Data protection is not only confidentiality, but also availability, completeness, accuracy of the data.

On May 25th, 2018 the General Data Protection Regulation (GDPR) entered in force for each of the EU Member States.

The period prior and after the date put many of the businesses in situations of defining how to continue their business and communication in compliant with Regulation way. It is hard and confusing since there are plenty of vaguenesses, lack of correspondence between GDPR and the national Data Protection Law of the Member States. AmCham Bulgaria addressed our member “Law and Internet Foundation” to gave their expert opinion on the subject. Attn. Dessislava Krasteva answers some of the key questions of the topic.



What does personal data mean? Are there any protection categories? What are our sensitive data?

Any information that permits identification of a person is personal data. The GDPR provisions will apply to all personal data. For the processing of some sensitive data, the Regulation provides stricter rules. These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or membership in trade unions, genetic data, biometric data, health status, sex life, or sexual orientation of a person. Their processing is only acceptable in a limited number of cases.

The most rigorous regime is related to the data on convictions and violations – they can be only processed under the control of an official body or when provided for by the current legislation.


Who benefits from the implementation of GDPR?

Regulation (EU) 2016/679 (GDPR) aims to ensure the protection of individuals in regard to the processing of their personal data. The main focus is on the protection of the fundamental rights and freedoms of individuals. GDPR increases the level of protection of personal data and gives a significantly strengthened set of rights to every citizen of the European Union. Each of us, as a citizen, will enjoy these rights.


Which business are challenged the most?

It is extremely important to emphasize that the Regulation does not prohibit the processing of personal data but only reinforces the requirements to be observed during such activities. The rules of the Regulation are common, and every business will have to follow them. Of course, for some businesses, GDPR poses more serious challenges. These are mainly businesses that have direct contact with a large number of individuals (popular online services, banks, telecom operators, other utilities, large-scale employers, etc.). Another area that requires increased attention is the work of dealing with a substantial set of specific (sensitive) categories of data (e.g. health, political beliefs, ethnicity, sexual life, etc.). All public authorities will also have to worry about the information they process.


Why our e-mail communication can be hindered by the new regulation? 

The regulation is not intended to make our communication difficult. In the public space misleading statements are being circulated that the Regulation prohibits the exchange of personal data via one or another communication channel. This is not the case at all. There is no prohibition on exchanging personal data via e-mail. Virtually every email contains some personal data – we do not have to communicate with each other in an anonymous way. The idea, however, is to use adequate data-sharing mechanisms for personal data exchange and to take data protection measures. For example, not to send large amount of personal data through an unsecured channel, access to sensitive personal information is controlled and done through a secret password, and so on.


How much will cost the new profession – Data Protection Officer – for the business?

Currently, business and public authorities have a much more significant cost problem. The labor market simply lacks a sufficient number of specialists with adequate experience and knowledge to meet the demand.


What do users benefit from the Regulation?

Enhanced guarantees to respect their rights and greater control over what happens to their personal data.


How can the administration implement the Regulation? Will their basic functions be hampered?

The administration is required to provide adequate protection of our personal data. This is crucial for the rights and freedoms of every citizen. When we talk about data protection, we should not only mean confidentiality, but also availability, completeness, accuracy of the data. Our rights as citizens depend on whether the administration handles correct information about us, whether it has all the information it needs, whether it guarantees its preservation and that it will be available if necessary. Imagining a situation where there is a loss of information about our taxes or key official registers and databases contains erroneous or outdated data. The administration must apply adequate measures to avoid such situations. It is not a difficulty, but a basic element of its purpose.



Our expert: Desislava Krusteva

Attn. Krusteva graduated from Sofia University, Faculty of Law (LL.M. 2003). Her practice now focuses on e-Commerce and Internet Law, Telecommunications Law, Personal Data Protection, Contract Law and Corporate and Commercial Law. She has been a regular speaker at conferences and trainings on the legal aspects of the electronic government, personal data protection, etc.

She is a member of the Sofia Bar Association and the International Association of Privacy Professionals (IAPP). She is Certified Information Privacy Professional Europe (CIPP/E) by the latter, as well as Certified Information Privacy Manager (CIPM).