Long-expected amendments to the Personal Data Protection Act (PDPA) were promulgated in State Gazette issue No 17 of 26 February 2019 and enter into force on 2 March 2019. The PDPA implements the rules set out in Regulation (EU) 2016/679 of 27 April 2016, commonly known as the General Data Protection Regulation or GDPR, as well as the rules of Directive (EU) 2016/680 of 27 April 2016 (usually referred to as the Police Directive).
The PDPA introduces specific provisions for the processing of personal data in various fields of public life. The Act answers a number of questions that have been in the spotlight of public attention since the adoption of the GDPR.
Data protection in the employment context
The PDPA now lays down several rules dedicated to data protection in the employment context, including recruitment practices.
The PDPA explicitly provides that each employer alone determines the retention period for the CVs and supporting documents of job applicants. The period cannot be longer than six months, unless the job applicant has consented to a longer retention period. Further, if an employer requested originals or notarized copies of documents, such as diplomas or certificates, these must be returned within six months of the completion of the respective recruitment campaign.
A specific rule now obliges employers to adopt, and inform employees of, policies and procedures dedicated to: (i) the system implemented for reporting violations, such as hotlines; (ii) restrictions on the use of corporate resources, such as internet and email usage; (iii) the system implemented for supervising access to premises, working hours and labour discipline in general. These policies aim to reconcile the conflict between employees' right to privacy and the employer's exercise of disciplinary power.
Processing of personal data for specific purposes
The PDPA expressly prohibits making copies of identity documents, driving licences and residence documents, unless the law expressly provides for it, e.g. in the context of anti-money laundering obligations. This rule should put an end to the illicit practice of employers copying such documents, since in general there is no need or obligation to do so.
The PDPA lays down rules on processing personal data in several specific situations, namely for journalistic, statistical and scientific purposes, as well as for archiving purposes in the public interest. Specific rules are also provided for the recording of videos and photos in public places and of individuals in the course of performing a public service.
The overall aim of the provisions is to set the criteria and establish legitimate limitations for the rights of individuals when their personal data are used or made accessible for the above purposes.
The PDPA sets out specific rules restricting access to personal identification numbers and governing the processing of personal data concerning deceased persons. Access to data concerning deceased persons is allowed only to their successors and to other individuals or entities with a legal interest.
Data Protection Officers (DPOs)
As regards DPOs, the PDPA establishes that data controllers and processors shall inform the Commission for Personal Data Protection (CPDP) of the appointment of a DPO by means of a specific application form. In this regard, the CPDP already published a sample application form in May 2018.
The initial draft provisions included a special criterion for the appointment of a DPO: the processing of personal data of more than ten thousand individuals. Because the mere number of data subjects cannot by itself justify the need for an appointment, this provision was not included in the final text.
Commission for Personal Data Protection
There are now rules for the appointment of the CPDP Chair and members. A detailed description of the CPDP powers is included to match the thorough list of powers conferred by the GDPR.
Additionally, the CPDP will accredit certification bodies and approve draft codes of conduct in accordance with the rules of the GDPR. Furthermore, the CPDP will maintain the following public registers: (i) a register of data controllers and processors that have appointed a DPO; (ii) a register of certification bodies; (iii) a register of approved codes of conduct.
Supervision and sanctions
The PDPA now includes specific provisions regarding the rights of data subjects to seek administrative and judicial remedy against violations of their rights with regard to data protection.
Every data subject will be entitled to apply to the CPDP in case of a violation of the individual's rights under the GDPR and the PDPA. The application may be submitted by post, by fax or electronically in compliance with the Electronic Documents and Electronic Trust Services Act. Anonymous applications will not be admissible.
In case of a violation of the individual's rights under the GDPR and the PDPA, each individual will also be entitled to seek a remedy directly before the courts against data controllers and processors.
The PDPA further provides clarity on the corrective measures that may be imposed on data controllers and processors. The PDPA sets out that the measures will be imposed by means of a specific resolution of the CPDP, which may be appealed in accordance with the Code of Administrative Procedure.
Last but not least, the PDPA outlines the sanctions to be imposed for violations of the GDPR and, in particular, for violations of specific provisions of the PDPA. For example, non-compliance with the prohibition on providing unlimited public access to personal identification numbers will entail a fine of up to EUR 20 million or up to four per cent of the total worldwide annual turnover for the preceding financial year, whichever is applicable under the GDPR sanction regime.
© 2019 KPMG Bulgaria EOOD, a Bulgarian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.