#22 The Bulgarian Constitutional Court declared the provision of PDPA on data processing for journalistic purposes unconstitutional

By decision of November 15, 2019 the Constitutional Court (CC) declared unconstitutional the provision governing the processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary expression (Article 25h of the Personal Data Protection Act – PDPA). The text was adopted within the option provided by Regulation 2016/679 (GDPR) for Member States to align the right to protection of personal data with the right to freedom of expression and information.

The decision of the CC put an end to the turbulent history of the provision. Initially, the provision was widely criticized by the media and journalistic organizations, then the President vetoed changes to the act because of it, and in March 2019 the CC was seised by 55 members of parliament with an appeal to declare it unconstitutional.

The primary reason for the controversy was the criteria introduced for assessing the balance between freedom of expression and the right to information and the right to protection of personal data, in which those seeking to declare the provision unconstitutional saw a potential threat of legal censorship on freedom of expression.

In its decision, the CC refers to European legislation, international human rights instruments and the case law of the Court of Justice of the European Union (ECJ) and the European Court of Human Rights (ECHR). The CC has repeatedly emphasized that it follows the principles of “balance of interests” and proportionality which are agreed and adopted at European level.

CC finds the provision of the PDPA unconstitutional for the following primary reasons:

  • The CC accentuates that the balancing of the various rights, in this case the protection of personal data and the right to freedom of expression and information, has to be carried out through a rational and pragmatic approach, taking into account the specific circumstances of each individual case; therefore the introduction of criteria into a general legal rule creates a risk to the proper balancing of interests and is contrary to the practice of the ECJ and the ECHR to make an objective assessment;
  • According to the CC, the provision does not meet the requirements for comprehensibility, precision, unambiguity and clarity, as it does not clearly define to its addressees what is inadmissible. The CC criticizes several criteria in particular which make it impossible for the media/journalists to align their behavior with the law and to apply the so-called “journalistic exemption” allowing them to process personal data under specific conditions. The decision of the CC also states that the ambiguity of the criteria gives the law enforcement bodies unpredictable power.
  • According to the CC, the provision runs counter to the GDPR spirit and reason, since the Regulation seeks to allow Member States to introduce exemptions and derogations to the general rules that balance the protection of personal data and the right to freedom of expression and information, rather than to allow them to adopt rules that are “burdensome to the media/journalists”. The CC expressly emphasizes that such interpretation of the GDPR by the Bulgarian legislature “makes it extremely difficult to further limit state interference in terms of freedom of expression of the media/journalists”, and that the provision would distort the balance between fundamental rights to the detriment of the right to expression and information;
  • Last but not least, the CC considers the provision disproportionate to the objective it pursues as it excessively restricts the right to freedom of expression and information; The CC assumes that the provision impedes the attainment of the objectives of journalistic activity and the function of the media, as it may lead to self-censorship motivated by an attempt to comply with unclear criteria. In addition, the CC accentuates that the measure is unnecessary because there is a much less restrictive and well-established alternative – to improve self-discipline in the media industry, including by adopting codes of conduct drafted jointly by media organizations and CPDP, as is the practice in democracies and what is explicitly provided for in the GDPR.

In conclusion, the CC announced the provision of 25h, Para 2 PDPA as unconstitutional due to unpredictability, legal uncertainty and limitation of the right to freedom of expression and information disproportionate to the objective pursued in the context of journalistic expression.

We have yet to see whether the lawmaker will try to formulate a new legal rule to strike a balance between the right to protection of personal data and the right to freedom of expression and information, or similar to the recommendations in the decision of the CC – the balance will be sought through self-regulation of the media industry – e.g. through codes of conduct. The full text of the decision is available only in Bulgarian here.

# 21 Websites with a Facebook “Like“ button – the recent CJEU judgement sheds light on some key questions regarding the application of GDPR

If a website operator embeds a social plugin, such as the Facebook “Like” button, this triggers the collection and transmission of the visitors’ personal data to the plugin provider. The processed data include the IP address and the page content accessed by the visitors and are transmitted automatically by the browser even if the visitor does not have a social media account and regardless of whether the visitor clicks on the button.

This caused a legal dispute in Germany after the Verbraucherzentrale NRW, a public-service association tasked with safeguarding the interests of consumers, brought legal proceedings against the online retailer FashionID that used such social plugins, collecting and transmitting personal data to Facebook Ireland without informing its visitors or requesting their consent. Following a decision of the Regional Court Düsseldorf that ruled against FashionID, the Higher Regional Court Düsseldorf referred the case to the Court of Justice of the European Union (CJEU) requesting interpretation of several provisions of the former Data Protection Directive of 1995.

Although the Directive was repealed by the General Data Protection Regulation (GDPR) last year, the recent judgement of the CJEU can lead to a better understanding of the current European data protection law.

