Crucial for any controller opinion of the Bulgarian Commission for Personal Data Protection (the Commission) on the form of authorisation regarding the exercise of rights of the data subject before medical institutions has recently been published on their website.
The Commission made its statement in response to an enquiry submitted by a medical institution regarding patients’ access to their personal data, as well as regarding the exercise of their rights as data subject through an authorised person. The issue arose in the process of preparation of the institution’s internal rules on data protection aimed at synchronizing their data processing activities with the requirements of Regulation (EU) 2016/679. There are no clear provisions on this issue neither in the European, nor in the national legislation. To put it short, is a notarized form of authorization required for the exercise of the data subjects’ rights by another person under Articles 15-22 of the Regulation?
In its legal analysis, the Commission examines the conditions for the exercise of the data subjects’ rights as set out in Art. 12 of the Regulation. For the controller, the verification of the data subject’s identity is the the thing to begin with. The manner in which such verification is carried out depends on the specifics of each case, but the controller is generally supposed to use the already available data on the subject. Where there is doubt, the controller may request additional information from the data subject, and in case such is not provided or is unconvincing, the controller may refuse a remedy bearing the burden of proof regarding the unverifiability of the subject’s identity. With regards to the data subject, the procedure for the submission of rights requests is laid down in the Personal Data Protection Act – namely, a written application to the controller is required, unless otherwise specified by the controller, including by electronic means or an user interface. The Act states that an application submitted by an authorised person shall be accompanied by the respective form of authorisation. The Commission furthermore addresses the Health Act and the opportunity provided therein for patients to authorize another person in a written form to get acquainted with their medical files and make copies thereof . Taking into account the general regulatory framework regarding authorisation contained in the Obligations and Contracts Act which provides for an aggravated form of authorisation only upon the conclusion of transactions in aggravated form, as well as considering the absence of requirements in the special legislation relevant to the case, the Commission makes its final statement in response to the submitted enquiry, namely the medical institutions, in their capacity of controllers, have no legal grounds to require notary certification of the signature when authorizing another person to exercise the data subjects’ rights under Art. 15-22 of the Regulation.
Despite in the context of the exercise of rights of the data subject before a specific type of controllers – namely, the medical institutions, the conclusions drawn by the Commission can be applied in all cases of exercise of data subjects’ rights under the Regulation. In the absence of specific regulation, the “standard” written authorisation should always be sufficient for their exercise through an authorised person.