Bulgarian List of Processing Operations Requiring Data Protection Impact Assessment

The Bulgarian Commission on Personal Data Protection adopted a list of processing operations for which controllers must conduct data protection impact assessments.

Controllers whose main or only place of establishment is on the territory of the Republic of Bulgaria will be required to conduct a data protection impact assessment whenever a specific processing operation is likely to result in a high risk to the rights and freedoms of individuals, including in the cases foreseen in Art. 35, paragraph 3 of Regulation 2016/679 (GDPR), as well as when carrying out the following types of processing operations:

  1. Large-scale processing of biometric data for the unique identification of the individual which is not sporadic.
  2. Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects him/her.
  3. Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects him/her.
  4. Processing operations for which the provision of information to the data subject pursuant to Art. 14 of GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when they are linked to large-scale processing.
  5. Personal data processing by a controller with a main place of establishment outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria.
  6. Regular and systematic processing for which the provision of information pursuant to Art. 19 of GDPR by the controller to the data subject is impossible or requires disproportionate efforts.
  7. Processing of personal data of children in relation to the offer of information society services directly to a child.
  8. Migration of data from existing to new technologies when this is linked to large-scale data processing.

In parallel to the above list, controllers should keep in mind the recommendations contained in the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, adopted by the Article 29 Working Party on 4 April 2017, last revised and adopted on 4 October 2017, and subsequently endorsed by the European Data Protection Board on 25 May 2018.

How can BOYANOV & Co. help you?

BOYANOV & Co.’s team has significant experience in dealing with the Bulgarian and EU personal data protection legal framework and in conducting compliance assessments. Carrying out a Data Protection Impact Assessment is a complicated process which requires coordinated efforts from the IT and legal departments of a controller together with the respective data owners. The firm can assist you with the necessary legal assessment and support the IT and business teams in documenting the process, as required by the GDPR.
