# 18 The Bulgarian Commission for Personal Data Protection published an opinion on the determination of the figures of “controller” and “processor” in the conduct of clinical trials

Crucial for the pharmaceutical sector opinion of the Bulgarian Commission for Personal Data Protection (CPDP/Commission) on the determination of the figures of “controller” and “processor” in the conduct of clinical trials was published on 10.06.2019 on the website of the Commission.

According to the opinion, when conducting clinical trials, the medical institutions and the sponsor of the clinical trial act in the capacity of joint controllers under the meaning of Art. 26 of the Regulation (EU) 2016/679 (GDPR).

The opinion has been published after CPDP examined a request by a company having the capacity of a “sponsor” under the meaning of § 1, item 8 of the Additional Provision of the Medical Products in the Human Medicine Act (MPHMA), i.e. a company which is responsible for initiating, management and/or financing a clinical trial and is participating in the clinical trials initiated by it. The requesting company states that while conducting clinical trials, the sponsor also has relations with other persons participating in the clinical trials, namely with the principal investigator and the investigators, as well with the members of the investigator’s team – collaborators, monitors and auditors of the trial.

To clearly determine the roles of the parties, CPDP examines the figures of “Controller” and “Processor” in the light of the national and EU legislation regulating clinical trials. Furthermore, CPDP explains that the Regulation (EU) No 536/2014 of the European Parliament and of the Council on Clinical Trials on Medicinal Products for Human Use and the MPHMA exhaustively determines the functions and tasks of all persons participating in a clinical trial. According to the Commission, the data processing activities related to the conduct of clinical trials, could not be carried out “on behalf” of the sponsor of the trial, since such activities cannot be carried out by it, but only by organizations authorized in accordance with the applicable procedures and having the status of a “medical institution”. This is yet another confirmation of the thesis long ago adopted both in theory and practice (including that of CPDP), that not each assignment contract automatically leads to arising of relationship of the type of controller-processor and that in order to adequately determine the roles and responsibilities of the parties with regard to the processing of personal data, the nature of the rights and obligations of the parties in the contractual relationship need to be taken into account.

An additional argument for classification of the parties‘ roles according to CPDP is the Opinion 1/2010 of the Article 29 Data Protection Working Party (now European Data Protection Board) on the concepts of “controller” and “processor” which explicitly states that when conducting clinical trials, the participants are processing personal data in the capacity of joint controllers (p. 30 from the Opinion).

The main consequence of this opinion for the pharmaceutical companies and the medical institutions that conduct clinical trials is that they will need to conclude an agreement between themselves that shall in a transparent manner determine their respective responsibilities for compliance with the obligations in the field of data protection. In particular, they will have to regulate matters related to exercising the rights of the data subject and their respective duties to provide the information referred to in Art. 13 and 14 of GDPR. Furthermore, the data subjects-participants in the clinical trial may exercise their rights in respect of and against each any of the controllers. (Art. 26, Para. 3 of GDPR).

# 17 The Territorial Scope of GDPR

Further to the series of publications regarding the changes introduced by the GDPR, in this publication we will introduce to you the territorial scope of the GDPR.

The territorial scope of the GDPR is a key factor of importance for achieving compliance with the data protection requirements since nowadays many services are delivered globally and online. Especially, companies outside the EU are in the need to determine whether they are directly subject to the strict requirements of the GDPR. To help companies, in the late 2018 the WP29’s successor, the European Data Protection Board (EDPB) published, Guidelines on the territorial scope of the GDPR.

This article aims to summarize and clarify the criteria as well to provide some useful insights and guidelines on the territorial scope of the GDPR.

The territorial scope of the GDPR is determined by its Article 3 as the norm contains three basic criteria.

Establishment in the EU
The first criterion for determining the applicability of the territorial scope of the GDPR is the establishment of controller or processor in the Union (Article 3 (1)).

According to the GDPR, ‘establishment’ implies the effective and real exercise of activity through stable arrangements. The form of the arrangements, for example, whether the activity is being carried out through a branch or a subsidiary, is not relevant.

The CJEU in its practice ruled that the notion of establishment extends to any real and effective activity exercised through stable arrangements. In fact, even the presence of one single employee or agent of the non-EU entity may be enough to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.

Circumstances that the non-EU entity does not have a branch or subsidiary in a Member State do not preclude it to be considered as having an establishment there within the meaning of the GDPR. This means that when a company with headquarters in the US has a branch, a sales office or when just performing activities for revenue raising in the EU, it could be considered as to have stable arrangements thus establishment in the EU and the GDPR to be applicable on its activities.

Article 3 draws also the attention that the criterion for establishment in EU should be evaluated on both the controller as well as the processor. The EDPB takes the view that when it comes to the identification of the different obligations triggered by the applicability of the GDPR, the personal data processing activities by each legal subject be it controller or processor should be seen as a separate topic.

