A new Ordinance (Ordinance No 1, dated 30 January 2013), on the minimum level of technical and organizational measures and type of protection of personal data has been promulgated in the State Gazette, Issue 14 of 12 February 2013 (“the Ordinance”) (see link, in Bulgarian only) .
The Ordinance came into effect almost immediately on promulgation, on 15 February 2013. It revokes a previous Ordinance of the same name, adopted in 2007. The Ordinance introduces new obligations for all controllers of personal data. It affects a very large number of enterprises, since pursuant to the Bulgarian Personal Data Protection Act (“the Act”), a “controller of personal data” (“Data Controller” or simply “Controller”) is “any legal entity, physical person or administrative body, which on its own or together with another, determines the purposes and means for processing personal data”. This definition covers the vast majority of businesses operating in Bulgaria.
With the introduction of the Ordinance, all Controllers will be required to perform impact assessments with regard to the personal data they process. Each register of personal data maintained by a Controller will be subject to impact assessment. The purpose of impact assessment will be to determine the level of impact of potential illegal processing of personal data on specific individuals or group of individuals whose personal data is being processed. Impact assessments will be carried on by Controllers themselves (ie, impact assessments will not be conducted by government officials as such).
Based on its own determination of the level of impact, each Controller will determine the level of protection of the personal data necessary, choosing between the four grades of protection – low, average, high and extremely high. The Ordinance explicitly prescribes the minimum level of technical and organizational measures for protection of personal data for each level.
Controllers are required to become compliant with the impact assessment provisions with regard to existing datasets of personal data within six months after entry into force of the new Ordinance with prescribed protections implemented by Controllers within six to twelve months after execution of the impact assessment.
Afterwards, Controllers will be obliged to conduct impact assessments every two years, or whenever the nature and type of the personal data they process changes.
Other obligations introduced with the new Ordinance include the requirement for Controllers to adopt: (i) a special policy on protection of personal data, and (ii) internal instructions to staff or company officers, describing the databases of personal data processed by the Data Controller and the required data protection measures for each.
Should you require any further information or clarifications on the issues discussed above and on how they might affect the business or investment you are carrying on in Bulgaria, please do not hesitate to contact us.
Asset tracing and fraud: Use of evidence from parallel criminal proceedings in a civil trial
Over the last year, we have assisted the victims of a multi-million dollar large-scale international fraud. Certain of the scheme’s operations were embedded in Bulgaria’s thriving business process outsourcing (BPO) ecosystem.
As part of our representation for clients, we have pursued a claim in a regional Bulgarian court (the organisers of the fraudulent scheme having transferred the registration of the relevant entity to a disused building in that location). We were pleased to obtain a very helpful intervention from the court at first instance including an order to append files containing a substantial amount of evidence generated through a criminal investigation into the fraud to the civil case. This provides rich evidential pickings for proceedings which are either already being conducted or are being contemplated in a range of international jurisdictions as well as Bulgaria.
© New Balkans Law Office 2019