# 20 Proceedings before the Commission for Personal Data Protection

The Rules of Procedure for the Commission for Personal Data Protection were published on 30 July 2019. They provide details regarding the Commission’s internal structure and organisation, the proceedings before it, as well as the consulting and advising activities through which the Commission provides assistance to controllers.

The Rules of Procedure contain a list of all the proceedings before the Commission: handling of complaints regarding data rights violations; application of the powers granted to supervisory authorities by Regulation (EU) 679/2016 (GDPR); issuing statements on queries regarding personal data protection; approval of standard data protection contractual clauses in accordance with the Regulation; observation of procedures for the transfer of personal data to third parties or international organisations; conduct of preliminary consultations; investigations of notifications of personal data breaches; approval of codes of conduct; accreditation and revocation of accreditation of code of conduct monitoring bodies.

Other procedures may also be established in legislation. In this article we will examine the main proceedings and the ones applicable to most subjects.


Complaints and alerts for data subject rights violations
Complaints and alerts are the means of informing the Commission of a violation of rights protected under the GDPR and the Personal Data Protection Act (PDPA). A complaint is filed for the violation of one’s own rights, whereas an alert is sent when another person’s rights have been violated. Such complaints and alerts cannot be anonymous or unsigned; they must explicitly identify the person or entity against which they are submitted and specify the date and nature of the violation. In case of irregularities, the person lodging the complaint or alert is given 3 days to correct it. The validity, admissibility and merits of the complaint are assessed by the Legal Proceedings and Surveillance Direction of the Commission. The hearings for examination of complaints and alerts are public, and the parties concerned are informed of their date and time. At the end of the proceedings the Commission may decide to apply measures under the GDPR or the PDPA and, alternatively or cumulatively, impose administrative penalties.

Notifications of a personal data breach
This notification is submitted by a controller, and the required content is set out in Article 67, paragraph 3 PDPA and Article 33, paragraph 3 GDPR. Once the notification is submitted, the Commission conducts an investigation within a period of two weeks to determine its own level of involvement (whether it is the lead authority or is supporting the personal data protection authorities of other Member States), the nature of the breach, the number of affected data subjects and records, the possible consequences and the measures taken, as well as the level of risk involved in the breach.

Prior consultation
The Regulation requires controllers to consult the Commission where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Commission is given all the information related to the data processing, and based on it the Commission issues a written statement. The Regulation also provides for the possibility for Member States to make this procedure mandatory for certain types of data processing activities concerning public interest, public health, and social protection. The CPDP’s Rules of Procedure also provide that in some cases the Commission may require controllers to seek consultation and preliminary permission regarding a particular processing operation where public interest and social protection are concerned. This prior consultation is intended, on the one hand, to provide preliminary supervision and, on the other, to assist controllers in taking the necessary precautions to ensure protection of the data subjects’ rights. After the consultation, the Commission can exercise any of its powers under the Regulation (for example to impose a temporary or definitive limitation including a ban on processing, to impose an administrative fine or to issue warnings to the data controller or processor), or issue permission for the planned processing.

Approval of Codes of Conduct
Enterprises, associations, representative structures and categories of controllers are provided with the possibility to adopt their own Code of Conduct. Its purpose is to facilitate the application of the Regulation’s requirements and to guarantee the rights and freedoms of the data subjects whose data will be processed. The proceedings are again initiated by filing an application, which must contain information on the applicant proposing the Code of Conduct, a unique name for the Code, and the categories of controllers it applies to. The draft Code is evaluated as to whether it complies with the Regulation, facilitates the uniform application of the Regulation and guarantees the observation of data subject rights. If a draft is not approved, it is sent back to the applicant for completion or amendment. The approved draft is translated and sent to the European Data Protection Board. This procedure also applies to amendments and supplements to Codes of Conduct already in effect.

