In 2016, a General Regulation on personal data protection was adopted – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). The regulation introduces new obligations for personal data controllers and processors. By 25 May 2018 all controllers should bring their personal data processing activities in conformity with the regulation. The Regulation significantly increases the maximum fines and pecuniary sanctions imposed for violations of data protection legislation -upto 20.000.000 euroor upto 4 % ofthe total worldwide annual turnover of the preceding financial year, whichever is higher.
The controllers are being discharged of the obligation to register with the Commission for Consumer Protection (CCP) – supervisory authority under the Regulation for Bulgaria. Instead, they are obliged to keep records of processing activities. This obligation concerns also the personal data processors – natural or legal persons, acting on behalf of the controller. Upon verification the controller/ processor should prove that they are processing the data in accordance with the rules and the principles established. Otherwise, they are subject to sanction.
Another main obligation is the designation of data protection officer. The requirement applies to enterprises in case they perform data processing operations that require regular and systematic monitoring of the data subjects (natural persons). The data protection officer may be employee of the controller or a service provider, professionally developing this activity. His/ hers duties are to ensure the compliance with the rules and the implementation of the internal policies of the controller regarding the personal data protection. The DPO is also responsible for the communication with the supervisory authority – the Commission for Personal Data Protection (CPDP).
In certain cases, the controller is required to carry out an impactassessment of the operations onpersonaldataprotection planned by him. When carrying out a data protection impact assessment, the controller shall seek the advice of the data protection officer. Consultation with the supervisory authority prior to the processing is mandatory where a data protection impact assessment indicates that the processing would result in a high risk.
Another important obligation, the fulfillment of which is required, is the implementation of appropriate technical and organisational measures to ensure data security. Such technical measures are: encryption, pseudonymisation etc. Among the organizational measures is the regular evaluation of the effectiveness of the protection provided and cooperation with the supervisory authority in the performance of the obligations.
Personal data processing takes place with the consentoftheperson, whose data is being processed. Obligation of the controller is to prove the presence of consent. The consent of the respective person subject shall be in the form of a freely given, specific, informed and unambiguous statement. The consent may be withdrawn at any time.
The controller shallnotifythesupervisoryauthorityandthedatasubjectincaseofpersonal data breach. He shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
Transferofpersonaldatainthirdcountryorinternationalorganization is admissible, when upon decision of the Commission, the third country/ organization offers an adequate level of data protection. In other cases, the transfer may be carried out after obtaining authorization by the supervisory authority. Exceptions are provided, including the cross-border data transfer between companies of the same group, while complying with the binding corporate rules/ codes of conduct, approved by the supervisory authority.
The processor shall comply with all rules set and the regulations on personal data protection, and shall be jointly liable with the controller for damages caused. The personal data processor is required to seek the consent of the controller when assigning the processing to a subcontractor. Requirements are defined to the contracts between the controller and the data processor.
Theregulationintroducesnewrights of the natural persons by processingtheir personaldata. They include: access to their own personal data, awareness, rectification (if data is inaccurate), erasure of personal data (‘right to be forgotten’), restriction of processing by the personal data controller or processor, portability of personal data between controllers, objection to the processing of his/hers personal data. The person has the right not to be subject to a decision, which is based solely on automated processing, including ‘profiling’ (the use of personal data to analyze or predict aspects concerning that natural person’s performance at work, economic situation, etc.). The natural persons have also the right to judicial or administrative remedy, in case the rights of the subject were infringed.
GDPR extends the territorial scope of the European regulations on personal data protection. They will also apply to controllers not established in the EU, but processing personal data of people who are in the Union. The mentioned controllers are obliged to implement the rules of the Regulation, where the data processing activities are related to offering goods or services to natural persons in the Union, irrespective of whether connected to a payment, or monitoring of the behaviour of their in so far as this behaviour takes place within the Union.
The ‘onestopshop’ principle for cross-border data processing within the Union is introduced, according to which each organization is subject to supervision by only one supervisory authority – the authority of the state where its principal place of business.
Popov&Partners offers a special package of services in relation to the preparation of private and public clients for compliance with the new requirements for personal data protection. The package includes also the performance of the function of Data protection officer. The expert team consists of lawyers, who can communicate with the client in English, German, Spanish and French.
If you are interested, please contact us by e-mail dataprotection@popov-partners.com.