PERSONAL DATA AND GDPR
January 28, 2025
MAIN LEGAL ASPECTS AND CURRENT REGULATION OF THE PROCESSING OF PERSONAL DATA IN BULGARIA
This article provides useful information on the processing and protection of personal data in the context of the European Union's General Data Protection Regulation (GDPR), the act that regulates the processing and protection of personal data across the EU.
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
Here are some of the main aspects:
General information
In recent years, personal data, its protection, processing and storage have been discussed more and more. The GDPR is a legislative act of the European Union that aims to ensure the protection of the personal data of individuals by requiring businesses to comply with a number of rules when processing this data.
Who does GDPR affect?
GDPR affects any company or institution that processes personal data of its customers or employees.
The GDPR also affects all websites that use cookies to collect information which, even when nominally anonymous, can identify users and their preferences when browsing the Internet.
The GDPR applies to all companies and organizations that process and store personal data of individuals residing in the European Union, regardless of where the company or organization itself is located.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. Examples include name, surname, address, social security number, ID card number, location data, IP address, email address and others.
What is a personal data controller?
A natural or legal person, a public authority or a local self-government body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the type of data and the purposes and means of processing are determined by law, the controller is the person designated by that law to process it.
What is the processing of personal data?
Processing of personal data is any action performed on it, such as collection, recording, organization, structuring and storage. Processing must be minimized, i.e. only the personal data necessary for the respective purpose should be processed.
From the point of view of the protection of personal data, it is important to pay attention to the concept of a "third party" within the meaning of Regulation (EU) 2016/679, since the regulation does not allow the disclosure of personal data to such persons without a legal basis (see "Steps and procedures for personal data controllers"). A third party can be a natural or legal person, a public authority or a local self-government body, other than the data subject, the personal data controller, the personal data processor and the persons who, under the direct authority of the controller or the processor, are authorized to process personal data.
Steps and procedures for personal data controllers
Since May 25, 2018 there is no longer any obligation to register as a personal data controller with the Commission for Personal Data Protection (CPDP). Registration as a personal data controller has been replaced by the so-called accountability principle. This is expressed in the obligation to be able to prove at any moment that the requirements of the Regulation have been met, i.e. if an inspection is carried out by the CPDP, to be able to establish what personal data is processed, for what purposes and for how long, how it is stored, whether it is provided to third parties and who they are, and what measures have been taken to ensure the security of the personal data. https://cpdp.bg/en/legislation/
If there is no legal or contractual basis (e.g. an employment or civil contract, or a contract for the provision of services) for storing or processing an individual's personal data, their express consent must be obtained. This can be done through a written declaration, including electronically (for example, on a website where data is entered, users' consent to the processing of their personal data for the specified purposes must be requested through a corresponding field in which they give that consent).
It is not mandatory to have a designated data protection officer, although there are certain cases in which it is (see below). This officer may be an employee of the company or institution, but may also be provided by an external organization. The officer's duties are to supervise compliance with the Regulation and to assist the personal data controller. The data protection officer is also the person to whom the CPDP or anyone else can turn on matters related to the processing and storage of personal data.
Are data controllers obliged to provide a higher level of protection for children’s personal data?
Children enjoy special protection in all areas, including in relation to their personal data, as they are not sufficiently aware of the risks, threats and possible adverse consequences of its unlawful processing, nor of their rights. This protection must apply in particular to the use of children's personal data for marketing purposes, to the creation of personal or user profiles, and to the collection of data about children when they use services aimed directly at them. Where processing is directed at children, any information and communication must be provided in clear and plain language that the child can understand.
Where information society services are offered directly to a child, the processing of the child's data on the basis of consent is lawful if the child is at least 16 years old. If the child is under 16, such processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
Obligations of the controller of personal data
Compliance with the general obligations, ensuring the security of personal data, conducting a data protection impact assessment and carrying out prior consultation with the supervisory authority where required.
Appointing a data protection officer if the controller falls into one of the following categories:
a) the processing is carried out by a public body or structure, except when it comes to courts in the performance of their judicial functions;
b) the main activities of the controller or processor of personal data consist of processing operations that require regular and systematic large-scale monitoring of data subjects;
c) the main activities of the controller or processor consist of large-scale processing of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences pursuant to Article 10.
GDPR compliance control
In Bulgaria, the supervisory authority is the Commission for Personal Data Protection (CPDP). It is responsible for monitoring GDPR compliance. Where violations are detected, the Commission, through its acts, imposes administrative penalties (fines or property sanctions), which can reach significant amounts.
In the event of a breach of the security of personal data, each company is obliged to notify the Commission without undue delay and no later than 72 hours after becoming aware of the breach. https://cpdp.bg/en/submission-of-notifications/
In this regard, consulting a lawyer would be useful, both to discuss the main aspects of the processing of personal data relevant to your business and to prepare the necessary documents, such as a Privacy Policy and the other mandatory elements that must be in place to avoid violations of the Regulation and possible sanctions.
In case you have any questions or a case study, write to us at: office@lexsofia.com
Legal concepts within the meaning of Regulation (EU) 2016/679:
- “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.