Admissibility of the Action

The Court held that consumer protection associations are granted the right to bring legal proceedings against a party that is allegedly responsible for the infringement of the protection of personal data under both the former Directive and the new General Data Protection Regulation.

Processing of Data

The Court found that FashionID shall be considered a joint controller together with Facebook Ireland regarding the processes it has influence on, namely the collection and transmission of personal data on its website. However, FashionID is not liable for the data processing carried out by Facebook after the data has been transmitted.

Therefore, the website operators must thoroughly inform their visitors about the data processing operations. Furthermore, a legal basis is necessary to lawfully process the personal data of the website visitors. The Court provides interpretation of two of the legal grounds enlisted in Article 6 GDPR.

The website operator must obtain the consent of the visitors regarding the operations in which it acts as a joint controller, namely the collection and transmission that occurs through the website plugins.

When it comes to the pursuit of a legitimate interest, it can be a legal basis only if the processing is necessary for the legitimate interests of both joint controllers.

A social plugin brings a lot of advantages for a website such as bigger outreach of its content, optimisation of its visibility on social media, keeping track on the popularity of the goods offered. In order to still use it and avoid liability, a website operator should inform the website visitors on all points enlisted in Article 13 GDPR such as the ways it processes data, the purposes of processing and legal grounds and the recipients of the data. In most cases these would be Facebook and Google as the most popular social plugin providers.

A possible solution to data protection concerns is implementing social plugins in a way that prevents the automatic transmission of data. In the case of Facebook, the technological giant provides the Like and Share Button as a program code. Instead of embedding it without changing anything, the button can be designed as a link to a pop-up window – the so called “Two-click method“.This way, the plugin and the transmission of data it facilitates are activated not by just opening the website, but only after clicking on the button and giving consent to the processing of data. All this information must be included in the privacy policy statement and its terms and conditions.

Sources:

Case C-40/17, CJEU, Second Chamber, 29 July 2019, available at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=C928F3FB3CCCF093027557F27F1CCD39?text=&docid=216555&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8508664

#20 Proceedings before the Commission for Personal Data Protection

The Rules of Procedure for the Commission for Personal Data Protection were published on the 30 July 2019. They provide details regarding the Commission’s internal structure and organisation, the proceedings before it, as well the consulting and advising activities through which the Commission provides assistance to controllers.

The Rules of Procedure contain a list of all the proceedings before the Commission: handling of complaints regarding data rights violations; application of the powers granted to supervisory authorities by Regulation (EU) 679/2016 (GDPR); issuing statements on queries regarding personal data protection; approval of standard data protection contractual clauses in accordance with the Regulation; observation of procedures for the transfer of personal data to third parties or international organisations; conduct of preliminary consultations; investigations of notifications of personal data breach; approval of codes of conduct; accreditation and revocation of accreditation of code of conduct of the monitoring bodies.

Other procedures may also be established in legislation. In this article we will examine the main proceedings and the ones applicable to most subjects.


Complaints and alerts for data subject rights violations
Complaints and alerts are the means of informing the Commission of a violation of rights protected under the GDPR and the Personal Data Protection Act (PDPA). A complaint is filed for the violation of one’s own rights, whereas an alert is sent when another person’s rights have been violated. Such complaints and alerts cannot be anonymous or unsigned and must explicitly identify the person or entity, against which they are submitted, date and nature of the violation being specified as well. In case of irregularities, the person lodging the complaint or alert is given 3 days to correct the complaint. The validity, admissibility and merits of the complaint are assessed by the Legal Proceedings and Surveillance Direction of the Commission. The hearings for examination of complaints and alerts are public and the parties concerned are informed about their date and hour. At the end of the proceedings the Commission may decide to apply measures according to GDPR or PDPA and, alternatively or cumulatively, impose administrative penalties.

Notifications of a personal data breach
This notification is submitted by a controller, and the required content is set out in Article 67, paragraph 3 PDPA and Article 33, paragraph 3 GDPR. Once the notification is submitted, the Commission, within a period of two weeks, conducts an investigation, to determine its own level of involvement (whether it is the lead authority or it is supporting other personal data protection authorities in other Member States), the nature of the breach, the number of affected data subjects and records, the possible consequences and measures taken, as well as the level of risk involved in the breach.

