#26 – The European Data Protection Board issued new guidelines on the concepts of data controller and data processor

Whether an organisation acts as a data controller, a joint controller or a data processor is of crucial importance for the application of the General Data Protection Regulation 2016/679 (GDPR), as this determines what obligations the respective organization has and what responsibilties it bears with regard to the processing of personal data. For this reason, on September 2, 2020 the European Data Protection Board (the EDPB) issued Guidelines on the interpretation of these concepts, providing clarifications and detailed guidance, throughout useful examples, in order to ensure consistent and harmonised approach within the European Union (EU) and the European Economic Area (EEA).

Data controller and data processor

Which entity determines the “essential” elements of the processing is of crucial importance for the distinction between the two concepts. To be considered a controller, one must determine the purposes and means of processing – “why” and “how” the data will be processed. Some non-essential aspects of the means of processing may be left to the discretion of the data processor. According to the EDPB, the “essential” aspects of the processing include the types of personal data processed, the duration of the processing, the categories of data recipients and the categories of data subjects.  

Conversely, the data processor can decide only on “non-essential” aspects (e.g. the type of IT systems or other technical means to be used for the processing, or the security measures based on the security objectives specified by the controller).

The EDPB gives the following example: 

Company A hires Company B to administer the payment of salaries to the employees of A . Company A provides clear instructions on who to pay, what amounts, by what date, to which bank, how long the data will be stored, what data should be disclosed to the tax authority, etc. In this case, the processing is carried out in order for Company A to pay salaries to its employees and Company B cannot use the data for any other purpose. The way in which Company B shall carry out the processing is strictly defined by Company A. Company B can only decide on the non-essential aspects of the processing – which software to use, how to distribute access to data within its own organisation, etc. as long as it does not go against or beyond the instructions given by Company A.

The EDPB gives another example:

Employer A hires hosting service H to store encrypted data on H’s servers. The hosting service H does not determine whether the data it hosts are personal data or not, nor does it process data in any other way than storing it on its servers. Storage falls under the definition of personal data processing activity, therefore the hosting service H processes personal data on behalf of employer A and qualifies as a processor. Employer A must provide to H the necessary instructions on how the processing shall be carried out including which technical and organisational measures shall be applied. These instructions shall be objectified in a data processing agreement concluded between the controller and the processor according to Article 28 GDPR. H must ensure that the necessary security measures are taken and notify A in case of any personal data breach.

Joint controllers

Joint controllership is present when the purposes and means of the processing are determined by not one but two or more legal/ natural persons. To illustrate the dimensions of this type of data controllership in practice, the EDPB gives the following example:

A travel agency, a hotel chain and an airline decide to participate jointly in setting up an internet-based common platform for the common purpose of providing package travel deals. They agree on the essential means to be used, such as the categories of data which will be stored, the means throught which reservations will be allocated and confirmed, and the categories of persons who could have access to the stored information. Furthermore, they decide to share amongst them data of their respective customers in order to carry out joint marketing actions. In this case, the travel agency, the airline and the hotel chain, jointly determine why and how personal data of their customers are processed and will therefore be joint controllers with regard to the processing activities related to their common internet-based booking platform and joint marketing actions.

However, each of them would still retain sole control with regard to their respective processing activities outside the internet based common platform.

Another example provided by the EDPB to distinguish the concept of joint controller from the concepts of controller and processor involves the case of clinical trials:

A health care provider (the investigator) and a university (the sponsor) decide to launch together a clinical trial with a common purpose. They collaborate in the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.). For the purposes of this clinical trial the investigator and the sponsor are considered joint controllers as they jointly determine the purpose and the essential means of the processing.

The collection of personal data from the medical record of the patient for the purpose of research is to be distinguished from the storage and use of the same data for the purpose of patient care, for which the health care provider remains the controller.

In the event that the investigator does not participate to the drafting of the protocol (it just accepts the protocol already elaborated by the sponsor), and the protocol is only designed by the sponsor, the investigator should be considered as a processor and the sponsor – as the controller for this clinical trial.

The EDPB also gives an example involving provision of personal data by an employer to the tax authorities, in which case no joint controllership is considered to take place:

The company collects and processes personal data of its employees in order to manage salaries, health insurance, etc. The  company is required, under the applicable legislation, to send all data on salaries to the tax authorities in order to comply with fiscal regulations.

In this case, although the company and the tax authorities process the same data concerning salaries, the lack of jointly determined purposes and means with regard to this data processing will result in qualifying the two entities as two separate data controllers.

In an annex to the Guidelines, the EDPB provides infographics with practical questions to help  organizations assess whether they process personal data as controllers, joint controllers or processors.

The Guidelines are available here.

#24 Personal Data Protection in the Context of Assignment of Receivables (Cession) Agreement

Pursuant to the assignment of receivables (cession) agreement the creditor under a certain receivable (assignor) assigns it to a third party (assignee). As the assignment procedure involves processing of personal data of a third party – a debtor that is not a party to the agreement, thorough examination of the personal data protection rules and their applicability to the assignment of receivables is required. The present analysis examines a situation where the debtor is a natural person. The conclusions outlined below can be applied by analogy to assignments where the debtors are legal entities, taking into account the specifics of the relationship between legal entities (i.e. exchange of information about their legal representatives, proxies, etc.).

Is the debtor’s consent required for the purposes of assigning their receivables?

The consent under an assignment agreement may be approached from two perspectives:

  • Consent for the transaction itself – the debtor is not a party to the assignment agreement and their consent is not required for the transaction to take effect.
  • Consent as a basis for processing the debtors personal data – consent might also be viewed as a one of the legal grounds for processing personal data under Regulation 2016/679 (GDPR). As the debtor needs be able to assess whether, for what purposes and for what period of time to give their consent, it is an inappropriate legal grounds for personal data processing under assignment agreements. This is explained by the fact that if processing is based on consent, it would allow the debtor to block the creditor from disposing of their receivables by preventing the creditor from processing the personal data contained in the debt documentation or debt related documents – information about who the debtor is and what his contact details are, where his obligation arises from, what is its amount and maturity, etc.

What is the basis for the personal data processing under the assignment agreement?

Other legal grounds, equal and alternative to the consent, may serve as basis for processing the debtor’s personal data, namely:

  • Regarding the assignor:
    • Compliance with a legal obligation – to provide the assignee with the debt documentation, i.e. to carry out the related processing of the personal data contained therein;
    • Existence of legitimate interest– to dispose of its receivable as it deems appropriate.
  • Regarding the assignee, besides the legitimate interest to collect their receivable, there is additional legal grounds for the personal data processing – the performance of a contract to which the data subject is a party (this is the contract under which the receivable has arisen). This ground, however, may be relevant, provided that the assignment has lead an action against the debtor by notification under Art. 99, Para. 3 and 4 of the Contracts and Obligations Act.

According to the Commission for Personal Data Protection (CPDP), the legal fact which makes the personal data processing admissible is the assignment of the receivable, not the notification of the debtor. This means that the assignee may lawfully process the debtor’s personal data even prior to this notification.

Other requirements for the personal data protection in the case of assignment of receivables

An essential requirement to be fulfilled in case of an assignment is the notification of the debtor of the processing of their personal data, since the data controller – assignee obtains the personal data not directly from the data subject, but from another source – the assignor. In order to ensure transparent data processing, the data subject needs to be provided with information under Art. 14 of the GDPR, namely:

  1. the identity and the contact details of the controller;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes and legal basis for the processing;
  4. the categories of personal data concerned;
  5. the recipients of the personal data;
  6. the period for which the personal data will be stored;
  7. where applicable, the controller’s intention to transfer the personal data to a third country or international organisation, as well as additional information related to such data transfer;
  8. the legitimate interests pursued by the controller or by a third party when the processing is carried out on this ground;
  9. information on the rights of the data subject with respect to the processing;
  10. the source of the personal data;
  11. additional information in case the data is used for automated decision-making, including profiling.

The GDPR requires the controller to provide this information as follows:

  • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

In practice, there are numerous cases where assignees have been sanctioned specifically for non-compliance with the above requirement to inform the data subject. The GDPR, as a rule, allows exceptions to the above obligation to provide information if the receipt or disclosure of data is expressly permitted by EU law or the laws of a Member State, which provides for appropriate measures to protect the legitimate interests of the data subject. It is unclear how CPDP will interpret this rule in the context of the assignment agreement (under which the disclosure and receipt of data is explicitly regulated by the Bulgarian legislation). Given the above practice of imposing sanctions, a safer approach for assignees would be to expressly notify the data subjects.

It is permitted to inform the data subject of the processing in parallel with notifying the debtor of the assignment by the assignee. This is explicitly recognized in the case law.

Is it possible that the expired limitation period of the assigned receivable affects the lawfulness of the personal data processing?

Whether the prescribed limitation period for the receivable has expired or not, whether the debtor’s objection to the expired limitation period has been duly exercised, etc., are all issues within the jurisdiction of the civil court and do not affect the lawfulness of the personal data processing.

You may read an article on the topic by Martin Zahariev here: https://www.tita.bg/free/commercial-law/660

#23 Watch out While Watching – GDPR Requirements for Video Surveillance

If you are concerned for your property because of thefts, burglary or vandalism, you have probably already resorted to the use of CCTV or at least you have considered it. From a technical perspective, the placement of video devices is becoming easier and easier with the development of technology. However, the legal risks arising from the use of CCTV do not diminish – exactly the opposite. What requirements should you comply with when using video devices? What are the restrictions on processing of personal data by video devices? What obligations does Regulation 2016/679 (GDPR) impose on you as personal data controller? The European Data Protection Board (EDPB/The Board) gives some practical guidelines, the most important of which are summarized below:

Lawfulness of Processing

If none of the legal grounds listed in Article 6 GDPR applies, the processing of personal data would not be lawful. The most commonly used legal basis in the context of video surveillance is the legitimate interest of the controller (for instance, protection against burglary). It is necessary:

  • Imminent risk or dangerous situation to exist and the controller to be able to prove its existence – for example by means of statistics of the crimes rates in the area;
  • no other means for protecting the legitimate interest to be available, except the installation of CCTV; 
  • the reasonable expectations of the data subjects to be considered – e.g., it is inconceivable CCTV to be used in restrooms, bathrooms, etc.;
  • the surveillance to be strictly limited to the area of the premises that is being protected (the area may be expanded only if this is necessary for achieving effectiveness of the surveillance).

Disclosure of Video Footage to Third Parties

Any disclosure of personal data is a separate kind of processing for which a separate legal basis must be present. Such basis may be legal obligation of the controller to disclose the data to law enforcement authorities (e.g. investigation).

Processing of Special Categories of Data

If the processing of special categories of data is necessary, then at least one of the additional grounds allowing the processing must be present (Art. 9, § 2 GDPR). If the purpose of the processing is to protect the vital interests of the subject and he or she is physically or legally incapable of giving consent, this would justify the processing of such data (Article 9 § 2 (c)). Such an example is the monitoring of a patient, who was brought to the hospital unconscious. If the surveillance began when he was unable to consent, it would not be contrary to GDPR requirements. The Board also comments on the exception in Art. 9 regarding data which is manifestly made public by the data subject. According to the Board, the mere fact of entering the range of a camera does not permit the data controller to process special categories of data on the grounds that the data subject manifestly made them public.

Rights of the Data Subject

It is important to note that data subjects enjoy all the rights provided in the GDPR – the right to information and access to the data being processed, the right to be “forgotten”, etc. However, some of the data subjects’ rights require further clarification in the context of CCTV:

Right to Access

If the controller resorts only to real-time monitoring and no data is stored, then in case of a request by a data subject it is sufficient to confirm that no personal data is being processed any longer.

The Board also draws attention to cases where the data subject could not be provided with access to the processed data relating to him:

• If the disclosure of the data would adversely affect the rights of third parties (for example, providing video footage to one data subject could adversely affect the rights and freedoms of others where other subjects can be identified. In such cases, the Board advises not to restrict the right to access to the data subject, and instead use photo processing tools that hide the identity of third parties).

• If the controller is unable to identify the subject – for example, if plenty of people pass through the monitored area;

• If the request is manifestly unfounded or excessive (due to repetitiveness, for example);

Right to Erasure (Right to be Forgotten)

The personal data collected during processing must be deleted if they are no longer needed for the purposes for which they were processed. Furthermore, the personal data must be erased:

• Upon request of the data subject. If the data was provided to third parties, the latter must also be informed of the request made;

• Depending on the legal basis for the processing, personal data should be erased:

  • when the data subject withdraws his or her consent for processing;
  • when the interests of the subject override the legitimate interest of the administrator;
  • when the data subject objects to the processing of the data for direct marketing purposes.

