Personal data protection in Bulgaria and EU from 2018 is regulated by GDPR (General Data Protection Regulation) together with Bulgarian Personal Data Protection Act and the competent data protection authority (DPA) in Bulgaria is the Commission of Personal Data Protection. Bulgarian Data Protection Officers (DPO) can guarantee full law compliance and act as a contact point of any foreign business in its capacity of Data Controller which targets customers in EU and represent it before all European and Bulgarian authorities. GDPR explicitly provides that in case of data processing on a large scale, inclusive of processing of special categories of personal data, the data controller should in all cases be assisted by a person with expert knowledge of data protection law and practices.
Since July 2020, every Data Controller or Processor should comply with the Court of Justice of the European Union (CJEU) Case C-311/18 (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, a.k.a. the Schrems II judgment). This judgment invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield Framework. By 16th of July 2020, US companies operating in the EU were allowed to transfer data to the United States under the Privacy Shield Framework. The CJEU however ruled that the Privacy Shield Framework is too weak to protect EU citizens’ personal data and US companies should not count on it anymore. Fortunately, this will not freeze the business operations of US and non-EU companies but in order to do it in a perfectly legal manner, they should be GDPR compliant which means to adopt certain personal data protection rules, prepare GDPR compliance documentation and appoint a DPO as described below.
Update: On 10th July 2023 the European Commission adopted new adequacy decision for safe and trusted EU-US data flows. According to the decision, the US ensures an adequate level of personal data protection (comparable to that of the EU) for data transfers from the EU to the US companies under the new EU-US Data Privacy Framework.
Personal data according to GDPR Regulation (EU) 2016/679 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC is any specific information, regardless of the way of its retrieving, relating to a particular natural person (hence not applicable to legal entities, even most confidential information for a specific legal entity cannot be considered as personal data in the sense given above). Broadly speaking, personal data can be processed either in case of explicit consent given by the natural person, i.e. the data subject, inclusive in case of signing and execution of an agreement, or in case processing is necessary for compliance with a legal obligation of the controller or in the exercise of any special authority. A natural person or a legal entity which collects and processes personal data in Bulgaria is known as personal data controller. Actually, this is the entity which determines the purposes and means of the processing of personal data; for example, in case of an online e-commerce store, offering products to consumers in EU, the controller is the company operating the e-store and not the technical support company or web administrator or any employee that physically processes the orders and collects the personal data of the customers. The latter is just a data processor – a physical person or a legal entity appointed by the controller. In any case the processing is made on behalf of the controller and the relationship between the controller and the processor is arranged by signing an agreement, dedicated to the purpose, by virtue of which one of the parties (the controller) assigns to the other party (the processor) the processing of the personal data in question. The quality of a personal data controller occurs not as a result of some registration procedure but by virtue of law – the moment an entity starts to process personal data, it is recognized as personal data controller and is subject to regulation and sanctions in accordance to Bulgarian legislation and European GDPR regulation.
Non-EU data controllers which process personal data of European citizens are also obliged to comply with the high requirements of the Regulation and to respect its rules. There are two hypotheses here, GDPR is applicable for controllers, physically based outside EU, in case they offer services or goods to natural persons based in the Union. It should be noted that it is applicable even in case of providing services free of charge (for example cloud services or adware, where revenues for the developer is generated from advertisements and not by the client of the software). The other hypothesis includes monitoring of the behaviour of persons based in EU – even when the monitoring party is established outside the Union, compliance with the Regulation is mandatory as far as the monitored behaviour takes place within the Union.
In all cases of personal data processing on a large scale controllers or processors outside the European Union are obliged to designate their representative in Bulgaria or EU. Non-EU data controllers can appoint a Bulgarian lawyer as data protection officer (DPO), contact point and representative within EU. The representative acts on behalf of the data controller or processor and supervisory authorities of EU can address him directly on all issues related to processing. This is applicable especially in cases of use of modern technologies such as cloud services, internet of things, etc., where pseudonymisation, encryption and other measures for ensuring security of personal data is recommendable. The representative must be designated explicitly in writing by the controller and mandated to act on behalf of the latter in regards to his obligations and to assist to authorities or data subjects. The company can appoint an employee to the position of DPO (data protection officer), but this function is highly recommendable to be assigned to an expert (for example a lawyer in Bulgaria under a service agreement). The regulation requires that the data protection officer is qualified and with an expert knowledge of relevant legislation and practices. The personal data controller is obliged to announce to the public contact details of the data protection officer and to communicate them to the regulatory body.
