Citizens have the right to contact the person who processes their personal data in cases of abuse, negligent use or use without consent in various everyday situations. For these cases, as well as for the introduction, monitoring and updating of internal mechanisms for the protection of personal data among legal entities that process personal data, the Law on Personal Data Protection provides for the designation of an authorized person for the protection of personal data. A personal data protection officer is mandatorily designated in four cases: when the processing is carried out by a state authority; when the basic activities of the person processing personal data consist of processing operations that, due to their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; and when the basic activities of the person processing personal data consist of extensive processing of special categories of personal data or of personal data related to criminal convictions and criminal acts.
As an example, let us look at a typical supermarket that has installed a video surveillance system. Given that the supermarket has employees and processes their personal data in order to fulfill its obligations, such as payment of salaries (more on the protection of personal data in employment relations here), and processes the personal data of customers through the video surveillance system (more about personal data protection during video surveillance here), the supermarket is obliged to appoint a personal data protection officer.
The personal data protection officer is designated based on their professional qualifications, especially their expert knowledge of legislation and practice in the field of personal data protection. They may be an employee of the person processing personal data or perform the work based on a service contract. Since the officer does not have to be employed by the person processing personal data, which would mean that the officer performs their duties only for that person, a group of legal entities processing personal data may jointly designate a personal data protection officer. For example, the aforementioned supermarket may appoint one of its own employees as personal data protection officer, or several supermarkets may jointly appoint an external person with appropriate qualifications. In the case of such an “association”, the officer must be easily accessible to each legal entity (each of the supermarkets) within the group, to the Agency for Personal Data Protection, and to the citizens who contact them in order to exercise their personal data protection rights. The person who processes personal data, or the group of persons who have appointed a common officer, is obliged to publish the officer’s contact data and to notify the Agency for Personal Data Protection of the appointment.
The obligations of the personal data protection officer can be divided into two groups according to the work they perform: internal and external. The officer’s internal duties consist of informing and advising the person processing personal data (the supermarket or group of supermarkets, in our example) about their obligations under the Law on Personal Data Protection. They also monitor whether the personal data protection policy and the related acts of the person processing personal data comply with the Law on Personal Data Protection and other relevant laws. The officer analyses these acts and trains employees on them and on the Law on Personal Data Protection. The external duties of the officer refer to their communication with the Agency for Personal Data Protection and with the general public, i.e. with citizens exercising their rights to protect their personal data. In the course of their work, the officer is obliged to act independently, without external influence or pressure from other employees or superiors.
In our example, the personal data protection officer is obliged to analyse the way the supermarket collects and processes the personal data of its employees for the purpose of paying salaries and to notify the supermarket (the person who processes the personal data) of anything unlawful or of any omissions. They should inform and train employees about their rights in the context of the processing of their personal data for the payment of salaries. Furthermore, the officer should analyse the justification for setting up a video surveillance system and prepare the appropriate acts for it. If a customer wishes to exercise their right to have a video recording in which their image is visible deleted, the officer should prepare the appropriate acts for the deletion procedure or prepare a justification for why the video recording cannot be deleted.
The personal data protection officer is an important link in fulfilling the rights of citizens to protect their personal data according to the Law on Personal Data Protection. They are the point of contact and the “main” advisor between the personal data processor, the Agency for the Protection of Personal Data and the general public, i.e. the citizens. In view of that, they should have the appropriate ability and perform their duties independently and conscientiously.
Author: Nikola Dimitrov, M.Sc
This text has been prepared with the support of the European Union. The contents of this text are the sole responsibility of the partners of the project “Privacy by design – building an inclusive digital ecosystem” and the author and in no way reflect the views of the European Union.