Data Protection – New Ordinance – Impact Assessments and Minimum Standards Introduced

A new Ordinance (Ordinance No 1, dated 30 January 2013), on the minimum level of technical and organizational measures and type of protection of personal data has been promulgated in the State Gazette, Issue 14 of 12 February 2013 (“the Ordinance”) (see link, in Bulgarian only) .
The Ordinance came into effect almost immediately on promulgation, on 15 February 2013. It revokes a previous Ordinance of the same name, adopted in 2007. The Ordinance introduces new obligations for all controllers of personal data. It affects a very large number of enterprises, since pursuant to the Bulgarian Personal Data Protection Act (“the Act”), a “controller of personal data” (“Data Controller” or simply “Controller”) is “any legal entity, physical person or administrative body, which on its own or together with another, determines the purposes and means for processing personal data”. This definition covers the vast majority of businesses operating in Bulgaria.
With the introduction of the Ordinance, all Controllers will be required to perform impact assessments with regard to the personal data they process. Each register of personal data maintained by a Controller will be subject to impact assessment. The purpose of impact assessment will be to determine the level of impact of potential illegal processing of personal data on specific individuals or group of individuals whose personal data is being processed. Impact assessments will be carried on by Controllers themselves (ie, impact assessments will not be conducted by government officials as such).
Based on its own determination of the level of impact, each Controller will determine the level of protection of the personal data necessary, choosing between the four grades of protection – low, average, high and extremely high. The Ordinance explicitly prescribes the minimum level of technical and organizational measures for protection of personal data for each level.
Controllers are required to become compliant with the impact assessment provisions with regard to existing datasets of personal data within six months after entry into force of the new Ordinance with prescribed protections implemented by Controllers within six to twelve months after execution of the impact assessment.
Afterwards, Controllers will be obliged to conduct impact assessments every two years, or whenever the nature and type of the personal data they process changes.
Other obligations introduced with the new Ordinance include the requirement for Controllers to adopt: (i) a special policy on protection of personal data, and (ii) internal instructions to staff or company officers, describing the databases of personal data processed by the Data Controller and the required data protection measures for each.
Should you require any further information or clarifications on the issues discussed above and on how they might affect the business or investment you are carrying on in Bulgaria, please do not hesitate to contact us.



Recent work:

NBLO helps Dutch investor win summary judgment in High Court for the sum of GBP 192,000

New Balkans Law Office has acted for Mr Kooter, the individual claimant in legal proceedings recently covered by the British press (e.g., The Evening Standard) and subsequently also in Bulgarian news media (e.g., 24 Chasa).

NBLO has represented Mr Kooter throughout the matter. We assisted with the enforcement of a worldwide freezing order issued by the High Court in London against real estate, bank account and other assets of the defendant situated in Bulgaria. As part of the attempts to preserving assets for enforcing his claim, the claimant also proceeded on the basis of prejudiced against him as a creditor. NBLO additionally acted on various ancillary aspects.

Separately, through one of NBLO’s partners who is dual-qualified as an English barrister, NBLO formed part of Mr Kooter’s UK legal team. In the UK, Mr Kooter won summary judgment for the sum of £192,000, interest and legal costs. The sum awarded was the entire claim by Mr Kooter relating to sums which Ms Radeva had ostensibly offered to invest on his behalf. For a separate part of the claim (approx. €36,000), the High Court was unable to give a summary (effectively, early-stage) judgment on the basis that unlike the investment related claim, the basis of these transfers could not be established without a full investigation of evidence including oral hearings.

Read More

© New Balkans Law Office 2020