In the light of the upcoming EU General Data Protection Regulation (the “GDPR”) implementation in May 2018, the Bulgarian Personal Data Protection Commission (the “Commission”) introduced an action plan during the 15 November 2017 regular session of the Commission.  

The Commission’s action plan consists of 10 successive steps for Bulgarian personal data controllers:

  1. Ensure individuals are aware of the new rules regarding personal data protection – appoint a compliance officer/team to be responsible for the implementation of the changes;
  2. Conduct an internal analysis of personal data processing related activities – assess the types and categories of personal data processed, purposes of data processing, access to personal data, data transfers, data storage and existing technical and organisational measures;
  3. Assess whether the personal data administrator is required to appoint a data protection official (“DPO”) – in addition to the provided GDPR scenarios, the Commission has established a mandatory obligation for Bulgarian data controllers, who process the personal data of more than 10,000 individuals, to have a DPO;
  4. Risk management of personal data security - perform a data protection impact assessment and prior consultation with the Commission, if necessary. Also, select proper technical and organisational measures to be taken by the personal data controller and possible commitment to code of conducts;
  5. Adopt a concrete action plan – approve the necessary technical and organisational measures, appoint responsible employees and terms for implementation; and provide the required financial, technical and human resources;
  6. Governance and accountability – establish and regularly update the internal records related to data processing activities; and update data processing agreements, declarations and consent (if necessary);
  7. Review the existing legal grounds for personal data processing, including consent of the individuals – review the existing legal grounds for data processing and assess whether they comply with new GDPR provisions. Evidence consent of individuals in written documents;
  8. Provide information on and be transparent about processed personal data – provide some brief information about the data controller, the categories of data processed, storage terms, and any data transfers, through the webpage of the company, or in any other possible way;
  9. In practice, uphold data subjects’ rights – implement internal procedures which correspond to the rights of data subjects under the GDPR, including right of access, rectification, erasure, restriction of processing, etc.;
  10. Notify the Commission of any personal data breaches – implement internal procedures and appoint responsible employee(s) to notify the Commission within 72 hours of a personal data breach.

The action plan is available on the Commission’s public website as of 21 November 2017.