# 13 First law in the field of cyber security was adopted in Bulgaria

The first Bulgarian act entirely on cyber security is already a fact.

The new Cyber Security Act (CA/the Act) was promulgated on November 13, 2018. The Act was adopted in compliance with the obligation to transpose Directive (EU) 2016/1148 of 6 July 2016 of the European Parliament and the Council concerning measures for a high common level of security of network and information systems across the Union.

The adoption of the Act is of key importance to ensuring an adequate level of security when using digital technologies and the successful counteraction to deliberate harmful attacks, since there was no such instrument for resolving cyber security issues until now, just separate rules in a number of special Acts (e.g., The Counter-Terrorism Act, the Electronic Governance Act, the Electronic Communications Act, the Criminal Code, the Ordinance on the Common Requirements for Network and Information Security, etc.).

Which authorities are going to be responsible for the cyber security?

The new Act creates new competent authorities and structures in the cybersecurity area:

  • Cyber ​​Security Council;
  • National Single Point of Contact for Cyber Security Issues;
  • National Cyber ​​Security Coordinator;
  • National Competent Authorities for Network and Information Security with administrative authorities, determined by the Council of Ministers;
  • National Response Team for Computer Security Incidents;
  • Sector Response Teams for Computer Security Incidents;
  • Cyber crime Center within the Chief Directorate “Combating Organized Crime” of the Ministry of Interior will be set up to carry out activities concerning the detection, investigation and documentation of computer crimes at national level;

The new Act regulates the powers in this matter of authorities such as:

  • the Chairman of the State Agency for Electronic Governance;
  • the Minister of Defense;
  • the Minister of Interior;
  • the Chairman of State Agency Of National Security;

Who is affected by the new requirements?

CA contains rules addressed to several different categories of liable entities (public and private):

  • administrative authorities;
  • operators of essential services operating in the following sectors:
    – energy;
    – transport;
    – banking;
    – financial market infrastructures;
    – health sector;
    – drinking water supply and distribution;
    – digital infrastructure. Essential service providers may be both public and private entities of those categories that meet each of the following criteria: 1) they provide essential service; (2) the provision of the essential service should depend on networks and information systems; and 3) network and information security incidents should have a significant disruptive effect on the provision of the service. The operators of essential services will be designated by the competent administrative authorities according to these criteria and in accordance with a methodology adopted by the Council of Ministers. In this regard, the Chairman of the State Agency for Electronic Governance has to make a list of the essential services, which list will not be public though;
  • digital service providers providing any of the following services:
    – online marketplace;
    – online search engine;
    – cloud computing services;
  • organisations providing public services that are not designated as essential service providers or digital service providers when these organisations provide administrative services by electronic means. Public services are services in relation to provision of which administrative services may be provided, namely:
    – educational;
    – health care;
    – water supply;
    – sewage;
    – heat supply;
    – electricity supply;
    – gas supply;
    – telecommunications;
    – postal;
    – banking;
    – financial;
    – trust services within the meaning of Regulation (EU) 910/2014; and
    – other similar services provided in order to satisfy public needs, including services provided as a commercial activity;
  • persons exercising public functions, which are not designated as essential service providers, when providing administrative services by electronic means.

Obviously, the new Act has a potentially very wide range of addressees which justifies the need to know it so that the respective obligated persons can comply with it.

In order to avoid the imposing of a disproportionate financial and administrative burden, enterprises that are micro and small digital service providers, within the meaning of the Micro and Small Enterprises Act, are among the entities, that are excluded from the scope of the new Act.

How does this affect the private sector?