For example. where a controller established in the EU mandates a processor located outside the EU, the non-EU processor will not be considered as having an establishment in the EU just because the controller in an EU entity. In such case, the GDPR will not directly be applicable to the non-EU processor. Only the EU-controller will be required to comply with all the GDPR requirements applicable to controllers (the ‘GDPR controller obligations’). One of those obligations is, namely, to ensure by contract or other legal act that also the non-EU processor will process the data in accordance with the GDPR.

On the contrary, a non-EU controller cannot be considered as having an establishment in the EU just because it uses a processor established in the EU. In the latter case, the GDPR would be applicable only to the EU-processor, and, only it will be required to comply with the GDPR requirements applicable to processors (the ‘GDPR processor obligations). These are, for example, for the EU-processor to implement appropriate technical and organizational measures in accordance with the GDPR, to notify the controller without undue delay after becoming aware of a personal data breach, or to designate a data protection officer.

Targeting persons EU
The second criterion is the so-called ‘targeting’ of persons in the EU (Article 3 (2)). The GDPR defines the targeting criterion in the ‘offering of goods or services irrespective of whether a payment is required to data subjects in the EU’, and in the ‘monitoring of their behavior as far as their behavior takes place within the EU’.

This largely focuses on the question whether the activities of an entity are addressed/targeted at users in the EU which is to be determined on a case-by-case basis.

The location of the subject data in the territory of the EU is a determining factor for the application of the targeting criterion. The EDPB considers that the nationality or legal status of a data subject cannot limit or restrict the territorial scope of the GDPR. Therefore, also activities addressed at citizens of third-countries who are in the EU may trigger the application of the targeting criterion and lead to applicability of the GDPR on these activities.

In order for companies to determine whether their activities are to be considered as offering of goods or services to data subjects in the EU, the latter should assess all for their business model relevant circumstances such as their intention to offer goods or services in the EU, whether their website, support or maintenance services are being offered in a local language and accept local currency, whether they have appointed a local point of contact for sales and support services etc.

To trigger the application of the second targeting criterion mentioned by the GDPR, namely, the ‚monitoring of behavior‘, the monitoring activity must first relate to a data subject in the EU and the monitored behavior must take place within the territory of the EU. The GDPR and the EDPB mention as few examples for monitoring activities the behavioral advertisement, geo-localization activities, online tracking through the use of cookies or other tracking techniques, personalized diet and health analytics services online, CCTV, market surveys and other behavioral studies based on individual profiles, monitoring or regular reporting on an individual’s health status etc.

It is important to note that the processing of personal data of persons located outside the territory of the EU, be it EU citizens or not, does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the EU.

Application of Member State Law by virtue of public international law
The provision of Article 3(3) is expanded upon in Recital 25 which states that where Member State law applies by virtue of public international law, the GDPR should also apply to a controller not established in the EU.

This means GDPR could also apply to personal data processing carried out by EU Member States’ embassies and consulates, or in EU ships in international waters. The fact that a data processing activity is being carried out on an EU-registered cruise ship means that by virtue of public international law the GDPR shall be applicable.

Controllers or processors not established in the Union must appoint a local representative
Finally, please be always advised that a controller or processor not established in the EU but subject to the GDPR is, obliged to designate a representative in the EU in accordance with Article 27 and failing to designate such a representative would consequently be in breach of the Regulation by the respective controller or processor.

The GDPR and EDPB provide some further guidance on the designation process, establishment obligations and responsibilities of the representative in the EU. For example, it is important to know that the representative:
• can be natural or legal person established in the Union;
• should be explicitly designated by a written mandate such as written contract with the controller or the processor to act on its behalf with regard to its obligations under the GDPR such a service contract;
• in general, cannot be at the same time data protection officer (DPO) of the company;

Article 27(2) foresees some exceptions from the mandatory designation of a representative in the Union such as when:
• the processing is occasional, does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences; or
• the processing is carried out by a public authority or body.
Article 27(3) foresees that the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.

The EDPB further recommends, that the representative must remain easily accessible for any data subjects in any Member State where the services or goods are being offered or where the behavior is being monitored.

Please be advised that the representative in the Union acts on behalf of the controller or processor it represents with regards to the controller or processor’s obligations under the GDPR. This implies notably the obligations relating to the exercise of data subject rights, and in this regard the identity and contact details of the representative must be included in all information documents of the controller in accordance with the requirements of Article 13 and 14 such as their privacy notices.

The representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities regarding any action taken to ensure compliance with this Regulation.

The Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the European Data Protection Board can be found here.

# 16 INFORM e-Learning platform – a convenient means for introduction to data protection law

Recently our colleagues from Law and Internet Foundation have launched an online platform that introduces data protection law in an easily accessible manner. The e-learning platform is built as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project and is available on the following link.

The registration is quick and straightforward, allowing the user to choose his/ her role (judiciary, court staff & legal practitioner) since the platform is organised in three distinct modules. Each of the modules provides tailored content according to the specifics of each of the roles.

The platform provides comprehensive introduction to EU data protection law, focusing not only on GDPR but also on the provision of Directive 2016/680. The users can quickly check their knowledge on the topic as the e-learning platform maintains self-assessment functionality.

