Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

Transcription

1 Contributed by Djingov, Gouginski, Kyutchukov & Velichkov General I Data Protection Laws National Legislation General data protection laws The Personal Data Protection Act implemented the Data Protection Directive by being promulgated in the State Gazette, Issue No. 1 of 4 January 2002 and was last amended by the State Gazette, Issue No. 15 of 15 February 2013 with effect as of 1 January 2014 (the PDPA ). Entry into force The PDPA came into force on 1 January National Regulatory Authority Details of the competent national regulatory authority The Commission for Personal Data Protection (the Commission ) 2, Prof. Tsvetan Lazarov Blvd. Sofia 1592 Bulgaria Notification or registration scheme and timing In general, any data controller must apply for registration with the Commission prior to initiating any personal data processing. The registration covers the data controller and the personal data registers controlled by such data controller and is free of charge. Hence, if there is any change in the amount, purpose or scope of data processing, the data controller must notify the Commission prior to administering such amended registers or implementing such changes in the administered registers, respectively. The data controller may start to process the relevant personal data upon filing the registration application in due manner. The Commission has 14 days in which to accept or reject the registration of the data controller. Exemptions Exemptions apply in the following situations: (i) data controllers operating organised filing systems that are, by virtue of the legislation in force, publicly accessible or accessible only to those who can demonstrate a legitimate interest in obtaining access; (ii) non-profit making organisations carrying out certain processing; (iii) data controllers specially exempted by the Commission based on a determination that the processing does not jeopardise the rights and legitimate interests of affected individuals; and (iv) data controllers who are natural persons and carry out data processing for personal or domestic purposes. Appointment of a data protection officer There is no legal requirement to appoint a data protection officer under the PDPA. Personal Data What is personal data? The definition of personal data in the PDPA is closely based on the standard definition of personal data. Is information about legal entities personal data? No. The PDPA only applies to information about individuals as opposed to legal entities. What are the rules for processing personal data? Personal data may be processed if the standard conditions for processing personal data are met. In practice, the grounds most frequently relied on for personal data processing are the data subject s consent, necessary performance under a contract with the data subject and compliance with a legal obligation. Recently, in a limited number of cases the legitimate interests of data controllers, where such interests override the relevant privacy interest of data subject, have also applied in practice as a condition for processing personal data. The PDPA contains exemptions for certain types of processing. For example, processing for domestic purposes is largely exempt from the provisions of the PDPA. Global data protection legislation September

2 Are there any formalities to obtain consent to process personal data? Consent must be informed, specific and express. There are no formalities to obtain consent under the PDPA to process personal data. However, it is recommended for evidential purposes that the consent be in writing. Sensitive Personal Data What is sensitive personal data? Under the PDPA, sensitive personal data includes both: (i) the standard types of sensitive personal data; and (ii) information about the human genome. Are there additional rules for processing sensitive personal data? Processing of sensitive personal data may be initiated only if the data controller has obtained an express statement confirming registration with the Commission. The Commission shall issue a statement if after a preliminary inspection the Commission establishes that the data processing will be carried out in conformity with the applicable requirements of the PDPA and in particular the processing complies with the standard conditions for processing sensitive personal data as a ground for data processing. Are there any formalities to obtain consent to process sensitive personal data? The position is the same as for personal data (see above). Scope of Application What is the territorial scope of application? The PDPA applies the standard territorial test. Who is subject to data protection legislation? The PDPA applies to data controllers. A statutory act may also mandate that an individual, legal entity or state authority shall process personal data and hence shall be a data controller. Data processors are not subject to the PDPA. Are both manual and electronic records subject to data protection legislation? Yes. The PDPA does not differentiate between manual or electronic records. A regulation of the Commission, however, sets forth different obligations for data controllers regarding the level of protection and security of personal data depending on whether the records are manual or electronic. Rights of Data Subjects Compensation Data subjects have a right to compensation for any damage suffered as a result of unlawful processing of his/her personal data by a data controller. Affected data subjects are only entitled to seek compensation for the damages suffered as a result of the acts or actions of the respective data controller when such acts and actions are unlawful and, respectively, infringe their legitimate data privacy rights and interests. Fair processing information A data controller must provide fair processing information to data subjects. They must also provide information about: (i) recipients or categories of recipients to which the data may be transferred; (ii) the mandatory or voluntary nature of the requested provision of personal data by data subjects and the consequences for the data subjects in case of refusal to provide requested data; and (iii) the right of data subjects to access and correct their collected personal data. Data controllers are not obliged to provide data subjects with such processing information if the respective data subjects already have it or the law provides likewise. If the personal data has been obtained from a third party rather than the data subject, there are some exceptions from the obligation to provide processing information (e.g. where it would involve disproportionate effort). Moreover, item (ii) of the above list of fair processing information is not required but instead the data controller must inform the respective data subject about the categories of personal data related to such data subject. Rights to access information Data subjects may obtain their subject access information by written or electronic request to data controllers. This right may be exercised at any time and may be exercised free of charge. Where such access may result in the disclosure of data relating to other individuals, the data controller must provide the data subject with access to only such part of the data as pertains to such data subject alone. 31 September 2016 Global data protection legislation

