Updated last 26.03.2021
In this section you can find the following information:
- What are the main procedures, which must be applied with respect to the processing of personal data?
- How to claim our rights?
What are the main procedures, which must be applied with respect to the processing of personal data?
The key procedures, pursuant to the Regulation, include:
- Notification in case of a personal data breach;
- Analysis of the processes of personal data processing and data protection impact assessment;
- Transfer of personal data to countries outside the European Economic Area;
- Development and observation of a code of conduct;
- Development and observation of policies;
- Maintaining registers.
Notification in case of a personal data breach
In case of a personal data breach, not later than 72 hours after the controller becomes aware of the breach, she/he must notify Commission for Personal Data Protection accordingly.
According to art. 4, item 12 of the Regulation a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The personal data breach is a type of security accident, related to the possible breach of the confidentiality, integrity or availability of the data.
It is important that the Commission does not need to be notified of each and every breach, but only of a breach, which may give rise to a risk for the rights and freedom of natural persons. If the breach may cause high risk for the rights and freedoms of natural persons, the persons themselves must be notified accordingly.
The assessment of the risk for the rights and freedom of the natural persons depends on a number of factors:
- A key factor may be the type of security accident: if, for example, the confidentiality of medical information is subject to the case, this may have serious consequences for the natural person;
- The nature and scope of the personal data is of immense significance – if, for example, a large number of names are disclosed, in combination with financial information for credit and debit cards or the names of the biological parents and adopters of a child, this may give rise to a significant risk;
- If, as a result of the breach, the person can be easily identified, this could doubtlessly result in a number of complications;
- If the consequences for the natural persons are serious and can result in harm to the reputation of the natural person, to fraud, physical injury and even identity theft, the risk can definitely be classified as high;
- If the breach of the personal data integrity results in disclosure of data of children or a large amounts of data of a natural persons, this may also result in high risk levels.
The risk must be assessed on a case-by-case basis and the Guidelines of the Article 29 Working Party regarding the notification of a personal data breach of 3 October 2017 are useful when determining such risk and when taking decision whether or not to notify the Commission for Personal Data Protection and the natural persons. Тhe notification of the Commission for Personal Data Protection and the natural persons will probably not be necessary, for example, in case of loss of an encrypted database, which cannot be disclosed without a password and/or a cryptographic key, or if such database does not contain a large amount of sensitive information with personal data such as medical or financial information and the availability of the data cannot be restored.
The controller, however, must document each personal data breach, irrespective of the risk it poses. This requires the establishment of a special register.
The notification obligation must be fulfilled by the controller, but if the personal data processor becomes aware of a security breach, he must notify the controller forthwith. For more information regarding the relations between the controller and processor, please, see here.
The notice to the Commission for Personal Data Protection and the natural persons must contain a description of the nature of the personal data breach, including:
- Description of the nature of the breach of the personal data’s security, including if possible an approximate number of the subjects affected;
- Description of the possible consequences;
- The undertaken or proposed measures for dealing with the breach and its possible consequences;
- Contact details of the controller or his employee, appointed as a Data Protection Officer.
The data subjects may not be notified, if the controller has undertaken preliminary measures or certain measures after the breach, so that the high risk for the rights and freedom of the natural persons is not materialized or if the notification would result in disproportionate efforts. In the latter case, a public announcement is possible.
Analysis of the processes of personal data processing and data protection impact assessment
In order to efficiently protect data, the processes, involving work with personal data at the company, must be thoroughly analysed.
- Determination of the processes: the company must determine all the processes, involving personal data processing.
- Analysis of the processes: Processes must be analysed and systematized and monitoring of the entire processing of the data need to be conducted: where does it come from, in what individual departments of the company is it processed, whether or not these change as a result of processing and what third parties or governmental institutions are provided with the data in the final stage.
- Determination of the personal data categories, to be processed: The categories of personal data, to be processed in each process must be determined, as well as what these data are exactly about: whether it is special personal data categories or data, related to sentences and violations or just names, email address and PIN (ordinary categories personal data). Whether the special categories of personal data include e.g. medical information. It is important to clarify what this medical information is: is it a case merely of storing a sick leave or genetic and biometrical data, whether or not such information is in combination with names and PINs of the specific natural person, so that he is easily identifiable.
- Analysis based on the processing purposes: Based on the structured processes it is necessary to analyse to what extent the data collected, correspond to the objectives for their collection.
- Analysis of the adequacyof the technical and organisational protection masures: It should be determined whether or not the means, applied for the personal data protection, are adequate, i.e. whether or not they provide the required level of security, in terms of technical parameters and analyse the organization of the protection in terms of level of access or whether the premises meet the current state-of-the-art development.