As already emphasized, besides public sector entities, a number of companies from the private sector shall have obligations under this Act as well. Some of the key requirements can be outlined depending on the addressee:

  • Administrative authorities:
    – take appropriate and proportionate measures to ensure network and information security;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security, in order to ensure the continuity of their activities;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of their activities;
    – take minimum measures for achieving network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
  • Persons exercising public functions and organisations providing public services;
    – provide and are responsible for their network and information security when providing administrative services by electronic means;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of the administrative services they provide electronically;
  • Essential service providers:
    – take appropriate and proportionate measures to ensure a level of network and information security, corresponding to the existing risk;
    – take appropriate measures to prevent and minimize the impact of incidents affecting their network and information security, in order to ensure the continuity of the essential services they provide;
    – notify the sector response teams for computer security incidents for incidents that have an impact on the continuity of the essential services they provide;
    – notify the digital service provider in case of an incident that may have a significant detrimental effect on the continuity of the provided essential service and affects the digital service provider, when the essential service provider relies on a digital service provider to provide a given essential service;
    – take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months of entering into force of the CA. The network and information security requirements provided for by the Act must be applied by essential service providers only in respect to the provided essential services;
  • Digital service providers:
    – take appropriate and proportionate technical and organisational measures to manage the risks to the security of the networks and their information systems, used for providing digital services within the territory of Bulgaria;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security;
    – notify the sector response teams for computer security incidents of incidents that have a significant impact on the continuity of the digital services they provide.

A number of criteria are taken into account in determining the impact of an incident;
– take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
– a digital service provider that is not established in a EU Member State but offers any of the above-mentioned services within the EU, the digital service provider must designate a representative in the EU that must be established in a Member State where the services are offered;
– in certain occasions, it may be necessary for the public to be notified of incidents that have occurred.

It should also be noted that the Act expressly states that where it is provided for in a EU legal act or a sector-specific or service-specific act, the operators of essential services or the digital service providers are required either to ensure the security of their network and information systems or to notify of incidents, those acts apply, provided that their requirements are at least equivalent in effect to the obligations laid down in CA.

  • Persons not expressly designated as obligated persons under the Act:
    – Except for persons, expressly mentioned in the Act, other persons may notify on a voluntary basis the sector response teams for computer security incidents of incidents that have an impact on the continuity of the services they provide. The obligated persons’ notifications shall be processed with priority.

Regarding the notification obligations

The notification under the Act in the event of the specified incidents occurring should be made within two hours of identifying the incident and the complete data should be sent within 5 days.

Notifications shall be submitted following the sample form approved in accordance with an ordinance on the minimum scope of network and information security measures, along with other recommended measures to be adopted by the Council of Ministers under Art. 3, Para. 2 CA.

By-law legislation is yet to be adopted.

Sanctions

The CA provides for sanctions for violation of its requirements, with fines amounting to BGN 20,000 and property sanctions – up to BGN 25,000.

It should be emphasised that the CA also provides for sanctions for officials who commit or allow a violation under Chapter Two of the Act to be committed, with fines amounting up to BGN 15,000.

The Act has entered into force as of November 16, 2018 for most of its part. The provisions on the establishment and functions of an Incident Monitoring and Response Center for incidents with a significant detrimental impact on the communication and information systems of strategic sites and activities relevant to national security as well as certain obligations of the Sector Response Teams for Computer Security Incidents for notification shall take effect as of January 1, 2022.

Ensuring the secure and orderly functioning of networks and information systems is essential to the facilitation of the cross-border movement of goods, services, capital and people. From this point of view, the European Union is increasingly focusing on the creation of common rules on cybersecurity, as it is an important step towards the establishment of a single digital economy within the internal market. We are about to observe how the new regulation will affect the public and private sectors, but in any case, the EU’s and the Bulgarian legislature’s ambition to create a legal framework on cybersecurity is commendable.

# 9 The Commission for Personal Data Protection has repealed Ordinance No. 1 of 30 January 2013 – what technical and organizational measures the organizations need to undertake from now on?

With State Gazette, Issue 43 of 25.05.2018 Ordinance No. 1 dated 30 January 2013 on the Minimum Level of Technical and Organizational Measures and the Admissible Type of Personal Data Protection (the Ordinance) was repealed. The Commission for Personal Data Protection (CPDP) has announced that the Ordinance is to be revised and transformed into methodical guidelines to the controllers without committing to a specific deadline (https://www.cpdp.bg/en/index.php?p=element&aid=1151).