Prior consultation
The Regulation requires controllers to consult the Commission where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Commission is given all the information related to the data processing, and base on it the Commission issues a written statement. The Regulation also provides for the for the possibility for Member States to make this procedure mandatory for certain types of data processing activities concerning public interest, public health, and social protection. The CPDP’s Rules of Procedure also provides that that in some cases the Commission may require controllers to seek consultation and preliminary permission regarding a particular processing operation where public interest and social protection are concerned. This prior consultation is intended to provide preliminary supervision, on the one hand, and to assist controllers in taking the necessary precautions to ensure protection of the data subjects’ rights. After the consultation, the Commission can exercise any of its powers under the Regulation (for example to impose a temporary or definitive limitation including a ban on processing, to impose an administrative fine or to issue warnings to the data controller or processor), or to issue a permission for the planned processing.

Approval of Codes of Conduct
Enterprises, associations, representative structures and categories of controllers are provided with the possibility to adopt their own Code of Conduct. Its purpose is to facilitate the application of the Regulation’s requirements and to guarantee the rights and freedoms of the data subjects whose data will be processed. The proceedings are again initiated by filing an application which must contain information on the applicant proposing the Code of Conduct, a unique name for the Code, and the categories of controllers it is applied to. The draft Code is evaluated as to whether it complies with the Regulation, facilitates the uniform application of the Regulation and guarantees the observation of data subject rights. In case a draft is not approved, it is sent back to the applicant for complementing or amending. The approved draft is translated and sent to the European Data Protection Board. This procedure is also applied to amendments and supplements to Codes of Conduct already in effect.

Trainings
Organizing and conducting training programmes on personal data protection is the activity of the Commission where the widest range of subject might be involved. Such training can be organised upon the Commission’s initiative or at a specific request. The request must include the names, address and phone number of the applicant, the relevant documents and information, and it also has to be signed and dated. Regarding activities of high public interest and ones that, by their nature, require special attention, the Commission takes the initiative to organise training programmes for controllers and data processing personnel. According to the Rules of Procedure, data subjects, certifying bodies, controllers, data processing personnel and data protection officers may take part in the trainings. Sessions begin with a test for determining the level of initial knowledge, and there is a final exam as well. The participants receive a certificate confirming successful completion of the training.

#19 The Bulgarian Commission for Personal Data Protection Published an Opinion on the Form of Authorisation regarding the Exercise of Rights of Data Subject before Medical Institutions

Crucial for any controller opinion of the Bulgarian Commission for Personal Data Protection (the Commission) on the form of authorisation regarding the exercise of rights of the data subject before medical institutions has recently been published on their website.

The Commission made its statement in response to an enquiry submitted by a medical institution regarding patients’ access to their personal data, as well as regarding the exercise of their rights as data subject through an authorised person. The issue arose in the process of preparation of the institution’s internal rules on data protection aimed at synchronizing their data processing activities with the requirements of Regulation (EU) 2016/679. There are no clear provisions on this issue neither in the European, nor in the national legislation. To put it short, is a notarized form of authorization required for the exercise of the data subjects’ rights by another person under Articles 15-22 of the Regulation?

In its legal analysis, the Commission examines the conditions for the exercise of the data subjects’ rights as set out in Art. 12 of the Regulation. For the controller, the verification of the data subject’s identity is the the thing to begin with. The manner in which such verification is carried out depends on the specifics of each case, but the controller is generally supposed to use the already available data on the subject. Where there is doubt, the controller may request additional information from the data subject, and in case such is not provided or is unconvincing, the controller may refuse a remedy bearing the burden of proof regarding the unverifiability of the subject’s identity. With regards to the data subject, the procedure for the submission of rights requests is laid down in the Personal Data Protection Act – namely, a written application to the controller is required, unless otherwise specified by the controller, including by electronic means or an user interface. The Act states that an application submitted by an authorised person shall be accompanied by the respective form of authorisation. The Commission furthermore addresses the Health Act and the opportunity provided therein for patients to authorize another person in a written form to get acquainted with their medical files and make copies thereof . Taking into account the general regulatory framework regarding authorisation contained in the Obligations and Contracts Act which provides for an aggravated form of authorisation only upon the conclusion of transactions in aggravated form, as well as considering the absence of requirements in the special legislation relevant to the case, the Commission makes its final statement in response to the submitted enquiry, namely the medical institutions, in their capacity of controllers, have no legal grounds to require notary certification of the signature when authorizing another person to exercise the data subjects’ rights under Art. 15-22 of the Regulation.

Despite in the context of the exercise of rights of the data subject before a specific type of controllers – namely, the medical institutions, the conclusions drawn by the Commission can be applied in all cases of exercise of data subjects’ rights under the Regulation. In the absence of specific regulation, the “standard” written authorisation should always be sufficient for their exercise through an authorised person.

# 18 The Bulgarian Commission for Personal Data Protection published an opinion on the determination of the figures of “controller” and “processor” in the conduct of clinical trials

Crucial for the pharmaceutical sector opinion of the Bulgarian Commission for Personal Data Protection (CPDP/Commission) on the determination of the figures of “controller” and “processor” in the conduct of clinical trials was published on 10.06.2019 on the website of the Commission.

According to the opinion, when conducting clinical trials, the medical institutions and the sponsor of the clinical trial act in the capacity of joint controllers under the meaning of Art. 26 of the Regulation (EU) 2016/679 (GDPR).

The opinion has been published after CPDP examined a request by a company having the capacity of a “sponsor” under the meaning of § 1, item 8 of the Additional Provision of the Medical Products in the Human Medicine Act (MPHMA), i.e. a company which is responsible for initiating, management and/or financing a clinical trial and is participating in the clinical trials initiated by it. The requesting company states that while conducting clinical trials, the sponsor also has relations with other persons participating in the clinical trials, namely with the principal investigator and the investigators, as well with the members of the investigator’s team – collaborators, monitors and auditors of the trial.

To clearly determine the roles of the parties, CPDP examines the figures of “Controller” and “Processor” in the light of the national and EU legislation regulating clinical trials. Furthermore, CPDP explains that the Regulation (EU) No 536/2014 of the European Parliament and of the Council on Clinical Trials on Medicinal Products for Human Use and the MPHMA exhaustively determines the functions and tasks of all persons participating in a clinical trial. According to the Commission, the data processing activities related to the conduct of clinical trials, could not be carried out “on behalf” of the sponsor of the trial, since such activities cannot be carried out by it, but only by organizations authorized in accordance with the applicable procedures and having the status of a “medical institution”. This is yet another confirmation of the thesis long ago adopted both in theory and practice (including that of CPDP), that not each assignment contract automatically leads to arising of relationship of the type of controller-processor and that in order to adequately determine the roles and responsibilities of the parties with regard to the processing of personal data, the nature of the rights and obligations of the parties in the contractual relationship need to be taken into account.

An additional argument for classification of the parties‘ roles according to CPDP is the Opinion 1/2010 of the Article 29 Data Protection Working Party (now European Data Protection Board) on the concepts of “controller” and “processor” which explicitly states that when conducting clinical trials, the participants are processing personal data in the capacity of joint controllers (p. 30 from the Opinion).

The main consequence of this opinion for the pharmaceutical companies and the medical institutions that conduct clinical trials is that they will need to conclude an agreement between themselves that shall in a transparent manner determine their respective responsibilities for compliance with the obligations in the field of data protection. In particular, they will have to regulate matters related to exercising the rights of the data subject and their respective duties to provide the information referred to in Art. 13 and 14 of GDPR. Furthermore, the data subjects-participants in the clinical trial may exercise their rights in respect of and against each any of the controllers. (Art. 26, Para. 3 of GDPR).

# 16 INFORM e-Learning platform – a convenient means for introduction to data protection law

Recently our colleagues from Law and Internet Foundation have launched an online platform that introduces data protection law in an easily accessible manner. The e-learning platform is built as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project and is available on the following link.

The registration is quick and straightforward, allowing the user to choose his/ her role (judiciary, court staff & legal practitioner) since the platform is organised in three distinct modules. Each of the modules provides tailored content according to the specifics of each of the roles.

The platform provides comprehensive introduction to EU data protection law, focusing not only on GDPR but also on the provision of Directive 2016/680. The users can quickly check their knowledge on the topic as the e-learning platform maintains self-assessment functionality.

This article is created as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project, financed under the Justice Program of the European Commission. The contents of this article are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

# 14 The Bulgarian Commission for Personal Data Protection adopted list of the processing activities where data protection impact assessment under GDPR is mandatory

Further to publication #12 Data Protection Impact Assessment from our Blog we inform You that the Commission for Personal Data Protection published a list of the types of processing operations for which data protection impact assessment (DPIA) is required. The list was published on 13.02.2019 on the Commission’s website.

Pursuant to the above-mentioned list data controllers whose main or single establishment is on the territory of the Republic of Bulgaria are required to conduct compulsory DPIA in each of the following cases:
• Large scale processing of biometric data for the purposes of the unique identification of a natural person, which is not occasional;
• Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing operations for which the provision of information to the data subject pursuant to Art. 14 of GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when this is related to large scale processing;
• Personal data processing by controller whose main place of establishment is outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria;
• Regular and systematic processing for which the provision of information pursuant to Art. 19 of GDPR by the controller to the data subject is impossible or involves disproportionate efforts;
• Processing of personal data of children in relation to the offer of information society services directly to a child;
• Migration of data from existing to new technologies when this is related to large scale data processing.

The current list – adopted on the basis of Art. 35 Para 4 of GDPR – is non-exhaustive and can be updated, if necessary. We will inform You accordingly for any such updates.

# 13 First law in the field of cyber security was adopted in Bulgaria

The first Bulgarian act entirely on cyber security is already a fact.

