The right to privacy was established as early as 1950 as part of the European Convention on Human Rights. Later, with the invention of the Internet, the need for new legislation protecting personal data increased.
In 1995 the European Union adopted the Data Protection Directive with the goal to establish minimum standards for data protection and security. The new directive was to serve as the basis for new laws that each Member State had to adopt. However, this did not lead to harmonized rules all over the EU.
Thus, in 2016 the European Union passed the General Data Protection Regulation (GDPR).
It is important to note that the European GDPR applies to all companies that:
- offer goods and services to EU citizens;
- monitor the behavior of people in the EU, the so-called profiling.
This is the case even if the businesses in question are not based or located in the EU. Therefore, even a US-based website needs to comply with GDPR if it sells to EU customers and collects their data.
For a thorough audit of the internal compliance of your business to GDPR and national legislation, contact our legal experts.
- What personal data is collected
- Why this information is collected
- How it will be used
- How the data is protected
- Whether the company transfers or shares data with other parties
- How users can control this
- Privacy laws, such as GDPR, PIPEDA in Canada, COPPA in the USA or DPA in the UK;
- The requirements of third party service providers, such as Google Analytics or app stores.
Note that although GDPR is a European law, it extends to companies outside the EU. The law poses requirements to businesses that offer goods and services to or profile EU citizens.
An important US law is the Children’s Online Privacy Protection Act. COPPA sets rules for websites/online services for children under the age of 13.
California State has its own Privacy Protection Law. It applies to commercial websites that collect information about California residents.
Privacy/data protection laws have been adopted all over the world, such as:
- Privacy Act in Australia (1988)
- Data Protection Act in the UK (1988)
- Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada (2000)
- GDPR in EU (2018)
GDPR applies to businesses both within and outside of Europe that collect and process personal data of EU citizens, so it practically applies anywhere.
The text of the GDPR itself consists of numerous legal requirements with very few specifics. Small and medium-sized companies may find it hard to comply with it, and fines are harsh and costly (some reach up to tens of millions of euros).
Let’s dive into the basic principles of GDPR, specific requirements and compliance issues.
Do you need legal advice and assistance? Contact our experienced lawyers.
Firstly, here are GDPR’s fundamental principles.
7 principles of GDPR
- Lawfulness, transparency of processing and fairness
Users must be informed about personal data used and data processing must comply with the legal requirements.
- Data minimization
Businesses must collect and process only as much data as absolutely necessary for the legally allowed and disclosed purposes.
- Purpose limitation
Personal data must be used only for legitimate purposes and these must be explicitly specified.
- Storage limitation
Personal information must be stored only for as long as it is strictly necessary for the specified purpose.
- Integrity and security
The processing of the personal information must guarantee confidentiality (e.g. through the use of encryption).
- Accuracy
The information must be accurate and up to date.
- Accountability
The business collecting and processing personal data must prove GDPR compliance.
How to demonstrate you are GDPR compliant
The accountability principle of GDPR imposes the following requirements:
- Maintain detailed documentation on:
  - personal data that is collected
  - how it is used or processed
  - where it is stored
  - who is responsible for data in the company
- Designate staff that will be responsible for data protection
- Train your staff
- Make data protection agreements with 3rd parties that process the data for your business
Certain institutions need to appoint a Data Protection Officer. This is the case for:
- Public Authorities
- Large-scale enterprises collecting personal data, if regular monitoring is involved
- Large-scale enterprises if data collection and processing is their core activity.
For advice and assistance in establishing the legally required data protection procedures, contact our lawyers.
What is considered personal data?
GDPR considers personal data any information that can help to identify an individual, directly or indirectly, such as:
- contact information including email address, mailing address, phone number, etc.
- location information
- religious beliefs
- political opinions
- biometric data
- web cookies.
Note that an IP address is not personal information in itself. However, it can become personal data when combined with other information to build a profile for a given user.
The person whose data is processed, e.g. site visitor or customer, is called a Data subject.
What is considered data processing?
Any action performed on data is considered data processing, whether this is done automatically or manually. This includes data collecting, recording, organizing, storing, using, sharing, erasing, etc.