This article is created as part of the INFORM (INtroduction of the data protection reFORM to the judicial system) project, financed under the Justice Program of the European Commission. The contents of this article are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

# 15 DOs and DON’Ts under the new Bulgarian data protection law

As of today, February 26, the long-awaited amendments to the Personal Data Protection Act (the “Act/PDPA”) aimed at harmonizing the Bulgarian legislation with the General Data Protection Regulation (GDPR) are already a fact. In addition, the Act brings about certain specific national regulations.

Below you will find a short list of some of the most important requirements introduced by the new Act:

DОs

  • Adopt explicit internal rules in case you carry out any of the following activities or you have implemented any of the following processes within your organisation:
    – You conduct video surveillance;
    – You have restricted the use of the company’s devices, systems or resources (for example, if you have restricted your employees’ access to certain websites);
    – You have implemented a system for reporting violations (the so-called “whistleblowing” systems);
    – You have implemented systems controlling the access, the working hours or the work discipline (card check-in systems, GPS systems for tracking company’s cars and other company’s technical devices);
  • Inform your employees about the adopted internal rules and provide them with access to these documents;
  • Store the personal data collected within recruitment procedures for no more than 6 months. Request the applicant’s consent to store his/her data for a longer period;
  • Appoint a Data Protection Officer (DPO) in case you fall within the definition of a “public authority” in accordance with the Act – a state or local authority, as well as a structure, the main activity of which is related to expenditure of public funds;
  • Provide the names, PIN/PNF and contact details of your DPO (if designated) to the Commission for Personal Data Protection (CPDP);
  • Whenever minors’ personal data (under the age of 14) is processed on the basis of consent, require consent from parent exercising parent’s rights/from guardian. This requirement applies not only to the provision of information society services, but to any form of processing based on consent as well;
  • In cases where personal data of deceased persons is processed, such processing shall only be carried out in case there is a legal ground therefor and by taking appropriate measures so that such processing shall not adversely affect the rights or freedoms of others or any public interest;
  • When processing personal data for the purposes of journalistic, academic, artistic and or literary expression, always try to strike a balance between freedom of expression, right to information and privacy in compliance with the criteria set out in the PDPA.

DON’Ts

  • Do not copy identification documents (ID card, passport, driver’s license) or residence permit (unless you have ensured a legal ground provided for by law);
  • Do not allow free public access to information containing PIN/PNF, unless otherwise provided by law (for example: publication of lists containing personal data);
  • Do not use PIN as passwords as the Act requires the adoption of appropriate technical and organizational measures to prevent the use of PIN/PNF as the only means of user identification when providing remote access to electronic services (e.g. as a password for access to medical test results).

Tailor your practices to the new requirements, bearing in mind that our list is not an exhaustive one and is intended only to familiarize you with the general structure of the amendments adopted.

Keep an eye on our follow up publications where the most important changes will be analyzed in more detail and we will continue to keep you up-to-date in the field of personal data protection!

# 14 The Bulgarian Commission for Personal Data Protection adopted list of the processing activities where data protection impact assessment under GDPR is mandatory

Further to publication #12 Data Protection Impact Assessment from our Blog we inform You that the Commission for Personal Data Protection published a list of the types of processing operations for which data protection impact assessment (DPIA) is required. The list was published on 13.02.2019 on the Commission’s website.

Pursuant to the above-mentioned list data controllers whose main or single establishment is on the territory of the Republic of Bulgaria are required to conduct compulsory DPIA in each of the following cases:
• Large scale processing of biometric data for the purposes of the unique identification of a natural person, which is not occasional;
• Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing operations for which the provision of information to the data subject pursuant to Art. 14 of GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when this is related to large scale processing;
• Personal data processing by controller whose main place of establishment is outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria;
• Regular and systematic processing for which the provision of information pursuant to Art. 19 of GDPR by the controller to the data subject is impossible or involves disproportionate efforts;
• Processing of personal data of children in relation to the offer of information society services directly to a child;
• Migration of data from existing to new technologies when this is related to large scale data processing.

The current list – adopted on the basis of Art. 35 Para 4 of GDPR – is non-exhaustive and can be updated, if necessary. We will inform You accordingly for any such updates.

# 13 First law in the field of cyber security was adopted in Bulgaria

The first Bulgarian act entirely on cyber security is already a fact.

The new Cyber Security Act (CA/the Act) was promulgated on November 13, 2018. The Act was adopted in compliance with the obligation to transpose Directive (EU) 2016/1148 of 6 July 2016 of the European Parliament and the Council concerning measures for a high common level of security of network and information systems across the Union.

The adoption of the Act is of key importance to ensuring an adequate level of security when using digital technologies and the successful counteraction to deliberate harmful attacks, since there was no such instrument for resolving cyber security issues until now, just separate rules in a number of special Acts (e.g., The Counter-Terrorism Act, the Electronic Governance Act, the Electronic Communications Act, the Criminal Code, the Ordinance on the Common Requirements for Network and Information Security, etc.).