3 Objection to direct marketing A data subject may object by opting out to this effect or require that a data controller stops processing data for direct marketing purposes. Data controllers must provide data subjects with the option of opting out, and if a data subject objects to or requires his/her personal data not to be processed for direct marketing purposes, the data controller must comply with such a request. Other rights Data subjects may obtain from the data controller the erasure, correction or blocking of their personal data if processing of those data fails to meet the requirements of the PDPA. Data subjects may object to the processing of their personal data if there is a legal justification for such objection. Data subjects must also be given the opportunity to object to the disclosure of their personal data to third parties. Data subjects may also require that the data controller notify any third parties to whom personal data have been revealed, of any erasure, rectification or blocking of such data. Security Security requirements in order to protect personal data The data controller must apply the general data security obligations. The Commission regulates in detail the requirements of the general data security obligations by a regulation passed to this effect under the PDPA in February By this regulation the Commission determines the minimum level of technical and organisational measures and the permissible type of security to be provided by a data controller to various types of data processing. Specific rules governing processing by third party agents (processors) The processing of personal data by a data processor must be in accordance with a statutory act, a written contract or other act of the data controller, which sets out the obligations of the data processor. The data controller will be jointly liable for damages caused to third parties resulting from acts or omissions of the data processor. The data processor may only process personal data in accordance with instructions from the data controller unless otherwise directed by law. In the case of data processing by a data processor, it is the data controller who is liable for the security measures adopted. It is the obligation of the data controller to ensure the data processor adopts certain security measures in respect of the processed data. Notice of breach laws The PDPA does not provide any obligation for data controllers to inform the Commission or data subjects of a security breach. The Commission has not issued any guidelines or other directions to this effect. Specific notice of breach laws apply to the electronic communications sector under the ECA (as defined below) which implements the Privacy and Electronic Communications Directive, as amended. The Commission must be notified within three days of the breach being identified. Transfer of Personal Data to Third Countries Restrictions on transfers to third countries The transfer of personal data outside of the EEA shall only be permissible if the recipient state is able to ensure an adequate level of personal data protection in its territory. Data controllers, as data exporters, may not make their own assessment of whether or not the jurisdiction of the data importer provides adequate levels of protection in the case of transborder dataflow. The assessment concerning the adequacy of the level of personal data protection in the recipient state shall be made by the Commission. Transfers outside of the EEA are also permitted if the standard conditions for transborder dataflow are satisfied. Compliance with binding corporate rules does not constitute a permissible condition under the PDPA for transborder dataflows. Notification and approval of national regulator (including notification of use of Model Contracts) In the event of transborder dataflow under the standard conditions for transborder dataflow, there is no obligation under the PDPA for the data controller, as a data exporter, to obtain the approval of the Commission regarding such transborder dataflow (except where transborder dataflow is made pursuant to binding corporate rules). In the event of transborder dataflow on any other grounds, a data controller may carry out transborder dataflow only after receiving the approval of the Commission for the specific transborder dataflow. In this case, to issue the approval, the Commission must first verify the merits of the contemplated transborder dataflow in view of the requirement for an adequate level of protection for data subjects. Global data protection legislation September