In addition to the obligation of the controller to erase the data upon request, the principle of minimizing the data must also be kept in mind – the data processed should be relevant and limited to what is necessary for the purposes for which it is processed.

Right to Object

The data subject has the right to object to the processing of the data (before entering, monitoring, or leaving the surveillance zone). The controller must demonstrate that his or her legitimate interest or the protected public interest outweighs the subject’s rights and interests (for example, processing is necessary for the conduct of an internal investigation).

Transparency and Information Obligations in the Context of CCTV:

Some of the most useful guidelines given by the Board are related to the way the data subjects must be informed. A good practice that meets the standards of the Regulation is the so-called layered approach for presenting the information:

First layer: A warning sign that informs in a clear and unambiguous manner about the video surveillance. There is no need to indicate the exact location of the cameras. First layer – content:

  • Identity of the controller, including representatives and contacts of Data Protection Officer, if such is appointed;
  • Purposes and legal grounds for processing;
  • Data subject rights;
  • Information on the greatest impacts of the processing;
  • Any information that could surprise the data subject.

The second layer of information includes further details regarding the CCTV. It may be presented in the form of information leaflets placed in an easily accessible and visible place.

Storage Period and Technical Requirements

The longer the storage period (especially over 72 hours), the more evidence for the necessity of storage must be provided. Usually, the storage is justified by the potential need for the data to be used as evidence. However, a period of 24 hours is usually sufficient for this purpose.

When selecting technical means of monitoring, the controller must comply with all the principles concerning the data processing laid down in the Regulation. Appropriate technical and physical protection of the components of the CCTV system must be implemented. The access to the system and the recordings must be limited only to subjects authorized by the controller.

Impact Assessment

In the last part of the Guidelines, the Board recalls that if processing is carried out through systematic monitoring of publicly accessible areas on a large scale or when special categories of data are processed, the Regulation requires that a data protection impact assessment (DPIA) be carried out. The guidеlines on DPIA and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 are available here. A summary of them can be found in other posts on our blog (here and here).

#22 The Bulgarian Constitutional Court declared the provision of PDPA on data processing for journalistic purposes unconstitutional

By decision of November 15, 2019 the Constitutional Court (CC) declared unconstitutional the provision governing the processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary expression (Article 25h of the Personal Data Protection Act – PDPA). The text was adopted within the option provided by Regulation 2016/679 (GDPR) for Member States to align the right to protection of personal data with the right to freedom of expression and information.

The decision of the CC put an end to the turbulent history of the provision. Initially, the provision was widely criticized by the media and journalistic organizations, then the President vetoed changes to the act because of it, and in March 2019 the CC was seised by 55 members of parliament with an appeal to declare it unconstitutional.

The primary reason for the controversy was the criteria introduced for assessing the balance between freedom of expression and the right to information and the right to protection of personal data, in which those seeking to declare the provision unconstitutional saw a potential threat of legal censorship on freedom of expression.

In its decision, the CC refers to European legislation, international human rights instruments and the case law of the Court of Justice of the European Union (ECJ) and the European Court of Human Rights (ECHR). The CC has repeatedly emphasized that it follows the principles of “balance of interests” and proportionality which are agreed and adopted at European level.

CC finds the provision of the PDPA unconstitutional for the following primary reasons:

