News from Bulgaria
The Personal Data Protection Commission has issued an opinion on cases where no consent is needed for the collection and processing of personal data
The direct application of Regulation (EU) 2016/679 ("General Data Protection Regulation", "GDPR"), which has fundamentally amended the regulation on the personal data processing and protection, has began as of 25.05.2018.
Not a small part of the innovations in the regime are also aimed at enhancing the importance and requirements of the legal bases for the lawful personal data processing. The purpose lies therein, where these grounds reflect the needs of the modern information society and the and increasingly entrant digitization. Primary among the grounds for processing personal data, at least in terms of media interest, is the consent given freely and informed by any individual - subject of personal data. In view of the novelty of the Regulation and the lack of a long-standing practice on a number of issues concerning its application, both at European and national level, including on the grounds for processing, the Personal Data Protection Commission was daily bundled with questions from the administrators concerning the need for requirement of consent by individuals with regard to the processing of their personal data. Practically from a possibility, the consent turned into a main ground for processing of personal data, probably because of the subjective feeling of security and guarantee. As a result, we witnessed an all over gathering of declarations-consents from different administrators in the provision of their services.
With regard to the reasonable application of the Regulation and for the purpose of clarification of the ambiguities surrounding the latter, the Personal Data Protection Commission published on its web page an opinion on its website entitled "When it is not necessary to consent to the collection and processing of personal data". At the end of the opinion a Sample inexhaustive list of the administrators, who in the exercise of their normal professional activity, should not require the consent of individuals to process their personal data is specified.
Here are the hypothesis, listed in the commission’s opinion:
- Administrator – public or private, gathering a certain amount of personal data in execution of their obligation by law, by virtue of the law such as the Health Act, the Accountancy Act, the Administrative Violations and Sanctions Act, the Labour Code, the Social Insurance Code, the Ministry of Interior Act, the Civil Registration Act, the Tourism Act, the Pre-school and School Education Act etc.
- Personal data is gathered in connection with offering different administrative services by national authorities, or bodies of local self-government.
- Personal data is gathered and processed for the sake of an employment relation.
- Personal data is necessary for contract conclusion and execution, to which the subject of the data is a party.
- Personal data is necessary for the protection of the legitimate interests of the administrator or of third parties, in case that these interests have advantage over the interests and/or fundamental freedoms of the individual.
- The personal data is transferred from one administrator to another as a result of a transfer of receivables (cession).
- The personal data is transferred from the administrator to a personal data processor.
- Photography and filming of individuals in public.
- In cases when there is processing of special categories (sensitive) personal data, such as data regarding ethnic origin, political views, religious beliefs, union membership biometric data, health status data, sexual orientation and others., the grounds for legality are indicated in Art. 9, para. 2 of the GDPR – the processing of data for health state is lawful if it is done for the purposes of preventive or occupational medicine, for assessment of the working capacity of the employee, medicine diagnose, the provision of health and social care, treatment, for management of healthcare and social care systems, in the field of public health, for the protection against serious cross-border treats for the health and others.
In its opinion the Commission points out an example inexhaustive list of cases in which administrators, in the exercise of their normal professional activity, should not require consent. Among these administrators are doctors, dentists, pharmacists, lawyers, employers, banks and other credit institutions, insurers, educational institutions, etc.
The full content of the opinion of the Personal Data Protection Commission can be found on the following link: https://www.cpdp.bg/index.php?p=element&aid=1158
The National Assembly has adopted the long-awaited Measures Against Money Laundering Act
The National Assembly of the Republic of Bulgaria adopted at a second reading the new Measures Against Money Laundering Act (MAMLA) which implements the requirements of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing in the Bulgarian legislation (the 4th Anti-Money Laundering Directive).
The range of the persons obliged under the new MAMLA is similar to the one provided for in the previously applicable law. Besides the main subjects for which the act imposes obligations – the companies operating in the financial sector (credit, financial and payment institutions, electronic money companies, etc.), a wide range of persons, including non-profit legal entities (associations and foundations), wholesalers, registered auditors, persons who provide professionally accounting services or certain types of legal advice, notaries, private enforcement agents, etc. are also obliged.
A significant innovation is the creation of a register of the beneficial owners of the legal entities established within the territory of the Republic of Bulgaria who are obliged to provide and dispose with appropriate, accurate and up-to-date information about the natural persons who are their beneficial owners. It is envisaged that this information (names, citizenship, PIN etc. of the beneficial owner) shall be filled in the Commercial Register, respectively in the BULSTAT register, and shall lead to a disburden of the persons obliged upon performance of their obligation to identify the beneficial owner of their customers.
A fundamental principle enshrined in the new act (as well as in the 4th Anti-Money Laundering Directive) is related to the so-called risk-based approach which should be applied by the persons obliged. On this basis, the persons supervised are obliged to apply the measures for customer due diligence at such an intensity that corresponds to the risk typical for the particular business relationship or occasional operation or transaction. Thus, in theory, the persons obliged could apply simplified measures for customer due diligence in situations characterized with lower risk and on the contrary shall be obliged to apply measures for expanded verification in situations with a higher risk.
Along with the above mentioned, the new act introduces other changes compared to the previously existing legal framework in the sector – the creation of a National Risk Assessment is envisaged, on the basis of which the persons obliged will have to prepare their own internal risk assessments, the range of the persons falling under the notion of politically exposed persons has been expanded, a more detailed legal framework has been developed regarding the criteria and procedures for performance of expanded and simplified customer due diligence, etc.
The adoption of the new legal framework requires a wide range of persons to update their internal rules against money laundering and terrorist financing, to prepare and / or update their internal risk assessments defining risk factors, transactions, clients, etc. which are characteristic for the activity of the particular persons, as well as to comply with the new procedures provided for in the law.
Once the Commission for Protection of Competition authorized the business concentration, a final agreement for the transfer of 100% of the capital of "Bulfeld" Ltd. - the company which owns the Paradise Center, was signed on the 1st of December 2017.
Thus, the biggest real estate transaction of the year was successfully completed. "Penkov, Markov & Partners", Attorneys-at-Law, represented the interests of the seller "Bulfeld" Ltd in the process of the transaction.
Are the rules of antitrust violations in Bulgaria uniform as these in Europe?
In a special article for Capital daily from 27.11.2017 our colleague Emil Lukaev has discussed the transposition in the national legislation of the European rules governing the actions for damages for infringements of the competition law.
The analysis consists of some of the highly recommended practices in the European countries, regarding the antitrust violations, established in Directive 2014/104/EU of the European parliament and of the Council of 26.11. 2014 on certain rules governing actions for damages under national law for infringements of the competition law, which is to be transposed in the Bulgarian national legal framework. The article aims to focus on the possibilities for more effective protection of the business and the consumers and, hence, to the overall strengthening of the internal market.
The practices for providing evidences for such claims, the passing-on of overcharges and the limit of liability of the offenders are also a scrutinized topic.
An exhaustive commentary on this topic could be found at: