THE NEW REGULATION No. 679 / 27.04.2016 on the protection of personal data

On the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)

        From May 25, 2018, Regulation (EC) 2016/679 will apply. It concerns the protection of individuals with regard to the processing of personal data. The General Regulation introduces a number of significant changes to the current legal framework and places higher requirements on data subject actors, which is the reason for its postponement. It will be binding on all EU Member States. However, they have the right not to apply the Regulation to matters concerning their national security. Its purpose is to introduce more rigorous control over the personal data processors, which would, respectively, lead to a higher level of protection against the data subjects. The processor is obliged to observe all established rules and norms for the protection of personal data and bears joint and several liability for the damages caused by the administrator. The Regulation introduces an obligation for the data processor to seek the consent of the controller whenever he subcontracts the processing of a subcontractor.
      To which companies will the Regulation apply?
The fact is that the Regulation applies to almost all companies because all companies have employees and process their personal data. Of course, some companies have individuals - clients, certain industries - financial institutions, banks, hospitals, e-commerce companies, hotels - row companies are closely related to individuals-clients. So there the large amount of personal data they process is for their clients. But from the employer's point of view, each company will be the administrator of personal data, and that is why it is true for all companies.
     How does it change the procedure by which a company can become a data administrator?
The current regime was such that every administrator, any company that is an employer or processes personal data of its clients, has the status of administrator and should register with CPDP. This obligation will be abolished, it will not exist under the new regulation. But there will be a lot of other reporting obligations that companies will have to observe. They will need to maintain special registers for the processing of personal data. There will be new hypotheses where they will have to address specific inquiries and requests for approval to the Commission, for example in the context of risk assessment. So, with the dropping of the registration requirement as a personal data administrator, we can not say that the reporting and communication obligations of employers to the Commission will be alleviated.
     Duty of accountability
This is one of the main new rules under the Regulation. It is such an obligation for all employers and companies processing personal data to document the processing of personal data, there must be a documentary record of the processes and procedures for processing personal data in companies: what personal data are being processed, what is the basis for the processing, how they are stored, are made available to third parties and what these third parties are, what are the risks for individuals to process these data, and what are the protection measures that the controller is considering to take to prevent a data security breach. So there will be a wider documentation and an obligation to keep track of the types of processing that employers are doing, and also on which legal entities they provide their personal data as processors. Employers must make sure that they have the consent of individuals to provide their specific data to a specific legal entity.
      Register for processing of personal data
A requirement is created for creating a Personal Data Processing Register. According to Art. 13 small, medium and micro enterprises (up to 250 employees) are exempted from this obligation. It may be in writing or in electronic form. It will record: the type of personal data being processed; what are the purposes of the processing; are there any third parties who have access to these data? what are the organizational and technical security measures the administrator has taken to prevent a security breach and what he would do if a security breach occurs.
      How will the supervision of compliance with the new legal framework on personal data protection be implemented?
The only data protection supervisory authority in the Republic of Bulgaria is the Personal Data Protection Commission. As such, the Commission will monitor compliance with the Regulation. Within the scope of its powers, the Commission has the right to examine complaints from individuals, to carry out inspections of administrators and processors, to issue opinions, mandatory prescriptions and proprietary sanctions. The new Regulation significantly increases the maximum fines and pecuniary sanctions - up to € 10 million or up to 2% of the annual turnover of the company for the previous year (whichever is the higher).
      Personal data subjects' rights that administrators must obey:
According to the Regulation, the data subject (the natural person to whom the data relate) is entitled to:
• Awareness;
• Access to their own personal data;
• Correction (if data is inaccurate);
• Delete personal data (the right to be forgotten);
• Limitation of processing by the administrator or the personal data processor;
• Portability of personal data between individual administrators;
• Objection to the processing of his or her personal data;
• The data subject is also entitled not to be the subject of a decision based solely on automated processing involving profiling that produces legal consequences for the data subject or similarly affects him or her significantly;
• Right to judicial or administrative redress if the rights of the data subject have been violated.
A special category of personal data
This category includes genetic data (RNA and DNA samples), data on the health of the subject. The data subject must be explicitly informed by the administrators of their processing and have explicitly given their consent. This image category does not include the photo material.
Processing of personal data of children
Children are given a special protection of personal data because they are not sufficiently aware of the risks, threats and possible adverse effects of unauthorized data processing as well as their rights. This special protection should apply in particular to the use of children's personal data for the purposes of marketing or to the creation of personal or user profiles and the collection of personal data concerning children when using services provided directly to children. When child-directed treatment, any information and communication should be provided with clear and unambiguous formulations that are easy to understand for the child.
In relation to the direct provision of information society services to children, the processing of child data is lawful if the child is 16 years old. If she is under 16, this processing is lawful only if the parent or guardian has given her explicit consent.
         The Commission for Personal Data Protection is about to bring more clarity about the implementation of the new Regulation.
Author: Yanka Kasapska, lawyer


THE NEW REGULATION No. 679 / 27.04.2016 on the protection of personal data THE NEW REGULATION No. 679 / 27.04.2016 on the protection of personal data