  • The CC accentuates that the balancing of the various rights, in this case the protection of personal data and the right to freedom of expression and information, has to be carried out through a rational and pragmatic approach, taking into account the specific circumstances of each individual case; therefore the introduction of criteria into a general legal rule creates a risk to the proper balancing of interests and is contrary to the practice of the ECJ and the ECHR to make an objective assessment;
  • According to the CC, the provision does not meet the requirements for comprehensibility, precision, unambiguity and clarity, as it does not clearly define to its addressees what is inadmissible. The CC criticizes several criteria in particular which make it impossible for the media/journalists to align their behavior with the law and to apply the so-called “journalistic exemption” allowing them to process personal data under specific conditions. The decision of the CC also states that the ambiguity of the criteria gives the law enforcement bodies unpredictable power.
  • According to the CC, the provision runs counter to the GDPR spirit and reason, since the Regulation seeks to allow Member States to introduce exemptions and derogations to the general rules that balance the protection of personal data and the right to freedom of expression and information, rather than to allow them to adopt rules that are “burdensome to the media/journalists”. The CC expressly emphasizes that such interpretation of the GDPR by the Bulgarian legislature “makes it extremely difficult to further limit state interference in terms of freedom of expression of the media/journalists”, and that the provision would distort the balance between fundamental rights to the detriment of the right to expression and information;
  • Last but not least, the CC considers the provision disproportionate to the objective it pursues as it excessively restricts the right to freedom of expression and information; The CC assumes that the provision impedes the attainment of the objectives of journalistic activity and the function of the media, as it may lead to self-censorship motivated by an attempt to comply with unclear criteria. In addition, the CC accentuates that the measure is unnecessary because there is a much less restrictive and well-established alternative – to improve self-discipline in the media industry, including by adopting codes of conduct drafted jointly by media organizations and CPDP, as is the practice in democracies and what is explicitly provided for in the GDPR.

In conclusion, the CC announced the provision of 25h, Para 2 PDPA as unconstitutional due to unpredictability, legal uncertainty and limitation of the right to freedom of expression and information disproportionate to the objective pursued in the context of journalistic expression.

We have yet to see whether the lawmaker will try to formulate a new legal rule to strike a balance between the right to protection of personal data and the right to freedom of expression and information, or similar to the recommendations in the decision of the CC – the balance will be sought through self-regulation of the media industry – e.g. through codes of conduct. The full text of the decision is available only in Bulgarian here.

# 21 Websites with a Facebook “Like“ button – the recent CJEU judgement sheds light on some key questions regarding the application of GDPR

If a website operator embeds a social plugin, such as the Facebook “Like” button, this triggers the collection and transmission of the visitors’ personal data to the plugin provider. The processed data include the IP address and the page content accessed by the visitors and are transmitted automatically by the browser even if the visitor does not have a social media account and regardless of whether the visitor clicks on the button.

This caused a legal dispute in Germany after the Verbraucherzentrale NRW, a public-service association tasked with safeguarding the interests of consumers, brought legal proceedings against the online retailer FashionID that used such social plugins, collecting and transmitting personal data to Facebook Ireland without informing its visitors or requesting their consent. Following a decision of the Regional Court Düsseldorf that ruled against FashionID, the Higher Regional Court Düsseldorf referred the case to the Court of Justice of the European Union (CJEU) requesting interpretation of several provisions of the former Data Protection Directive of 1995.

Although the Directive was repealed by the General Data Protection Regulation (GDPR) last year, the recent judgement of the CJEU can lead to a better understanding of the current European data protection law.

Admissibility of the Action

The Court held that consumer protection associations are granted the right to bring legal proceedings against a party that is allegedly responsible for the infringement of the protection of personal data under both the former Directive and the new General Data Protection Regulation.

Processing of Data

The Court found that FashionID shall be considered a joint controller together with Facebook Ireland regarding the processes it has influence on, namely the collection and transmission of personal data on its website. However, FashionID is not liable for the data processing carried out by Facebook after the data has been transmitted.

Therefore, the website operators must thoroughly inform their visitors about the data processing operations. Furthermore, a legal basis is necessary to lawfully process the personal data of the website visitors. The Court provides interpretation of two of the legal grounds enlisted in Article 6 GDPR.

The website operator must obtain the consent of the visitors regarding the operations in which it acts as a joint controller, namely the collection and transmission that occurs through the website plugins.

When it comes to the pursuit of a legitimate interest, it can be a legal basis only if the processing is necessary for the legitimate interests of both joint controllers.

A social plugin brings a lot of advantages for a website such as bigger outreach of its content, optimisation of its visibility on social media, keeping track on the popularity of the goods offered. In order to still use it and avoid liability, a website operator should inform the website visitors on all points enlisted in Article 13 GDPR such as the ways it processes data, the purposes of processing and legal grounds and the recipients of the data. In most cases these would be Facebook and Google as the most popular social plugin providers.

