Personal data protection – General information
 

In this section you can find the following information:

  • Why was it necessary to amend the personal data legislation?
  • What is important to know about the GDPR (General Data Protection Regulation)?
  • Who must apply the Regulation?
  • What are the sanctions for violations of the Regulation's requirements?
  • What are the main terms you need to know in order to ensure compliance with the Regulation?

 

Why was it necessary to amend the personal data legislation?

Technologies, social networks and cloud services are developing rapidly, and huge amounts of information, much of it confidential, are stored in them. Unauthorised access to such information can lead to many kinds of abuse: identity theft, fraudulent money transfers, even manipulation of users to make them buy certain goods or vote for a certain candidate in an election. E-mail and social networks are increasingly used by children, who cannot protect themselves from such threats. Some of the servers on which this information is stored are located outside the European Union, where the Member States cannot carry out checks. With the new rules the European Union seeks to reduce the risks to which its citizens are exposed on the internet by laying down clear requirements for the protection of their personal information, irrespective of where that information is physically located.

 

What is important to know about the GDPR (General Data Protection Regulation)?

The full name of this document is "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)", or briefly the "Regulation". Unlike the repealed Directive, which had to be transposed into national law, the Regulation applies directly in every Member State, and anyone can rely on its provisions directly.

While the Directive was in force, a Working Party established under its article 29 issued guidelines, recommendations and opinions on key questions and on the interpretation of terms and principles in the area of personal data. Most of these documents are still useful for clarifying the proper application of the Regulation.

The Article 29 Working Party is succeeded by the European Data Protection Board (EDPB), which continues its work under the Regulation.

 

Who must apply the Regulation?

As of 25 May 2018 every company must process, store and transfer personal data in accordance with the requirements of the Regulation. The Regulation protects the personal data of EU citizens and of other persons who are in the EU, and it binds both organisations established in the EU and organisations outside the EU that offer goods or services to, or monitor the behaviour of, persons in the EU (art. 3). If data of such persons is stored outside the EU, it must nevertheless be handled in accordance with the Regulation.

 

Important to know

The Regulation does not apply to processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (such processing is covered by the separate Directive (EU) 2016/680). It also does not apply to processing by a natural person in the course of a purely personal or household activity. Nor does it protect persons who are neither EU citizens nor present in the EU.

 

What are the sanctions for violations of the Regulation's requirements?

Administrative fines for the most serious infringements (of the basic principles of processing, of the data subjects' rights or of the rules on transfers to third countries) may reach EUR 20 000 000 or, for an undertaking, 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of up to EUR 10 000 000 or 2% of turnover applies to other infringements, such as failing to keep records of processing, to notify a breach or to appoint a data protection officer where one is required (art. 83).

 

What are the main terms you need to know in order to ensure compliance with the Regulation?

The first step towards securing the personal data you work with is to understand the key principles and terms used in the Regulation:

 

Personal data (art. 4, item 1 of the Regulation)
  Definition: any information relating to an identified or identifiable natural person (the "data subject")
  Examples: names, PIN (personal identification number), e-mail address, telephone number, photo, IP address, any other registration or identification number, voice, image, location data

Special categories of personal data (art. 9 and 10 of the Regulation)
  Definition: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data used to uniquely identify a person; data concerning health, sex life or sexual orientation; and (art. 10) data relating to criminal convictions and offences
  Examples: medical records, a fingerprint, a retina scan, a trade union membership card, a criminal record certificate

Data subject
  Definition: the natural person to whom the personal data relates; always a natural person, never a legal entity
  Examples: clients, suppliers, employees, consumers, company managers, persons appearing in video recordings or photos, including you, the reader of this page

 

Processing (art. 4, item 2 of the Regulation)
  Definition: any operation performed on personal data, whether or not by automated means
  Examples: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure or destruction

Principles of personal data processing (art. 5 of the Regulation)
  • lawfulness, fairness and transparency: data must be processed on a valid legal ground, in a way the person would reasonably expect, and the person must be informed that the processing takes place
  • purpose limitation: data collected for one specified purpose may not be further processed for a purpose incompatible with it
  • data minimisation: only data that is adequate, relevant and necessary for the purpose may be processed
  • accuracy: data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay
  • storage limitation: data must not be kept in a form that identifies the person for longer than necessary for the purpose, or for longer than the maximum period permitted by law
  • integrity and confidentiality: appropriate technical and organisational measures must protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • accountability (art. 5, para. 2): the controller is responsible for, and must be able to demonstrate, compliance with the principles above

 

Purposes (art. 5, para. 1, item b of the Regulation)
  Definition: the specific reasons for which data is processed, to be determined before processing starts; some follow from the law and others from the company's business activity
  Examples: by law: employment relations, access to data published in the commercial register; from business activity: marketing, sales, office security

Legal grounds for processing (art. 6-8 of the Regulation)
  • consent: should be relied on only where no other ground applies, because the data subject may withdraw it at any time (art. 7); for online services offered directly to a child under 16 (or a lower age, not below 13, set by national law), the consent of the parent or guardian is required (art. 8)
  • contract: processing necessary to perform a contract with the data subject, or to take steps requested by the data subject before entering into a contract, e.g. handling a quotation request
  • legal obligation: processing the controller is required to carry out by law, e.g. the employer's obligations under labour and social security law, or the customer data a bank must collect under anti-money-laundering rules
  • vital interests of the data subject or another person: e.g. emergency treatment of a patient who is unable to give consent
  • task carried out in the public interest or in the exercise of official authority: e.g. camera-assisted security at concerts and football matches
  • legitimate interest of the controller or a third party: related to the specific business activity, e.g. sales, marketing, fraud prevention or network security; applies only where the interests and rights of the data subject do not override it, and not to public authorities performing their tasks

Controller (art. 4, item 7; art. 24-27 of the Regulation)
  Definition: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  Examples: a company as the employer of its staff; a bank bound by anti-money-laundering obligations towards its customers

Processor (art. 4, item 8; art. 28 of the Regulation)
  Definition: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, under a written contract that sets out the controller's instructions
  Examples: a cloud service provider, a payroll and HR services provider

Data protection officer (art. 37-39 of the Regulation)
  Definition: a person designated by a controller or processor to advise on and monitor its compliance with the Regulation. Designation is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those whose core activities involve large-scale processing of special categories of data or criminal-conviction data. The officer reports to the highest management level and may not be instructed on how to perform the tasks.

Means
  Definition: covers not only the technical but also the organisational parameters of the processing
  Examples: the specific software products used, the way access to the data is organised, etc.

 

 

Personal data breach (art. 4, item 12; art. 33-34 of the Regulation)
  Definition: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Unless the breach is unlikely to result in a risk to the persons concerned, the controller must notify the supervisory authority within 72 hours of becoming aware of it (art. 33), and must inform the affected persons where the risk to them is high (art. 34).
  Examples: a hacker attack, loss of electronic records, loss of a storage medium (laptop, USB stick), access to the data by an unauthorised person

Pseudonymisation (art. 4, item 5 of the Regulation)
  Definition: processing personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is protected by technical and organisational measures. Pseudonymised data remains personal data, because the person can still be identified with the separately held information.
  Examples: replacing the names and PIN in a dataset with a code, while the table linking codes to persons is kept separately with restricted access; encrypting the data with a cryptographic key that is held separately, so that the records cannot be read or linked back to a person without that key
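The pseudonymisation entry above can be made concrete in code. The following is an added example, not code from the Ministry's page: it replaces the PIN in a set of constructed, fictitious records with a token computed as an HMAC under a secret key, keeps the re-identification table apart from the records, and then shows why the key matters. It assumes a 10-digit PIN whose first six digits are the date of birth (the Bulgarian format); the function names, sample records and the attacker's assumed knowledge of a birth date are all assumptions of the example.

```python
"""Pseudonymisation with a keyed hash, and why an unkeyed hash is not enough.

Added example, not code from the Ministry's page. It assumes a 10-digit PIN
whose first six digits are the date of birth (Bulgarian format); the records,
names and PINs below are constructed and fictitious.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from itertools import product

# Constructed sample records: direct identifiers (name, pin) plus a sensitive field.
RECORDS = [
    {"name": "Ivan Petrov",   "pin": "8001011234", "diagnosis": "J06.9"},
    {"name": "Maria Ivanova", "pin": "9002022345", "diagnosis": "I10"},
    {"name": "Ivan Petrov",   "pin": "8001011234", "diagnosis": "E11.9"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Token for an identifier: HMAC-SHA256 under a secret key.

    The same person always gets the same token, so records stay linkable for
    analysis; without the key the token cannot be recomputed from a guess.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> tuple[list[dict], dict[str, dict]]:
    """Strip name and PIN from each record, keeping only a token.

    Returns the pseudonymised records and the re-identification table. The
    table and the key are the "additional information" of art. 4, item 5: they
    must be stored separately from the records, under their own access control.
    """
    pseudonymised, lookup = [], {}
    for r in records:
        token = pseudonym(r["pin"], key)
        lookup[token] = {"name": r["name"], "pin": r["pin"]}
        pseudonymised.append({"subject": token, "diagnosis": r["diagnosis"]})
    return pseudonymised, lookup


def reidentify(token: str, lookup: dict[str, dict]) -> dict | None:
    """Authorised re-identification: only possible for whoever holds the lookup table."""
    return lookup.get(token)


def unkeyed_hash(identifier: str) -> str:
    """The weak variant: plain SHA-256 with no secret. Anyone can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_pin_by_enumeration(target: str, known_prefix: str, hash_fn) -> str | None:
    """An attacker who knows a person's date of birth (first six digits) tries
    all 10**4 remaining digit combinations and compares against the stored token."""
    for digits in product("0123456789", repeat=4):
        candidate = known_prefix + "".join(digits)
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


def demo() -> dict:
    """Run both variants and report what the attacker recovers in each case."""
    key = secrets.token_bytes(32)           # generated and held by the controller
    records, lookup = pseudonymise(RECORDS, key)
    target_prefix = RECORDS[0]["pin"][:6]   # attacker knows Ivan's date of birth

    # Unkeyed hash: the PIN is recovered by enumeration in a fraction of a second.
    weak_token = unkeyed_hash(RECORDS[0]["pin"])
    from_unkeyed = recover_pin_by_enumeration(weak_token, target_prefix, unkeyed_hash)

    # Keyed hash: the attacker does not hold `key`, so every key they try is wrong.
    attacker_key = secrets.token_bytes(32)
    from_keyed = recover_pin_by_enumeration(
        records[0]["subject"], target_prefix, lambda c: pseudonym(c, attacker_key))

    return {
        "records": records,
        "linkable": records[0]["subject"] == records[2]["subject"],
        "authorised_name": reidentify(records[1]["subject"], lookup)["name"],
        "pin_from_unkeyed_hash": from_unkeyed,
        "pin_from_keyed_hash": from_keyed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the pseudonymised records, confirms that the two records of the same person remain linkable, that the holder of the lookup table can re-identify a token, that the unkeyed SHA-256 token is reversed by enumerating the 10 000 candidates behind a known date of birth, and that the same enumeration against the HMAC token finds nothing. The protection therefore rests entirely on the key and the lookup table being stored apart from the records: copying them into the same database, or publishing a plain hash of the PIN as if it were anonymous, collapses it.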

Profiling (art. 4, item 4 of the Regulation)
  Definition: any form of automated processing of personal data that uses the data to evaluate certain personal aspects of a natural person
  Examples: analysing or predicting the person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

Automated individual decision-making (art. 22 of the Regulation)
  Definition: a decision based solely on automated processing, including profiling, with no meaningful review by a person, which produces legal effects for the data subject or similarly significantly affects them. The data subject has the right not to be subject to such a decision, except where it is necessary for a contract, authorised by law or based on explicit consent, and even then may demand human intervention and contest the decision.
  Examples: automatic refusal of an online credit application; screening of job applicants without any human involvement

Impact assessment (data protection impact assessment, art. 35 and 36 of the Regulation)
  Definition: an assessment of the impact of the envisaged processing on the protection of personal data, which the controller must carry out before starting processing that is likely to result in a high risk to the rights and freedoms of natural persons, in particular where new technologies are used. If the assessment shows that a high risk remains despite the planned measures, the controller must consult the supervisory authority before processing (art. 36).
  Examples: systematic and extensive profiling used for decisions with legal effects; large-scale processing of special categories of data; systematic monitoring of a publicly accessible area on a large scale (art. 35, para. 3)

Important to know

Even where names and a PIN are not available, a natural person can still be identified, for example by IP address (a common case with cookies), by an official number (as used by professional organisations and some employers), or from a voice or video recording.

 

Important to know

Each of the operations listed in art. 4, item 2 of the Regulation counts as processing on its own. A company that only stores or destroys personal data, without performing any other operation on it, is still within the scope of the Regulation and must apply its requirements, whether or not its employees ever access or otherwise use the data.

 

For more information

For more information, please visit the websites of the:
Ministry of Economy
8, Slavyanska Str., Sofia 1052, Bulgaria
BULSTAT: BG176789453
phone: +359 2 940 7001
fax: +359 2 987 2190
e-mail: e-docs@mi.government.bg