Bulgaria: The amendment of the data protection law

Background
With the entry into force of the General Data Protection Regulation (EU) 2016/679 (GDPR), the data protection directive 95/46/EC applicable at that time was repealed. The applicable Bulgarian Data Protection Act had to be revised and adapted to the new requirements. For this purpose, a comprehensive amendment was adopted (state gazette 17 of 2019), through which, amongst other things, the concretisation of the provisions of the GDPR are introduced.

New rules for the controller
People acting as a controller within the meaning of the GDPR are no longer obligated to register with the Bulgarian Data Protection Commission when assuming their work, whereby they naturally have to comply with the legal provisions. The controller may only keep copies of personnel ID if it is provided for in the law. In addition, personal data of deceased persons may only be processed based on an existing legal basis. Measures must be taken to preserve the rights and freedoms of third parties. Free public access to identity numbers of Bulgarian or foreign persons is only permitted in legally regulated cases. The processing of personal data of minors due to consent is only valid if the consent is granted by the respective legal representative or guardian. Processing personal data for journalistic, scientific, artistic or literary purposes may not violate the right to private life. The disclosure of data processed for such purposes by transfer or in another way is permitted only under certain conditions.

New for employers
The employer must have rules and procedures relating to access control, the working hours, the violations, work discipline, amongst others. Both the employer and the HR specialists may only store application documents for longer than 6 months with the consent of the applicant. Original documents that indicate the psychological or physical status of applicants who were not employed must be returned to the data subject within 6 months after the end of the application procedure.

The data subjects
The amendment regulates in detail the exercising of the information rights of the data subjects towards the controller and the procedures for access to their personal data. A very large part of the amendment is dedicated to the procedure for filing legal remedies in the event of violations of the rights of data subjects. However, a complaint to the data protection commission is limited to 6 months after becoming aware of the violation and at the latest two years after the violation was committed. Anonymous complaints or complaints without signature are not processed by the Commission. Data subjects also have the right to compensation for damages. In addition, there is a detailed regulation for the protection of natural persons for data processing in the criminal proceedings.

Author: Cornelia Draganova