# 12 Data protection impact assessment – a key part of GDPR compliance

Further to the series of publications regarding the changes introduced by the GDPR, in this publication we will introduce you to one of the new concepts set out in the GDPR, namely the Data protection impact assessment (DPIA).

What is DPIA?

Data controllers are responsible for introducing appropriate safeguards to ensure compliance with the GDPR taking into account “the risks of various likelihood and severity to the rights and freedoms of natural persons”. In this sense, their role is not limited solely to the control and definition of the purposes and means of personal data processing, but also includes their obligation to manage the risks that could arise as a result of that activity.

The main objective of the DPIA is to clarify, to describe all processing processes, to assess their necessity and proportionality, and to contribute to the adequate and appropriate management of risks to the rights and freedoms of natural persons arising from the processing of their personal data.

What is DPIA expressed in and what does it contain?

Article 35, Para.7 of the GDPR sets out the minimum features of a DPIA, namely:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks and demonstrate compliance with thе Regulation.

The assessment of the risks to the rights and freedoms of the processing is one of the main components of the DPIA. Some of the risk assessment guidelines and principles set out in the GDPR partially overlap already existing internationally recognised risk management standards, such as ISO 31000:2009. Examples in this regard are:

  • establishing the context: “taking into account the nature, scope, context and purposes of the processing and the sources of the risk”;
  • assessing the risks: “assess the particular likelihood and severity of the high risk”;
  • treating the risks: “mitigating that risk” and “ensuring the protection of personal data”, and “demonstrating compliance with this Regulation”.

DPIA – when it should be carried out?

It is important to note that the carrying out of a DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons”. In this sense, considered to be the most dangerous is the processing of data that is of a very personal nature by technical means without human intervention (e.g. algorithms / software) including:

  •  Systematic and detailed assessment of personal aspects related to health, workplace performance, personal preferences, location, economic status with respect to individuals, which is based on automatic processing, including profiling, for creating or using personal profiles;
  • Large-scale processing of special categories of data (e.g. data on racial or ethnic origin, political views, sex life, etc.) or personal data on convictions and offenses (Article 9, Para. 1 and Article 10 GDPR);
  • A systematic monitoring of a publicly accessible area on a large scale; etc.

In any case, the DPIA should be carried out before the processing. (Article 35, Para.1 and 10, Rec. 90 and 93). The Working Party under Art. 29 recommends that evaluation should be carried out, even when there is doubt as to the need for such assessment, as “DPIA is a useful tool to help controllers comply with data protection law” [1] and with the principle of accountability (for more information see publication #8 ACCOUNTABILITY AS A NEW PRINCIPLE OF GDPR).

Which data processing activities are considered high risk?

In the Guidelines of the Working Party under Art. 29 there are nine criteria in which the controller can identify operations that may result in a high risk to the rights and freedoms of the natural persons:

1) Existence of assessment or scoring, including profiling and prediction – an example in this respect are financial institutions reporting to their clients in connection with granting credits in databases for fighting against money laundering or terrorist financing; genetic testing for prediction of disease risks; companies that create behavioural or marketing profiles based on a website; etc.

2) Existence of automated decision making with legal or similar significant effect – automated decision making is the ability to make decisions by technological means without any human involvement. An example is when the decision on credit approval is made by a person on the basis of a profile designed entirely by automated means, or when the decision on the approval of the loan is made by means of an algorithm and the person is automatically notified of the decision without first being made a meaningful assessment by a human.

3) Existence of processing used for different types of surveillance or control of data subjects – including monitoring through which personal data is being processed where data subjects do not realize who collects their data and how it will be used, e.g. video surveillance in a public area;

4) Existence of processing of special categories of data – public hospitals that store patients’ medical records should carry out a DPIA because they operate with sensitive data, notably the health of natural persons;

5) Existence of large-scale processing of personal data – determining the scale is a separate process that involves careful consideration of factors such as: the number of data subjects involved, the volume of data or the scope of the different types of data, the duration or continuity, and the geographical scope of the processing activity;

6) Datasets that have been matched or combined, resulting from two or more processing operations performed for different purposes and / or by different controllers in a way that goes beyond the reasonable expectations of the subject – In such cases, the nature of the contractual arrangements, and the balance between the subject and the data controller in particular, should be examined, for example, to what extent the data subject is free to terminate the contract and seek alternative service providers;

7) Processing of data concerning vulnerable data subjects including any case where imbalance between the position of the data subject and the controller can be identified – examples in this respect are children – persons subject to treatment, mentally ill persons, asylum seekers, patients, elderly people, etc.

8) Existence of innovative use or applying technological or organisational solutions – an excellent example in this regard is the use of fingerprints and face recognition to improve access control;

9) Preventing data subjects from exercising the right to use a service or contract – here again is the example with a bank screens a client aganst a credit reference database, i.e. in this case, the processing of the subject’s personal data may lead to them being deprived of the possibility of taking a loan.

