Amendment to the Bulgarian Personal Data Protection Act

Amendment to the Bulgarian Personal Data Protection Act

Today, the long-awaited amendment to the Personal Data Protection Act was promulgated in the Bulgarian State Gazette. Most notably, the law designates the Commission on Personal Data Protection as the Bulgarian supervisory authority under the GDPR and officially repeals the registration regime for personal data controllers which was inapplicable in practice since 25 May 2018.

Following the entry into effect of the amendment, the Commission is to adopt additional ordinances and amendments to its internal rules. Furthermore, the law implements the rules of Directive (EU) 2016/680 related to the processing of personal data in the course of criminal investigations and proceedings.

The Personal Data Protection Act introduces several derogations from the GDPR:

  • Controllers and processors must notify the Commission regarding the appointment of a data protection officer in accordance with the established procedural rules;
  • The age of consent for providing information society services is 14;
  • Copying identity documents, driving licenses and residence documents is permissible only when expressly required by law;
  • Providing free public access to information containing unified civil numbers or personal foreigner numbers is forbidden unless required by law. Those categories of data are not to be used as sole identifiers when providing remote access to services;
  • Criteria for the legality of processing personal data for journalistic purposes, or for the purposes of academic, artistic or literary expression;
  • Personal data of job applicants cannot be kept by employers for more than 6 months except with their consent;
  • Controllers must adopt internal rules regulating certain types of processing: in cases of large-scale processing or systematic surveillance of public areas on large scale, when using whistleblowing schemes, when introducing restrictions of the usage of internal resources, or systems for controlling access, working hours and labour discipline.

How can BOYANOV & Co. help you?

BOYANOV & Co.’s team has significant experience in dealing with the Bulgarian and EU personal data protection legal framework and in conducting compliance assessments. The firm can assist you with the respective legal review and implementation of measures required for compliance.

Today, the long-awaited amendment to the Personal Data Protection Act was promulgated in the Bulgarian State Gazette. Most notably, the law designates the Commission on Personal Data Protection as the Bulgarian supervisory authority under the GDPR and officially repeals the registration regime for personal data controllers which was inapplicable in practice since 25 May 2018.

Following the entry into effect of the amendment, the Commission is to adopt additional ordinances and amendments to its internal rules. Furthermore, the law implements the rules of Directive (EU) 2016/680 related to the processing of personal data in the course of criminal investigations and proceedings.

The Personal Data Protection Act introduces several derogations from the GDPR:

  • Controllers and processors must notify the Commission regarding the appointment of a data protection officer in accordance with the established procedural rules;
  • The age of consent for providing information society services is 14;
  • Copying identity documents, driving licenses and residence documents is permissible only when expressly required by law;
  • Providing free public access to information containing unified civil numbers or personal foreigner numbers is forbidden unless required by law. Those categories of data are not to be used as sole identifiers when providing remote access to services;
  • Criteria for the legality of processing personal data for journalistic purposes, or for the purposes of academic, artistic or literary expression;
  • Personal data of job applicants cannot be kept by employers for more than 6 months except with their consent;
  • Controllers must adopt internal rules regulating certain types of processing: in cases of large-scale processing or systematic surveillance of public areas on large scale, when using whistleblowing schemes, when introducing restrictions of the usage of internal resources, or systems for controlling access, working hours and labour discipline.

How can BOYANOV & Co. help you?

BOYANOV & Co.’s team has significant experience in dealing with the Bulgarian and EU personal data protection legal framework and in conducting compliance assessments. The firm can assist you with the respective legal review and implementation of measures required for compliance.