Thus, among other uncertainties concerning the application of the General Data Protection Regulation (“GDPR”), yet another important question arises – what technical and organizational measures should be applied by the organizations from now on in order to ensure an appropriate level of security of the data they process.

Applicable measures under the repealed Ordinance

The repealed Ordinance provided for 5 types of personal data protection (physical, personnel, documentary protection, protection of automated information systems and/or networks and cryptographic protection) and contained detailed regulation of the technical and organizational measures for their implementation.

The CPDP’s previous approach was to oblige the controllers to carry out an impact assessment on each personal data register they keep. On the basis of the determined level of impact for the register the controllers had to apply corresponding level of data protection – a mandatory minimum set of measures settled for each level of impact in the Ordinance. Now the lack of compulsory list of such measures leaves plenty of room for speculation in this respect, so the analysis below is intended to bring some clarity on the issue.

Art. 32 of the GDPR lists some exemplary, but not mandatory measures such as pseudonymization, encryption, etc., which can offer the organizations guidance in terms of what measures are considered appropriate. Of course, the final choice depends on the context and the purposes of the processing. In this sense, although both controllers and processors are not required to apply any of the measures explicitly listed in the GDPR, their obligation to ensure the security of the data processed remains.

Applicable technical and organizational measures from now on

In the process of assessment every controller or processor should bear in mind the following:

First, the GDPR focuses on the protection of personal data as a fundamental human right of the EU citizens. Therefore, the understanding that the GDPR constitutes а “fully technological framework” is untrue. The requirement to implement technical and organizational measures to ensure data security undoubtedly has an important role, but it is just one of the seven basic principles of data protection laid down in the GDPR. In other words, even if we have applied extremely high security measures, even if all the information we handle is encrypted – if we process these data without legal or for illegal purposes or we have not properly informed individuals about such processing etc., our business will not meet the GDPR requirements whatsoever.

Second, GDPR sets out a number of criteria to guide the controller or the processor in defining these measures and choosing the most appropriate amongst all of them. Through this approach, the European legislator achieves a fairly good balance between the freedom of action and the crucial responsibility for attaining an adequate level of data protection.

Nonetheless, the main set of measures laid down in the repealed Ordinance could serve as a good guidance or as a point of reference in terms of data protection. Of course, the assessment should be tailored to the particularities of each and every type of processed personal data in compliance with the established standards and best practices for information security.

In the meantime, we will continue to monitor and keep you updated on the development of the case and the subsequent regulation on the appropriate personal data protection measures as well as the specific measures, undertaken on local level regarding the implementation of the GDPR.

# 8 ACCOUNTABILITY AS A NEW GDPR PRINCIPLE

Following our previous publications regarding the GDPR, we will now review one of the entirely new concepts in data protection introduced by the Regulation, namely accountability.

Accountability in practice means that the data controller is able to demonstrate at any time that personal data are processed lawfully, fairly, in a transparent manner and limited to clearly defined purposes, keeping the data accurate and up to date and retaining it only for the time required to achieve these purposes, while ensuring an appropriate level of security and protection of the personal data.

Accountability implies proper documentation of all the processes of processing personal data within the undertaking. In other words, undertakings should keep documentary track of the processing – relevant written records allowing for traceability of the data processing processes and serving as an element by which to demonstrate compliance with the GDPR requirements in the event of a CPDP inspection.

Among others, some of the most essential tools for achieving accountability are the following:
• maintaining records of the processing activities under Art. 30 GDPR;
• proper regulation of the relations with data subjects with regard to data processing (through personal data protection policies, privacy notices, etc.);
• proper regulation of relations with third parties regarding the transfer of data (contracts between controllers and contracts between controllers and processors);
• designation of a data protection officer, where applicable;
• conducting an impact assessment in the presence of a high risk to the rights and freedoms of the data subjects;
• timely communication to the Commission for Personal Data Protection and the data subject in cases of personal data breaches;
• implementing voluntary certification mechanisms and/or compliance with codes of conduct;
• аdopting internal rules for personal data protection (guidelines, policies, etc.).

