Bulgaria has introduced a set of specific requirements relating to the processing of personal data in addition to the requirements under the EU General Data Protection Regulation (the “GDPR”). Such specific requirements (commonly known as “derogations”) are allowed by the GDPR in certain areas, such as employment, the role of data protection officers, and data protection impact assessments, as long as they introduce more detailed or tailored rules on data processing without deviating from the letter or spirit of the GDPR.
Bulgaria has taken advantage of this possibility under the GDPR to introduce, among others, specific requirements with respect to:
- Bulgaria-based businesses may appoint as data protection officers (“DPOs”) also individuals who are based abroad. However, those individuals need to be registered with the Bulgarian data protection authority in the same way as Bulgaria-based DPOs are, based on standard registration form. The new rules set no further specific requirements regarding the appointment of DPOs. Some of you may recall that the initial draft of the rules envisaged that Bulgaria-based businesses would also be required to designate a DPO if they process the personal data of more than 10,000 individuals. This requirement has been now set aside and not introduced. DPOs would need to be appointed only in the hypotheses envisaged under the GDPR, i.e. in cases of regular and systemic monitoring or large-scale data processing.
- Need of bespoke policies in case of large-scale data processing or large-scale systemic monitoring of publically accessible areas: Bulgaria-based companies would need to introduce bespoke rules and procedures for data processing in cases of: (i) large-scale data processing; or (ii) systemic large-scale surveillance of public areas (such as video surveillance). Such rules would need to clearly set out, among others, the grounds, scope and mechanics, purposes and duration of the surveillance, as well as means for the protection of the rights of individuals and information security measures. In cases of video surveillance, such rules must also elaborate on territorial scope and means of video surveillance, duration of storage of the video footage, and ensure appropriate means/media for informing data subjects of video surveillance. To devise adequate rules in this respect, companies would first need to complete a data processing impact assessment (“DPIA”) as required under the GDPR, and then reflect the DPIA’s conclusions and recommendations in their bespoke policies on surveillance.
- Individuals’ personal identification numbers may not be made public unless required by law. Personal identification numbers may not be used as the sole identification to grant access to IT systems or for the provision of services.
- Collecting and storing copies of personal identification documents (e.g. ID cards and driving licenses) is in principle prohibited: Copies of such documents may be made and stored only when required by law. i.e. consent or legitimate interest would not serve as a reliable grounds of such processing.
- Data processing for employment purposes:
- Employers may not make and keep on file copies of employees’ personal identification documents unless explicitly required by law (as per above);
- Employers must adopt a set of internal policies regulating whistleblowing systems, acceptable/restricted use of internal resources (e.g. IT systems, devices and equipment, etc.), and systems for monitoring access to work premises, working hours and work order. These policies must be tailored to the essence and specificities of the employer’s activities and not merely boilerplate documents;
- If employers collect and process data that is not directly related to and necessary for the employment relationship, they must be able to justify their legitimate interest or seek the employee’s consent for this additional data processing. Businesses should take care not to over-rely on such consent, as under the GDPR it would be considered invalid if not freely given, which is often the case in an employer-employee relationship.
- Data processing in the context of recruitment: Employers must have in place clear rules regarding the period of time that they retain and store the personal data of job applicants. Employers may store personal data of candidates that have been collected in the course of a recruitment procedure for as long as strictly necessary but, in any event, for no longer than six months, unless the candidate has explicitly consented to storage/processing for a longer period. Copies of documents that evidence unsuccessful candidate’s physical or mental fitness for the job, his/her qualification or time served on previous positions, may not be stored for a period longer than six months following completion of the recruitment procedure, irrespective of possible consent granted, unless specifically requested by law.
- Minors’ consent to data processing: Bulgaria-based information services providers may collect and rely on consent directly from minor (underage) users only if they are of the age of 14 or older. Otherwise, consent must be sought from the minor’s parents or guardians.
- Data processing by media: Media outlets need to strike a balance between data protection and freedom of expression and information. While data protection does not by default override freedom of expression/information, media outlets may process personal data for journalistic purposes only if – based on a set of assessment criteria – the media coverage in essence would not affect the inviolability of the individual’s personal life.