As a rule of thumb, a processing operation meeting less than two of the aforementioned criteria may not require the carrying out of a DPIA due to the lower level of risk. Conversely, the more criteria the processing operations meet, the higher the likelihood of high risk with regard to the rights and freedoms of natural persons.

In addition, GDPR imputes an obligation to the supervisory authority for establishment and publishing a list of the processing operations that require a DPIA. Moreover, the supervisory authority could establish and publish a list with the processing operations, for which a DPIA is not mandatory. Currently, the Commission for Personal Data Protection (CPDP) has not made such lists public yet.

What follows after the carrying out of DPIA?

DPIA does not constitute of a single action, but of an entire process of achieving and demonstrating compliance.

However, once carried out, the DPIA could be applied for assessment of numerous processing operations similar to the risks presented, taking into account the nature, scope, context and purposes in light of the concrete case. When the processing operation involves joint controllers, they need to define their respective obligations precisely and clearly. Their DPIA should set out which party is responsible for the various measures designed to treat risks and to protect the rights of the data subjects.

If the data controller considers a DPIA not to be mandatory, he is obliged to make a detailed statement of the reasons for not taking action.

Carrying out the DPIA may be outsourced to an outside person.

If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information. The roles and responsibilities of the processors must be defined precisely in a separate contract/agreement. Such obligations are usually imposed to the processor in the data processing agreement between the controller and the processor.

The controller will also have to consult the supervisory authority whenever Member – state Law requires such actions.

In the light of the above, it remains intriguing what measures would be provided in the new amendments of the Personal Data Protection Act.

In conclusion, it should be emphasized on the fact that carrying out a DPIA is a key part of complying with GDPR in cases of high risk processing. This means that data controllers should be able to determine whether a DPIA has to be carried-out or not. Of course, the internal data controller policy could extend the list of data processing activities for a DPIA will be carried-out even beyond the requirements of the GDPR. Such an approach shall absolutely result in building greater trust and confidence of data subjects in the controller and in providing for additional safeguards for the lawful and adequate processing of personal data within the company.

[1] Data Protection Working Party under Art. 29: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to pose a high risk” for the purposes of Regulation 2016/679 (WP 248 rev. 01), available here.

# 11 The Council of Europe updated the only international legally binding instrument for data protection – Convention No. 108

On the 18th of May 2018, in Helsingør, the Council of Europe adopted an Amendment Protocol of Convention № 108 from 28.01.1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (“The Convention”).

About the Convention

As of now, the Convention is the only globally relevant international agreement in the field of data protection. It has been created in response to the ongoing challenges to the privacy rights, stemming from the use of new information and communication technologies. With the complete revision of the Convention, the Council of Europe seeks to update it, expand its scope and strengthen the mechanisms it provides, in order to guarantee its effective application.

What are the novelties introduced in the Convention?

The changes to the Convention generally aim to facilitate the trans-border exchange of data while further developing the foundational mechanisms for protection of personal data laid down in the Convention in accordance to the legislative changes on European level. The Convention encompasses data processing in both the public and private sectors, hence, the changes seek to improve the level of personal data protection and its current scope. The discussions and the work on the amendment started back in 2012 and ran in parallel with the rest of the legislative changes to the personal data protection framework within the EU, including with the famous General Data Protection Regulation (GDPR).

The Secretary General of the Council of Europe Thorbjørn Jagland points out that the modernization of the Convention is a reflection of the frequent violations of data protection law as for the main focus in its implementation will be preventing of such in the future.

Numerous novelties in the Convention are in accordance with the solutions provided by the GDPR. Some of the main novelties include:

  • The categories of sensitive data are expanded – additionally to the current personal data related to: race, political views, religious or other beliefs, health conditions, ethnicity, crimes, criminal proceedings and sentences; now genetic and biometric data, as well as syndicate membership and data related to ethnicity have also been included to the category;
  • Some of the data subject rights have been expanded, including:
    – The right not be a subject of automated decision-making, when the decision has a significant impact on the subject, without considering their viewpoint;
    – The right to be informed about the data processing;
    – The right of the subject to be informed about the reasoning for data processing, particularly in cases when algorithms are used for the automated decision-making and profiling;
    – The right to object against the processing of personal data, related to the subject unless in cases where the legitimate interest of the controller is prevailing;
  • Additional obligations to the personal data controllers and processors have been introduced:
    – The measures undertaken for data protection have to be connected with their obligation to be able to prove the lawfulness of the data processing (the so-called “accountability” principle);
    – The principles of data protection shall be applied at all stages of processing, including the designing stage (“privacy by design” and “privacy by default”);
    – The suitable measures that have to be undertaken include: training of personnel, establishing suitable notification procedures (establishing data retention periods and specific deadlines for their deletion from the systems); establishing specific contract clauses for delegated processing; establishing of internal procedures providing the possibility to review and to justify compliance, etc.
    – The powers of the Authority elected by the parties of the Convention have been strengthened in order to guarantee the application of the provisions of the Convention. According to the Explanatory Protocol to the Convention, the Authority can either be sole (a commissioner) or collegiate body. Most importantly the Authority has to possess effective regulatory powers and functions and to be independent;
    – The parties of the Convention may introduce other specific authorities whose activity covers only a very restricted sector (According to the Explanatory Protocol the electronic communications sector, the healthcare sector, the public sector and others);
    – The Authority has to be empowered to initiate or participate in court proceedings related to all data protection violations. This is linked to the powers to conduct an investigation and detection of infringements;
    – An obligatory notification about data protection breach has also been introduced;
  • The measures for proportional data processing and application of the principle of data minimization have been strengthened;
  • Amendment of the current terminology – the term “automated data file” has been repealed and there is one new participant to the data processing, called with the term “receiver” (1) , etc.;
  • One of the most important additions to the Convention is the enhanced role of the Convention Committee, which has advisory, but also evaluation and supervisor capacity. It will determine whether and to what extent a Member State or an international organization has fulfilled the requirements set by the Convention. The Committee has the right to evaluate the compliance of the internal law of a Convention party and to determine the effectiveness of the undertaken measures.

It is important to note that all countries as well as international organizations, including the European Union, can accede to the Convention. This turns the Convention into a key tool for harmonizing various data protection legal regimes, by ensuring high degree of protection on international level.

The modernization of the Convention is a crucial step towards the promotion of global data protection standards. The renewed Convention seeks to stimulate the inclusion of as many countries as possible aiming to encourage the international business and its development, now on the basis of more secure and universally applicable rules regarding personal data and its efficient protection.

You can find more information on the official website of the Council of Europe here.


(1) Art. 3, “e” – “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available; Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), URL.

# 10 The Act for Amendment and Supplement to the Personal Data Protection Act, synchronized with GDPR, is officially submitted before the National Assembly

On 18th of July the Bill for Amendment and Supplement of the Personal Data Protection Act was submitted before the National Assembly (the New Bill). The New Bill aims to introduce measures to implement EU’s General Data Protection Regulation (the Regulation/GDPR) and transpose Directive 2016/680 on the protection of personal data in the police sector (the changes proposed in this section – Chapter 8a of the New Bill – will be the subject of a follow-up analysis on our blog).

As expected, some rules from the initial bill (the Old Bill) – subject to public consultation since 30.04.2018 – have been revised as a result of the consultation(1).

At first glance and without claiming to be exhaustive, we underline here some of the amendments made in the New Bill:

1. The minimum thresholds for fines and pecuniary sanctions have been removed since such were not provided in the Regulation. Fines/ sanctions will be imposed according to the criteria set out in the Regulation;
2. The envisaged fine for other violations remains up to BGN 5 000 where the minimum threshold of BGN 1 000 is abolished;
3. The New Bill provides safeguards in order to balance the protected secrecy (e.g. the lawyer’s secret) with the investigating powers of the Commission for the Protection of Personal Data (CPDP), insofar such secrecy provides an option to serve the controllers/ processors as grounds for refusal or access to it by CPDP in case of an inspection;
4. The CPDP will maintain a non-public internal register of data breaches and the measures undertaken in accordance with the exercise of its remedial powers. However, new public ones are being introduced:
– Register of controllers and personal data processors who have appointed Data protection officers (DPO);
-The proposal to maintain a DPO register is removed due to concerns of an attempt to introduce a disguised registration regime for this position, which is not provided in the Regulation;Register of the accredited certification bodies;
-Conduct codes register;
5. The provisions empowering the CPDP to conduct trainings of DPOs were also removed;
6. The personal data retention period of all job candidates/applicants cannot be more than 6 months (in the Old Bill the term was 3 years) after the end of the procedure of recruitment. This restriction also applies to documents that certify the physical and mental health of the applicant, the necessary qualifications and experience for the position held. Other provisions on the protection of personal data in the context of the employment relationship are also specified (e.g. the disputed permission to request explicit consent from employees to process their personal data, which is not required by the employer or a legal act is also removed);
7. The requirement for controllers/ processors to appoint a DPO if they process the personal data of more than 10,000 individuals has also been removed since this requirement, as set out in the Old Bill, has raised serious objections in the public consultation procedure (mainly due to the uncertainties of how it would be applied in practice);
8. Structures, whose main activity is related to the spending of public funds, will be considered as a public body/ structure. This will affect their duty to appoint a DPO;
9. The New Bill also provides new provisions regarding the processing of personal data for the purposes of archiving in the public interest, scientific and historical research, statistical purposes and journalistic purposes.

The full text of the New Bill could be found in Bulgarian here.

As your trusted partner we will continue to keep you updated about the New Bill legislation process as well as all the new developments in the personal data protection legislation on a national and European level.

(1) See in this sense also the latest newsletter of CPDP from July 2018, URL 

# 9 The Commission for Personal Data Protection has repealed Ordinance No. 1 of 30 January 2013 – what technical and organizational measures the organizations need to undertake from now on?

With State Gazette, Issue 43 of 25.05.2018 Ordinance No. 1 dated 30 January 2013 on the Minimum Level of Technical and Organizational Measures and the Admissible Type of Personal Data Protection (the Ordinance) was repealed. The Commission for Personal Data Protection (CPDP) has announced that the Ordinance is to be revised and transformed into methodical guidelines to the controllers without committing to a specific deadline (https://www.cpdp.bg/en/index.php?p=element&aid=1151).

Thus, among other uncertainties concerning the application of the General Data Protection Regulation (“GDPR”), yet another important question arises – what technical and organizational measures should be applied by the organizations from now on in order to ensure an appropriate level of security of the data they process.

Applicable measures under the repealed Ordinance

The repealed Ordinance provided for 5 types of personal data protection (physical, personnel, documentary protection, protection of automated information systems and/or networks and cryptographic protection) and contained detailed regulation of the technical and organizational measures for their implementation.

The CPDP’s previous approach was to oblige the controllers to carry out an impact assessment on each personal data register they keep. On the basis of the determined level of impact for the register the controllers had to apply corresponding level of data protection – a mandatory minimum set of measures settled for each level of impact in the Ordinance. Now the lack of compulsory list of such measures leaves plenty of room for speculation in this respect, so the analysis below is intended to bring some clarity on the issue.

Art. 32 of the GDPR lists some exemplary, but not mandatory measures such as pseudonymization, encryption, etc., which can offer the organizations guidance in terms of what measures are considered appropriate. Of course, the final choice depends on the context and the purposes of the processing. In this sense, although both controllers and processors are not required to apply any of the measures explicitly listed in the GDPR, their obligation to ensure the security of the data processed remains.

Applicable technical and organizational measures from now on

In the process of assessment every controller or processor should bear in mind the following:

First, the GDPR focuses on the protection of personal data as a fundamental human right of the EU citizens. Therefore, the understanding that the GDPR constitutes а “fully technological framework” is untrue. The requirement to implement technical and organizational measures to ensure data security undoubtedly has an important role, but it is just one of the seven basic principles of data protection laid down in the GDPR. In other words, even if we have applied extremely high security measures, even if all the information we handle is encrypted – if we process these data without legal or for illegal purposes or we have not properly informed individuals about such processing etc., our business will not meet the GDPR requirements whatsoever.

Second, GDPR sets out a number of criteria to guide the controller or the processor in defining these measures and choosing the most appropriate amongst all of them. Through this approach, the European legislator achieves a fairly good balance between the freedom of action and the crucial responsibility for attaining an adequate level of data protection.

Nonetheless, the main set of measures laid down in the repealed Ordinance could serve as a good guidance or as a point of reference in terms of data protection. Of course, the assessment should be tailored to the particularities of each and every type of processed personal data in compliance with the established standards and best practices for information security.

In the meantime, we will continue to monitor and keep you updated on the development of the case and the subsequent regulation on the appropriate personal data protection measures as well as the specific measures, undertaken on local level regarding the implementation of the GDPR.


Following our previous publications regarding the GDPR, we will now review one of the entirely new concepts in data protection introduced by the Regulation, namely accountability.

Accountability in practice means that the data controller is able to demonstrate at any time that personal data are processed lawfully, fairly, in a transparent manner and limited to clearly defined purposes, keeping the data accurate and up to date and retaining it only for the time required to achieve these purposes, while ensuring an appropriate level of security and protection of the personal data.

Accountability implies proper documentation of all the processes of processing personal data within the undertaking. In other words, undertakings should keep documentary track of the processing – relevant written records allowing for traceability of the data processing processes and serving as an element by which to demonstrate compliance with the GDPR requirements in the event of a CPDP inspection.

Among others, some of the most essential tools for achieving accountability are the following:
• maintaining records of the processing activities under Art. 30 GDPR;
• proper regulation of the relations with data subjects with regard to data processing (through personal data protection policies, privacy notices, etc.);
• proper regulation of relations with third parties regarding the transfer of data (contracts between controllers and contracts between controllers and processors);
• designation of a data protection officer, where applicable;
• conducting an impact assessment in the presence of a high risk to the rights and freedoms of the data subjects;
• timely communication to the Commission for Personal Data Protection and the data subject in cases of personal data breaches;
• implementing voluntary certification mechanisms and/or compliance with codes of conduct;
• аdopting internal rules for personal data protection (guidelines, policies, etc.).

Of the above listed tools, particular attention should be given to record-keeping of the processing activities. These records shall be maintained by the personal data controller and the processor and shall be made available to the supervisory authority upon its request. The content of the records is laid down in detailed in the GDPR (Article 30, paragraphs 1 and 2).

The obligation of record keeping does not apply to organisations with fewer than 250 employees unless (i) the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (ii) includes special categories of personal data or personal data relating to criminal convictions and offences. Regardless of which of these exceptions is present, the organisation concerned shall keep records of the relevant processing activity.

The impact assessment is also important for adherence to the principle of accountability. The Working Party established by Art. 29 accepts that the data protection impact assessment is a key tool for achieving accountability as it not only contributes to compliance with the requirements but also demonstrates the existence of appropriate safeguards.

The Working Party established by Article 29 – an European Union data protection advisory body – in one of its opinions on the old data protection regime points out some of the categories of general accountability measures other than the ones listed above, the most important of which are[1]:
• identifying all data processing processes within the organisation;
• ensuring adequate level of data protection, training the staff members processing or responsible for personal data (such as heads of human resource departments), but also IT managers, developers and business units directors, as well as allocating sufficient resources for protection of personal data within the organisation;
• establishing an internal mechanism for handling complaints;
• developing internal procedures for the effective management and reporting of data protection breaches;
• implementing and monitoring verification procedures to ensure that all the measures are not only formal ones, but they are actually introduced and implemented (internal or external audits, etc.).

What is the practical need for the principle of accountability and why should an organization make efforts to comply with it?

Personal data are a specific type of “resource” for any organisation. They constitute a powerful business tool as they provide information about the choices, preferences, attitudes and needs of consumers. This opens up great prospects for better marketing, PR, etc. Besides being a resource, personal data are a special category of information that may affect the privacy of the persons they relate to, or allow for malpractices (manipulations, etc. – an example of this is the scandal with Cambridge Analytica and data from the social network Facebook). Therefore, organisations should ensure adequate level of protection for this type of data. This is increasingly important in the context of the new rules and high sanctions introduced by the GDPR.

The purpose of the accountability principle is to gradually develop a culture of proper documentation of the entire movement of any personal data within the organisation. This would allow companies to have greater control and will enable them to more adequately manage their resources, and in a case of an inspection – to demonstrate compliance with the GDPR requirements.

[1] Opinion 3/2010 on the principle of accountability, WP 173, Adopted on 13 July 2010, p. 11-12.

#7 Bill on Amendment and Supplement to the Personal Data Protection Act is published for public consultation

On 30 April 2018, less than a month before the date of which the new European Data Protection Regulation – Regulation 2016/679 (GDPR) begins to apply, a Bill on Amendment and Supplement to the Personal Data Protection Act, currently in force in Bulgaria, was published in the public domain (the Bill). The Bill aims at harmonizing the Bulgarian legislation on the protection of personal data with the European one.

In this publication we will only focus on some of the most important and interesting elements of the Bill, and the whole Bill should be subject to detailed analysis and evaluation by all stakeholders in the following days:

  • The Commission for Personal Data Protection (CPDP), which had so far fulfilled this function, was officially appointed as a supervisory body within the meaning of GDPR. It will be the independent body that will monitor the protection of individuals in the processing of their personal data and the enforcement of the Regulation.
  • GDPR introduced a new figure to society, namely the Data Protection Officer. With the Bill, the Bulgarian legislator provided for a new ground for appointing such a person, setting precise limits for his appointment, namely the processing of personal data of “10,000 individuals”.
  • The Bill provides that the CPDP should organize and conduct trainings of the persons designated for taking the position of a “data protection officer” or of persons wishing to be trained to take up this position. The trainings will be paid at a rate set by the Minister of Finance. This is a specific national solution that has no analogue in GDPR and which is rather controversial, because the European legislation does not require specific certification/mandatory registration for this position.
  • One of the Bill’s interesting innovations relates to following obligation: in case data is received without a legal basis, whether by a controller or a processor, the latter has to return it immediately or deleted it within one month of getting aware of the fact.The age threshold for obtaining children’s consent f
  • or the provision of information society services is reduced (from 16 years under GDPR to 14 years under the Bill). Here the change is quite reasonable considering the “total incapacity” institute, established for persons under 14 years of age under Bulgarian law.
  • According to the Bill, public access to National Identification Number / Foreigner Identification Number will be provided solely if required by law. Therefore, controllers providing electronic services will need to take technical and organizational measures to avoid National Identification Number to be the only identifier for the provision of the service.
  • The Bill contains specific rules for balancing the freedom of academic, artistic and literary, expression with the protection of personal data.

Important changes also stand with regard to employers. The legislator took advantage of the opportunity provided by Art. 88 of the GDPR, by establishing special rules in this respect.

  • The Bill provides for the prohibition of copying the national ID document, the driving license, the worker / civil servant residence permit, with only one admissible hypothesis, namely the existence of an explicit legal obligation on the controller or the processor.
  • Employers will also need to provide for a number of rules and procedures to show compliance with the new law and to ensure that these rules and procedures are brought to the attention of employees. Such will be needed, for example, in the framework of: (i) a system of evidence of breaches, (ii) restrictions on the use of in-house resources, and (iii) access control, working time and labor discipline.
  • The employer will be able to store personal data of participants in personnel selection procedures for up to 3 years.

