Personal Data Protection – What Should We Expect by Adoption of the New EU Regulation No. 679/2016

Each company, trader, lawyer, doctor, civil servant, etc., is required to collect and process personal data every day for the purpose of their activity (when hiring employees, entering into contracts, form completion, etc.). Companies have to get registered as personal data controllers and to ensure protection for the data that they will operate with in order to be able to process such data.

Personal data protection is a complicated and long process covering anything from the time of receiving the data, keeping them in a safe place (locked cabinets, safe boxes or encrypted software) through their processing and disposal. To ensure the best protection for these data, lawmakers have introduced numerous protection measures.

With a view of the advanced technology and the huge amount of personal data that are processed every day, the European Union (EU) has taken steps to unify the rules on personal data processing in all Member States and thus aiming at ensuring a better protection for personal data.

At the end of April 2016 EU adopted a new Regulation (a new law being obligatory for all Union Members) by means of which Member States set out as their purpose to establish a unified procedure and protection in personal data processing.

The new Regulation will enter into force on 25 May 2018 – as of this date it will be obligatory for all EU Member States, including the personal data processors themselves.

In the following lines I will summarize the major changes that are forthcoming and how they will affect the personal data processing in Bulgaria:

At the moment, everyone processing personal data must get entered into the personal data controller register maintained by the Commission for Personal Data Protection. This procedure is slow and long, which sometimes results in unexpected problems. The new Regulation entry into force will remove this registry procedure and there will not be such an obligation for entering into that registry.

This change and cancellation of the registration procedure will cause changes in terms of the responsibility and obligations of the entities who process and who will process our personal data:

  1. Each company must employ an officer in charge of personal data protection;
  2. Each controller – company, freelance medical professional, lawyer, state administration, etc., should make an obligatory impact assessment of the personal data protection level;
  3. Obligatory reporting to the Commission for Personal Data Protection will be introduced for some company controllers (depending on the company size);
  4. When receiving personal data, each controller should provide a larger amount of preliminary information – who and for what purpose will process the data;
  5. A new duty will also be the maintenance of registers – only for certain companies (having more than 250 employees) and depending on the data processed by them;
  6. Everyone who processes personal data must set out mandatory rules on data protection;
  7. If a problem occurs with specific personal data (information leakage), the company must immediately notify the regulator – the Commission for Personal Data Protection;
  8. The Regulation also has envisaged higher criteria for providing an efficient protection for personal data according to the given level of impact (introduction of stronger protection measures).

Except the duties above for personal data processors, data subjects will also have new rights:

  1. Right to erasure (“right to be forgotten”) – everyone providing some personal data may request that the personal data controller should stop processing their data;
  2. Right to data portability (data subject has the right to transfer their data from one controller to another without any trouble);
  3. Right to request restricted processing (for a given time, for certain data or for certain purposes);
  4. Requirement for explicit consent in “profiling” (in the cases where data are processed for the purpose to make a profile).

The new Regulation is the first to set out rules for data protection of individuals who are minor or underage establishing numerous of responsibilities and obligations for those who will process such data.

By entering into force, this Regulation makes a revolutionary change in personal data portability within the European Union by means of which information transfer will only be checked and supervised by one authority for personal data protection (in Bulgaria this authority is the Commission for Personal Data Protection). This is how companies will have the opportunity to transfer personal data within the European Union without the need for obtaining a preliminary permission from a body of each Member State.

Last but not least is also the significant increase in penalties in case of personal data abuse and/or breach of the law in the field of personal data. The fine is the higher amount of the two, i.e.: up to EUR 10 million or up to 2% of the total annual turnover from the previous fiscal year.

If you would like to learn more about the forthcoming changes, we will be happy to contact us.

Dimitar Yanev, Attorney-at-law