Which authorities are going to be responsible for the cyber security?

The new Act creates new competent authorities and structures in the cybersecurity area:

  • Cyber ​​Security Council;
  • National Single Point of Contact for Cyber Security Issues;
  • National Cyber ​​Security Coordinator;
  • National Competent Authorities for Network and Information Security with administrative authorities, determined by the Council of Ministers;
  • National Response Team for Computer Security Incidents;
  • Sector Response Teams for Computer Security Incidents;
  • Cyber crime Center within the Chief Directorate “Combating Organized Crime” of the Ministry of Interior will be set up to carry out activities concerning the detection, investigation and documentation of computer crimes at national level;

The new Act regulates the powers in this matter of authorities such as:

  • the Chairman of the State Agency for Electronic Governance;
  • the Minister of Defense;
  • the Minister of Interior;
  • the Chairman of State Agency Of National Security;

Who is affected by the new requirements?

CA contains rules addressed to several different categories of liable entities (public and private):

  • administrative authorities;
  • operators of essential services operating in the following sectors:
    – energy;
    – transport;
    – banking;
    – financial market infrastructures;
    – health sector;
    – drinking water supply and distribution;
    – digital infrastructure. Essential service providers may be both public and private entities of those categories that meet each of the following criteria: 1) they provide essential service; (2) the provision of the essential service should depend on networks and information systems; and 3) network and information security incidents should have a significant disruptive effect on the provision of the service. The operators of essential services will be designated by the competent administrative authorities according to these criteria and in accordance with a methodology adopted by the Council of Ministers. In this regard, the Chairman of the State Agency for Electronic Governance has to make a list of the essential services, which list will not be public though;
  • digital service providers providing any of the following services:
    – online marketplace;
    – online search engine;
    – cloud computing services;
  • organisations providing public services that are not designated as essential service providers or digital service providers when these organisations provide administrative services by electronic means. Public services are services in relation to provision of which administrative services may be provided, namely:
    – educational;
    – health care;
    – water supply;
    – sewage;
    – heat supply;
    – electricity supply;
    – gas supply;
    – telecommunications;
    – postal;
    – banking;
    – financial;
    – trust services within the meaning of Regulation (EU) 910/2014; and
    – other similar services provided in order to satisfy public needs, including services provided as a commercial activity;
  • persons exercising public functions, which are not designated as essential service providers, when providing administrative services by electronic means.

Obviously, the new Act has a potentially very wide range of addressees which justifies the need to know it so that the respective obligated persons can comply with it.

In order to avoid the imposing of a disproportionate financial and administrative burden, enterprises that are micro and small digital service providers, within the meaning of the Micro and Small Enterprises Act, are among the entities, that are excluded from the scope of the new Act.

How does this affect the private sector?

As already emphasized, besides public sector entities, a number of companies from the private sector shall have obligations under this Act as well. Some of the key requirements can be outlined depending on the addressee:

  • Administrative authorities:
    – take appropriate and proportionate measures to ensure network and information security;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security, in order to ensure the continuity of their activities;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of their activities;
    – take minimum measures for achieving network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
  • Persons exercising public functions and organisations providing public services;
    – provide and are responsible for their network and information security when providing administrative services by electronic means;
    – notify the sector response teams for computer security incidents that have an impact on the continuity of the administrative services they provide electronically;
  • Essential service providers:
    – take appropriate and proportionate measures to ensure a level of network and information security, corresponding to the existing risk;
    – take appropriate measures to prevent and minimize the impact of incidents affecting their network and information security, in order to ensure the continuity of the essential services they provide;
    – notify the sector response teams for computer security incidents for incidents that have an impact on the continuity of the essential services they provide;
    – notify the digital service provider in case of an incident that may have a significant detrimental effect on the continuity of the provided essential service and affects the digital service provider, when the essential service provider relies on a digital service provider to provide a given essential service;
    – take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months of entering into force of the CA. The network and information security requirements provided for by the Act must be applied by essential service providers only in respect to the provided essential services;
  • Digital service providers:
    – take appropriate and proportionate technical and organisational measures to manage the risks to the security of the networks and their information systems, used for providing digital services within the territory of Bulgaria;
    – take appropriate measures to prevent and minimize the impact of accidents affecting their network and information security;
    – notify the sector response teams for computer security incidents of incidents that have a significant impact on the continuity of the digital services they provide.

A number of criteria are taken into account in determining the impact of an incident;
– take minimum measures for ensuring network and information security, which shall be determined with an ordinance to be adopted within 6 months from the entry into force of CA;
– a digital service provider that is not established in a EU Member State but offers any of the above-mentioned services within the EU, the digital service provider must designate a representative in the EU that must be established in a Member State where the services are offered;
– in certain occasions, it may be necessary for the public to be notified of incidents that have occurred.

It should also be noted that the Act expressly states that where it is provided for in a EU legal act or a sector-specific or service-specific act, the operators of essential services or the digital service providers are required either to ensure the security of their network and information systems or to notify of incidents, those acts apply, provided that their requirements are at least equivalent in effect to the obligations laid down in CA.

  • Persons not expressly designated as obligated persons under the Act:
    – Except for persons, expressly mentioned in the Act, other persons may notify on a voluntary basis the sector response teams for computer security incidents of incidents that have an impact on the continuity of the services they provide. The obligated persons’ notifications shall be processed with priority.

Regarding the notification obligations

The notification under the Act in the event of the specified incidents occurring should be made within two hours of identifying the incident and the complete data should be sent within 5 days.

Notifications shall be submitted following the sample form approved in accordance with an ordinance on the minimum scope of network and information security measures, along with other recommended measures to be adopted by the Council of Ministers under Art. 3, Para. 2 CA.

By-law legislation is yet to be adopted.

Sanctions

The CA provides for sanctions for violation of its requirements, with fines amounting to BGN 20,000 and property sanctions – up to BGN 25,000.

It should be emphasised that the CA also provides for sanctions for officials who commit or allow a violation under Chapter Two of the Act to be committed, with fines amounting up to BGN 15,000.

The Act has entered into force as of November 16, 2018 for most of its part. The provisions on the establishment and functions of an Incident Monitoring and Response Center for incidents with a significant detrimental impact on the communication and information systems of strategic sites and activities relevant to national security as well as certain obligations of the Sector Response Teams for Computer Security Incidents for notification shall take effect as of January 1, 2022.

Ensuring the secure and orderly functioning of networks and information systems is essential to the facilitation of the cross-border movement of goods, services, capital and people. From this point of view, the European Union is increasingly focusing on the creation of common rules on cybersecurity, as it is an important step towards the establishment of a single digital economy within the internal market. We are about to observe how the new regulation will affect the public and private sectors, but in any case, the EU’s and the Bulgarian legislature’s ambition to create a legal framework on cybersecurity is commendable.

# 12 Data protection impact assessment – a key part of GDPR compliance

Further to the series of publications regarding the changes introduced by the GDPR, in this publication we will introduce you to one of the new concepts set out in the GDPR, namely the Data protection impact assessment (DPIA).

What is DPIA?

Data controllers are responsible for introducing appropriate safeguards to ensure compliance with the GDPR taking into account “the risks of various likelihood and severity to the rights and freedoms of natural persons”. In this sense, their role is not limited solely to the control and definition of the purposes and means of personal data processing, but also includes their obligation to manage the risks that could arise as a result of that activity.

The main objective of the DPIA is to clarify, to describe all processing processes, to assess their necessity and proportionality, and to contribute to the adequate and appropriate management of risks to the rights and freedoms of natural persons arising from the processing of their personal data.

What is DPIA expressed in and what does it contain?

Article 35, Para.7 of the GDPR sets out the minimum features of a DPIA, namely:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks and demonstrate compliance with thе Regulation.

The assessment of the risks to the rights and freedoms of the processing is one of the main components of the DPIA. Some of the risk assessment guidelines and principles set out in the GDPR partially overlap already existing internationally recognised risk management standards, such as ISO 31000:2009. Examples in this regard are:

  • establishing the context: “taking into account the nature, scope, context and purposes of the processing and the sources of the risk”;
  • assessing the risks: “assess the particular likelihood and severity of the high risk”;
  • treating the risks: “mitigating that risk” and “ensuring the protection of personal data”, and “demonstrating compliance with this Regulation”.

DPIA – when it should be carried out?

It is important to note that the carrying out of a DPIA is only mandatory where a processing is “likely to result in a high risk to the rights and freedoms of natural persons”. In this sense, considered to be the most dangerous is the processing of data that is of a very personal nature by technical means without human intervention (e.g. algorithms / software) including:

  •  Systematic and detailed assessment of personal aspects related to health, workplace performance, personal preferences, location, economic status with respect to individuals, which is based on automatic processing, including profiling, for creating or using personal profiles;
  • Large-scale processing of special categories of data (e.g. data on racial or ethnic origin, political views, sex life, etc.) or personal data on convictions and offenses (Article 9, Para. 1 and Article 10 GDPR);
  • A systematic monitoring of a publicly accessible area on a large scale; etc.

In any case, the DPIA should be carried out before the processing. (Article 35, Para.1 and 10, Rec. 90 and 93). The Working Party under Art. 29 recommends that evaluation should be carried out, even when there is doubt as to the need for such assessment, as “DPIA is a useful tool to help controllers comply with data protection law” [1] and with the principle of accountability (for more information see publication #8 ACCOUNTABILITY AS A NEW PRINCIPLE OF GDPR).

Which data processing activities are considered high risk?

In the Guidelines of the Working Party under Art. 29 there are nine criteria in which the controller can identify operations that may result in a high risk to the rights and freedoms of the natural persons:

1) Existence of assessment or scoring, including profiling and prediction – an example in this respect are financial institutions reporting to their clients in connection with granting credits in databases for fighting against money laundering or terrorist financing; genetic testing for prediction of disease risks; companies that create behavioural or marketing profiles based on a website; etc.