The new Cyber Security Act (CA/the Act) was promulgated on November 13, 2018. The Act was adopted in compliance with the obligation to transpose Directive (EU) 2016/1148 of 6 July 2016 of the European Parliament and the Council concerning measures for a high common level of security of network and information systems across the Union.

The adoption of the Act is of key importance to ensuring an adequate level of security when using digital technologies and the successful counteraction to deliberate harmful attacks, since there was no such instrument for resolving cyber security issues until now, just separate rules in a number of special Acts (e.g., The Counter-Terrorism Act, the Electronic Governance Act, the Electronic Communications Act, the Criminal Code, the Ordinance on the Common Requirements for Network and Information Security, etc.).

Which authorities are going to be responsible for the cyber security?

The new Act creates new competent authorities and structures in the cybersecurity area:

  • Cyber ​​Security Council;
  • National Single Point of Contact for Cyber Security Issues;
  • National Cyber ​​Security Coordinator;
  • National Competent Authorities for Network and Information Security with administrative authorities, determined by the Council of Ministers;
  • National Response Team for Computer Security Incidents;
  • Sector Response Teams for Computer Security Incidents;
  • Cyber crime Center within the Chief Directorate “Combating Organized Crime” of the Ministry of Interior will be set up to carry out activities concerning the detection, investigation and documentation of computer crimes at national level;

The new Act regulates the powers in this matter of authorities such as:

  • the Chairman of the State Agency for Electronic Governance;
  • the Minister of Defense;
  • the Minister of Interior;
  • the Chairman of State Agency Of National Security;

Who is affected by the new requirements?

CA contains rules addressed to several different categories of liable entities (public and private):

  • administrative authorities;
  • operators of essential services operating in the following sectors:
    – energy;
    – transport;
    – banking;
    – financial market infrastructures;
    – health sector;
    – drinking water supply and distribution;
    – digital infrastructure. Essential service providers may be both public and private entities of those categories that meet each of the following criteria: 1) they provide essential service; (2) the provision of the essential service should depend on networks and information systems; and 3) network and information security incidents should have a significant disruptive effect on the provision of the service. The operators of essential services will be designated by the competent administrative authorities according to these criteria and in accordance with a methodology adopted by the Council of Ministers. In this regard, the Chairman of the State Agency for Electronic Governance has to make a list of the essential services, which list will not be public though;
  • digital service providers providing any of the following services:
    – online marketplace;
    – online search engine;
    – cloud computing services;
  • organisations providing public services that are not designated as essential service providers or digital service providers when these organisations provide administrative services by electronic means. Public services are services in relation to provision of which administrative services may be provided, namely:
    – educational;
    – health care;
    – water supply;
    – sewage;
    – heat supply;
    – electricity supply;
    – gas supply;
    – telecommunications;
    – postal;
    – banking;
    – financial;
    – trust services within the meaning of Regulation (EU) 910/2014; and
    – other similar services provided in order to satisfy public needs, including services provided as a commercial activity;
  • persons exercising public functions, which are not designated as essential service providers, when providing administrative services by electronic means.

Obviously, the new Act has a potentially very wide range of addressees which justifies the need to know it so that the respective obligated persons can comply with it.

In order to avoid the imposing of a disproportionate financial and administrative burden, enterprises that are micro and small digital service providers, within the meaning of the Micro and Small Enterprises Act, are among the entities, that are excluded from the scope of the new Act.

How does this affect the private sector?

As already emphasized, besides public sector entities, a number of companies from the private sector shall have obligations under this Act as well. Some of the key requirements can be outlined depending on the addressee:

  • Administrative authorities:
    – take appropriate and proportionate measures to ensure network and information security;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security, in order to ensure the continuity of their activities;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of their activities;
    – take minimum measures for achieving network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
  • Persons exercising public functions and organisations providing public services;
    – provide and are responsible for their network and information security when providing administrative services by electronic means;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of the administrative services they provide electronically;
  • Essential service providers:
    – take appropriate and proportionate measures to ensure a level of network and information security, corresponding to the existing risk;
    – take appropriate measures to prevent and minimize the impact of incidents affecting their network and information security, in order to ensure the continuity of the essential services they provide;
    – notify the sector response teams for computer security incidents for incidents that have an impact on the continuity of the essential services they provide;
    – notify the digital service provider in case of an incident that may have a significant detrimental effect on the continuity of the provided essential service and affects the digital service provider, when the essential service provider relies on a digital service provider to provide a given essential service;
    – take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months of entering into force of the CA. The network and information security requirements provided for by the Act must be applied by essential service providers only in respect to the provided essential services;
  • Digital service providers:
    – take appropriate and proportionate technical and organisational measures to manage the risks to the security of the networks and their information systems, used for providing digital services within the territory of Bulgaria;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security;
    – notify the sector response teams for computer security incidents of incidents that have a significant impact on the continuity of the digital services they provide.