A possible solution to data protection concerns is implementing social plugins in a way that prevents the automatic transmission of data. In the case of Facebook, the technological giant provides the Like and Share Button as a program code. Instead of embedding it without changing anything, the button can be designed as a link to a pop-up window – the so called “Two-click method“.This way, the plugin and the transmission of data it facilitates are activated not by just opening the website, but only after clicking on the button and giving consent to the processing of data. All this information must be included in the privacy policy statement and its terms and conditions.

Sources:

Case C-40/17, CJEU, Second Chamber, 29 July 2019, available at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=C928F3FB3CCCF093027557F27F1CCD39?text=&docid=216555&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8508664

#20 Proceedings before the Commission for Personal Data Protection

The Rules of Procedure for the Commission for Personal Data Protection were published on the 30 July 2019. They provide details regarding the Commission’s internal structure and organisation, the proceedings before it, as well the consulting and advising activities through which the Commission provides assistance to controllers.

The Rules of Procedure contain a list of all the proceedings before the Commission: handling of complaints regarding data rights violations; application of the powers granted to supervisory authorities by Regulation (EU) 679/2016 (GDPR); issuing statements on queries regarding personal data protection; approval of standard data protection contractual clauses in accordance with the Regulation; observation of procedures for the transfer of personal data to third parties or international organisations; conduct of preliminary consultations; investigations of notifications of personal data breach; approval of codes of conduct; accreditation and revocation of accreditation of code of conduct of the monitoring bodies.

Other procedures may also be established in legislation. In this article we will examine the main proceedings and the ones applicable to most subjects.


Complaints and alerts for data subject rights violations
Complaints and alerts are the means of informing the Commission of a violation of rights protected under the GDPR and the Personal Data Protection Act (PDPA). A complaint is filed for the violation of one’s own rights, whereas an alert is sent when another person’s rights have been violated. Such complaints and alerts cannot be anonymous or unsigned and must explicitly identify the person or entity, against which they are submitted, date and nature of the violation being specified as well. In case of irregularities, the person lodging the complaint or alert is given 3 days to correct the complaint. The validity, admissibility and merits of the complaint are assessed by the Legal Proceedings and Surveillance Direction of the Commission. The hearings for examination of complaints and alerts are public and the parties concerned are informed about their date and hour. At the end of the proceedings the Commission may decide to apply measures according to GDPR or PDPA and, alternatively or cumulatively, impose administrative penalties.

Notifications of a personal data breach
This notification is submitted by a controller, and the required content is set out in Article 67, paragraph 3 PDPA and Article 33, paragraph 3 GDPR. Once the notification is submitted, the Commission, within a period of two weeks, conducts an investigation, to determine its own level of involvement (whether it is the lead authority or it is supporting other personal data protection authorities in other Member States), the nature of the breach, the number of affected data subjects and records, the possible consequences and measures taken, as well as the level of risk involved in the breach.

Prior consultation
The Regulation requires controllers to consult the Commission where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The Commission is given all the information related to the data processing, and base on it the Commission issues a written statement. The Regulation also provides for the for the possibility for Member States to make this procedure mandatory for certain types of data processing activities concerning public interest, public health, and social protection. The CPDP’s Rules of Procedure also provides that that in some cases the Commission may require controllers to seek consultation and preliminary permission regarding a particular processing operation where public interest and social protection are concerned. This prior consultation is intended to provide preliminary supervision, on the one hand, and to assist controllers in taking the necessary precautions to ensure protection of the data subjects’ rights. After the consultation, the Commission can exercise any of its powers under the Regulation (for example to impose a temporary or definitive limitation including a ban on processing, to impose an administrative fine or to issue warnings to the data controller or processor), or to issue a permission for the planned processing.

Approval of Codes of Conduct
Enterprises, associations, representative structures and categories of controllers are provided with the possibility to adopt their own Code of Conduct. Its purpose is to facilitate the application of the Regulation’s requirements and to guarantee the rights and freedoms of the data subjects whose data will be processed. The proceedings are again initiated by filing an application which must contain information on the applicant proposing the Code of Conduct, a unique name for the Code, and the categories of controllers it is applied to. The draft Code is evaluated as to whether it complies with the Regulation, facilitates the uniform application of the Regulation and guarantees the observation of data subject rights. In case a draft is not approved, it is sent back to the applicant for complementing or amending. The approved draft is translated and sent to the European Data Protection Board. This procedure is also applied to amendments and supplements to Codes of Conduct already in effect.