With the Bill, in addition to synchronizing national provisions with GDPR requirements, the legislator will also transpose the Directive (EU) 2016/680 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, and has dedicated a whole chapter of the Bill to this end.

Interestingly, the legislator set out minimum thresholds (such do not exist under the GDPR) of BGN 10,000 for infringements punishable with a fine of up to EUR 20,000,000 and BGN 5,000 for infringements punishable with a fine of up to EUR 10,000,000.

For offenses other than those specified in the GDPR, a fine of BGN 1,000 to 5,000 is introduced. For failure to comply with the CPDP’s prescription, the sanctions will also vary in quite high amounts, namely between BGN 2,000 and BGN 200,000.

It remains to be seen whether this Bill will be adopted according to the proposed draft version. In any case, the positive intention of the Bulgarian legislator to settle the issue of bringing national legislation in line with the new rules on personal data protection before 25 May 2018 should be appreciated. Unfortunately, however, the short deadlines for public discussion (opinions on the Bill can be submitting by 14 May 2018) may be a barrier to the possibility of a detailed and comprehensive national discussion of the proposed measures.

Link to the Bill

# 6 Administrative Fines under the GDPR

Following our previous publications regarding the GDPR, we shall now look into the most sensitive GDPR-related topic, namely fines and penalties.

We shall discuss the limits for these administrative fines, the criteria applicable to determining the amount thereof, as well as the specificities in work when determining fine amounts in case of undertakings and how group corporate structures shall be affected by the specificities in question.

The Regulation provides for two limits of administrative fines depending on the type of infringement:

  • Infringements of any of the obligations of the controller/processor (stipulated in Article 8, 11, 25-39, 42 and 43 of the GDPR) are subject to administrative fines up to 10 000 000 EUR, or up to 20 % of the total worldwide annual turnover of the preceding year of an undertaking.
  • Infringements of the principles of processing inherent in the Regulation, the data subjects’ rights, the transfers of personal data to a recipient in a third country, any obligations pursuant to Member State law and pertinent to special processing situations, as well as non-compliance with an order or a temporary definitive limitation by the supervisory authority are subject to administrative fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year of an undertaking.

The aforementioned amounts are the upper limits of administrative penalties to be imposed. Depending on the specific infringement and the ratio between due care and care actually exercised, the amounts of administrative fines may vary greatly. Different circumstances weigh in when assessing amounts. For instance, in case of infringement of several provisions of the Regulation for the same or linked processing operations, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. In case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.

This raises the question of the criteria for setting the amounts of fines. The Regulation allows for a number of interpretations, but the Article 29 Working Party considers that assessment must depend on the degree of interference and remedy needed for any wrongful conduct or on whether any such interference or remedy is dissuasive or punitive in nature.

So far as the general rules and conditions for imposing administrative fines are concerned, those are detailed in Article 83 of the Regulation. A key element is the requirement to impose effective and proportionate fines. Such fines may be settled based on a number of circumstances such as:

  • The nature and duration of infringement;
  • The purpose of the processing concerned as well as data categories affected thereby. Certain special data categories, such as the ones revealing racial or ethnic origin, political opinions and religion are subject to higher protection[1];
  • The circumstances surrounding the infringement, namely if it is of intentional or negligent character;
  • The degree of responsibility of the controller/processor when establishing the infringement and upon termination thereof. Notification to the supervisory body and cooperation with the supervisory body in order to mitigate the infringement constitute mitigating factors;
  • Any other mitigating or aggravating factors also matter, such as previous infringements, financial benefits from the infringement, etc.

The amounts of fines imposed to undertakings may be significant. It is, therefore, reasonable to specify what is meant by “undertaking” in the Regulation. Here the legislator refers to Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).

Although not explicitly defined therein, the term is given a broader interpretation in the case law of the Court of Justice of the EU, and according to it, for the purposes of Articles 101 and 102, the term “undertaking” is to be understood as an economic unit that may consist of a parent unit and any subsidiaries thereof. Any structures where one company exerts control over another company, whereby both companies are economically and organizationally related, shall constitute one undertaking. Such an interpretation of “undertaking” is likely to result in significant increase in the amounts of fines based on the total worldwide annual turnover of the entire corporate group, not the turnover of the specific business entity to have committed the infringement.

In conclusion, we would like to specify that the amounts of administrative fines discussed above and stipulated in the Regulation, are the upper limits of fines and sanctions that may be imposed in case of graver infringements. The Regulation reads that any case of infringement has to be subjected to extensive evaluation with due consideration of any mitigating or aggravating factors.[2] We would like to reiterate that due to the broad interpretation of the term “undertaking”, the annual turnover of the entire group of companies may be considered when determining the amount of the fine, thus significantly increasing thereof. That is why compliance with the requirements of the Regulation is of paramount importance.


