# DOs and DON’Ts under the new Bulgarian data protection law

As of today, February 26, the long-awaited amendments to the Personal Data Protection Act (the “Act/PDPA”) aimed at harmonizing Bulgarian legislation with the General Data Protection Regulation (GDPR) are a reality. In addition, the Act introduces certain national rules specific to Bulgaria.

Below you will find a short list of some of the most important requirements introduced by the new Act:

## DOs

  • Adopt explicit internal rules in case you carry out any of the following activities or you have implemented any of the following processes within your organisation:
    – You conduct video surveillance;
    – You have restricted the use of the company’s devices, systems or resources (for example, if you have restricted your employees’ access to certain websites);
    – You have implemented a system for reporting violations (the so-called “whistleblowing” systems);
    – You have implemented systems controlling access, working hours or work discipline (card check-in systems, GPS systems for tracking company cars and other company technical devices);
  • Inform your employees about the adopted internal rules and provide them with access to these documents;
  • Store the personal data collected within recruitment procedures for no more than 6 months. Request the applicant’s consent to store his/her data for a longer period;
  • Appoint a Data Protection Officer (DPO) in case you fall within the definition of a “public authority” in accordance with the Act – a state or local authority, as well as a structure, the main activity of which is related to expenditure of public funds;
  • Provide the names, PIN/PNF and contact details of your DPO (if designated) to the Commission for Personal Data Protection (CPDP);
  • Whenever the personal data of minors (under the age of 14) is processed on the basis of consent, obtain consent from the parent exercising parental rights or from the guardian. This requirement applies not only to the provision of information society services but to any form of processing based on consent;
  • Where the personal data of deceased persons is processed, carry out such processing only where there is a legal ground for it, and take appropriate measures so that the processing does not adversely affect the rights or freedoms of others or any public interest;
  • When processing personal data for the purposes of journalistic, academic, artistic or literary expression, always strike a balance between freedom of expression, the right to information and privacy, in line with the criteria set out in the PDPA.

## DON’Ts

  • Do not copy identification documents (ID card, passport, driver’s license) or residence permit (unless you have ensured a legal ground provided for by law);
  • Do not allow free public access to information containing PIN/PNF, unless otherwise provided by law (for example: publication of lists containing personal data);
  • Do not use the PIN/PNF as a password: the Act requires appropriate technical and organizational measures to prevent the use of the PIN/PNF as the only means of user identification when providing remote access to electronic services (e.g. as a password for access to medical test results).

Tailor your practices to the new requirements, bearing in mind that our list is not an exhaustive one and is intended only to familiarize you with the general structure of the amendments adopted.

Keep an eye on our follow-up publications, where the most important changes will be analyzed in more detail; we will continue to keep you up to date in the field of personal data protection!

# The Act for Amendment and Supplement to the Personal Data Protection Act, synchronized with GDPR, is officially submitted before the National Assembly

On 18 July the Bill for Amendment and Supplement of the Personal Data Protection Act was submitted before the National Assembly (the New Bill). The New Bill aims to introduce measures implementing the EU’s General Data Protection Regulation (the Regulation/GDPR) and to transpose Directive 2016/680 on the protection of personal data in the police sector (the changes proposed in this part – Chapter 8a of the New Bill – will be the subject of a follow-up analysis on our blog).

As expected, some rules from the initial bill (the Old Bill) – subject to public consultation since 30.04.2018 – have been revised as a result of the consultation (1).

At first glance and without claiming to be exhaustive, we underline here some of the amendments made in the New Bill:

1. The minimum thresholds for fines and pecuniary sanctions have been removed since such were not provided in the Regulation. Fines/ sanctions will be imposed according to the criteria set out in the Regulation;
2. The envisaged fine for other violations remains up to BGN 5 000 where the minimum threshold of BGN 1 000 is abolished;
3. The New Bill provides safeguards to balance protected secrecy (e.g. lawyer’s secret) against the investigative powers of the Commission for the Protection of Personal Data (CPDP), insofar as such secrecy may serve controllers/processors as grounds for refusing the CPDP access to it in the course of an inspection;
4. The CPDP will maintain a non-public internal register of data breaches and of the measures undertaken in the exercise of its remedial powers. New public registers are also being introduced:
– Register of the accredited certification bodies;
– Register of codes of conduct.
The proposal for a register of controllers and processors who have appointed a Data Protection Officer (DPO) has been removed, due to concerns that it would introduce a disguised registration regime for this position, which is not provided for in the Regulation;
5. The provisions empowering the CPDP to conduct trainings of DPOs were also removed;
6. The personal data retention period for all job candidates/applicants cannot exceed 6 months (in the Old Bill the term was 3 years) after the end of the recruitment procedure. This restriction also applies to documents certifying the physical and mental health of the applicant and the qualifications and experience required for the position. Other provisions on the protection of personal data in the context of the employment relationship are also specified (e.g. the disputed permission for employers to request explicit consent from employees for the processing of personal data not required by the employer or by a legal act has also been removed);
7. The requirement for controllers/ processors to appoint a DPO if they process the personal data of more than 10,000 individuals has also been removed since this requirement, as set out in the Old Bill, has raised serious objections in the public consultation procedure (mainly due to the uncertainties of how it would be applied in practice);
8. Structures whose main activity is related to the spending of public funds will be considered public bodies/structures. This will affect their duty to appoint a DPO;
9. The New Bill also provides new provisions regarding the processing of personal data for the purposes of archiving in the public interest, scientific and historical research, statistical purposes and journalistic purposes.

The full text of the New Bill can be found in Bulgarian here.

As your trusted partner we will continue to keep you updated about the New Bill legislation process as well as all the new developments in the personal data protection legislation on a national and European level.

(1) See in this sense also the latest newsletter of CPDP from July 2018, URL 

# Dimitrov, Petrov & Co. contributes to the new Data Privacy Advisor service of Thomson Reuters

As a response to the global dynamics in regulations concerning data privacy, the international mass media corporation Thomson Reuters launched a new online service – Data Privacy Advisor. It aims to combine best-in-class content related to data privacy. In addition to providing timely feeds on news and trends in the field and returning answers to data privacy research questions, the service contains ample information on data privacy rules applicable in different countries.

The materials published in the Bulgarian section were prepared by Desislava Krusteva, CIPP/E, head of the Privacy Data Protection Practice at Dimitrov, Petrov & Co., and Gavrail Poterov, also a member of the law firm’s team. The law firm’s collaboration with Thomson Reuters on this project is ongoing: the experts at Dimitrov, Petrov & Co. keep the Bulgaria-related information on the Data Privacy Advisor up to date.

A presentation and preview of the Data Privacy Advisor service are available here: Data Privacy Advisor Overview