Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”) was adopted on 27 April 2016 and will come into full force and effect in all Member States, including Bulgaria, on 25 May 2018.
After a transitional period of approximately two years, as of 25 May 2018 the GDPR will be directly applicable in Bulgaria (as in all other Member States) without the need for any primary or secondary act of national legislation implementing its provisions locally, and it will fully replace the existing Bulgarian data protection legislation that was adopted under Directive 95/46/EC. In case of conflict between a rule of Bulgarian law and the relevant GDPR rule, the GDPR rule will prevail by operation of law.
The material and territorial scope of the GDPR, together with its broad definition of “personal data”, make the GDPR applicable in practice to almost every business that is established or operates in the EU, or that targets or offers goods or services to individuals in the EU.
The main purpose of the GDPR is to ensure a consistent and high level of protection of natural persons with regard to their personal data.
The enforcement mechanisms under the GDPR include, but are not limited to, administrative fines of unusually high amounts (compared with the fines under the currently effective legislation) as well as other types of administrative sanctions of material impact. For example, the fine for the gravest violations of the GDPR may reach up to EUR 20 million or 4% of the total worldwide annual turnover of the undertaking concerned for the preceding financial year, whichever is higher.
Given all that, it is quite understandable that many of our clients are already working around the clock to bring their business operations and systems involving the processing of personal data into compliance with the GDPR.
For these and for any other existing or potential clients, we hereby kindly ALERT that under the GDPR:
- Compliance requires a new, higher level of care, security and accountability from companies that process personal data in one way or another, whether as data controllers or as data processors;
- Data controllers have to be able to demonstrate that the technical and organizational measures they have implemented for each personal data processing activity ensure that such processing is, and remains, compliant;
- By 25 May 2018, companies that currently process personal data need to review and analyze their systems and processes against the new principles and requirements of the GDPR and update them accordingly, while new businesses whose activities will involve personal data processing need to follow the new GDPR principle of data protection by design (privacy by design) when designing and setting up their operations and systems;
- As of 25 May 2018 there will be no more prior notification of processing to the Bulgarian Commission for Personal Data Protection. Instead, data controllers will have to implement the principle of data protection by design and by default, maintain certain internal records of the different types of processing they carry out, and conduct a data protection impact assessment for processing that is likely to result in a high risk;
- The new data protection rules apply not only to data controllers and processors established in the EU but also to data controllers and processors that are not established in the EU but process personal data of data subjects who are in the EU in connection with offering goods or services to such data subjects or monitoring their behaviour;
- Data processors are directly charged with specific obligations and responsibilities and, accordingly, may be held directly liable for non-compliance;
- Biometric data processed for the purpose of uniquely identifying a natural person is expressly qualified as a special category of personal data and, like data concerning health, is subject to special, more stringent and restrictive rules;
- Subject to certain conditions, the appointment of a data protection officer by a data controller or a data processor is mandatory; and
- The Bulgarian Commission for Personal Data Protection will have significantly broader supervisory, investigative and corrective powers under the GDPR than it has now under the currently effective local legislation.
Further to the alert we also hereby CONFIRM that we have THE CAPACITY and CAN OFFER our clients LEGAL SUPPORT in relation to the GDPR as follows:
- General legal advice on GDPR rules and implications;
- GDPR compliance review and analysis of a client’s specific activities;
- Provision of tailor-made advice and hands-on assistance for bringing a client’s activities into compliance with the GDPR;
- Limited but tailor-made advice on the applicability of individual GDPR rules to a client and/or to its activities;
- Review and update of a client’s existing legal documents, and/or drafting of new ones, as required under the GDPR;
- Legal advice and assistance to data processors in relation to their obligations under the GDPR;
- Legal assistance with preparation of data protection impact assessment, as may be required;
- Legal advice and assistance with handling data subjects’ complaints and claims (including claims for damages);
- Tailor-made training for a client’s personnel on the GDPR implications for their everyday work with personal data; and
- Legal support in any other lawful and permissible form, format or content.