4 However, in 2012 the Commission amended its internal regulations of operation and, as a result, changed some rules relating to transborder dataflows so that it is necessary for data controllers to: (i) undergo verification by the Commission of the merits of the contemplated transborder dataflows; and (ii) to obtain the Commission s approval for transborder dataflows where the data export is being made: (a) with the consent from the data subject; (b) for the performance of a contract with, or in the interest of, the data subject; (c) for important public interest grounds, or for legal claims; (d) for the protection of the life or vital interests of the data subject; or (e) from a public register. The Commission s regulations of operation take effect as secondary legislation under the PDPA and are unlikely to be upheld by the courts in the case of a dispute between a data controller and the Commission. The Commission has not yet made any official statement on these new requirements nor taken formal enforcement action to enforce them. In all cases of transborder dataflow, regardless of the conditions on which they are carried out, the data controller must register the transborder dataflow with the Commission as a change in its effective status as data controller (to that of data exporter) prior to initiating such dataflow (unless the data controller has already registered its status as a data exporter and the respective transborder dataflow). Use of binding corporate rules Although Bulgaria is listed as a member of the mutual recognition club for binding corporate rules, on 31 October 2013, after a long period of abstaining from making any official statement on the matter, the Commission officially stated that it does not approve and does not recognise the use of binding corporate rules as valid grounds for transfer of personal data to third countries. Enforcement Sanctions Administrative sanctions in the form of fines for violations of the PDPA range from BGN 500 to BGN 100,000. Where processing results in a violation of the applicable data protection laws, the Commission has the power to restrict or prohibit the processing of personal data by a data controller for a limited period of time and subject to a prior notice to the relevant data controller. The transfer or distribution of computer or system passwords which results in the illegitimate disclosure of personal data constitutes a crime under the Criminal Code, promulgated in the State Gazette, Issue No. 26 of 2 April 1968, last amended by the State Gazette, Issue No. 47 of 21 June 2016, and the penalty for such crime includes imprisonment for up to three years. Practice According to the Commission s 2015 Annual Report, in 2015 the Commission approved the registration of 5,347 new data controllers. As a result, the total number of registered data controllers is 278,416. The registration applications of data controllers regarding sensitive data processing filed with the Commission for 2015 amounted to 424, as no applications were rejected. Most of these applications came from data controllers occupied in the health care area. In 2015, the Commission carried out a total of 687 on-site examinations. 511 of these examinations were of a preliminary control nature and executed in relation to the issuance of approvals for processing of sensitive personal data. In 20 of the on-site examinations, the Commission found non-compliance with the PDPA and took administrative action against the respective data controllers. As a result of the examinations carried out in respect of data controllers in 2015, the Commission issued 12 binding directions. 48 subsequent examinations were carried out in 2015 (compared to 77 for the previous year), as a result of which the Commission issued 6 binding directions and took administrative action against 16 data controllers. Enforcement authority The Commission has full supervisory powers over the activity of data controllers and is competent to issue binding directions to, and impose fines and restrictions on, data controllers for breaches of the PDPA. Public prosecutors also have enforcement powers but their scope of competence is limited. Public prosecutors usually act on the request of the Commission. eprivacy I Marketing and cookies National Legislation eprivacy laws Article 13 of the Privacy and Electronic Communications Directive has been implemented by virtue of the Electronic Communications Act (the ECA ), promulgated in the State Gazette, Issue No. 41 of 22 May 2007, last amended and supplemented in the State Gazette, Issue No. 50 of 1 July The ECA came into force on 26 May September 2016 Global data protection legislation