Trainings
Organizing and conducting training programmes on personal data protection is the activity of the Commission where the widest range of subject might be involved. Such training can be organised upon the Commission’s initiative or at a specific request. The request must include the names, address and phone number of the applicant, the relevant documents and information, and it also has to be signed and dated. Regarding activities of high public interest and ones that, by their nature, require special attention, the Commission takes the initiative to organise training programmes for controllers and data processing personnel. According to the Rules of Procedure, data subjects, certifying bodies, controllers, data processing personnel and data protection officers may take part in the trainings. Sessions begin with a test for determining the level of initial knowledge, and there is a final exam as well. The participants receive a certificate confirming successful completion of the training.

#19 The Bulgarian Commission for Personal Data Protection Published an Opinion on the Form of Authorisation regarding the Exercise of Rights of Data Subject before Medical Institutions

Crucial for any controller opinion of the Bulgarian Commission for Personal Data Protection (the Commission) on the form of authorisation regarding the exercise of rights of the data subject before medical institutions has recently been published on their website.

The Commission made its statement in response to an enquiry submitted by a medical institution regarding patients’ access to their personal data, as well as regarding the exercise of their rights as data subject through an authorised person. The issue arose in the process of preparation of the institution’s internal rules on data protection aimed at synchronizing their data processing activities with the requirements of Regulation (EU) 2016/679. There are no clear provisions on this issue neither in the European, nor in the national legislation. To put it short, is a notarized form of authorization required for the exercise of the data subjects’ rights by another person under Articles 15-22 of the Regulation?

In its legal analysis, the Commission examines the conditions for the exercise of the data subjects’ rights as set out in Art. 12 of the Regulation. For the controller, the verification of the data subject’s identity is the the thing to begin with. The manner in which such verification is carried out depends on the specifics of each case, but the controller is generally supposed to use the already available data on the subject. Where there is doubt, the controller may request additional information from the data subject, and in case such is not provided or is unconvincing, the controller may refuse a remedy bearing the burden of proof regarding the unverifiability of the subject’s identity. With regards to the data subject, the procedure for the submission of rights requests is laid down in the Personal Data Protection Act – namely, a written application to the controller is required, unless otherwise specified by the controller, including by electronic means or an user interface. The Act states that an application submitted by an authorised person shall be accompanied by the respective form of authorisation. The Commission furthermore addresses the Health Act and the opportunity provided therein for patients to authorize another person in a written form to get acquainted with their medical files and make copies thereof . Taking into account the general regulatory framework regarding authorisation contained in the Obligations and Contracts Act which provides for an aggravated form of authorisation only upon the conclusion of transactions in aggravated form, as well as considering the absence of requirements in the special legislation relevant to the case, the Commission makes its final statement in response to the submitted enquiry, namely the medical institutions, in their capacity of controllers, have no legal grounds to require notary certification of the signature when authorizing another person to exercise the data subjects’ rights under Art. 15-22 of the Regulation.

Despite in the context of the exercise of rights of the data subject before a specific type of controllers – namely, the medical institutions, the conclusions drawn by the Commission can be applied in all cases of exercise of data subjects’ rights under the Regulation. In the absence of specific regulation, the “standard” written authorisation should always be sufficient for their exercise through an authorised person.

# 18 The Bulgarian Commission for Personal Data Protection published an opinion on the determination of the figures of “controller” and “processor” in the conduct of clinical trials

Crucial for the pharmaceutical sector opinion of the Bulgarian Commission for Personal Data Protection (CPDP/Commission) on the determination of the figures of “controller” and “processor” in the conduct of clinical trials was published on 10.06.2019 on the website of the Commission.

According to the opinion, when conducting clinical trials, the medical institutions and the sponsor of the clinical trial act in the capacity of joint controllers under the meaning of Art. 26 of the Regulation (EU) 2016/679 (GDPR).