[1] Articles 9 and 10 of the Regulation provide definitions of these special categories.

[2] Guidelines of the Article 29 Working Party on the application and setting of administrative fines for the purposes of the Regulation 2016/679.

# 5 The Transparency Principle under the GDPR

Following our previous publications regarding the key points introduced by the GDPR, now we will focus on one of the new principles of data protection – transparency.

Transparency is a long-established feature of EU law which is all about engendering trust in the processes which affect citizens by enabling them to understand and, if necessary, to challenge those processes[i]. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. The principles of fair and transparent processing require that the data subject should be informed about the existence of the processing operation and its purposes.

Transparency allows data subjects to keep data controllers and processors accountable and to exercise control over their personal data. Transparency requirements apply regardless of the legal ground for processing and throughout the entire life cycle of processing. Transparency as a principle applies to the following three stages of the cycle of processing:

1) Before the processing – when providing information to data subjects in relation to the collection of their data and how these data will be processed;

2) Throughout the whole processing period – in the manners in which data controllers communicate with data subjects in relation to their rights under the GDPR;

3) In specific cases during the processing – e.g. in case of data breaches or substantial changes to the processing.

What is the meaning of transparency? The principle of transparency in general requires that any information and communication relating to the processing of personal data should be easily accessible and intelligible, and clear and plain language should be used. That principle concerns especially information on the controller’s identity and the purposes of processing that is provided to data subjects, as well as further information ensuring fair and transparent processing in respect of data subjects and their right to obtain confirmation of their personal data processing.

Natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data, and how to exercise their rights in relation to such processing.

Article 12 of the GDPR provides the requirements to the information provided to data subject in relation to the processing:

  • it must be concise, transparent, intelligible and easily accessible;
  • clear and plain language must be used;
  • the requirement for clear and plain language is of particular importance when providing information to children – children merit special protection as they may be less aware of the risks and their rights in relation to the processing of personal data, so the information addressed to a child must be in such a clear and plain language that the child could easily understand it;
  • It must be provided in writing or by other means, including where appropriate, by electronic means;
  • Where requested by the data subject, the information may be provided orally (including by automated means like audio recording) – GDPR specifically requires that information may be provided orally on request provided that the identity of the data subject is proven by other means. This precondition applies only in relation to information provided under Art. 15 – 22 and Art. 34 of the GDPR. General information under Art. 13 and Art. 14 of the GDPR may be provided without the controller requiring the data subject’s identity to be proven[ii];
  • It must be provided free of charge – controllers cannot charge data subjects for the provision of information. Exception may exist where requests from a data subject are manifestly unfounded or excessive (for example repetitive) – in these cases the controller can either charge a reasonable fee or refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

The categories of information that must be provided are listed in Art. 13 and Art. 14 of the GDPR – these are basically details of the data controller, purposes, legal basis, processing time, information on the rights of the data subject, information on whether the provision of personal data is a legal or contractual requirement, and the consequences of a failure to provide data. A new requirement introduced by the GDPR is to provide information on the legal basis for the processing purposes – controllers should be able to relate each specific processing purpose to a specific legal basis. This actually means that controllers should be aware of the reasons for the processing of personal data and can properly identify the legal basis which is applicable to a particular purpose.

Besides the content, the form and manner in which information under Art. 13 and 14 of the GDPR should be provided are also important.  The information in relation to the processing of personal data should be provided to the data subject at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case, but not later than 1 month. With a view to these requirements, controllers should develop mechanisms to inform data subjects within the specified time limit whenever they collect and store information that is not received from the data subjects themselves, but is obtained from the Internet, a public register, etc.

Information about the processing should be provided separately from any other information – in practice, separate documents should be prepared (declarations, notices, privacy policies, and etc.). The Art. 29 Working Party, an EU data protection advisory body, advises on using layered privacy statements and push/pull notices[iii]. Information which must be provided to data subjects can also be provided in combination to standardized icons allowing the controller to give a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

In conclusion, we should summarize that the principle of transparency requires providing information to data subjects with regard to every personal data processing, which guarantees their right to be aware of the process and challenge it if needed. Exceptions to this requirement are very limited – where the data subject already has the information or where providing the information proves impossible or would involve a disproportionate effort.

Duly documenting how the principle of transparency is guaranteed becomes even more important in the context of the new principle of accountability according to which controllers carry the burden and must at all times be able to demonstrate compliance with the GDPR requirements. Therefore, it is advisable for all companies to develop mechanisms to ensure the compliance with the transparency requirement – the development of appropriate tools (privacy policies, communications, declarations) as well as procedures for informing the subjects (e.g. in case of breaches of the data security).


[i] Guidelines on transparency under Regulation 679/2016 of Article 29 Data protection working party (project), p. 5

[ii] Guidelines on transparency under Regulation 679/2016 of Article 29 Data protection working party (project), p. 11

[iii] Guidelines on transparency under Regulation 679/2016 of Article 29 Data protection working party (project), p. 17-18.