- Risk analysis: The most important step is to determine whether or not the processing is likely to give risk for the rights and freedom of the natural persons and whether such risk is high. For this purpose, the Guidelines of the Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” of 4 April 2017 may provide useful information on how risk is determined. Тhe risk analysis is not strictly regulated, it is performed to a significant extent by the application of discretion by the company regarding the risk profile of the processing. It is necessary, however, that this discretion complies with the requirements of the Regulation and efficiently protects the rights and freedoms of the natural persons.
- Impact assessment:
|Important to know|
The impact assessment is a procedure, applied to the processes in the company, the processing of which results in a high risk. It is important to note that it must be accomplished before the personal data processing has started.
If the impact assessment results in a conclusion that processes are not adequately protected, measures should be taken for their improved and efficient protection. After taking such measures, the procedure shall be performed at lease once and if it is concluded that the measures are adequate and the data is sufficiently protected, the processing may begin.
The data controller is responsible for the implementation of the procedure. Тhe data processor may provide support in such implementation, considering the technical and organizational data protection measures, as well as if he is aware to a greater extent of the specific process. Тhe Data Protection Officer takes part in the procedure, by consulting its implementation.
An example of processes, requiring the procedure impact assessment are the applications, processing personal data and financial information of the employees in the company, regarding the payment of their salaries, the video surveillance process, the processes of storing and archiving information by the cloud service provider and by a provider, storing information as hard copies, as well as any and all other processes, meeting the criteria for high risk.
All personal data processing processes, must be documented and stored by the controller. Storage may also be in electronic form, as the documents must be available to the Commission for Personal Data Protection upon request.
Transferring personal data to countries outside the European Economic Area
When data is transferred outside the European Economic Area to a third country or international organization, the administrator of personal data must ensure conformity with the Regulation by applying appropriate protection measures. Тhe compliance with such measures shall also apply to subsequent transfers of personal data to other countries or international organizations. Тhe measures depend on the level of reliability of the receiving Member State or international organization. Тhe European Commission has expressed decision, which determines whether or not certain countries provide adequately data protection.
If no such level of protection is provided, the transfer will nevertheless be possible, if there are mandatory corporate rules, standard clauses for data protection in the signed contracts between the transferring companies, an approved code of conduct or approved certification mechanism.
Also, the personal data processor cannot transfer, store or otherwise process personal data outside the European Economic Area without controller’s prior consent.
Development and observation of a code of conduct
The Regulation provides the option that codes of conduct are developed within individual sectors, enterprises and micro-enterprises, aimed at the proper implementation of the legislation, related to personal data. Тhese codes must contain mechanisms, enabling the mandatory monitoring of the observation of the provisions of Code by the data controllers and processors, who agree to apply it, by an accredited authority of the Commission for Personal Data Protection. Тhe Commission for Personal Data Protection must also approve the Code before the commencement of its application, by registering and publishing it.
If such a code is approved by the European Commission, it can be valid and apply in several Member States or even within the entire EU.
Development and observation of policies and documents
Below you can find a example list of the policies and documents, which every company must prepare in case of personal data processing. This list is for reference purposes only and every company, based on its specific activity, may have additional policies, corresponding to the internal organization of its activities, related to the personal data processing:
- General personal data protection policy, including the personal data processing processes and the general rules for working with them, the relevant storage periods, etc.;
- Policy on the data protection impact assessment procedure;
- Template of the notices of data confidentiality;
- Template of the consent to personal data processing;
- Policy on the management of personal data protection breaches;
- Policy on the rights of data subjects;
- Policy on information security;
- Policy on the confidentiality and information security (Code of Conduct regarding working with personal data by the employees and Standards);
- Policy on the use of mobile devices by the employees and information protection;
- Other policies on the personal data processing processes, if necessary.
Each controller must keep personal data processing registers, where data processing processes has to be entered:
- register of the processing activities, for which the company is responsible. This register must be kept both for the activities, for which the company is a controller, and for those, for which it is a processor;
- register of the personal data security breaches. This register must contain not only breaches, posing a risk or high risk, but also each personal data breach, irrespective of the risk level and on whether or not the Commission for Personal Data Protection and/or natural persons are notified of the accident;
- register of the signals and requests, submitted by data subjects in view of the protection of their rights and interests.
How to claim our rights?
Natural persons can file applications and claims to the data controllers or processors, if they believe that their rights have been breached. Тhe data processors must transfer to the controller the respective complaint or application and cooperate as fully as possible in the establishment of the facts and circumstances, related to the specific case. Тhe response to the complaint or application must be given by the controller. The state authority, responsible for the personal data protection of natural persons on the territory of Bulgaria is the Commission for Personal Data Protection, which should be addressed by the natural persons with their complaints and signals, if they think that their rights have been breached. More information regarding the Commission, you can find here.
|For more information|
For more information, please visit the websites of the:
Text of the Regulation.