A number of criteria are taken into account in determining the impact of an incident;
– take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
– a digital service provider that is not established in a EU Member State but offers any of the above-mentioned services within the EU, the digital service provider must designate a representative in the EU that must be established in a Member State where the services are offered;
– in certain occasions, it may be necessary for the public to be notified of incidents that have occurred.

It should also be noted that the Act expressly states that where it is provided for in a EU legal act or a sector-specific or service-specific act, the operators of essential services or the digital service providers are required either to ensure the security of their network and information systems or to notify of incidents, those acts apply, provided that their requirements are at least equivalent in effect to the obligations laid down in CA.

  • Persons not expressly designated as obligated persons under the Act:
    – Except for persons, expressly mentioned in the Act, other persons may notify on a voluntary basis the sector response teams for computer security incidents of incidents that have an impact on the continuity of the services they provide. The obligated persons’ notifications shall be processed with priority.

Regarding the notification obligations

The notification under the Act in the event of the specified incidents occurring should be made within two hours of identifying the incident and the complete data should be sent within 5 days.

Notifications shall be submitted following the sample form approved in accordance with an ordinance on the minimum scope of network and information security measures, along with other recommended measures to be adopted by the Council of Ministers under Art. 3, Para. 2 CA.

By-law legislation is yet to be adopted.

Sanctions

The CA provides for sanctions for violation of its requirements, with fines amounting to BGN 20,000 and property sanctions – up to BGN 25,000.

It should be emphasised that the CA also provides for sanctions for officials who commit or allow a violation under Chapter Two of the Act to be committed, with fines amounting up to BGN 15,000.

The Act has entered into force as of November 16, 2018 for most of its part. The provisions on the establishment and functions of an Incident Monitoring and Response Center for incidents with a significant detrimental impact on the communication and information systems of strategic sites and activities relevant to national security as well as certain obligations of the Sector Response Teams for Computer Security Incidents for notification shall take effect as of January 1, 2022.

Ensuring the secure and orderly functioning of networks and information systems is essential to the facilitation of the cross-border movement of goods, services, capital and people. From this point of view, the European Union is increasingly focusing on the creation of common rules on cybersecurity, as it is an important step towards the establishment of a single digital economy within the internal market. We are about to observe how the new regulation will affect the public and private sectors, but in any case, the EU’s and the Bulgarian legislature’s ambition to create a legal framework on cybersecurity is commendable.

# 12 Data protection impact assessment – a key part of GDPR compliance

Further to the series of publications regarding the changes introduced by the GDPR, in this publication we will introduce you to one of the new concepts set out in the GDPR, namely the Data protection impact assessment (DPIA).

What is DPIA?

Data controllers are responsible for introducing appropriate safeguards to ensure compliance with the GDPR taking into account “the risks of various likelihood and severity to the rights and freedoms of natural persons”. In this sense, their role is not limited solely to the control and definition of the purposes and means of personal data processing, but also includes their obligation to manage the risks that could arise as a result of that activity.

The main objective of the DPIA is to clarify, to describe all processing processes, to assess their necessity and proportionality, and to contribute to the adequate and appropriate management of risks to the rights and freedoms of natural persons arising from the processing of their personal data.

What is DPIA expressed in and what does it contain?

Article 35, Para.7 of the GDPR sets out the minimum features of a DPIA, namely:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks and demonstrate compliance with thе Regulation.

The assessment of the risks to the rights and freedoms of the processing is one of the main components of the DPIA. Some of the risk assessment guidelines and principles set out in the GDPR partially overlap already existing internationally recognised risk management standards, such as ISO 31000:2009. Examples in this regard are:

  • establishing the context: “taking into account the nature, scope, context and purposes of the processing and the sources of the risk”;
  • assessing the risks: “assess the particular likelihood and severity of the high risk”;
  • treating the risks: “mitigating that risk” and “ensuring the protection of personal data”, and “demonstrating compliance with this Regulation”.

DPIA – when it should be carried out?

It is important to note that the carrying out of a DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons”. In this sense, considered to be the most dangerous is the processing of data that is of a very personal nature by technical means without human intervention (e.g. algorithms / software) including:

  •  Systematic and detailed assessment of personal aspects related to health, workplace performance, personal preferences, location, economic status with respect to individuals, which is based on automatic processing, including profiling, for creating or using personal profiles;
  • Large-scale processing of special categories of data (e.g. data on racial or ethnic origin, political views, sex life, etc.) or personal data on convictions and offenses (Article 9, Para. 1 and Article 10 GDPR);
  • A systematic monitoring of a publicly accessible area on a large scale; etc.