Who is the person responsible for data?
The Data controller is the person who decides why and how personal information is processed. This may be the business owner or an employee in the organization who handles the data.
The Data processor is the 3rd party that processes the data on behalf of the data controller. Special GDPR rules apply to data processors like cloud servers or email service providers.
Large-scale organizations need to appoint a Data Protection Officer.
Businesses have to comply with both the GDPR and Bulgarian legislation if:
- they are selling goods or services to Bulgarian citizens;
- they are processing the personal data of Bulgarian citizens.
Large-scale enterprises need a local representative with good knowledge of both national and EU laws. For further information and assistance, do not hesitate to contact us.
Who is allowed to process data?
To protect personal data, GDPR imposes strict requirements on data processors. They are legally allowed to process data only if:
- The personal data is necessary to enter into a contract (e.g. for a background check when a property deal is being made)
- The personal data is needed to comply with legal obligations (e.g. due to a court order)
- The personal data is necessary for a task in public interest
- The personal data is necessary to save somebody’s life
- The data subject has given their explicit and unambiguous consent
- There is a legitimate interest to process data
Establishing the legitimate basis for processing data is the first step for businesses. The next important stage is getting the consent of the user or consumer. The law sets the following requirements in regards to consent:
- It must be given freely, in an informed and explicit manner
- The request for consent must be clearly presented to the user; it must use plain language
- The data subject must be able to withdraw their consent at any given time
- Children under 13 need their parents’ permission to give consent
- All relevant documentation must be kept to prove consent has been given.
- What personal data is collected by the data collector
- The purpose of the data collection (for example improvement of the offered product or service)
- The way data is processed
- The way personal information is protected
- What rights data subjects have
Do you need legal advice and assistance? Contact our experienced lawyers.
- footer: this section is visible on all web pages which guarantees easy access;
- sign-up or registration form: these collect account information like email addresses, usernames, etc.;
- checkout or payment submission section: this collects important data such as names, contact details, mailing address, payment information;
- email collection form: if visitors are prompted to sign-up for a newsletter and emails are collected.
- app menu: within the section About/Settings, etc.;
- app listing in the App store: most app stores require this to make sure they are compliant;
- sign-up or log-in screen: as this collects personal data;
- checkout or payment screen: as this collects sensitive payment information, mailing address, etc.
Although there are templates online, these must be used with caution and always checked by a legal expert.
To comply with GDPR, most Privacy Policies include the following sections:
- What data is collected
- How this data is collected and used
- Data storage
- Data security
- Third-party services (including marketing)
- Tracking and cookies
- Modifying or deleting personal data
- How to contact us
- How to contact the relevant authorities
Keep in mind that companies often face technical issues when implementing their privacy policies. Therefore it is essential to invest in the necessary technical measures to protect customers' data.
Google and Facebook, among others, know that non-compliance with GDPR is a costly mistake. Google was fined €50 million in France, about 6 million in Sweden and €600,000 in Belgium. In 2019 German authorities fined Facebook €2 million for failing to comply with the transparency rule under GDPR.
As the GDPR covers all types of businesses, the applicable fines are flexible and scale with the company.
GDPR sets 2 tiers of fines:
- Up to €10 million or 2% of the company’s annual revenue (worldwide), whichever is higher
- Up to €20 million or 4% of the company’s annual revenue (worldwide), whichever is higher
The higher fines are levied in cases of:
- Infringement of the basic principles of GDPR (fairness, transparency, etc.);
- Failure to comply with the rules regarding the right to be forgotten;
- Failure to comply with the rules regarding transferring data to 3rd parties.
The fine amount depends also on various aspects, such as:
- The gravity and nature of the infringement
- Intent - whether the infringement was intentional or caused by negligence
- Mitigation - whether the company tried to mitigate the damages suffered by the person whose personal data was affected by the infringement
- Precautions taken by the company to comply with GDPR
Responsibility for 3rd party infringements
Under GDPR, the data controller (business owner) must make sure that its partners or subcontractors comply with data protection laws. Thus, the transfer of personally identifiable information to 3rd parties makes both the data controller and the data processor liable.