Trainings
Organizing and conducting training programmes on personal data protection is the activity of the Commission in which the widest range of subjects might be involved. Such training can be organised on the Commission’s initiative or at a specific request. The request must include the name, address and phone number of the applicant and the relevant documents and information, and it also has to be signed and dated. Regarding activities of high public interest and ones that, by their nature, require special attention, the Commission takes the initiative to organise training programmes for controllers and data processing personnel. According to the Rules of Procedure, data subjects, certifying bodies, controllers, data processing personnel and data protection officers may take part in the trainings. Sessions begin with a test to determine the level of initial knowledge, and there is a final exam as well. The participants receive a certificate confirming successful completion of the training.

# 13 First law in the field of cyber security was adopted in Bulgaria

The first Bulgarian act entirely on cyber security is already a fact.

The new Cyber Security Act (CA/the Act) was promulgated on November 13, 2018. The Act was adopted in compliance with the obligation to transpose Directive (EU) 2016/1148 of 6 July 2016 of the European Parliament and the Council concerning measures for a high common level of security of network and information systems across the Union.

The adoption of the Act is of key importance to ensuring an adequate level of security when using digital technologies and to successfully countering deliberate harmful attacks, since until now there was no such instrument for resolving cyber security issues, only separate rules in a number of special Acts (e.g., the Counter-Terrorism Act, the Electronic Governance Act, the Electronic Communications Act, the Criminal Code, the Ordinance on the Common Requirements for Network and Information Security, etc.).

Which authorities are going to be responsible for cyber security?

The new Act creates new competent authorities and structures in the cybersecurity area:

  • Cyber Security Council;
  • National Single Point of Contact for Cyber Security Issues;
  • National Cyber Security Coordinator;
  • National Competent Authorities for Network and Information Security with administrative authorities, determined by the Council of Ministers;
  • National Response Team for Computer Security Incidents;
  • Sector Response Teams for Computer Security Incidents;
  • a Cybercrime Center within the Chief Directorate “Combating Organized Crime” of the Ministry of Interior, which will be set up to carry out activities concerning the detection, investigation and documentation of computer crimes at national level.

The new Act regulates the powers in this matter of authorities such as:

  • the Chairman of the State Agency for Electronic Governance;
  • the Minister of Defense;
  • the Minister of Interior;
  • the Chairman of the State Agency of National Security.

Who is affected by the new requirements?

The CA contains rules addressed to several different categories of liable entities (public and private):

  • administrative authorities;
  • operators of essential services operating in the following sectors:
    – energy;
    – transport;
    – banking;
    – financial market infrastructures;
    – health sector;
    – drinking water supply and distribution;
    – digital infrastructure. Essential service providers may be both public and private entities of those categories that meet each of the following criteria: (1) they provide an essential service; (2) the provision of the essential service depends on networks and information systems; and (3) network and information security incidents would have a significant disruptive effect on the provision of the service. The operators of essential services will be designated by the competent administrative authorities according to these criteria and in accordance with a methodology adopted by the Council of Ministers. In this regard, the Chairman of the State Agency for Electronic Governance has to draw up a list of the essential services, although this list will not be public;
  • digital service providers providing any of the following services:
    – online marketplace;
    – online search engine;
    – cloud computing services;
  • organisations providing public services that are not designated as essential service providers or digital service providers, when these organisations provide administrative services by electronic means. Public services are those in connection with which administrative services may be provided, namely:
    – educational;
    – health care;
    – water supply;
    – sewage;
    – heat supply;
    – electricity supply;
    – gas supply;
    – telecommunications;
    – postal;
    – banking;
    – financial;
    – trust services within the meaning of Regulation (EU) 910/2014; and
    – other similar services provided in order to satisfy public needs, including services provided as a commercial activity;
  • persons exercising public functions, which are not designated as essential service providers, when providing administrative services by electronic means.

The new Act thus has a potentially very wide range of addressees, so the respective obligated persons need to be familiar with it in order to comply.

In order to avoid imposing a disproportionate financial and administrative burden, micro and small enterprises that are digital service providers, within the meaning of the Micro and Small Enterprises Act, are among the entities excluded from the scope of the new Act.

How does this affect the private sector?