In any case, the DPIA should be carried out before the processing. (Article 35, Para.1 and 10, Rec. 90 and 93). The Working Party under Art. 29 recommends that evaluation should be carried out, even when there is doubt as to the need for such assessment, as “DPIA is a useful tool to help controllers comply with data protection law” [1] and with the principle of accountability (for more information see publication #8 ACCOUNTABILITY AS A NEW PRINCIPLE OF GDPR).

Which data processing activities are considered high risk?

In the Guidelines of the Working Party under Art. 29 there are nine criteria in which the controller can identify operations that may result in a high risk to the rights and freedoms of the natural persons:

1) Existence of assessment or scoring, including profiling and prediction – an example in this respect are financial institutions reporting to their clients in connection with granting credits in databases for fighting against money laundering or terrorist financing; genetic testing for prediction of disease risks; companies that create behavioural or marketing profiles based on a website; etc.

2) Existence of automated decision making with legal or similar significant effect – automated decision making is the ability to make decisions by technological means without any human involvement. An example is when the decision on credit approval is made by a person on the basis of a profile designed entirely by automated means, or when the decision on the approval of the loan is made by means of an algorithm and the person is automatically notified of the decision without first being made a meaningful assessment by a human.

3) Existence of processing used for different types of surveillance or control of data subjects – including monitoring through which personal data is being processed where data subjects do not realize who collects their data and how it will be used, e.g. video surveillance in a public area;

4) Existence of processing of special categories of data – public hospitals that store patients’ medical records should carry out a DPIA because they operate with sensitive data, notably the health of natural persons;

5) Existence of large-scale processing of personal data – determining the scale is a separate process that involves careful consideration of factors such as: the number of data subjects involved, the volume of data or the scope of the different types of data, the duration or continuity, and the geographical scope of the processing activity;

6) Datasets that have been matched or combined, resulting from two or more processing operations performed for different purposes and / or by different controllers in a way that goes beyond the reasonable expectations of the subject – In such cases, the nature of the contractual arrangements, and the balance between the subject and the data controller in particular, should be examined, for example, to what extent the data subject is free to terminate the contract and seek alternative service providers;

7) Processing of data concerning vulnerable data subjects including any case where imbalance between the position of the data subject and the controller can be identified – examples in this respect are children – persons subject to treatment, mentally ill persons, asylum seekers, patients, elderly people, etc.

8) Existence of innovative use or applying technological or organisational solutions – an excellent example in this regard is the use of fingerprints and face recognition to improve access control;

9) Preventing data subjects from exercising the right to use a service or contract – here again is the example with a bank screens a client aganst a credit reference database, i.e. in this case, the processing of the subject’s personal data may lead to them being deprived of the possibility of taking a loan.

As a rule of thumb, a processing operation meeting less than two of the aforementioned criteria may not require the carrying out of a DPIA due to the lower level of risk. Conversely, the more criteria the processing operations meet, the higher the likelihood of high risk with regard to the rights and freedoms of natural persons.

In addition, GDPR imputes an obligation to the supervisory authority for establishment and publishing a list of the processing operations that require a DPIA. Moreover, the supervisory authority could establish and publish a list with the processing operations, for which a DPIA is not mandatory. Currently, the Commission for Personal Data Protection (CPDP) has not made such lists public yet.

What follows after the carrying out of DPIA?

DPIA does not constitute of a single action, but of an entire process of achieving and demonstrating compliance.

However, once carried out, the DPIA could be applied for assessment of numerous processing operations similar to the risks presented, taking into account the nature, scope, context and purposes in light of the concrete case. When the processing operation involves joint controllers, they need to define their respective obligations precisely and clearly. Their DPIA should set out which party is responsible for the various measures designed to treat risks and to protect the rights of the data subjects.

If the data controller considers a DPIA not to be mandatory, he is obliged to make a detailed statement of the reasons for not taking action.

Carrying out the DPIA may be outsourced to an outside person.

If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information. The roles and responsibilities of the processors must be defined precisely in a separate contract/agreement. Such obligations are usually imposed to the processor in the data processing agreement between the controller and the processor.

The controller will also have to consult the supervisory authority whenever Member – state Law requires such actions.

In the light of the above, it remains intriguing what measures would be provided in the new amendments of the Personal Data Protection Act.

In conclusion, it should be emphasized on the fact that carrying out a DPIA is a key part of complying with GDPR in cases of high risk processing. This means that data controllers should be able to determine whether a DPIA has to be carried-out or not. Of course, the internal data controller policy could extend the list of data processing activities for a DPIA will be carried-out even beyond the requirements of the GDPR. Such an approach shall absolutely result in building greater trust and confidence of data subjects in the controller and in providing for additional safeguards for the lawful and adequate processing of personal data within the company.