5 Cookies The rules of the E-Commerce Act, promulgated in the State Gazette, Issue No. 51 of 23 June 2006 (in force since 24 December 2006), last amended by the State Gazette, Issue No. 57 of 28 July 2015, are also of relevance. Some of the amendments to the Privacy and Electronic Communications Directive made by the Citizens Rights Directive, such as the obligation on providers of public electronic communication services to notify the Commission of personal data breaches, have been implemented by virtue of amendments to the ECA, adopted in December However, other amendments to the Privacy and Electronic Communications Directive have not been implemented into Bulgarian national law. For example, the E-Commerce Act has not been amended yet to implement the consent requirements for cookies. Conditions for use of cookies The E-Commerce Act allows the use of cookies provided that the user has been informed of the use of cookies and he/she has been given the opportunity to refuse the storage of or access to such cookies. Such restrictions are not applicable: (i) to any subsequent use of cookies in so far that the user has not explicitly objected to such use; and (ii) the cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communication network or for the provision of an information society service requested by the user. However, the amendments to the Privacy and Electronic Communications Directive requiring express consent for the storage of or access to cookies, have not been implemented yet. Regulatory guidance on the use of cookies There is no effective regulatory guidance on the use of cookies. Marketing by Conditions for direct marketing by to individual subscribers The ECA (Art. 261, para. 1) requires the consent of the individual subscriber as a condition for legally making direct marketing and advertising by with or without human intervention. Such consent is subject to withdrawal at any time. Conditions for direct marketing by to corporate subscribers Using the defined term subscriber to cover legal and natural persons, using or applying for usage of public electronic communications services, the ECA does not differentiate between individual or corporate subscribers with respect to the conditions for legally performing direct marketing by . Thus, corporate subscribers may be sent direct marketing e- mails only subject to their consent to that effect. Additionally, pursuant to the E-Commerce Act, the Bulgarian Commission on Consumer Protection keeps a register of the addresses of legal entities which have expressly opposed receiving unsolicited commercial communication. Sending unsolicited commercial communication to those addresses, including for direct marketing purposes, is prohibited. Exemptions and other issues As an exemption to the rule of the ECA, no prior consent is required for cases where the similar products and services exemption applies. The ECA prohibits direct marketing and advertising s from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) the provided opt-out address is not valid. Pursuant to the E-commerce Act, in case of non-solicited communication, the sender must also include the ecommerce information. Marketing by Telephone Conditions for direct marketing by telephone to individual subscribers (excludes automated calls) Pursuant to the ECA, direct marketing and advertising by telephone is subject to the same conditions and exemptions as s. Thus, such telephone communications are allowed only subject to the consent of the subscribers. Additionally, a Bulgarian regulation on the rules of issuing of telephone directories expressly provides for the possibility for indexing those subscribers that have expressly consented to receiving unsolicited commercial communications. Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls) Since the ECA does not differentiate between natural and legal entities, the same rules apply with respect to corporate subscribers. Thus, such telephone calls are allowed only subject to the consent of the subscribers. As is the case with individual subscribers, telephone directory indexing is a way, provided for by the law, of expressing consent to receiving unsolicited commercial communications. Global data protection legislation September

6 Exemptions and other issues Direct marketing and advertising by telephone is subject to the same exemptions and other issues as marketing or advertising by . Marketing by Fax Conditions for direct marketing by fax to individual subscribers Direct marketing by fax is subject to the same conditions and exemptions as s pursuant to the ECA. Thus, such fax calls are allowed only subject to the consent of the subscribers. Additionally, a Bulgarian regulation on the rules of issuing of telephone directories expressly provides for the possibility of indexing those subscribers who have expressly consented to receiving unsolicited commercial communications. Conditions for direct marketing by fax to corporate subscribers Since the ECA does not differentiate among natural and legal entities, the same rules apply with respect to corporate subscribers. Thus, such fax communications are allowed only subject to the consent of the subscribers. As is the case with individual subscribers, telephone directory indexing is a way, provided for by law, of expressing consent to receiving unsolicited commercial communications. Exemptions and other issues Direct marketing and advertising by fax is subject to the same exemptions and other issues as marketing or advertising by September 2016 Global data protection legislation