# 4 Consent as one of the six legitimate grounds for data processing

Dear clients and partners,

Again with GDPR in mind, we will examine consent as one of the six legitimate grounds for data processing.

By paying a lot of attention to the Regulation, partially due to the high fines it introduces, the media has provided a wide coverage of GDPR issues and key terms, including ‘consent’.

What do we know about consent so far? It is well-known that in order to be valid, consent should be:

  • freely given – the data subject should have a genuine and free choice and be able to refuse or withdraw consent without detriment;
  • specific – consent should refer to clear purpose and specified term for processing as well as to defined persons who will have access to the data;
  • informed – the data subject should be informed at least of the identity of the controller and the purposes of the processing;
  • unambiguous – it is necessary that consent is provided through a clear affirmative action – a statement or an act clearly showing that the data subject agrees to the processing.

Having briefly outlined these main features of consent validity, this publication will focus on further key aspects of the use of consent as а legal ground for processing, which are not as familiar, but which require some particular attention.

The meaning of consent as a ground for processing should not be taken too far, nor should its use be considered a panacea. There are a few reasons for that.

First, consent is only one of the six grounds for processing and its application is limited in case any of the other five legal grounds applies. For instance, consent should not apply when processing is required for the purposes of a contract. In such cases, using consent as grounds for processing is neither required, nor desirable. Remember – consent may be withdrawn! What would happen to contractual relations then…

Second, according to the understanding of the Working Party under Art. 29 (WP29), a processing activity for a specific purpose cannot be based on multiple lawful grounds. In this sense, when we process data on the grounds of consent, we cannot combine or “strengthen” consent with another legal basis, just in case the data subject withdraws their consent. Besides, if we have already started processing data on the grounds of consent, we cannot change those grounds later on. The reason is again the fact that consent may be withdrawn – a hypothesis that is non-existent with regards to the rest of the legal bases for processing.

Third, consent as a ground for processing depends on the context in which it is given. GDPR pays a special attention to the imbalance in the relations between the personal data controller and the data subject. Labour relations are just one of the many examples of such an imbalance. There is hardly a company not facing the issue of ensuring compliance of labour relations with the Regulation’s requirements. How much can we rely on consent in this context?

According to WP29, consent cannot be used as a legitimate ground here. The reason is in the imbalance between the parties and the impossibility for the employee, who constitutes a data subject, to make a free choice under fear or discomfort of potential adverse effects, which contradicts one of the main requirements for the validity of consent – the free choice.

The same example can be given with respect to the relations in which the controller is a public authority. In this case again it cannot be assumed that the data subject makes a realistic choice on whether to give their consent or not, insofar as the other party is in fact the stronger one. Such relations are marked by an obvious inequality in the context of which consent would not be valid.

Any type of influence or pressure on data subjects is considered to be an obstacle to making a free choice that deprives consent of validity and processing – of lawfulness. The controller should be able to prove at any time that consent is obtained without any threat of potential adverse effects in case of refusal.

Fourth, consent should be given separately for each and every purpose of processing. Even if the purpose recurs in certain periods of time, it is recommendable to renew the consent and inform the data subject of the processing again. It should not be assumed that once consent for processing for a particular purpose is given, it will be sufficient for subsequent data processing for other purposes.

Finally, if you imagine that obtaining consent involves some sophisticated terminology and complex language, you can relax. The information provided for the purpose of obtaining data subject consent should be simple and easy to understand by the average citizen. In this sense, exquisite legal style is in no way useful according to the GDPR.

In conclusion, we will highlight a key aspect of consent that will prove to be particularly beneficial to the online business environment – there is no legislative requirement for consent to be obtained in writing. Various techniques, particularly those related to IT solutions, would allow for consent to be accepted as explicit and therefore valid. The European legislator has provided data controllers with the opportunity to obtain consent through various manners and means, including by ticking a checkbox upon visiting a website, adjusting online service settings, etc.


# 2 How to Avoid a €20m or a 4% from your annual turnover sanction. Meritas Guide to the Steps Companies Should Take to Comply with GDPR

In the light of the new Regulation (EU) 2016/679 (GDPR) concerning personal data protection that shall apply as of May 25, 2018, MERITAS – a leading global network has prepared a short informative video to illustrate recommended steps to companies in order to ensure GDPR compliance.

The preparation process is divided into three major stages:

  • Discovery/audit of the personal data processing practices applied in the organization;
  • Gap analysis;
  • Development and implementation of internal policies and procedures that correspond to GDPR requirements.

As a global legal network, MERITAS has a cross-border Data Protection Group that brings together leading experts in the field from the member law firms across EU. Their collaboration allows them to resolve their clients’ domestic and international data protection issues.

Dimitrov, Petrov & Co. is the exclusive member of MERITAS for Bulgaria since 2005 and is also actively preparing its customers for ensuring compliance with the GDPR requirements.