2) Existence of automated decision making with legal or similar significant effect – automated decision making is the ability to make decisions by technological means without any human involvement. An example is when the decision on credit approval is made by a person on the basis of a profile designed entirely by automated means, or when the decision on the approval of the loan is made by means of an algorithm and the person is automatically notified of the decision without first being made a meaningful assessment by a human.

3) Existence of processing used for different types of surveillance or control of data subjects – including monitoring through which personal data is being processed where data subjects do not realize who collects their data and how it will be used, e.g. video surveillance in a public area;

4) Existence of processing of special categories of data – public hospitals that store patients’ medical records should carry out a DPIA because they operate with sensitive data, notably the health of natural persons;

5) Existence of large-scale processing of personal data – determining the scale is a separate process that involves careful consideration of factors such as: the number of data subjects involved, the volume of data or the scope of the different types of data, the duration or continuity, and the geographical scope of the processing activity;

6) Datasets that have been matched or combined, resulting from two or more processing operations performed for different purposes and / or by different controllers in a way that goes beyond the reasonable expectations of the subject – In such cases, the nature of the contractual arrangements, and the balance between the subject and the data controller in particular, should be examined, for example, to what extent the data subject is free to terminate the contract and seek alternative service providers;

7) Processing of data concerning vulnerable data subjects including any case where imbalance between the position of the data subject and the controller can be identified – examples in this respect are children – persons subject to treatment, mentally ill persons, asylum seekers, patients, elderly people, etc.

8) Existence of innovative use or applying technological or organisational solutions – an excellent example in this regard is the use of fingerprints and face recognition to improve access control;

9) Preventing data subjects from exercising the right to use a service or contract – here again is the example with a bank screens a client aganst a credit reference database, i.e. in this case, the processing of the subject’s personal data may lead to them being deprived of the possibility of taking a loan.

As a rule of thumb, a processing operation meeting less than two of the aforementioned criteria may not require the carrying out of a DPIA due to the lower level of risk. Conversely, the more criteria the processing operations meet, the higher the likelihood of high risk with regard to the rights and freedoms of natural persons.

In addition, GDPR imputes an obligation to the supervisory authority for establishment and publishing a list of the processing operations that require a DPIA. Moreover, the supervisory authority could establish and publish a list with the processing operations, for which a DPIA is not mandatory. Currently, the Commission for Personal Data Protection (CPDP) has not made such lists public yet.

What follows after the carrying out of DPIA?

DPIA does not constitute of a single action, but of an entire process of achieving and demonstrating compliance.

However, once carried out, the DPIA could be applied for assessment of numerous processing operations similar to the risks presented, taking into account the nature, scope, context and purposes in light of the concrete case. When the processing operation involves joint controllers, they need to define their respective obligations precisely and clearly. Their DPIA should set out which party is responsible for the various measures designed to treat risks and to protect the rights of the data subjects.

If the data controller considers a DPIA not to be mandatory, he is obliged to make a detailed statement of the reasons for not taking action.

Carrying out the DPIA may be outsourced to an outside person.

If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information. The roles and responsibilities of the processors must be defined precisely in a separate contract/agreement. Such obligations are usually imposed to the processor in the data processing agreement between the controller and the processor.

The controller will also have to consult the supervisory authority whenever Member – state Law requires such actions.

In the light of the above, it remains intriguing what measures would be provided in the new amendments of the Personal Data Protection Act.

In conclusion, it should be emphasized on the fact that carrying out a DPIA is a key part of complying with GDPR in cases of high risk processing. This means that data controllers should be able to determine whether a DPIA has to be carried-out or not. Of course, the internal data controller policy could extend the list of data processing activities for a DPIA will be carried-out even beyond the requirements of the GDPR. Such an approach shall absolutely result in building greater trust and confidence of data subjects in the controller and in providing for additional safeguards for the lawful and adequate processing of personal data within the company.

[1] Data Protection Working Party under Art. 29: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to pose a high risk” for the purposes of Regulation 2016/679 (WP 248 rev. 01), available here.

# 11 The Council of Europe updated the only international legally binding instrument for data protection – Convention No. 108

On the 18th of May 2018, in Helsingør, the Council of Europe adopted an Amendment Protocol of Convention № 108 from 28.01.1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (“The Convention”).

About the Convention

As of now, the Convention is the only globally relevant international agreement in the field of data protection. It has been created in response to the ongoing challenges to the privacy rights, stemming from the use of new information and communication technologies. With the complete revision of the Convention, the Council of Europe seeks to update it, expand its scope and strengthen the mechanisms it provides, in order to guarantee its effective application.

What are the novelties introduced in the Convention?