This means that if the external organization is not in compliance, your organization is not in compliance.
The law also imposes strict requirements for reporting breaches and personal data theft. All staff members in the chain are required to comply with these rules.
GDPR also requires organizations to inform their customers and users of their rights. In addition, they have to provide contact details of the appropriate authorities in case an issue needs to be reported.
Businesses that need assistance in establishing the necessary procedures, training and drafting all relevant documentation, may contact our legal experts.
Data Protection Authorities
The EU has appointed an independent body to ensure data protection rules are applied consistently in all Member States. This is the European Data Protection Board (EDPB).
The EDPB is responsible for:
- Issuing guidelines on interpreting the basic concepts of GDPR
- Making binding decisions on cross-border processing disputes
In addition, all EU countries have created national bodies in charge of protecting personal data. Contact details for these authorities are publicly available.
All Member States have national authorities enforcing the GDPR. Individuals may contact them also for issues related to the Data Protection Law Enforcement Directive (regulating criminal offenses).
The European Data Protection Supervisor, Mr Wojciech Wiewiórowski, is based in Brussels.
The Irish Data Protection Commission is based in Dublin and headed by Ms Helen Dixon.
The relevant authority in Bulgaria is the Commission for Personal Data Protection, based in Sofia.
Contact information for EU national authorities is available at the EDPB Member States page of the official EU website.
The UK is still obliged to comply with the GDPR even after Brexit. For more information, see the Information Commissioner's Office website.
GDPR in Bulgaria
The Bulgarian Commission for Personal Data Protection is the authority responsible for GDPR application.
Data protection in Bulgaria is regulated by both EU and Bulgarian legislation.
EU data protection legal framework:
- Directive on Data Protection in Police and Criminal Justice Activities (Directive (EU) 2016/680)
The applicable national legal framework includes:
- Constitution of the Republic of Bulgaria
- Personal Data Protection Act
- Electronic Communications Act
- Other Rules and Ordinances
International laws also apply, such as:
- The Universal Declaration of Human Rights
- Charter of Fundamental Rights of the European Union
Legal counselling for GDPR compliance in Bulgaria
No registration for data controllers
Businesses should know that GDPR requires no registration. The moment they start processing personal data, they are considered a data controller. They are then subject to regulation and sanctions according to the Bulgarian and EU laws, regulations and legal processes.
As of July 2020, US companies that operate in the EU are no longer allowed to transfer data to the US freely. Until then, data transfers took place under the Privacy Shield Framework, which is now considered too weak. Therefore, US companies need to:
- adopt data protection rules that comply with GDPR,
- draft all necessary documentation, and
- appoint a Data Protection Officer (DPO).
Large-scale data controllers and processors are required to have their representatives in Bulgaria or the EU.
A Bulgarian lawyer can be appointed DPO in this case. They can serve as a contact point and representative for the company if any data protection issues arise.
This designation as DPO must be done explicitly and in writing by the data controller. The most suitable form is a service agreement. It should be made with a qualified legal expert with comprehensive knowledge of both GDPR and Bulgarian data protection legislation.
EU authorities will be able to contact this person directly regarding all data protection issues. Therefore, the contact details of the DPO must be publicly announced and provided to the relevant regulatory bodies.
The legal experts at Danailova, Todorov and partners can assist with:
- Legal counseling for compliance, according to the needs of the specific company and the type of data collected
- Legal advice on the processing and storing of personal information
- Assigning employees in charge of data protection under GDPR
- A thorough audit of internal compliance
- Drafting internal rules, policies and instructions for data protection
- Drafting a Declaration of Consent compliant with GDPR
- Representation with data protection authorities in Bulgaria
- Representation in court for appeals against a decision made by relevant authorities
If you need to consult a good lawyer, contact us. We will be happy to assist you on these and all other legal matters.
“Danailova, Todorov and Partners” Law Firm provides top-quality legal services on all aspects of contractual law and trade law. Our experts also specialize in employment law, tax law and administrative law.