Bulgarian Parliament to vote on Personal Data Protection amendments bill

Bulgaria

On 18 July 2018, after extensive public consultations, the Council of Ministers submitted the bill for amendments and supplements to the Personal Data Protection Act (“Bill”) to the Bulgarian Parliament for a vote.

The Bill can be viewed at this link, and outlines the requirements for implementation of the EU's General Data Protection Regulation (GDPR).

The Bill includes:

The new competencies of the Bulgarian Personal Data Protection Commission (PDPC)

  • The PDPC, as a leading supervisory authority, will monitor and facilitate the lawful processing and movement of personal data within the EU in the context of the GDPR and the Personal Data Protection Act (PDPA);
  • Instead of a data controllers register, the PDPC will maintain the following registers:
    • public register of the controllers and processors that have appointed data protection officers (DPO);
    • public register of the accredited certifying bodies;
    • public register of codes of conduct;
    • internal register for breaches of the GDPR and the PDPA.
  • The PDPC is responsible for the accreditation of bodies monitoring codes of conduct and certifying bodies (bodies who issue, review and withdraw data protection certification, seals and marks) in compliance with the GDPR.

Local derogations under the Bill

  • When data processing is performed without legal grounds, the controller/processor will return the personal data to the data subject or delete/destroy the data.
  • The controller has an obligation to notify the PDPC of the DPO's details when a DPO is appointed or there are any subsequent changes to this position.
  • The minimum age for valid consent is 14 years when using information society services. Otherwise, the consent of a parent is required.
  • Public access to information, containing the personal identification number or personal number of a foreigner, will not be allowed unless otherwise provided by law. The personal identification number/personal number of a foreigner will not be the only identifier for a data subject using electronic public services.
  • The controller can copy an identity document, a driving licence or a residence permit only if required by law.
  • There are special rules for the large scale processing of personal data through systematic monitoring of a publicly accessible area.

Rights of data subjects

  • New and strengthened rights for data subjects are introduced (e.g. the right to be forgotten, right to data portability, right to object to profiling, right of access, etc.)
  • Data subjects may exercise their rights by either filing applications with the controller or by filing complaints to the PDPC or the competent court.
  • Special rules are stipulated for the processing of personal data for the purpose of prevention, investigation or criminal prosecution of crimes.
  • The controller is obliged to provide information to data subjects, including details about the controller and the DPO, the purposes of data processing, the right to file a complaint to the PDPC, and the rights of data subjects.
  • Additionally, at the request of the data subject or on its own initiative, the controller will provide the following additional information to data subjects: the legal grounds for processing; the term for storage of personal data; the recipients of personal data, including those in third countries; and other additional information.

Data Controllers and Data Processors

  • The data controllers will implement appropriate technical and organisational measures to guarantee privacy-by-design and privacy-by-default principles.
  • The data controllers are obliged to keep records of all categories of processing activities, and the processors are obliged to keep records of all categories of processing activities on behalf of a controller. The Bill specifies the minimum content of information to be recorded.
  • Automatic processing systems will have log mechanisms identifying (i) the processing activities of collection, changes, verification, disclosures and transfers, the combining or deletion of data, and (ii) the grounds, date and hour of the activity, as well as the identity of the person who performed the verification. The PDPC may request this information.
  • Controllers will determine the appropriate terms for data retention, including the archiving of records.
  • Special rules are stipulated for consultation with the PDPC if processing may result in a high risk to data subjects. The PDPC will adopt and announce a list of the data operations requiring preliminary consultation.
  • In case of automatic processing, controllers and processors will implement a set of control measures, which the Bill lists.

Data transfer to third countries or international organisations

The PDPC will not be notified of standard contractual clauses concluded by controllers.



Unless a transfer is conducted to a country or organisation that ensures an adequate level of data protection, data may only be transferred if:

  • the legislation of the country, the statutes of the organisation, an international agreement to which Bulgaria is a party or other valid legal laws provide for appropriate measures and guarantees; or
  • the data controller has assessed the transfer and concluded that proper guarantees exist. In the latter case, the controller will document the transfer, notify the PDPC and provide additional information, if requested.

The Bill allows for several exceptions to the above rules concerning when a data transfer may be performed, such as the protection of legitimate interests, the protection of vital interests, responding to a threat to public security and order, the prevention of crimes, etc.



Sanctions

The Bill refers to the general sanction rules and fines established by the GDPR, but it does not provide a minimum threshold for fines. In addition, for other violations under the Bill, the PDPC will impose a sanction of up to BGN 5,000 (EUR 2,550).



For more information, please contact: Raya Maneva, Maya Aleksandrova and Tatyana Yosifova.