On 26.02.2019 the Law on amendment and supplement of the Bulgarian Personal Data Protection Act

The Bulgarian National Assembly overruled the President’s veto over the amendments in the Personal Data Protection Act, which are aimed at meeting the requirements of the General Data Protection Regulation, whereas the amendments where published in the State Gazette on 26.02.2019. The amendments regulate the obligations for data controllers to register before the Bulgarian Commission for personal data protection (CPDP) the assigned data protection officers, when such should be appointed in accordance with the regulation. It is explicitly forbidden to take copies from identity documents, when this is not allowed by the law. The PDPA requires data controllers that perform large-scale personal data processing or systematically process on large scale data from monitoring of publicly accessible areas, to adopt rules to regulate the goals and grounds of the processing, the rights of the data subjects (the montiored persons), how are they notified for the data processing and how is limited the access of third parties to the data.

There is a ban in place for free access to registries that contain unique identificators of natural persons (such as unified civil numbers and personal numbers of foreigners), unless such access if provided for by the law. There are special rules for processing of data for purposes of journalism – whereas there is no requirement for grounds for processing, but instead there are requirements for proportionality of the processing, which raise questions whether the freedom of speech shall be preserved.

For employers an obligation is introduced to adopt rules for the scope, related obligations and practical application of systems for violation reporting, limitations of use of company resources, control over access, work shifts and labour discipline. With regard to the procedure for job applications there is an obligation to delete the data and return the original documents of the applicant within 6 months, if the latter is not approved for the job.

The PDPA provides special rules for complaints, whereas such are reviewed insofar they are filed within 6 months from establishing the violation, but no later than 2 years from the date it was perpetrated. Regardless, the actions of the administrator can be appealed before the administrative court in accordance with the rules of the Administrative procedural codex, whereas a compensation for damages can be claimed. The proceedings before the administrative court cannot go through until the CPDP is reviewing a signal for a violation of the personal data protection rules.