As already emphasized, besides public sector entities, a number of companies from the private sector shall have obligations under this Act as well. Some of the key requirements can be outlined depending on the addressee:

  • Administrative authorities:
    – take appropriate and proportionate measures to ensure network and information security;
    – take appropriate measures to prevent and minimize the impact of incidents affecting their network and information security, in order to ensure the continuity of their activities;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of their activities;
    – take minimum measures for achieving network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
  • Persons exercising public functions and organisations providing public services:
    – provide and are responsible for their network and information security when providing administrative services by electronic means;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of the administrative services they provide electronically;
  • Essential service providers:
    – take appropriate and proportionate measures to ensure a level of network and information security, corresponding to the existing risk;
    – take appropriate measures to prevent and minimize the impact of incidents affecting their network and information security, in order to ensure the continuity of the essential services they provide;
    – notify the sector response teams for computer security incidents for incidents that have an impact on the continuity of the essential services they provide;
    – notify the digital service provider in case of an incident that may have a significant detrimental effect on the continuity of the provided essential service and affects the digital service provider, when the essential service provider relies on a digital service provider to provide a given essential service;
    – take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months of the entry into force of the CA. The network and information security requirements provided for by the Act must be applied by essential service providers only in respect of the essential services they provide;
  • Digital service providers:
    – take appropriate and proportionate technical and organisational measures to manage the risks to the security of the networks and their information systems, used for providing digital services within the territory of Bulgaria;
    – take appropriate measures to prevent and minimize the impact of incidents affecting their network and information security;
    – notify the sector response teams for computer security incidents of incidents that have a significant impact on the continuity of the digital services they provide. A number of criteria are taken into account in determining the impact of an incident;
    – take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of the CA;
    – where a digital service provider is not established in an EU Member State but offers any of the above-mentioned services within the EU, it must designate a representative in the EU, established in a Member State where the services are offered;
    – on certain occasions, it may be necessary for the public to be notified of incidents that have occurred.

It should also be noted that the Act expressly states that where an EU legal act or a sector-specific or service-specific act requires operators of essential services or digital service providers either to ensure the security of their network and information systems or to notify of incidents, those acts apply, provided that their requirements are at least equivalent in effect to the obligations laid down in the CA.

  • Persons not expressly designated as obligated persons under the Act:
    – Apart from the persons expressly mentioned in the Act, other persons may notify the sector response teams for computer security incidents, on a voluntary basis, of incidents that have an impact on the continuity of the services they provide. The obligated persons’ notifications shall be processed with priority.

Regarding the notification obligations

The notification under the Act, in the event of one of the specified incidents occurring, should be made within two hours of identifying the incident, and the complete data should be sent within 5 days.

Notifications shall be submitted using the sample form approved in accordance with an ordinance on the minimum scope of network and information security measures, along with other recommended measures, to be adopted by the Council of Ministers under Art. 3, Para. 2 CA.

By-law legislation is yet to be adopted.

Sanctions

The CA provides for sanctions for violation of its requirements, with fines amounting to BGN 20,000 and property sanctions of up to BGN 25,000.

It should be emphasised that the CA also provides for sanctions for officials who commit, or allow to be committed, a violation under Chapter Two of the Act, with fines of up to BGN 15,000.

The Act entered into force for the most part on November 16, 2018. The provisions on the establishment and functions of an Incident Monitoring and Response Center for incidents with a significant detrimental impact on the communication and information systems of strategic sites and activities relevant to national security, as well as certain notification obligations of the Sector Response Teams for Computer Security Incidents, shall take effect as of January 1, 2022.

Ensuring the secure and orderly functioning of networks and information systems is essential to the facilitation of the cross-border movement of goods, services, capital and people. From this point of view, the European Union is increasingly focusing on the creation of common rules on cybersecurity, as it is an important step towards the establishment of a single digital economy within the internal market. We are about to observe how the new regulation will affect the public and private sectors, but in any case, the EU’s and the Bulgarian legislature’s ambition to create a legal framework on cybersecurity is commendable.