DLA Piper Intelligence

Data Protection Laws of the World

Law

Bulgaria

Bulgaria implemented the EU Data Protection Directive 95/46/EC with the Personal Data Protection Act (In Bulgarian: Закон за защита на личните данни), promulgated in the State Gazette No. 1 of 4 January 2002, as amended periodically (Act). The Act came into force on 1 January 2002.

The Act was last amended by the State Gazette, Issue No. 15 of 15 February 2013.

Currently, a new Bulgarian data protection law is under discussion and is being prepared by a group of experts, including experts from the Bulgarian Data Protection Authority. The new law is expected to be adopted by May 2018 and to create a new framework in connection with Regulation (EU) 2016/679.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal data means ‘any information relating to an individual who is identified or can be identified directly or indirectly by ID or by one or more specific signs’.

Definition of sensitive personal data

Sensitive personal data means personal data:

  • revealing racial or ethnic origin
  • revealing political, religious or philosophical beliefs, political parties or organisations, associations with religious, philosophical, political or trade union purposes, or
  • concerning health, sexual life or the human genome.
Last modified 26 Jan 2017
Authority

The Bulgarian data protection authority (DPA) is the Personal Data Protection Commission (In Bulgarian: Комисия за защита на личните данни).

2 Professor Tsvetan Lazarov, Sofia 1592
Bulgaria

kzld@cpdp.bg
www.cpdp.bg

Last modified 26 Jan 2017
Registration

Unless an exemption applies, prior to initiating any personal data processing data controllers must apply for registration with the DPA. The registration covers the data controller and the personal data registers controlled by it. Changes to the initial registration will require notification of the DPA prior to implementing such changes. The registration is free of charge.

The DPA maintains the following public registers:

  • register of registered data controllers
  • register of data controllers exempt from registration, and
  • register of data controllers with refused registration

The prior notification shall inter alia specify the following information (as outlined in the DPA standard notification forms):

  • Application Form covering data controllers’ details, such as:

    • the controller’s identification details
    • the controller’s location
    • whether the controller processes data for the purposes of defence, national security, public order or criminal proceedings
    • the controller’s main activity
    • whether the purpose and the means of processing are determined by the controller or by the law
    • whether the data is processed by the controller or data processor, or
    • the number of data registers

  • Registry Description Form covering each separate register:

    • name and full address of the register
    • the purpose(s) of the processing
    • legal ground of the processing
    • whether automatic or non-automatic means of processing are used
    • the categories of data subjects
    • the categories of personal data processed, including sensitive data (if processed)
    • the recipients or categories of recipients of the personal data
    • whether a data transfer to foreign countries is required and the specific countries
    • sources for collection of the data
    • whether an explicit consent of the data subjects is available
    • level of risk assessed for the personal data processed under the register, and
    • descriptions of technical and organisational measures for data protection in accordance with the determined levels of risk and the minimum measures set forth in DPA regulation.

The last two points were introduced with regulation adopted by the DPA requiring each data controller to conduct risk assessment of the personal data registers it operates on the basis of criteria set forth by the DPA. Further, the DPA developed in its regulation minimum technical and organisational measures obligatory for the data controller and proportionate to the level of risk of its registers.

Exemptions apply in the following situations:

  • data controllers operating a public register on the basis of law which is publicly accessible or accessible to those who have a legal interest
  • non-profit-making organisations carrying out enumerated processing, and
  • data controllers explicitly exempt from registration by the DPA on the basis that the processing does not endanger the rights and legal interests of data subjects. The rules and conditions for this exemption are specified in a special regulation of the DPA. In such cases the data controller should apply for and obtain the DPA’s decision on the exemption from registration. However, such a decision would not relieve the respective data controllers from the DPA’s control under the Act.
Last modified 26 Jan 2017
Data Protection Officers

There is no legal requirement in Bulgaria for organisations to appoint a data protection officer (DPO). Appointment of a DPO is currently only recommended, since it helps to build and develop a focus for data protection compliance efforts. It would also signal to the DPA, should it investigate the company, that the company takes data protection compliance seriously.

