New EU Data Protection Rules

By Martin Zahariev, attorney-at-law, Desislava Krusteva, partner, Dimitrov, Petrov & Co. Law Firm
The analysis is published in the Autumn issue of Business Conenct magazine

In today’s technological world personal data processing and exchange is an integral part of any business entity’s activity (from multinational corporate groups to small family businesses or sole practices). Therefore, the changes introduced by Regulation 2016/679 (GDPR/the Regulation), which shall apply from May 25, 2018, will inevitably affect every company and business.

Personal data

The Regulation supplements the definition of the term “personal data”, by including new indicative lists of data categories that may be considered personal data, such as location data and online identifiers. The term “special categories of data” is expanded, that is data which due to their sensitive nature are prohibited for processing except subject to a limited range of grounds. The genetic data (in Bulgaria these data are in a “special/sensitive” data regime since 2005) and biometric data (such as facial images or dactyloscopic data) used for the purposes of the unique identification of the natural person will now constitute a special category of data.

New rules for valid consent

Silent consent, pre-ticked boxes and inactivity shall not be considered a valid consent. If the consent is included in a declaration covering also other matters, the consent should be distinct from them, should be in an intelligible and easily accessible form, using clear and plain language. The consent will not be considered freely given and respectively valid if no possibility is provided for giving consent for some of the specified processing operations only or if the performance of a contract/provision of a service is made dependant on giving a consent although this is not necessary for the performance. The consent will be withdrawable at any time and this should be as easy as its giving.

Enhanced rights for data subjects

The GDPR creates a more detailed regulation of a number of rights already existing under the current legislation, such as the data subject’s right to request the deletion of the data from the data controller – the so-called right to erasure or right “to be forgotten”. As has been the case up to now, in certain occasions data subjects may request that their data be erased without undue delay from a data controller and the relevant grounds and procedure are described in far greater detail than before. The regulation and scope of some other of the already existing rights of data subjects, such as the right to information, have been expanded.

Some entirely new rights have been created for data subjects. Among them is the right to data portability. If the processing of data is based on consent or contract and is carried out by automated means, the data subject may receive his/her data which he/she has provided to the controller in a structured, commonly used, machine-readable format, and may have those data transmitted to another controller. Where technically feasible, the data subject may request direct transmission of his/her data from one controller to another.

New obligations for companies

The new “principle of accountability” is of fundamental significance for understanding the logic of the Regulation. Controllers shall be responsible for and shall be able to prove at any time that they comply with the principles for personal data processing set forth in the Regulation. According to the Recital 82 and Art. 30 of GDPR, the mandatory requirement for data controllers to register with the Commission for Personal Data Protection (CPDP) is expected to be cancelled and instead data controllers will have to maintain written registers of the processing activities.

The requirements for notification of data security breaches are of key importance and entirely new. The controller shall be obliged to communicate any data breach to the CPDP within 72 hours as the controller’s becoming aware thereof. In some cases, in addition thereto controllers shall also communicate to all subjects whose data are affected – a requirement that may exert significant influence on the respective controller’s reputation.

The figure of the data protection officer (DPO) is also introduced – an expert in the data protection legislation and practices who will be involved in all data protection matters in the company. Appointing DPO is mandatory if: the data controller/processor is a public authority, except for courts acting in their judicial capacity, or its core activities consist of:

  • processing operations which require regular and systematic large-scale monitoring on data subjects;
  • large-scale processing of special categories of data or data relating to criminal convictions and offences.