Data Protection – New Ordinance – Impact Assessments and Minimum Standards Introduced

A new Ordinance (Ordinance No 1, dated 30 January 2013), on the minimum level of technical and organizational measures and type of protection of personal data has been promulgated in the State Gazette, Issue 14 of 12 February 2013 (“the Ordinance”) (see link, in Bulgarian only) .
The Ordinance came into effect almost immediately on promulgation, on 15 February 2013. It revokes a previous Ordinance of the same name, adopted in 2007. The Ordinance introduces new obligations for all controllers of personal data. It affects a very large number of enterprises, since pursuant to the Bulgarian Personal Data Protection Act (“the Act”), a “controller of personal data” (“Data Controller” or simply “Controller”) is “any legal entity, physical person or administrative body, which on its own or together with another, determines the purposes and means for processing personal data”. This definition covers the vast majority of businesses operating in Bulgaria.
With the introduction of the Ordinance, all Controllers will be required to perform impact assessments with regard to the personal data they process. Each register of personal data maintained by a Controller will be subject to impact assessment. The purpose of impact assessment will be to determine the level of impact of potential illegal processing of personal data on specific individuals or group of individuals whose personal data is being processed. Impact assessments will be carried on by Controllers themselves (ie, impact assessments will not be conducted by government officials as such).
Based on its own determination of the level of impact, each Controller will determine the level of protection of the personal data necessary, choosing between the four grades of protection – low, average, high and extremely high. The Ordinance explicitly prescribes the minimum level of technical and organizational measures for protection of personal data for each level.
Controllers are required to become compliant with the impact assessment provisions with regard to existing datasets of personal data within six months after entry into force of the new Ordinance with prescribed protections implemented by Controllers within six to twelve months after execution of the impact assessment.
Afterwards, Controllers will be obliged to conduct impact assessments every two years, or whenever the nature and type of the personal data they process changes.
Other obligations introduced with the new Ordinance include the requirement for Controllers to adopt: (i) a special policy on protection of personal data, and (ii) internal instructions to staff or company officers, describing the databases of personal data processed by the Data Controller and the required data protection measures for each.
Should you require any further information or clarifications on the issues discussed above and on how they might affect the business or investment you are carrying on in Bulgaria, please do not hesitate to contact us.



Recent work:

Stopping the improper use of insolvency proceedings

A client of our dispute resolution team (led by Kamen Shoylev and Yordan Neshkov) was recently the subject of an indirect claim by a Bulgarian bank with which this client has been engaged in a multi-stage dispute. Unusually, the bank acted through a vehicle registered in an African state, which made an unfounded claim in the tens of millions of euros against our client and sought the commencement of judicial insolvency proceedings against this client. The offshore vehicle was chosen to isolate the bank from liability and create certain evidential difficulties for our client's representation.

NBLO succeeded in terminating the insolvency proceedings, with direct loss fully awarded to our client. A second claim to recover our client's indirect losses is currently under way.

Where targeted in this way through insolvency proceedings, a company may be prevented from trading properly (e.g., by suffering restrictions on its financing or being unable to participate in public procurement).

Through our considerable experience in insolvency litigation, both entirely domestic and where there are European and cross-border elements, we are ideally placed to assist clients in resisting such attacks and recovering the real and considerable losses that may be suffered.

© New Balkans Law Office 2020