The opinion has been published after CPDP examined a request by a company having the capacity of a “sponsor” under the meaning of § 1, item 8 of the Additional Provision of the Medical Products in the Human Medicine Act (MPHMA), i.e. a company which is responsible for initiating, management and/or financing a clinical trial and is participating in the clinical trials initiated by it. The requesting company states that while conducting clinical trials, the sponsor also has relations with other persons participating in the clinical trials, namely with the principal investigator and the investigators, as well with the members of the investigator’s team – collaborators, monitors and auditors of the trial.

To clearly determine the roles of the parties, CPDP examines the figures of “Controller” and “Processor” in the light of the national and EU legislation regulating clinical trials. Furthermore, CPDP explains that the Regulation (EU) No 536/2014 of the European Parliament and of the Council on Clinical Trials on Medicinal Products for Human Use and the MPHMA exhaustively determines the functions and tasks of all persons participating in a clinical trial. According to the Commission, the data processing activities related to the conduct of clinical trials, could not be carried out “on behalf” of the sponsor of the trial, since such activities cannot be carried out by it, but only by organizations authorized in accordance with the applicable procedures and having the status of a “medical institution”. This is yet another confirmation of the thesis long ago adopted both in theory and practice (including that of CPDP), that not each assignment contract automatically leads to arising of relationship of the type of controller-processor and that in order to adequately determine the roles and responsibilities of the parties with regard to the processing of personal data, the nature of the rights and obligations of the parties in the contractual relationship need to be taken into account.

An additional argument for classification of the parties‘ roles according to CPDP is the Opinion 1/2010 of the Article 29 Data Protection Working Party (now European Data Protection Board) on the concepts of “controller” and “processor” which explicitly states that when conducting clinical trials, the participants are processing personal data in the capacity of joint controllers (p. 30 from the Opinion).

The main consequence of this opinion for the pharmaceutical companies and the medical institutions that conduct clinical trials is that they will need to conclude an agreement between themselves that shall in a transparent manner determine their respective responsibilities for compliance with the obligations in the field of data protection. In particular, they will have to regulate matters related to exercising the rights of the data subject and their respective duties to provide the information referred to in Art. 13 and 14 of GDPR. Furthermore, the data subjects-participants in the clinical trial may exercise their rights in respect of and against each any of the controllers. (Art. 26, Para. 3 of GDPR).

# 16 INFORM e-Learning platform – a convenient means for introduction to data protection law

Recently our colleagues from Law and Internet Foundation have launched an online platform that introduces data protection law in an easily accessible manner. The e-learning platform is built as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project and is available on the following link.

The registration is quick and straightforward, allowing the user to choose his/ her role (judiciary, court staff & legal practitioner) since the platform is organised in three distinct modules. Each of the modules provides tailored content according to the specifics of each of the roles.

The platform provides comprehensive introduction to EU data protection law, focusing not only on GDPR but also on the provision of Directive 2016/680. The users can quickly check their knowledge on the topic as the e-learning platform maintains self-assessment functionality.

This article is created as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project, financed under the Justice Program of the European Commission. The contents of this article are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

# 14 The Bulgarian Commission for Personal Data Protection adopted list of the processing activities where data protection impact assessment under GDPR is mandatory

Further to publication #12 Data Protection Impact Assessment from our Blog we inform You that the Commission for Personal Data Protection published a list of the types of processing operations for which data protection impact assessment (DPIA) is required. The list was published on 13.02.2019 on the Commission’s website.

Pursuant to the above-mentioned list data controllers whose main or single establishment is on the territory of the Republic of Bulgaria are required to conduct compulsory DPIA in each of the following cases:
• Large scale processing of biometric data for the purposes of the unique identification of a natural person, which is not occasional;
• Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing operations for which the provision of information to the data subject pursuant to Art. 14 of GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when this is related to large scale processing;
• Personal data processing by controller whose main place of establishment is outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria;
• Regular and systematic processing for which the provision of information pursuant to Art. 19 of GDPR by the controller to the data subject is impossible or involves disproportionate efforts;
• Processing of personal data of children in relation to the offer of information society services directly to a child;
• Migration of data from existing to new technologies when this is related to large scale data processing.

The current list – adopted on the basis of Art. 35 Para 4 of GDPR – is non-exhaustive and can be updated, if necessary. We will inform You accordingly for any such updates.