Of the above listed tools, particular attention should be given to record-keeping of the processing activities. These records shall be maintained by the personal data controller and the processor and shall be made available to the supervisory authority upon its request. The content of the records is laid down in detailed in the GDPR (Article 30, paragraphs 1 and 2).

The obligation of record keeping does not apply to organisations with fewer than 250 employees unless (i) the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (ii) includes special categories of personal data or personal data relating to criminal convictions and offences. Regardless of which of these exceptions is present, the organisation concerned shall keep records of the relevant processing activity.

The impact assessment is also important for adherence to the principle of accountability. The Working Party established by Art. 29 accepts that the data protection impact assessment is a key tool for achieving accountability as it not only contributes to compliance with the requirements but also demonstrates the existence of appropriate safeguards.

The Working Party established by Article 29 – an European Union data protection advisory body – in one of its opinions on the old data protection regime points out some of the categories of general accountability measures other than the ones listed above, the most important of which are[1]:
• identifying all data processing processes within the organisation;
• ensuring adequate level of data protection, training the staff members processing or responsible for personal data (such as heads of human resource departments), but also IT managers, developers and business units directors, as well as allocating sufficient resources for protection of personal data within the organisation;
• establishing an internal mechanism for handling complaints;
• developing internal procedures for the effective management and reporting of data protection breaches;
• implementing and monitoring verification procedures to ensure that all the measures are not only formal ones, but they are actually introduced and implemented (internal or external audits, etc.).

What is the practical need for the principle of accountability and why should an organization make efforts to comply with it?

Personal data are a specific type of “resource” for any organisation. They constitute a powerful business tool as they provide information about the choices, preferences, attitudes and needs of consumers. This opens up great prospects for better marketing, PR, etc. Besides being a resource, personal data are a special category of information that may affect the privacy of the persons they relate to, or allow for malpractices (manipulations, etc. – an example of this is the scandal with Cambridge Analytica and data from the social network Facebook). Therefore, organisations should ensure adequate level of protection for this type of data. This is increasingly important in the context of the new rules and high sanctions introduced by the GDPR.

The purpose of the accountability principle is to gradually develop a culture of proper documentation of the entire movement of any personal data within the organisation. This would allow companies to have greater control and will enable them to more adequately manage their resources, and in a case of an inspection – to demonstrate compliance with the GDPR requirements.

[1] Opinion 3/2010 on the principle of accountability, WP 173, Adopted on 13 July 2010, p. 11-12.

#7 Bill on Amendment and Supplement to the Personal Data Protection Act is published for public consultation

On 30 April 2018, less than a month before the date of which the new European Data Protection Regulation – Regulation 2016/679 (GDPR) begins to apply, a Bill on Amendment and Supplement to the Personal Data Protection Act, currently in force in Bulgaria, was published in the public domain (the Bill). The Bill aims at harmonizing the Bulgarian legislation on the protection of personal data with the European one.

In this publication we will only focus on some of the most important and interesting elements of the Bill, and the whole Bill should be subject to detailed analysis and evaluation by all stakeholders in the following days:

  • The Commission for Personal Data Protection (CPDP), which had so far fulfilled this function, was officially appointed as a supervisory body within the meaning of GDPR. It will be the independent body that will monitor the protection of individuals in the processing of their personal data and the enforcement of the Regulation.
  • GDPR introduced a new figure to society, namely the Data Protection Officer. With the Bill, the Bulgarian legislator provided for a new ground for appointing such a person, setting precise limits for his appointment, namely the processing of personal data of “10,000 individuals”.
  • The Bill provides that the CPDP should organize and conduct trainings of the persons designated for taking the position of a “data protection officer” or of persons wishing to be trained to take up this position. The trainings will be paid at a rate set by the Minister of Finance. This is a specific national solution that has no analogue in GDPR and which is rather controversial, because the European legislation does not require specific certification/mandatory registration for this position.
  • One of the Bill’s interesting innovations relates to following obligation: in case data is received without a legal basis, whether by a controller or a processor, the latter has to return it immediately or deleted it within one month of getting aware of the fact.The age threshold for obtaining children’s consent f
  • or the provision of information society services is reduced (from 16 years under GDPR to 14 years under the Bill). Here the change is quite reasonable considering the “total incapacity” institute, established for persons under 14 years of age under Bulgarian law.
  • According to the Bill, public access to National Identification Number / Foreigner Identification Number will be provided solely if required by law. Therefore, controllers providing electronic services will need to take technical and organizational measures to avoid National Identification Number to be the only identifier for the provision of the service.
  • The Bill contains specific rules for balancing the freedom of academic, artistic and literary, expression with the protection of personal data.

