Last updated 26.03.2021
In this section you can find the following information:
What are the main procedures, which must be applied with respect to the processing of personal data?
The key procedures, pursuant to the Regulation, include:
Notification in case of a personal data breach
In case of a personal data breach, the controller must notify the Commission for Personal Data Protection not later than 72 hours after becoming aware of the breach.
According to art. 4, item 12 of the Regulation a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach is a type of security incident, related to a possible breach of the confidentiality, integrity or availability of the data.
It is important to note that the Commission does not need to be notified of each and every breach, but only of a breach which may give rise to a risk for the rights and freedoms of natural persons. If the breach may cause a high risk for the rights and freedoms of natural persons, the persons themselves must be notified as well.
The assessment of the risk for the rights and freedom of the natural persons depends on a number of factors:
The risk must be assessed on a case-by-case basis, and the Guidelines of the Article 29 Working Party on personal data breach notification of 3 October 2017 are useful when determining such risk and when deciding whether or not to notify the Commission for Personal Data Protection and the natural persons. Notification of the Commission for Personal Data Protection and the natural persons will probably not be necessary, for example, in case of loss of an encrypted database which cannot be disclosed without a password and/or a cryptographic key, or if such a database does not contain a large amount of sensitive personal data such as medical or financial information and the availability of the data cannot be restored.
The controller, however, must document each personal data breach, irrespective of the risk it poses. This requires the establishment of a special register.
The notification obligation must be fulfilled by the controller, but if the personal data processor becomes aware of a security breach, he must notify the controller forthwith. For more information regarding the relations between the controller and the processor, please see here.
The notice to the Commission for Personal Data Protection and the natural persons must contain a description of the nature of the personal data breach, including:
The data subjects need not be notified if the controller has undertaken preliminary measures, or certain measures after the breach, so that the high risk for the rights and freedoms of the natural persons does not materialise, or if the notification would require disproportionate effort. In the latter case, a public announcement is possible instead.
Analysis of the processes of personal data processing and data protection impact assessment
In order to protect data efficiently, the processes involving work with personal data at the company must be thoroughly analysed.
Important to know
The impact assessment is a procedure applied to those processes in the company whose processing results in a high risk. It is important to note that it must be completed before the personal data processing has started.
If the impact assessment concludes that the processes are not adequately protected, measures should be taken for their improved and efficient protection. After taking such measures, the procedure shall be performed at least once more, and if it is concluded that the measures are adequate and the data is sufficiently protected, the processing may begin.
The data controller is responsible for the implementation of the procedure. The data processor may support such implementation, given his knowledge of the technical and organisational data protection measures, or if he has greater knowledge of the specific process. The Data Protection Officer takes part in the procedure by advising on its implementation.
Examples of processes requiring an impact assessment are applications processing personal data and financial information of the company's employees regarding the payment of their salaries, video surveillance, the storage and archiving of information by a cloud service provider or by a provider storing information as hard copies, and any other processes meeting the criteria for high risk.
All personal data processing processes must be documented and the documentation stored by the controller. Storage may also be in electronic form; the documents must be available to the Commission for Personal Data Protection upon request.
Transferring personal data to countries outside the European Economic Area
When data is transferred outside the European Economic Area to a third country or international organisation, the personal data controller must ensure conformity with the Regulation by applying appropriate protection measures. Compliance with such measures also applies to subsequent transfers of the personal data to other countries or international organisations. The measures depend on the level of reliability of the receiving country or international organisation. The European Commission has adopted decisions determining whether or not certain countries provide an adequate level of data protection.
If no such level of protection is provided, the transfer will nevertheless be possible if there are binding corporate rules, standard data protection clauses in the contracts signed between the transferring companies, an approved code of conduct or an approved certification mechanism.
Also, the personal data processor cannot transfer, store or otherwise process personal data outside the European Economic Area without controller’s prior consent.
Development and observation of a code of conduct
The Regulation provides the option for codes of conduct to be developed within individual sectors, enterprises and micro-enterprises, aimed at the proper implementation of the legislation related to personal data. These codes must contain mechanisms enabling mandatory monitoring, by a body accredited by the Commission for Personal Data Protection, of the observation of the Code's provisions by the data controllers and processors who agree to apply it. The Commission for Personal Data Protection must also approve the Code before it is applied, by registering and publishing it.
If such a code is approved by the European Commission, it can be valid and apply in several Member States or even within the entire EU.
Development and observation of policies and documents
Below you can find an example list of the policies and documents which every company must prepare when processing personal data. This list is for reference purposes only; every company, based on its specific activity, may have additional policies corresponding to the internal organisation of its activities related to personal data processing:
Maintaining registers
Each controller must keep personal data processing registers, in which the data processing processes have to be entered:
How to claim our rights?
Natural persons can file applications and complaints with the data controllers or processors if they believe that their rights have been breached. The data processors must forward the respective complaint or application to the controller and cooperate as fully as possible in establishing the facts and circumstances related to the specific case. The response to the complaint or application must be given by the controller. The state authority responsible for the protection of natural persons' personal data on the territory of Bulgaria is the Commission for Personal Data Protection, to which natural persons should address their complaints and signals if they think that their rights have been breached. You can find more information regarding the Commission here.
For more information
For more information, please visit the websites of the: