# 15 DOs and DON’Ts under the new Bulgarian data protection law

As of today, February 26, the long-awaited amendments to the Personal Data Protection Act (the “Act” or “PDPA”), which harmonise Bulgarian legislation with the General Data Protection Regulation (GDPR), are in force. In addition to implementing the GDPR, the Act introduces certain national rules of its own.

Below you will find a short list of some of the most important requirements introduced by the new Act:

DOs

  • Adopt explicit internal rules if you carry out any of the following activities or have implemented any of the following processes within your organisation:
    – You conduct video surveillance;
    – You have restricted the use of the company’s devices, systems or resources (for example, if you have restricted your employees’ access to certain websites);
    – You have implemented a system for reporting violations (the so-called “whistleblowing” systems);
    – You have implemented systems controlling access, working hours or work discipline (card check-in systems, GPS tracking of company cars and other company technical devices);
  • Inform your employees about the adopted internal rules and provide them with access to these documents;
  • Store the personal data collected during recruitment procedures for no more than 6 months; request the applicant’s consent if you need to store the data for a longer period;
  • Appoint a Data Protection Officer (DPO) if you fall within the Act’s definition of a “public authority”: a state or local authority, or a structure whose main activity involves the expenditure of public funds;
  • Provide the name, PIN/PNF (personal identification number or personal number of a foreigner) and contact details of your DPO (if designated) to the Commission for Personal Data Protection (CPDP);
  • Whenever the personal data of minors (under the age of 14) is processed on the basis of consent, obtain that consent from the parent exercising parental rights or from the guardian. This requirement applies not only to the provision of information society services but to any form of processing based on consent;
  • Process the personal data of deceased persons only where there is a legal ground for doing so, and take appropriate measures so that the processing does not adversely affect the rights or freedoms of others or any public interest;
  • When processing personal data for the purposes of journalistic, academic, artistic or literary expression, always strike a balance between freedom of expression, the right to information and privacy, in line with the criteria set out in the PDPA.

DON’Ts

  • Do not copy identification documents (ID card, passport, driver’s licence) or residence permits unless a specific legal ground provided for by law applies;
  • Do not allow free public access to information containing a PIN/PNF unless otherwise provided by law (for example, when publishing lists that contain personal data);
  • Do not use the PIN as a password. The Act requires appropriate technical and organisational measures to ensure that the PIN/PNF is never the only means of identifying a user who is granted remote access to electronic services (for example, as the password for accessing medical test results). A PIN is an identifier that is widely shared and easily guessed, not a secret.
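The last DON’T is the one item on this list that maps directly onto an application-level control. The following Python is an added example (it is not from the post, the Act or the CPDP) of the check a login service can run: it recognises a structurally valid PIN (ЕГН) by its date encoding and the publicly documented mod-11 check digit, refuses to treat such a value as a password, and rejects any remote login in which the PIN would be the only means of identification. The sample numbers are constructed so that they pass the checksum; the function names are the example’s own; and the PNF (ЛНЧ), which uses a different check-digit scheme, is not decoded here and is only caught by the bare 10-digit heuristic.

```python
import re
from datetime import date
from typing import List, Optional, Tuple

# Check-digit weights for the nine leading digits of a Bulgarian PIN (EGN).
# This is the publicly documented civil-registry algorithm, not something the
# post states; the PNF (foreigners' number) uses a different scheme, omitted here.
EGN_WEIGHTS = (2, 4, 8, 5, 10, 9, 7, 3, 6)
TEN_DIGITS = re.compile(r"\d{10}")


def egn_birth_date(egn: str) -> Optional[date]:
    """Decode the YYMMDD prefix. The month field also encodes the century:
    01-12 -> 1900s, 21-32 -> 1800s, 41-52 -> 2000s."""
    yy, mm, dd = int(egn[0:2]), int(egn[2:4]), int(egn[4:6])
    if 1 <= mm <= 12:
        century = 1900
    elif 21 <= mm <= 32:
        century, mm = 1800, mm - 20
    elif 41 <= mm <= 52:
        century, mm = 2000, mm - 40
    else:
        return None
    try:
        return date(century + yy, mm, dd)
    except ValueError:  # e.g. 31 February
        return None


def is_valid_egn(value: str) -> bool:
    """True when value is 10 digits with a plausible date and a correct check digit."""
    if not TEN_DIGITS.fullmatch(value) or egn_birth_date(value) is None:
        return False
    total = sum(int(d) * w for d, w in zip(value[:9], EGN_WEIGHTS))
    check = total % 11
    if check == 10:  # the scheme maps remainder 10 to check digit 0
        check = 0
    return check == int(value[9])


def password_findings(pin: str, password: str) -> List[str]:
    """Reasons why a submitted password is really an identifier, not a secret."""
    findings = []
    if password == pin:
        findings.append("password is the user's own PIN")
    if is_valid_egn(password):
        findings.append("password is a structurally valid PIN (EGN)")
    elif TEN_DIGITS.fullmatch(password):
        findings.append("password is a bare 10-digit number, likely a PIN or PNF")
    return findings


def evaluate_remote_login(pin: str, password: Optional[str],
                          second_factor: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Apply the rule that the PIN may identify a user but must never be the
    only thing that authenticates them. Returns (allowed, findings)."""
    pw = (password or "").strip()
    findings = password_findings(pin.strip(), pw) if pw else ["no password supplied"]
    password_is_secret = bool(pw) and not findings
    if not password_is_secret and not second_factor:
        findings.append("PIN would be the only means of identification; a second factor is required")
    return password_is_secret or bool(second_factor), findings


if __name__ == "__main__":
    PIN = "8503041238"  # constructed for the example: 1985-03-04, passes the check digit
    attempts = [(PIN, None), ("correct horse battery staple", None), ("", "482913"), ("1234567890", None)]
    for pw, otp in attempts:
        allowed, why = evaluate_remote_login(PIN, pw, otp)
        print(f"password={pw!r:32} otp={otp!r:9} allowed={allowed} {why}")
```

A login that carries the PIN together with a one-time code is allowed, because the PIN is then not the only means of identification; a login whose password is the user’s own PIN, someone else’s PIN, or any bare 10-digit number is rejected unless a second factor is present, and the findings list is what you would log or show to the user.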

Tailor your practices to the new requirements, bearing in mind that this list is not exhaustive and is intended only to familiarise you with the general structure of the amendments adopted.

Keep an eye on our follow-up publications, where the most important changes will be analysed in more detail, and we will continue to keep you up to date in the field of personal data protection!

# 14 The Bulgarian Commission for Personal Data Protection adopted a list of the processing activities for which a data protection impact assessment under the GDPR is mandatory

Further to publication #12, Data Protection Impact Assessment, from our blog, we inform you that the Commission for Personal Data Protection has published a list of the types of processing operations for which a data protection impact assessment (DPIA) is required. The list was published on 13.02.2019 on the Commission’s website.

Pursuant to the list, data controllers whose main or single establishment is on the territory of the Republic of Bulgaria are required to conduct a DPIA in each of the following cases:
• Large scale processing of biometric data for the purposes of the unique identification of a natural person, which is not occasional;
• Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing operations for which the provision of information to the data subject pursuant to Art. 14 of the GDPR is impossible, would involve disproportionate effort, or is likely to render impossible or seriously impair the achievement of the objectives of the processing, where this relates to large-scale processing;
• Processing of personal data by a controller whose main place of establishment is outside the EU, where its designated representative in the EU is located on the territory of the Republic of Bulgaria;
• Regular and systematic processing for which the provision of information by the controller to the data subject pursuant to Art. 19 of the GDPR is impossible or involves disproportionate effort;
• Processing of personal data of children in relation to the offer of information society services directly to a child;
• Migration of data from existing to new technologies, where this relates to large-scale data processing.

The current list, adopted on the basis of Art. 35(4) of the GDPR, is non-exhaustive and may be updated if necessary. We will inform you of any such updates.