Data Protection Officer (DPO)

KUPATE BG – Roma Public Council Foundation Website

Effective Date: 25/12/2025
Last Updated: 25/12/2025


Table of Contents

  1. Introduction

  2. Appointment and Independence of the DPO

  3. Roles and Responsibilities

  4. Personal Data Oversight and Processing

  5. Data Protection Impact Assessments (DPIA)

  6. Record-Keeping and Documentation

  7. Breach Response Protocols

  8. Staff Training and Awareness

  9. Third-Party and Partner Compliance

  10. Reporting and Accountability

  11. Technical and Organisational Safeguards

  12. Risk Management and Continuous Improvement

  13. Communication with Data Subjects

  14. Templates, Checklists, and Examples

  15. Contacting the DPO

  16. Governing Law and Compliance


1. Introduction

The KUPATE BG – Roma Public Council Foundation (hereafter “the Foundation”) is a non-profit organisation dedicated to improving the welfare, education, housing, and social inclusion of vulnerable communities across Bulgaria, the Balkans, and globally.

This manual establishes a comprehensive framework for the Data Protection Officer (DPO) to ensure full compliance with the General Data Protection Regulation (GDPR, EU 2016/679), Bulgarian data protection law, and other relevant EU/UK legislation. The DPO ensures that personal data of donors, beneficiaries, staff, and partners is collected, processed, stored, and transmitted responsibly, securely, and ethically.


2. Appointment and Independence of the DPO

2.1 Appointment
  • The DPO is appointed by the Board of Trustees.

  • Qualifications include:

    • Advanced knowledge of GDPR and EU data protection laws

    • Experience with non-profit or charitable organisations

    • Competence in risk management and compliance monitoring

2.2 Independence
  • Reports directly to the Board of Trustees and executive leadership.

  • Cannot be instructed regarding compliance decisions or penalised for recommendations.

  • Provided with the necessary resources, budget, and access to all processing activities.

2.3 Responsibilities to the Organisation
  • Advises on compliance strategies and data protection policies.

  • Monitors adherence to internal procedures and regulatory requirements.

  • Ensures due diligence in donor, partner, and third-party interactions.


3. Roles and Responsibilities

The DPO’s responsibilities cover six primary areas:

  1. Compliance Monitoring: Review processing activities to ensure alignment with GDPR and Bulgarian law.

  2. Advisory Role: Guide the Foundation on data protection law, DPIAs, and third-party agreements.

  3. Data Subject Rights Management: Respond to access, rectification, erasure, restriction, and portability requests.

  4. Staff Training and Awareness: Conduct mandatory training and maintain awareness programs.

  5. Breach Management: Detect, assess, and report personal data breaches to supervisory authorities and data subjects.

  6. Liaison with Supervisory Authorities: Serve as the primary contact for CPDP, EU, and UK regulators.


4. Personal Data Oversight and Processing

4.1 Categories of Data

The Foundation processes:

  • Donor Data: Names, addresses, emails, financial information

  • Beneficiary Data: Personal identification, case records, impact assessments

  • Employee and Volunteer Data: HR records, payroll, emergency contacts

  • Partner and Contractor Data: Legal documents, agreements, performance reports

4.2 Lawful Basis for Processing
  • Consent

  • Contractual necessity

  • Legal obligations

  • Legitimate interests aligned with charitable objectives

4.3 Data Minimisation and Retention
  • Collect only necessary data for specific purposes.

  • Implement retention schedules aligned with legal requirements and internal policies.

  • Securely delete or anonymise data once the retention period ends.


5. Data Protection Impact Assessments (DPIA)

5.1 When to Conduct a DPIA
  • High-risk data processing activities

  • Collection of sensitive or special categories of data

  • Cross-border transfers outside the EU

5.2 DPIA Steps
  1. Describe the processing: purpose, scope, and categories of data.

  2. Assess necessity and proportionality: justify collection and use.

  3. Identify risks: potential harm to rights and freedoms.

  4. Evaluate measures: technical and organisational safeguards.

  5. Document findings: maintain DPIA records for supervisory review.

5.3 Approval
  • DPIAs are reviewed by the DPO and submitted to the Board of Trustees for final approval.


6. Record-Keeping and Documentation

The DPO maintains:

  • Processing activity logs (Article 30 GDPR)

  • Consent records for donors and beneficiaries

  • Staff training logs

  • Incident and breach reports

  • DPIA records

  • Audit reports and risk assessments


7. Breach Response Protocols

7.1 Detection
  • Monitor logs, systems, and staff reports.

  • Immediately report suspected breaches to the DPO.

7.2 Assessment
  • Identify scope, nature, and severity.

  • Determine potential impact on individuals.

7.3 Notification
  • Notify CPDP within 72 hours of qualifying breaches.

  • Inform affected individuals if high risk is identified.

7.4 Remediation
  • Contain the breach and mitigate harm.

  • Review policies and technical measures.

  • Document actions and lessons learned.


8. Staff Training and Awareness

8.1 Mandatory Training
  • GDPR basics

  • Secure handling of personal data

  • Reporting incidents and breaches

8.2 Awareness Activities
  • Posters and newsletters

  • Online training modules

  • Updates on regulatory changes

8.3 Staff Responsibilities
  • Follow all data protection policies

  • Report concerns immediately to the DPO


9. Third-Party and Partner Compliance

  • Conduct due diligence on all partners and contractors

  • Include data processing agreements in contracts

  • Monitor partner compliance regularly

  • Terminate agreements if breaches or non-compliance occur


10. Reporting and Accountability

10.1 Internal Reporting
  • Monthly reports to the Executive Director

  • Quarterly compliance reports to the Board of Trustees

10.2 External Reporting
  • Supervisory authorities

  • Donors for projects involving personal data

  • Public transparency reports


11. Technical and Organisational Safeguards

  • Encryption of sensitive data

  • Access controls by role

  • Regular data backups

  • Secure communication and storage systems

  • Anti-malware, firewall, and cybersecurity protocols


12. Risk Management and Continuous Improvement

  • Conduct annual compliance reviews

  • Update policies based on regulatory guidance

  • Incorporate lessons from audits, breaches, and feedback


13. Communication with Data Subjects

  • Provide clear information on data processing

  • Respond to requests within GDPR timelines

  • Ensure data subjects can exercise all rights easily


14. Templates, Checklists, and Examples

  • DPIA template

  • Breach notification form

  • Donor consent form

  • Staff training log

  • Third-party compliance checklist


15. Contacting the DPO

Data Protection Officer
KUPATE BG – Roma Public Council Foundation
πŸ“ Bulgaria, Sofia (1517), Slatina district, 31 514th Street
πŸ“ž +359 88 955 2668
πŸ“§ dpo@kupate.bg


16. Governing Law and Compliance

  • Governed by the law of the Republic of Bulgaria, the EU GDPR, and applicable UK regulations.

  • The DPO ensures compliance with all applicable data protection and charity laws.