Data protection – New ordinance: Impact Assessments and Minimum Standards introduced
20 February 2013A new Ordinance (Ordinance No 1, dated 30 January 2013), on the minimum level of technical and organizational measures and type of protection of personal data has been promulgated in the State Gazette, Issue 14 of 12 February 2013 (“the Ordinance”) (see link, in Bulgarian only) .
The Ordinance came into effect almost immediately on promulgation, on 15 February 2013. It revokes a previous Ordinance of the same name, adopted in 2007. The Ordinance introduces new obligations for all controllers of personal data. It affects a very large number of enterprises, since pursuant to the Bulgarian Personal Data Protection Act (“the Act”), a “controller of personal data” (“Data Controller” or simply “Controller”) is “any legal entity, physical person or administrative body, which on its own or together with another, determines the purposes and means for processing personal data”. This definition covers the vast majority of businesses operating in Bulgaria.
With the introduction of the Ordinance, all Controllers will be required to perform impact assessments with regard to the personal data they process. Each register of personal data maintained by a Controller will be subject to impact assessment. The purpose of impact assessment will be to determine the level of impact of potential illegal processing of personal data on specific individuals or group of individuals whose personal data is being processed. Impact assessments will be carried on by Controllers themselves (ie, impact assessments will not be conducted by government officials as such).
Based on its own determination of the level of impact, each Controller will determine the level of protection of the personal data necessary, choosing between the four grades of protection – low, average, high and extremely high. The Ordinance explicitly prescribes the minimum level of technical and organizational measures for protection of personal data for each level.
Controllers are required to become compliant with the impact assessment provisions with regard to existing datasets of personal data within six months after entry into force of the new Ordinance with prescribed protections implemented by Controllers within six to twelve months after execution of the impact assessment.
Afterwards, Controllers will be obliged to conduct impact assessments every two years, or whenever the nature and type of the personal data they process changes.
Other obligations introduced with the new Ordinance include the requirement for Controllers to adopt: (i) a special policy on protection of personal data, and (ii) internal instructions to staff or company officers, describing the databases of personal data processed by the Data Controller and the required data protection measures for each.
Should you require any further information or clarifications on the issues discussed above and on how they might affect the business or investment you are carrying on in Bulgaria, please do not hesitate to contact New Balkans Law Office.