Last modified 26 Jan 2017
Collection & Processing

Any personal data must be processed in a way that is consistent with the following general principles:

  • processed fairly and lawfully
  • processed only for specific and legal purposes and used only for the purposes stated at the time it is collected
  • adequate, relevant and not excessive for the purposes for which it is processed
  • accurate, complete and where necessary kept up to date
  • not kept in a personally identifiable form longer than necessary
  • processed in accordance with the rights of the data subject under applicable law
  • kept securely, and
  • not transferred to countries that do not have adequate data protection laws unless the data exporter takes certain specific steps to ensure that the data is adequately protected.

In addition to the general principles above, data controllers may only process personal data if one of the following conditions is satisfied:

  • the processing is pursuant to a statutory obligation of the data controller
  • the respective person has provided his/her explicit consent
  • the processing is necessary for the performance of a contract to which the data subject is a party
  • the processing is necessary for the protection of the life and health of the data subject
  • the processing is necessary for the controller to carry out certain duties, in the public interest or by virtue of law, or
  • the processing is necessary for the purpose of legitimate interests pursued by the data controller or data recipients, provided that the interests of the data subject are protected.

Should the personal data be considered ‘sensitive’, specific processing conditions must be satisfied.

Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies, namely:

  • identification data of the controller and its representative
  • the purposes for which the data will be processed
  • the recipients or categories of recipients to whom the personal data may be disclosed
  • whether the provision of personal data is obligatory or voluntary and the consequences if the data is not provided (applicable if the data is gathered directly from the person to whom it relates)
  • the categories of personal data relating to the respective individual (applicable if the data is not gathered directly from the data subject), or
  • information about the right of access to the data and the right to rectify the collected data.

The prior notification obligation does not apply to a data controller who does not collect the data directly from the data subject where one of the following conditions is present:

  • processing is made for statistical purposes or for the purposes of historical or scientific research and the provision of the data is impossible or would involve a disproportionate effort
  • recording or disclosure of data is explicitly laid down by law, or
  • the individual to whom such data relates already has the required information.
Last modified 26 Jan 2017
Transfer

The transfer of personal data within the European Union (EU) and European Economic Area (EEA) is free and should be in compliance with the applicable Bulgarian data protection law.

The transfer of personal data outside of the EU and the EEA is permissible only on the condition that the recipient state can ensure an adequate level of personal data protection within its territory. The assessment concerning the adequacy of the level of personal data protection in the recipient state should be made by the DPA.

The DPA should not undertake an assessment where a decision of the European Commission has to be implemented whereby the European Commission has ruled that:

  1. The country to which the personal data are transferred has ensured an adequate level of protection, or
  2. Certain appropriate contractual clauses are in place ensuring the adequate level of protection (the EU model contractual clauses).

It should be noted that the Personal Data Protection Act does not recognise the use of binding corporate rules (BCR) as a separate legal ground for transfers of personal data. The DPA recently had an occasion to assess (for the first time) the implementation of BCR for transfers of personal data outside Bulgaria and the EU within a multinational corporate group. Since the BCRs are not recognised as a separate justification for the transfer, the DPA analysed them as (and if) evidencing appropriate safeguards undertaken by the corporate group to permit the transfer. Thus, most data controllers prefer to combine the BCR with EU model contract clauses and facilitate the procedure before the DPA.

Should the DPA consider that the level of personal data protection in the recipient state is unsatisfactory, it may prohibit the personal data transfer. Even in such a case, the DPA may authorise the transfer should the data controller provide sufficient warranties with respect to the protection of the individual’s fundamental rights. In any case, the data controller should notify the DPA in advance of its intention to transfer personal data to countries outside the EU and EEA by specifying the countries of transfer, the purpose of the transfer and the categories of personal data subject to transfer.

The invalidation of the US Safe Harbor regime by the Judgment of the Court of Justice of the European Union of 6 October 2015 in the case of Schrems (C-362/14) brings limited effects under Bulgarian law, since the US Safe Harbor regime has never been recognized by the Bulgarian DPA as a separate ground for transfer of personal data to the USA. After the adoption of the EU-U.S. Privacy Shield Adequacy Decision of 12 July 2016, the Bulgarian DPA still requires a prior notification of the proposed transfer of personal data to the USA before it is implemented.