The changes to the Convention generally aim to facilitate the trans-border exchange of data while further developing the foundational mechanisms for protection of personal data laid down in the Convention in accordance to the legislative changes on European level. The Convention encompasses data processing in both the public and private sectors, hence, the changes seek to improve the level of personal data protection and its current scope. The discussions and the work on the amendment started back in 2012 and ran in parallel with the rest of the legislative changes to the personal data protection framework within the EU, including with the famous General Data Protection Regulation (GDPR).

The Secretary General of the Council of Europe Thorbjørn Jagland points out that the modernization of the Convention is a reflection of the frequent violations of data protection law as for the main focus in its implementation will be preventing of such in the future.

Numerous novelties in the Convention are in accordance with the solutions provided by the GDPR. Some of the main novelties include:

  • The categories of sensitive data are expanded – additionally to the current personal data related to: race, political views, religious or other beliefs, health conditions, ethnicity, crimes, criminal proceedings and sentences; now genetic and biometric data, as well as syndicate membership and data related to ethnicity have also been included to the category;
  • Some of the data subject rights have been expanded, including:
    – The right not be a subject of automated decision-making, when the decision has a significant impact on the subject, without considering their viewpoint;
    – The right to be informed about the data processing;
    – The right of the subject to be informed about the reasoning for data processing, particularly in cases when algorithms are used for the automated decision-making and profiling;
    – The right to object against the processing of personal data, related to the subject unless in cases where the legitimate interest of the controller is prevailing;
  • Additional obligations to the personal data controllers and processors have been introduced:
    – The measures undertaken for data protection have to be connected with their obligation to be able to prove the lawfulness of the data processing (the so-called “accountability” principle);
    – The principles of data protection shall be applied at all stages of processing, including the designing stage (“privacy by design” and “privacy by default”);
    – The suitable measures that have to be undertaken include: training of personnel, establishing suitable notification procedures (establishing data retention periods and specific deadlines for their deletion from the systems); establishing specific contract clauses for delegated processing; establishing of internal procedures providing the possibility to review and to justify compliance, etc.
    – The powers of the Authority elected by the parties of the Convention have been strengthened in order to guarantee the application of the provisions of the Convention. According to the Explanatory Protocol to the Convention, the Authority can either be sole (a commissioner) or collegiate body. Most importantly the Authority has to possess effective regulatory powers and functions and to be independent;
    – The parties of the Convention may introduce other specific authorities whose activity covers only a very restricted sector (According to the Explanatory Protocol the electronic communications sector, the healthcare sector, the public sector and others);
    – The Authority has to be empowered to initiate or participate in court proceedings related to all data protection violations. This is linked to the powers to conduct an investigation and detection of infringements;
    – An obligatory notification about data protection breach has also been introduced;
  • The measures for proportional data processing and application of the principle of data minimization have been strengthened;
  • Amendment of the current terminology – the term “automated data file” has been repealed and there is one new participant to the data processing, called with the term “receiver” (1) , etc.;
  • One of the most important additions to the Convention is the enhanced role of the Convention Committee, which has advisory, but also evaluation and supervisor capacity. It will determine whether and to what extent a Member State or an international organization has fulfilled the requirements set by the Convention. The Committee has the right to evaluate the compliance of the internal law of a Convention party and to determine the effectiveness of the undertaken measures.

It is important to note that all countries as well as international organizations, including the European Union, can accede to the Convention. This turns the Convention into a key tool for harmonizing various data protection legal regimes, by ensuring high degree of protection on international level.

The modernization of the Convention is a crucial step towards the promotion of global data protection standards. The renewed Convention seeks to stimulate the inclusion of as many countries as possible aiming to encourage the international business and its development, now on the basis of more secure and universally applicable rules regarding personal data and its efficient protection.

You can find more information on the official website of the Council of Europe here.

 

(1) Art. 3, “e” – “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available; Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), URL.

# 10 The Act for Amendment and Supplement to the Personal Data Protection Act, synchronized with GDPR, is officially submitted before the National Assembly

On 18th of July the Bill for Amendment and Supplement of the Personal Data Protection Act was submitted before the National Assembly (the New Bill). The New Bill aims to introduce measures to implement EU’s General Data Protection Regulation (the Regulation/GDPR) and transpose Directive 2016/680 on the protection of personal data in the police sector (the changes proposed in this section – Chapter 8a of the New Bill – will be the subject of a follow-up analysis on our blog).

As expected, some rules from the initial bill (the Old Bill) – subject to public consultation since 30.04.2018 – have been revised as a result of the consultation(1).