[1] Data Protection Working Party under Art. 29: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to pose a high risk” for the purposes of Regulation 2016/679 (WP 248 rev. 01), available here.

# 11 The Council of Europe updated the only international legally binding instrument for data protection – Convention No. 108

On the 18th of May 2018, in Helsingør, the Council of Europe adopted an Amendment Protocol of Convention № 108 from 28.01.1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (“The Convention”).

About the Convention

As of now, the Convention is the only globally relevant international agreement in the field of data protection. It has been created in response to the ongoing challenges to the privacy rights, stemming from the use of new information and communication technologies. With the complete revision of the Convention, the Council of Europe seeks to update it, expand its scope and strengthen the mechanisms it provides, in order to guarantee its effective application.

What are the novelties introduced in the Convention?

The changes to the Convention generally aim to facilitate the trans-border exchange of data while further developing the foundational mechanisms for protection of personal data laid down in the Convention in accordance to the legislative changes on European level. The Convention encompasses data processing in both the public and private sectors, hence, the changes seek to improve the level of personal data protection and its current scope. The discussions and the work on the amendment started back in 2012 and ran in parallel with the rest of the legislative changes to the personal data protection framework within the EU, including with the famous General Data Protection Regulation (GDPR).

The Secretary General of the Council of Europe Thorbjørn Jagland points out that the modernization of the Convention is a reflection of the frequent violations of data protection law as for the main focus in its implementation will be preventing of such in the future.

Numerous novelties in the Convention are in accordance with the solutions provided by the GDPR. Some of the main novelties include:

  • The categories of sensitive data are expanded – additionally to the current personal data related to: race, political views, religious or other beliefs, health conditions, ethnicity, crimes, criminal proceedings and sentences; now genetic and biometric data, as well as syndicate membership and data related to ethnicity have also been included to the category;
  • Some of the data subject rights have been expanded, including:
    – The right not be a subject of automated decision-making, when the decision has a significant impact on the subject, without considering their viewpoint;
    – The right to be informed about the data processing;
    – The right of the subject to be informed about the reasoning for data processing, particularly in cases when algorithms are used for the automated decision-making and profiling;
    – The right to object against the processing of personal data, related to the subject unless in cases where the legitimate interest of the controller is prevailing;
  • Additional obligations to the personal data controllers and processors have been introduced:
    – The measures undertaken for data protection have to be connected with their obligation to be able to prove the lawfulness of the data processing (the so-called “accountability” principle);
    – The principles of data protection shall be applied at all stages of processing, including the designing stage (“privacy by design” and “privacy by default”);
    – The suitable measures that have to be undertaken include: training of personnel, establishing suitable notification procedures (establishing data retention periods and specific deadlines for their deletion from the systems); establishing specific contract clauses for delegated processing; establishing of internal procedures providing the possibility to review and to justify compliance, etc.
    – The powers of the Authority elected by the parties of the Convention have been strengthened in order to guarantee the application of the provisions of the Convention. According to the Explanatory Protocol to the Convention, the Authority can either be sole (a commissioner) or collegiate body. Most importantly the Authority has to possess effective regulatory powers and functions and to be independent;
    – The parties of the Convention may introduce other specific authorities whose activity covers only a very restricted sector (According to the Explanatory Protocol the electronic communications sector, the healthcare sector, the public sector and others);
    – The Authority has to be empowered to initiate or participate in court proceedings related to all data protection violations. This is linked to the powers to conduct an investigation and detection of infringements;
    – An obligatory notification about data protection breach has also been introduced;
  • The measures for proportional data processing and application of the principle of data minimization have been strengthened;
  • Amendment of the current terminology – the term “automated data file” has been repealed and there is one new participant to the data processing, called with the term “receiver” (1) , etc.;
  • One of the most important additions to the Convention is the enhanced role of the Convention Committee, which has advisory, but also evaluation and supervisor capacity. It will determine whether and to what extent a Member State or an international organization has fulfilled the requirements set by the Convention. The Committee has the right to evaluate the compliance of the internal law of a Convention party and to determine the effectiveness of the undertaken measures.

It is important to note that all countries as well as international organizations, including the European Union, can accede to the Convention. This turns the Convention into a key tool for harmonizing various data protection legal regimes, by ensuring high degree of protection on international level.

The modernization of the Convention is a crucial step towards the promotion of global data protection standards. The renewed Convention seeks to stimulate the inclusion of as many countries as possible aiming to encourage the international business and its development, now on the basis of more secure and universally applicable rules regarding personal data and its efficient protection.

You can find more information on the official website of the Council of Europe here.

 

(1) Art. 3, “e” – “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available; Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), URL.