Bulgarian data protection authority establishes new procedural rules


The Bulgarian Personal Data Protection Commission (the “Commission”) has adopted new Rules of Procedure, which come into force on 30 July 2019. The new Rules were adopted less than a month after the data leak of 5 million Bulgarian citizens from the National Revenue Agency.

The new Rules regulate the structure and organisation of the Commission’s work and administration, and codify certain proceedings before the Commission under the EU's General Data Protection Regulation (GDPR) and Bulgarian Personal Data Processing Act, which went into force last March.

An expansion of existing general provisions, the Rules include the following procedures:

  • Dealing with data subject complaints – the Commission is entitled to investigate the complaint, collect evidence, and request third-party statements. Furthermore, it must notify the data subject on the development of the case within three months after receiving the complaint.
  • Submission of a data subject's request – requests that do not include the statutory prerequisites or anonymous signals and requests will not be reviewed by the Commission. The Commission can start an ex-officio procedure if the respective signal contains information of substantial social interest.
  • Approval of the Commission’s opinions – the Commission must prepare an opinion within one month of receiving a request.
  • Approval of Standard Contractual Clauses by the Commission and coordination with the European Data Protection Board (EDPB) - the Commission is entitled to adopt, at its own discretion, Standard Contractual Clauses upon coordination with the EDPB, and approve Binding Corporate Rules, in accordance with the provisions of the Rules.
  • Approval and permission of transfers of personal data to third countries.
  • Performing preliminary consultations – where a data protection impact assessment procedure is required or where there is a question of social interest concerning social protection and public health.
  • Managing personal data breach notifications – the Commission must review a data breach case within two weeks of receiving the notification and prepare а reasoned report, which may propose further investigation.
  • Approval and amendments of the codes of conduct – the Commission must review a draft of a code of conduct and issue a decision (upon coordination with EDPB, if necessary).
  • Accreditation procedure of supervision bodies – in respect to codes of conduct and certifying authorities.
  • Training – the Commission is entitled to perform training, culminating in an examination upon request, or at its discretion on the grounds of the approved annual education plan.
  • Codifying a formal procedure for the imposition of coercive measures, etc.

The Rules were implemented by the Commission and published in the State Gazette with the absence of a single amendment proposal during the one-month period for public consultations.

The new Rules are available on the Commission’s public website - https://www.cpdp.bg/?p=element&aid=36

For further information on this topic, call or email your usual CMS contact or our local CMS expert: Maya Aleksandrova, Senior Attorney, CMS Sofia.