Important changes also stand with regard to employers. The legislator took advantage of the opportunity provided by Art. 88 of the GDPR, by establishing special rules in this respect.

  • The Bill provides for the prohibition of copying the national ID document, the driving license, the worker / civil servant residence permit, with only one admissible hypothesis, namely the existence of an explicit legal obligation on the controller or the processor.
  • Employers will also need to provide for a number of rules and procedures to show compliance with the new law and to ensure that these rules and procedures are brought to the attention of employees. Such will be needed, for example, in the framework of: (i) a system of evidence of breaches, (ii) restrictions on the use of in-house resources, and (iii) access control, working time and labor discipline.
  • The employer will be able to store personal data of participants in personnel selection procedures for up to 3 years.

With the Bill, in addition to synchronizing national provisions with GDPR requirements, the legislator will also transpose the Directive (EU) 2016/680 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, and has dedicated a whole chapter of the Bill to this end.

Interestingly, the legislator set out minimum thresholds (such do not exist under the GDPR) of BGN 10,000 for infringements punishable with a fine of up to EUR 20,000,000 and BGN 5,000 for infringements punishable with a fine of up to EUR 10,000,000.

For offenses other than those specified in the GDPR, a fine of BGN 1,000 to 5,000 is introduced. For failure to comply with the CPDP’s prescription, the sanctions will also vary in quite high amounts, namely between BGN 2,000 and BGN 200,000.

It remains to be seen whether this Bill will be adopted according to the proposed draft version. In any case, the positive intention of the Bulgarian legislator to settle the issue of bringing national legislation in line with the new rules on personal data protection before 25 May 2018 should be appreciated. Unfortunately, however, the short deadlines for public discussion (opinions on the Bill can be submitting by 14 May 2018) may be a barrier to the possibility of a detailed and comprehensive national discussion of the proposed measures.

Link to the Bill

Introduction

Dear clients and partners,

From May 25, 2018, the new European regulation on personal data protection – Regulation 2016/679 (GDPR) shall apply. GDPR introduces stricter requirements for the business regarding personal data protection as well as unprecedented sanctions. The amount of the sanctions provided can reach up to EUR 20 million or 4 % of the total worldwide annual turnover of the undertaking of the preceding financial year, whichever is higher.

What are personal data? Are we processing such?
Do the new GDPR rules affect us?
Is our business ready to face that challenge?
What is the best way to protect ourselves from sanctions? How can we minimize the risks to our business?
Should we change the business processes?

Each one of you has reasonably been asking themselves at least part of these questions and perhaps a lot more. Being your trusted partner, the Dimitrov, Petrov & Co.’s team will help you familiarize yourself with the essence of the new requirements by preparing a series of explanatory publications on key concepts regarding GDPR.

We are glad to present to you our first GDPR publication focusing on the data protection officer (DPO). Let us take the first steps towards GDPR together!

The team of Dimitrov, Petrov & Co.

# 1 Data Protection Officer

The Data Protection Officer (DPO) is a new figure introduced by the GDPR in order to assist organisations in managing personal data protection. DPO is supposed to be the “person in charge’ regarding all personal data protection issues within the undertaking – from providing clarifications and advice to employees and management body, through control of data processing activities, to functioning as the contact point for both the supervisory authorities and the data subjects whose personal data are being processed.