The next very important question refers to the obligation of the personal data controller, especially in view of the fact that the new Regulation provides large sanctions (penalties and administrative fines up to € 20 M). To begin with, any personal data controller should study the requirements and make an internal audit of its own activity to assess what type of personal data the company is in touch with, how the data is collected, stored, etc., which of the employees are in charge with the processing, as well as whether business partners or subcontractors, the controller exchanges personal data with, also comply with the legal requirements. Secondly, the controller should draft and maintain a set of compliance documentation concerning the personal data processing activities in Bulgaria or EU as follows:
- Data controllers are obliged to maintain in written and electronic form a record of processing activities under their responsibility (this requirement does not apply to small and some medium sized organizations)
- Data controllers should draft and accept various internal rules, policies and instructions in connection to the personal data protection such as for example: data subjects’ rights policy, action plan in case of personal data breach (for example in case of hacker attack, theft of personal data and so on)
- A declaration of consent as well as other forms for recording the consent of the data subjects shall be pre-formulated by the controller in such a form, which undoubtedly show that the consent is informed and given by free will
- Additionally, the controller is obliged, prior to processing, to carry out a data protection impact assessment regarding the processing operations on the protection of personal data
The above listed documents can be made by the data controller itself or by an expert in the field of personal data protection, for example a lawyer in Bulgaria or EU. The use of such expert is not mandatory but highly recommendable, especially for the following:
- Providing a thorough internal compliance audit of the company activities in its capacity of data controller with reference to conformity with the requirements of Regulation (EU) 2016/679 and national legislation beforehand, i.e. before the Regulation comes into force
- Preparation and drafting of the compliance documentation, mentioned above, which is absolutely mandatory for the activity of the company
- Oral or written consultations in case of complaint or an objection filed by a natural person claiming that his/her personal data have been illegally processed or in case the data subject wants his/her data to be erased, even being legally processed
- Representation and liaising with the data protection authority in Bulgaria – the Commission of Personal Data Protection (CPDP), inclusive but not limited to: eliminating gaps and/or mistakes in compliance documentation, inclusive in cases of breach of security (in such cases both data subject and the regulator shall be notified within 72 hours), representation before the Regulatory body in initiated administrative procedures, as well as in handling complaints by natural persons
- Representation before relevant court authorities for appeals against a decision of the supervisory authority, for decrease of the imposed penalties or other sanctions, etc.
After listing all figures responsible for the data processing we shall now make a summary of the rights of the natural persons – data subjects (in other words the persons whose personal data is being processed). In the first place, this is the right of full information, the data subjects must be duly informed for any processing of their personal data at the time of the actual collection of the data, whereas the personal data controller must be able to prove the data subject has been duly informed in case the latter denies this. Furthermore, natural persons have the right of access to the collected data and to obtain a copy of the personal data undergoing processing free of charge. They can also request rectification of inaccurate data or request ‘to be forgotten’ (their personal data to be erased). In view of the favourable environment and more and more intensive development of direct marketing, the Regulation stipulates that in cases personal data are collected for such purposes, the data subject can object such collection, processing and profiling and he/she should be explicitly pre-informed about this objection right in a clear and plain language. The natural person is entitled to file a complaint to the national regulatory body – the Commission of Personal Data Protection in our case, which interacts with the European Data Protection Supervisor (the official body of EU) whereas judicial control is also applicable. The controller or the processor shall pay compensations for any damage which a natural person may have suffered as a result of data processing in violation of the Regulation.
If you need further information on the subject, advice or guidance, please feel free to contact our data protection consultants at Trifonov Law Offices who can provide you with expert assistance to ensure full compliance with GDPR and other consumer laws related to doing business in EU.