The majority of the specific additional requirements concern compliance with core GDPR requirements and data processing for employment purposes

May 2018 – The Bulgarian government has announced a set of specific requirements relating to the processing of personal data that it plans to introduce to national legislation in addition to the requirements under the EU General Data Protection Regulation (the "GDPR"). Such specific requirements (commonly known as "derogations") are allowed by the GDPR in certain areas, such as employment, the role of data protection officers, and data protection impact assessments, as long as they introduce more detailed or tailored rules on data processing without deviating from the letter or spirit of the GDPR.

Bulgaria apparently plans to take advantage of this possibility under the GDPR to introduce, among others, specific requirements with respect to:

  • The appointment of data protection officers ("DPOs"): In addition to those cases when a company would be required to appoint a DPO under the GDPR (regular and systemic monitoring, large-scale data processing), Bulgaria-based businesses would also be required to designate a DPO if they process the personal data of more than 10,000 individuals.
  • Need for bespoke policies in cases of large-scale systemic monitoring of publicly accessible areas: Bulgaria-based companies would need to introduce bespoke rules and procedures for systemic large-scale surveillance of public areas (such as video surveillance). Such rules would need to clearly set out, among others, the grounds, scope and mechanics, purposes and duration of the surveillance, as well as means for the protection of the rights of individuals. To devise adequate rules in this respect, companies would first need to complete a data protection impact assessment ("DPIA") as required under the GDPR, and then reflect the DPIA's conclusions and recommendations in their bespoke policies on surveillance.
  • Individuals' personal identification numbers may not be made public unless required by law. Personal identification numbers may not be used as the sole identification to grant access to IT systems or for the provision of services.
  • Data processing for employment purposes:

    • Employers may not make and keep on file copies of employees' personal identification documents unless explicitly required by law.
    • Employers must adopt a set of internal policies regulating whistleblowing systems, acceptable/restricted use of internal resources (e.g. IT systems, devices and equipment, etc.), and systems for monitoring access to work premises, working hours and work order. These policies must be tailored to the essence and specificities of the employer's activities and not merely boilerplate documents.
    • If employers collect and process data that is not directly related to and necessary for the employment relationship, they must seek the employee's consent for this additional data processing. Businesses should take care not to over-rely on such consent, as under the GDPR it would be considered invalid if not freely given, which is often the case in an employer-employee relationship.
  • Data processing in the context of recruitment: Employers must have in place clear rules regarding the period of time that they retain and store the personal data of job applicants. The time period for retention/storage of an applicant's data must be adequate and proportionate and can in no event exceed three years.
  • Minors' consent to data processing: Bulgaria-based information services providers may collect and rely on consent directly from minor (underage) users only if they are of the age of 14 or older. Otherwise, consent must be sought from the minor's parents or guardians.
  • Data processing by media: Media outlets need to strike a balance between data protection and freedom of expression and information. While data protection does not by default override freedom of expression/information, media outlets may process personal data for journalistic purposes only if – based on a set of assessment criteria – the media coverage in essence would not affect the inviolability of the individual's personal life.

The proposed additional requirements are currently subject to public consultations. Interested third parties may submit their views on the feasibility of the above additional requirements by 30 May 2018 via the portal for public consultations of the Council of Ministers of the Republic of Bulgaria. Kinstellar would be pleased to assist you/your company further, should you consider taking part in the public consultations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.