On 30 April 2018, less than a month before the date on which the new European Data Protection Regulation – Regulation 2016/679 (GDPR) begins to apply, a Bill on Amendment and Supplement to the Personal Data Protection Act, currently in force in Bulgaria, was published in the public domain (the Bill). The Bill aims at harmonizing the Bulgarian legislation on the protection of personal data with the European one.
In this publication we will only focus on some of the most important and interesting elements of the Bill, and the whole Bill should be subject to detailed analysis and evaluation by all stakeholders in the following days:
- The Commission for Personal Data Protection (CPDP), which had so far fulfilled this function, was officially appointed as a supervisory body within the meaning of GDPR. It will be the independent body that will monitor the protection of individuals in the processing of their personal data and the enforcement of the Regulation.
- GDPR introduced a new figure to society, namely the Data Protection Officer. With the Bill, the Bulgarian legislator provided for a new ground for appointing such a person, setting precise limits for his appointment, namely the processing of personal data of “10,000 individuals”.
- The Bill provides that the CPDP should organize and conduct trainings of the persons designated for taking the position of a “data protection officer” or of persons wishing to be trained to take up this position. The trainings will be paid at a rate set by the Minister of Finance. This is a specific national solution that has no analogue in GDPR and which is rather controversial, because the European legislation does not require specific certification/mandatory registration for this position.
- One of the Bill’s interesting innovations relates to the following obligation: in case data is received without a legal basis, whether by a controller or a processor, the latter has to return it immediately or delete it within one month of becoming aware of the fact.
- The age threshold for obtaining children’s consent for the provision of information society services is reduced (from 16 years under GDPR to 14 years under the Bill). Here the change is quite reasonable considering the “total incapacity” institute, established for persons under 14 years of age under Bulgarian law.
- According to the Bill, public access to National Identification Number / Foreigner Identification Number will be provided solely if required by law. Therefore, controllers providing electronic services will need to take technical and organizational measures to ensure that the National Identification Number is not the only identifier for the provision of the service.
- The Bill contains specific rules for balancing the freedom of academic, artistic and literary expression with the protection of personal data.
There are also important changes with regard to employers. The legislator took advantage of the opportunity provided by Art. 88 of the GDPR, by establishing special rules in this respect.
- The Bill provides for the prohibition of copying the national ID document, the driving license, the worker / civil servant residence permit, with only one admissible hypothesis, namely the existence of an explicit legal obligation on the controller or the processor.
- Employers will also need to provide for a number of rules and procedures to show compliance with the new law and to ensure that these rules and procedures are brought to the attention of employees. Such rules will be needed, for example, in the framework of: (i) a system of evidence of breaches, (ii) restrictions on the use of in-house resources, and (iii) access control, working time and labor discipline.
- The employer will be able to store personal data of participants in personnel selection procedures for up to 3 years.
With the Bill, in addition to synchronizing national provisions with GDPR requirements, the legislator will also transpose the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, and has dedicated a whole chapter of the Bill to this end.
Interestingly, the legislator set out minimum thresholds (such do not exist under the GDPR) of BGN 10,000 for infringements punishable with a fine of up to EUR 20,000,000 and BGN 5,000 for infringements punishable with a fine of up to EUR 10,000,000.
For offenses other than those specified in the GDPR, a fine of BGN 1,000 to 5,000 is introduced. For failure to comply with the CPDP’s prescription, the sanctions will also vary in quite high amounts, namely between BGN 2,000 and BGN 200,000.
It remains to be seen whether this Bill will be adopted according to the proposed draft version. In any case, the positive intention of the Bulgarian legislator to settle the issue of bringing national legislation in line with the new rules on personal data protection before 25 May 2018 should be appreciated. Unfortunately, however, the short deadlines for public discussion (opinions on the Bill can be submitted by 14 May 2018) may be a barrier to the possibility of a detailed and comprehensive national discussion of the proposed measures.