While under the current regime, the undertakings have been given the opportunity, at their discretion, to appoint the so called „Data Protection Official”, under GDPR for first time the designation of a “person in charge” of personal data protection becomes mandatory for the organizations (personal data controllers and processors). GDPR requires the designation of DPO in three specific cases:

  • where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
  • where the core activities of the controller or the processor consist of:
    • processing operations, which require regular and systematic monitoring of data subjects on a large scale. A “large-scale” would be considered for instance, the processing of patient data in the regular course of business by a hospital; the processing of travel data of individuals using a city’s public transport system; the processing of customer data in the regular course of business by an insurance company or a bank; processing of personal data for behavioural advertising by a search engine; processing of data (content, traffic, location) by telephone or internet service providers, etc. On the other hand, “Regular and systematic” would be monitoring which involves operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking; loyalty programs; behavioural advertising; closed circuit television, etc.¹;
    • processing on a large scale of special categories of data under GDPR (e.g. personal data revealing racial or ethnic origin, data concerning health or data concerning a natural person’s sex life or sexual orientation; genetic data, biometric data such as fingerprints, facial shapes, iris, retina, etc.) or data relating to criminal convictions/ offences.

Besides in the cases listed above, Member States may set additional requirements for the designation of a DPO. According to information available on the website of the Bulgarian Commission for Personal Data Protection, DPO needs to be designated also in the cases where the organization processes personal data of more than 10 000 individuals². Even when the designation of DPO is not mandatory, GDPR allows organizations to voluntarily appoint DPO – such an appointment may be a successful marketing and reputational tool, as well as an efficient way of fulfilling some burdensome obligations. If an undertaking, even not having such an obligation, appoints DPO, it needs to comply with all the GDPR’s rules regarding this position, including ensuring independence.

DPO should possess an in-depth expertise on data protection law and practice. A single DPO is allowed to be designated by a group of undertakings (provided that the said DPO is easily accessible from each undertaking) or by a several public authorities/ bodies, taking account of their organisational structure and size. According to GDPR, DPO may be a staff member of the organisation or to be external fulfilling the tasks on the basis of a service contract. It is a matter of judgement for each organisation to decide what is the best way to designate DPO taking into account the specifics of its operation. Given that DPO is a staff member, he or she cannot combine other functions which would be in conflict with his or her duties and responsibilities as DPO. For example, senior management positions such as chief executive, head of Human Resources, chief financial or head of IT department cannot act as DPO, as they will have to control themselves. Any DPO must be “independent” – he/she shall be responsible to the highest management only and cannot be dismissed or sanctioned for reasons related to the performance of his/ her tasks (e.g. for consulting the controller to conduct impact assessment, because DPO considers a particular data processing operation to be particularly risky).

The rules and requirements regarding DPO need to be taken seriously as their infringement may result in fines up to EUR 10 million, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. If properly used, the DPO figure may turn into a powerful tool for achieving and maintaining compliance with the new rules.

¹ Refer to Guidelines on Data Protection Officers (‘DPOs’) by the Data Protection Working Party under Art. 29, available at the following Internet address: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

² Refer to See Ten practical steps to implement the General Data Protection Regulation by the CPDP available at the following Internet address: https://www.cpdp.bg/?p=element&aid=1109

The team of Dimitrov, Petrov & Co.

The present material is elaborated by the team of Dimitrov, Petrov & Co. Law Firm and is addressed to clients and partners of the firm as well as other readers interested in the law field and in the field of personal data protection.

The information and the opinions in this material are not a comprehensive and detailed analysis of the considered legal issues.

The presented analyses and other information materials are not legal advice or consultation, and shall not be apprehended as sufficient for dealing with specific legal issues, cases, etc. All materials in the present e-blog are under the protection of the Copyright and Neighboring Rights Act. Any kind of change, publishing, distribution, etc. without prior explicit consent of Dimitrov, Petrov & Co. is forbidden.