As of 25.07.2018

25 July 2018

The Personal Data Protection Commission has issued an opinion on cases where no consent is needed for the collection and processing of personal data

The direct application of Regulation (EU) 2016/679 ("General Data Protection Regulation", "GDPR"), which has fundamentally amended the rules on personal data processing and protection, began on 25.05.2018.

A considerable part of the innovations in the regime are aimed at enhancing the importance of, and the requirements for, the legal bases for lawful personal data processing. The purpose is for these grounds to reflect the needs of the modern information society and of increasingly pervasive digitization. Primary among the grounds for processing personal data, at least in terms of media interest, is the freely given and informed consent of the individual, the personal data subject. In view of the novelty of the Regulation and the lack of long-standing practice on a number of issues concerning its application, both at European and national level, including on the grounds for processing, the Personal Data Protection Commission was inundated daily with questions from administrators about whether consent must be required from individuals for the processing of their personal data. In practice, consent turned from one possible ground into the main ground for processing personal data, probably because of the subjective feeling of security and guarantee. As a result, we witnessed a widespread gathering of consent declarations by different administrators in the provision of their services.

With a view to the reasonable application of the Regulation and to clarifying the ambiguities surrounding it, the Personal Data Protection Commission published on its website an opinion entitled "When it is not necessary to consent to the collection and processing of personal data". At the end of the opinion there is a sample non-exhaustive list of administrators who, in the exercise of their normal professional activity, should not require the consent of individuals to process their personal data.

Here are the hypotheses listed in the Commission's opinion:

  1. An administrator, public or private, gathers a certain amount of personal data in execution of an obligation imposed by law, such as the Health Act, the Accountancy Act, the Administrative Violations and Sanctions Act, the Labour Code, the Social Insurance Code, the Ministry of Interior Act, the Civil Registration Act, the Tourism Act, the Pre-school and School Education Act, etc.
  2. Personal data is gathered in connection with the provision of administrative services by national authorities or bodies of local self-government.
  3. Personal data is gathered and processed for the purposes of an employment relationship.
  4. Personal data is necessary for the conclusion and performance of a contract to which the data subject is a party.
  5. Personal data is necessary for the protection of the legitimate interests of the administrator or of third parties, where these interests take precedence over the interests and/or fundamental freedoms of the individual.
  6. The personal data is transferred from one administrator to another as a result of a transfer of receivables (cession).
  7. The personal data is transferred from the administrator to a personal data processor.
  8. Photography and filming of individuals in public.
  9. Where special categories of (sensitive) personal data are processed, such as data regarding ethnic origin, political views, religious beliefs, union membership, biometric data, health status data, sexual orientation and others, the grounds for lawfulness are indicated in Art. 9, para. 2 of the GDPR. The processing of health data is lawful if it is done for the purposes of preventive or occupational medicine, for assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care, treatment, for the management of healthcare and social care systems, in the field of public health, for protection against serious cross-border threats to health, and others.

In its opinion the Commission sets out a sample non-exhaustive list of cases in which administrators, in the exercise of their normal professional activity, should not require consent. Among these administrators are doctors, dentists, pharmacists, lawyers, employers, banks and other credit institutions, insurers, educational institutions, etc.

The full text of the opinion of the Personal Data Protection Commission can be found at the following link: https://www.cpdp.bg/index.php?p=element&aid=1158