executive director, chief operating director, chief financial director, chief medical director, head of marketing department, head of human resources department or head of IT department, but also other functions further down the organizational structure, if the positions or functions in question are related to the determination of the purposes and means of data processing). It is equally important that the DPO be protected from unfair dismissal or termination of the service contract when performing the functions and tasks provided for in Regulation (EU) 2016/679 in good faith. This measure guarantees the independence of the DPO.
Regardless of how the DPO is defined (as internal or external to the administrative body), in terms of his/her assigned functions as such, the controller must ensure his/her functional independence. When performing the functions of the DPO, the employee “does not receive any instructions regarding the performance of these tasks” and “reports directly to the highest management level of the controller or processor of personal data”, i.e. in this capacity, he/she may not be subordinated to other administrative heads than to the highest management of the administrative body.
There is no legal obligation for the function of the DPO to be regulated in the rules of procedure of the administrative body, since it is already regulated in Regulation (EU) 2016/679 (Articles 37 – 39). The function of the DPO should be derived from the structure of the general and specialized administration of the administrative body and should be directly subordinated to the highest management, i.e. this is not a new structure, but only a functional separation. For example, a person appointed to an expert position in the general or specialized administration of the administrative body and designated by an order to perform the DPO functions as well shall report accordingly to:
- their direct head in the structural unit of the administration where they are appointed – for the functions of their expert position, and
- directly to the highest management – for their functions as DPO.
As correctly stated in the request, in order to place a position or unit outside the general or specialized administration, such a possibility must be regulated by law. In this case, that law is Regulation (EU) 2016/679. It is especially important, when the person designated to perform the DPO functions holds such an independent position, that this position be outside the structure of the general or specialized administration. In the other hypotheses of performance of this function (by holding more than one job, by order, part-time, in more than one controller, etc.), it is only functionally separated.
It should be taken into account that, with letter reg. No. AПO-20-13/17.10.2017 to the Minister of Labour and Social Policy, the CPDP expressed an opinion on the same grounds regarding the inclusion of the position “DPO” in the National Classification of Professions and Positions.
With regard to item 2 of the request on the “employee in charge of handling reports under the APPRIPDIB” the following should be taken into account:
According to Article 14, paragraph 2 of the APPRIPDIB, the employees in charge of handling reports may be the employees in the structure of each of the obliged subjects under Article 12, paragraph 1 who are charged with the processing and protection of personal data. The assessment rests with the employer – an obliged subject under the Act. Obliged subjects under the APPRIPDIB who do not have an obligation under Article 37 of Regulation (EU) 2016/679 to designate a person in charge of the processing and protection of personal data shall designate another employee in charge of handling reports. In this respect, there is no obstacle to assigning the function of an employee in charge of handling reports under the APPRIPDIB to an inspector/s or another employee/s from the inspectorates under the AdmA. There is also no legal obstacle to entrusting such functions to another person from the administration, as long as his/her independence in the handling of reports is guaranteed and he/she is not in a conflict of interest in this hypothesis.
Regardless of the administrative hierarchical subordination between certain structures, their divisions or units in the administration (e.g. ministry and executive agency; municipality and municipal enterprises or kindergartens, etc.), what is decisive for the occurrence of the obligation to build and maintain an internal channel under the APPRIPDIB is the capacity of “independent employer” within the meaning of § 1, item 2 of the AP of the APPRIPDIB of the relevant structure, division or unit and its number of employees, and not the hierarchical subordination in the organization, the legal organizational form or who selects/appoints and dismisses its head.
It should be borne in mind that per argumentum a contrario from Article 14, paragraph 5 of the APPRIPDIB it is not allowed for obliged subjects under Article 12, paragraph 1, item 1 (i.e. employers in the public sector) of the same Act to assign the functions of receiving, registering and considering reports under the APPRIPDIB to natural or legal persons, outside their structure. As a result, in case the administrative body uses the services of an external DPO, he/she may not perform the functions of an employee in charge of handling reports under the APPRIPDIB.
The obliged subjects under the APPRIPDIB should make and adopt their own rules and procedures for receiving, registering and handling oral and written reports within the meaning of this Act.
For these reasons and on the grounds of Article 58 (3) (b) of Regulation (EU) 2016/679 in conjunction with Article 10a, paragraph 1 of the Personal Data Protection Act and Article 51, item 2 of the Rules on the Activity of the CPDP and its Administration and § 7 of the Final Provisions of the APPRIPDIB and Article 25a, paragraph 1, item 10 of the Rules on the Activity of the CPDP and its Administration, the Commission for Personal Data Protection expresses the following
OPINION:
- In the case of the mandatory designation of a data protection officer (DPO) by a controller/data processor that is a public body, the latter shall ensure and guarantee his/her independence and absence of conflict of interest, regardless of his/her structural positioning within the administration of this body. In order to fulfil this requirement, the figure of the DPO should be functionally separated from the structure of the general and specialized administration and should be directly subordinated to the highest management of the public body.
- Pursuant to Article 14, paragraph 2 of the APPRIPDIB, the employees in charge of handling reports may be the data protection officers in the structure of each of the obliged subjects under Article 12, paragraph 1 of the same Act. There is no obstacle to assigning the function of an employee in charge of handling reports under the APPRIPDIB to an inspector/s or another employee/s from the inspectorates under the AdmA. There is also no legal obstacle to entrusting such functions to another person from the administration, as long as his/her independence in the consideration of reports is guaranteed and he/she is not in a conflict of interest in this hypothesis.
The selection of the most appropriate persons or units within the obliged subject from the public sector under the APPRIPDIB, who may be designated as competent to handle reports and take follow-up actions on reports, depends on the structure of the subject, but in any case their function should be such as to guarantee independence and absence of conflict of interest. In this respect, their activity should be functionally separated and should not be affected by hierarchical subordination within the general and specialized administration of the respective body.
____________
¹ Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA has been transposed into our national legislation with Chapter Eight of the PDPA (Article 42 – Article 83), as well as with separate provisions of the MoI Act.
² DPO – data protection officer
CHAIRMAN: Ventsislav Karadzhov /sgn./
MEMBERS: Tsanko Tsolov /sgn./, Mariya Mateva /sgn./, Veselin Tselkov /sgn./