New regulations on personal data protection

In 2016, a General Regulation on personal data protection was adopted – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). The regulation introduces new obligations for personal data controllers and processors. By 25 May 2018 all controllers should bring their personal data processing activities in conformity with the regulation. The Regulation significantly increases the maximum fines and pecuniary sanctions imposed for violations of data protection legislation up to 20.000.000 euro or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Controllers are released from the obligation to register with the Commission for Personal Data Protection (CPDP), the supervisory authority under the Regulation for Bulgaria. Instead, they are obliged to keep records of processing activities. This obligation also applies to personal data processors, i.e. natural or legal persons acting on behalf of the controller. In the event of an inspection, the controller or processor must be able to prove that they process the data in accordance with the established rules and principles. Otherwise, they are subject to sanctions.

Another main obligation is the designation of a data protection officer (DPO). The requirement applies to enterprises whose data processing operations require regular and systematic monitoring of the data subjects (natural persons). The data protection officer may be an employee of the controller or a service provider who performs this activity professionally. The DPO's duties are to ensure compliance with the rules and the implementation of the controller's internal policies on personal data protection. The DPO is also responsible for communication with the supervisory authority, the Commission for Personal Data Protection (CPDP).

In certain cases, the controller is required to carry out a data protection impact assessment of the processing operations it plans. When carrying out a data protection impact assessment, the controller shall seek the advice of the data protection officer. Consultation with the supervisory authority prior to the processing is mandatory where a data protection impact assessment indicates that the processing would result in a high risk.

Another important obligation is the implementation of appropriate technical and organisational measures to ensure data security. Technical measures include encryption and pseudonymisation. Organisational measures include the regular evaluation of the effectiveness of the protection provided and cooperation with the supervisory authority in the performance of its obligations.

Personal data processing is only lawful with the consent of the person whose data is being processed, or under certain other conditions set out in the Regulation. Where the processing is based on consent, the controller bears the burden of proving that consent has been given. A valid consent must be a specific, informed and unambiguous statement. Consent may be withdrawn at any time.

The controller shall notify the supervisory authority and the data subject in the event of a personal data breach. The controller shall document any personal data breaches, including the facts relating to the breach, its effects and the remedial action taken.

Transfer of personal data to a third country or international organisation is admissible where the Commission has decided that the third country or organisation offers an adequate level of data protection. In other cases, the transfer may be carried out after obtaining authorisation from the supervisory authority. Exceptions are provided, including cross-border data transfers between companies of the same group, provided they comply with binding corporate rules or codes of conduct approved by the supervisory authority.

The processor shall comply with all rules and regulations on personal data protection, and shall be jointly liable with the controller for damages caused. The processor is required to obtain the consent of the controller before assigning the processing to a subcontractor. The Regulation also sets out requirements for the contracts between the controller and the processor.

The Regulation introduces new rights for natural persons whose personal data is processed. They include: access to their own personal data, information, rectification (if data is inaccurate), erasure of personal data (‘right to be forgotten’), restriction of processing by the controller or processor, portability of personal data between controllers, and objection to the processing of their personal data. The person has the right not to be subject to a decision based solely on automated processing, including ‘profiling’ (the use of personal data to analyse or predict aspects concerning that natural person’s performance at work, economic situation, etc.). Natural persons also have the right to a judicial or administrative remedy where their rights as data subjects have been infringed.

GDPR extends the territorial scope of the European rules on personal data protection. They also apply to controllers not established in the EU that process personal data of people who are in the Union. Such controllers are obliged to implement the rules of the Regulation where the data processing activities relate to offering goods or services to natural persons in the Union, irrespective of whether a payment is required, or to monitoring their behaviour in so far as this behaviour takes place within the Union.

The one-stop-shop principle for cross-border data processing within the Union is introduced, according to which each organisation is subject to supervision by only one supervisory authority: the authority of the Member State where its principal place of business is located.

Popov &amp; Partners offers a special package of services to prepare private and public clients for compliance with the new personal data protection requirements. The package also includes performing the function of data protection officer. The expert team consists of lawyers who can communicate with the client in English, German, Spanish and French.

If you are interested, please contact us by e-mail or on the mentioned telephone numbers.