At first glance and without claiming to be exhaustive, we underline here some of the amendments made in the New Bill:

1. The minimum thresholds for fines and pecuniary sanctions have been removed since such were not provided in the Regulation. Fines/ sanctions will be imposed according to the criteria set out in the Regulation;
2. The envisaged fine for other violations remains up to BGN 5 000 where the minimum threshold of BGN 1 000 is abolished;
3. The New Bill provides safeguards in order to balance the protected secrecy (e.g. the lawyer’s secret) with the investigating powers of the Commission for the Protection of Personal Data (CPDP), insofar such secrecy provides an option to serve the controllers/ processors as grounds for refusal or access to it by CPDP in case of an inspection;
4. The CPDP will maintain a non-public internal register of data breaches and the measures undertaken in accordance with the exercise of its remedial powers. However, new public ones are being introduced:
– Register of controllers and personal data processors who have appointed Data protection officers (DPO);
-The proposal to maintain a DPO register is removed due to concerns of an attempt to introduce a disguised registration regime for this position, which is not provided in the Regulation;Register of the accredited certification bodies;
-Conduct codes register;
5. The provisions empowering the CPDP to conduct trainings of DPOs were also removed;
6. The personal data retention period of all job candidates/applicants cannot be more than 6 months (in the Old Bill the term was 3 years) after the end of the procedure of recruitment. This restriction also applies to documents that certify the physical and mental health of the applicant, the necessary qualifications and experience for the position held. Other provisions on the protection of personal data in the context of the employment relationship are also specified (e.g. the disputed permission to request explicit consent from employees to process their personal data, which is not required by the employer or a legal act is also removed);
7. The requirement for controllers/ processors to appoint a DPO if they process the personal data of more than 10,000 individuals has also been removed since this requirement, as set out in the Old Bill, has raised serious objections in the public consultation procedure (mainly due to the uncertainties of how it would be applied in practice);
8. Structures, whose main activity is related to the spending of public funds, will be considered as a public body/ structure. This will affect their duty to appoint a DPO;
9. The New Bill also provides new provisions regarding the processing of personal data for the purposes of archiving in the public interest, scientific and historical research, statistical purposes and journalistic purposes.

The full text of the New Bill could be found in Bulgarian here.

As your trusted partner we will continue to keep you updated about the New Bill legislation process as well as all the new developments in the personal data protection legislation on a national and European level.

(1) See in this sense also the latest newsletter of CPDP from July 2018, URL 

# 9 The Commission for Personal Data Protection has repealed Ordinance No. 1 of 30 January 2013 – what technical and organizational measures the organizations need to undertake from now on?

With State Gazette, Issue 43 of 25.05.2018 Ordinance No. 1 dated 30 January 2013 on the Minimum Level of Technical and Organizational Measures and the Admissible Type of Personal Data Protection (the Ordinance) was repealed. The Commission for Personal Data Protection (CPDP) has announced that the Ordinance is to be revised and transformed into methodical guidelines to the controllers without committing to a specific deadline (https://www.cpdp.bg/en/index.php?p=element&aid=1151).

Thus, among other uncertainties concerning the application of the General Data Protection Regulation (“GDPR”), yet another important question arises – what technical and organizational measures should be applied by the organizations from now on in order to ensure an appropriate level of security of the data they process.

Applicable measures under the repealed Ordinance

The repealed Ordinance provided for 5 types of personal data protection (physical, personnel, documentary protection, protection of automated information systems and/or networks and cryptographic protection) and contained detailed regulation of the technical and organizational measures for their implementation.

The CPDP’s previous approach was to oblige the controllers to carry out an impact assessment on each personal data register they keep. On the basis of the determined level of impact for the register the controllers had to apply corresponding level of data protection – a mandatory minimum set of measures settled for each level of impact in the Ordinance. Now the lack of compulsory list of such measures leaves plenty of room for speculation in this respect, so the analysis below is intended to bring some clarity on the issue.

Art. 32 of the GDPR lists some exemplary, but not mandatory measures such as pseudonymization, encryption, etc., which can offer the organizations guidance in terms of what measures are considered appropriate. Of course, the final choice depends on the context and the purposes of the processing. In this sense, although both controllers and processors are not required to apply any of the measures explicitly listed in the GDPR, their obligation to ensure the security of the data processed remains.

Applicable technical and organizational measures from now on

In the process of assessment every controller or processor should bear in mind the following:

First, the GDPR focuses on the protection of personal data as a fundamental human right of the EU citizens. Therefore, the understanding that the GDPR constitutes а “fully technological framework” is untrue. The requirement to implement technical and organizational measures to ensure data security undoubtedly has an important role, but it is just one of the seven basic principles of data protection laid down in the GDPR. In other words, even if we have applied extremely high security measures, even if all the information we handle is encrypted – if we process these data without legal or for illegal purposes or we have not properly informed individuals about such processing etc., our business will not meet the GDPR requirements whatsoever.

Second, GDPR sets out a number of criteria to guide the controller or the processor in defining these measures and choosing the most appropriate amongst all of them. Through this approach, the European legislator achieves a fairly good balance between the freedom of action and the crucial responsibility for attaining an adequate level of data protection.

Nonetheless, the main set of measures laid down in the repealed Ordinance could serve as a good guidance or as a point of reference in terms of data protection. Of course, the assessment should be tailored to the particularities of each and every type of processed personal data in compliance with the established standards and best practices for information security.

In the meantime, we will continue to monitor and keep you updated on the development of the case and the subsequent regulation on the appropriate personal data protection measures as well as the specific measures, undertaken on local level regarding the implementation of the GDPR.