Last modified 26 Jan 2017
Security

Data controllers must implement appropriate technical and organisational measures to protect personal data against accidental or intentional destruction or loss, unauthorised disclosure or access, amendments or distribution and against all other unlawful forms of processing. Data controllers must implement special protection measures in cases of electronic data transfer.

The minimum level of technical and organisational measures, as well as the minimum required type of protection are determined by the DPA in accordance with the different levels of risk of the registers and further specified by the DPA in a regulation. The Act requires data protection measures to be adopted in an internal instruction issued by the data controller and to be announced in the registration application before the DPA.

Last modified 26 Jan 2017
Breach Notification

The Act does not provide for a data security breach notification duty. However, following the entering into force of Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications, the notification requirements/obligations and procedures introduced therein shall be applicable for the Bulgarian DPA and data controllers as well.

Last modified 26 Jan 2017
Enforcement

The DPA is responsible for the enforcement of the Act. Either acting ex officio or upon a complaint from a data subject, the DPA is entitled to:

  1. initiate an investigation
  2. provide mandatory instructions, including but not limited to ordering the database to be erased when it does not comply with the data protection regulations
  3. provide a mandatory term for rectification of the breach
  4. temporarily prohibit any unlawful data processing, after preliminary notification (a temporary prohibition of data processing could also be imposed in case of failure by the data controller to comply with the Commission’s mandatory instructions), and
  5. impose administrative sanctions.

Administrative sanctions in the form of fines for violations of the Act range from BGN 10,000 to BGN 100,000 (approximately EUR 5,000 to EUR 50,000).

Data controllers are liable for any damage caused to an individual as a result of unlawful processing or by breaching the technical requirements of data protection. The data controller is also liable for any damage caused by a data processor acting on behalf of the data controller.

The DPA’s decisions are subject to appeal before the Administrative Court-Sofia within 14 days of receipt. Decisions of the Administrative Court are subject to appeal before the Supreme Administrative Court, whose decisions are final.

The transfer or distribution of computer or system passwords which results in the illegitimate disclosure of personal data constitutes a crime under the Bulgarian Criminal Code (promulgated in the State Gazette No. 26 of 2 April 1968, as amended periodically) and the penalty for such a crime includes imprisonment for up to three years.

Last modified 26 Jan 2017
Electronic Marketing

Data protection of electronic marketing falls under the general regulations of the Personal Data Protection Act which currently requires the explicit consent of the data subject for processing of his/her personal data.

There are grounds for lawful processing of personal data listed in the Personal Data Protection Act (as mentioned above) but taking into account their limited and specific scope, for the purposes of e‑marketing the explicit consent of the data subject is likely to be the only applicable ground. The absence of a special legal framework concerning exclusively data protection in e‑marketing makes the opt‑in regime the only possible legitimate method of pursuing e‑marketing. In addition, the Personal Data Protection Act explicitly provides, as part of the rights of the data subjects given under law, the right to subsequently object to any data processing for the purposes of the direct marketing. This is further supported by the current regulations in other legal acts concerning specifically direct marketing activities.

The Bulgarian E‑commerce Act explicitly requires, when it comes to direct marketing to natural persons, the opt‑in mechanism to be mandatorily applied. Moreover, after the natural person's consent is provided, the person shall always be given the opportunity to opt‑out from the direct marketing network and refuse his/her personal data to be further processed for such purposes.

Last modified 26 Jan 2017
Online Privacy

Neither the current Personal Data Protection Act, nor any other legislative act in force, presents a general framework or protection regime for the processing of personal data as part of any kind of online activities, including cookies and traffic and location data. Certain regulations in this regard are set forth in the Electronic Communications Act concerning specifically providers of electronic communications services (such as telecoms) and certain categories of users' data they may keep for the purposes of criminal and other investigations, but under strictly regulated circumstances and for a limited time. In the absence of other rules, the general regime for the processing of personal data shall apply and the data controller shall ensure lawful processing in compliance with the abovementioned requirements.

Last modified 26 Jan 2017
Contacts
Anna Rizova
Partner
T +359 2 8613703
Last modified 26 Jan 2017