We are living in a digital age. The Snowden case has placed certain aspects of personal data processing and related threats in the spotlight. The ripple effects have been seen far beyond the USA, and Bulgaria has also been affected by discussions on how personal data is used. However, personal data protection tends to become a topic only after the fact, once problems and questions have already arisen. Many Bulgarians have heard about personal data, but few are interested in finding out more. The protection of personal data is, generally, not taken seriously.
Unknown to most, Bulgaria’s Personal Data Protection Act (PDPA) has been in place for more than 15 years. The PDPA regulates the rights of individuals and the obligations of data controllers and processors when collecting and processing personal data. Each data controller (e.g., each company that collects, stores, uses, transfers, or somehow processes the personal data of its employees/customers) must apply for registration with the Bulgarian Personal Data Protection Commission (PDPC). Depending on the personal data and the purposes for which it has been collected and processed, registration covers information about the data controller and the personal data controlled, grouped into separate registers (e.g., for “Employees”, “Customers”, “Christmas Marketing Campaign 2016”, and so on). Data controllers must provide information – before starting the processing of personal data – on the legal grounds, the purpose, and the terms of processing; the recipients to whom the personal data may be disclosed; and whether any personal data will be transferred abroad. Data controllers are obliged to use means for processing personal data sufficient to ensure the required level of protection (e.g., encryption if the data is stored electronically, or locking tangible data (hard copies) in a safe). Accordingly, individuals wanting to know what is going on with their personal data have the statutory right to request and receive all necessary information from a data controller. In most cases individuals can even instruct data controllers to stop processing their personal data. As a result, the PDPA gives individuals sufficient tools to provide informed consent and to control their personal data processing.
However, in Bulgaria, businesses and individuals have generally neglected current data protection regulations. They consider the PDPA a bureaucratic hindrance to doing business rather than a positive step towards a Digital Single Market where individuals and businesses can seamlessly access and exercise online activities under fair competition conditions with a high level of personal data protection. Neglecting data protection laws can lead to the misuse of personal data, such as credit-card numbers being stolen or personal information being sold or shared without authorization to advertisers. Thus, each click of the mouse that discloses personal data opens people up to the possibility that such data may be misused.
The European Union’s new Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “Regulation”) sets very ambitious targets and introduces several completely new concepts. Once it becomes applicable in May 2018, it is expected to attract the attention of Bulgarian businesses and individuals alike.
The reasons for this are, on the one hand, the benefits for businesses and individuals and, on the other hand, the new obligations for the data controllers linked with significant sanctions in cases of breach. The Regulation provides individuals with more control over their personal data, as they will have access to more information on how their data is processed, as well as gaining the “right to be forgotten.” In addition, businesses will benefit from the Regulation as a result of the implementation of certain principles such as the “One continent, one law” rule (i.e., the creation of one single set of rules to make it simpler and cheaper for companies to do business in the EU), the “European rules on European soil” (calling for the same rules to be applied to companies based outside of Europe when they offer their services in the EU), and so on. At the same time, data controllers and processors will have some new obligations, such as the requirements that they keep registers on their data processing activities, perform privacy impact assessments, and appoint data protection officers in certain cases. Last but not least, the administrative fines for breach of certain data protection provisions are significantly increased and may reach up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The increased fines should be an incentive for businesses to undertake the necessary measures and become compliant with the new data protection rules in a timely manner.
By Stefana Tsekova, Partner, and Silvia Ribanchova, Attorney, Schoenherr Sofia
This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine.