BULGARIA
The Bulgarian Commission for Personal Data Protection Website:
http://www.ceecprivacy.org/main.php?s=2&k=bulgaria
Law on Personal Data Protection (No. 1/2002):
http://www.ceecprivacy.org/pdf/law_bulgaria.pdf
What needs to be done prior to collection?
NOTIFY THE COMMISSIONER
Article 14
- The Commission shall keep a register of personal data controllers and of the registers kept by such controllers
- In the register in paragraph 1 shall be recorded the personal data controllers, the type of personal data, the legal grounds, purposes and means of processing the data, the consent required from the natural person and the legal act which provides for the register keeping procedure
- The register referred to in paragraph 1 shall be open to the public. The fee paid to receive the information from the register shall be fixed by the Council of Ministers
- The Commission shall issue a certificate to the registered personal data controllers
Article 15
- Any person who wants to process personal data and to create a personal data register shall notify the Commission in advance by submitting an application and documents to a model, approved by the commission
- In the cases referred to in Article 3 Paragraph 3, the public body, designated to be a personal data controller, shall inform the Commission within 10 days of its constitution
- Personal data controllers shall notify the Commission before carrying out any wholly or partly automated processing operations of the personal data collected other than as stated and of the transfer of personal data to another controller or to a third party
- In the cases referred to in Paragraph 3 the Commission may decide on carrying out prior check of the controller or to issue mandatory instructions to protect the personal data that are processed or transferred
CONTACT THE DATA SUBJECT
Article 19
- The Controller shall process personal data relating to the natural person providing that he has given consent save the exceptions provided by Law
- Before starting the data processing the controller shall be obliged to inform the natural person concerned of:
  1) The purposes and the means of personal data processing;
  2) Whether the provision of data is obligatory or voluntary and the implications of a refusal to provide the data;
  3) The recipients or categories of recipient to whom the data may be disclosed and the sphere of the data use;
  4) The rights of access and rectifications of data collected, the name and address of the personal data controller and of the data processor if other than the controller
- The information referred to by paragraph 2 shall be submitted by the controller to the natural person concerned prior to data processing, where the personal data of the natural person concerned have been provided by a third party
- Paragraph 3 shall not apply in the case of explicit prohibition provided for by Law
Article 20
- The natural person’s consent referred to in Article 19, paragraph 1 shall be given freely and unambiguously. It may be given for the whole or part of the data processing and, where necessary, in writing
- The consent referred to in Article 19, paragraph 1 shall not be required where the data processing:
  1) Concerns personal data collected and processed in accordance with an obligation provided for by law;
  2) Is carried out solely for the purpose of scientific research or statistics and the data are anonymous;
  3) Is necessary to protect the life or health of the natural person concerned or of another person as well as where the person concerned is not capable of giving his consent for physical or legal reasons
Article 21
- The processing of personal data which reveal racial or ethnic origin, political, religious or philosophical beliefs, memberships in political parties, trade-unions, organisations and associations with religious, philosophical, political or labour aims and personal data concerning health and sexual life may be carried out only with the explicit consent in writing of the natural person concerned
- The explicit written consent concerning the data referred to in Paragraph 1, shall not be required where:
  1) The processing is the obligation of the controller as provided for by law;
  2) The processing is required to protect the life or health of the person concerned or of another person or the person concerned is not capable of giving his consent for physical or legal reasons;
  3) The processing concerns data that were made public by the natural person concerned or the processing is necessary for the establishment, exercise or defence of his legal rights;
  4) Processing is required for the purposes of carrying out medical aid or health services, or the data are processed by a person who is working in medical or health-care institution and is subject to the obligation of professional secrecy;
  5) Processing of data related to personal data on crimes, administrative violations or torts shall be carried out solely or under the control of a competent public authority;
  6) Processing is required for defence and national security
Article 22
1. The controller shall publish not later than 31 March each year, in the bulletin of the Commission for personal data protection, the following information on the registers established by him during the last year:
  1) The type of the processed personal data in accordance with the criteria for establishing the identity of natural persons;
  2) The group of persons whom the personal data processing concerns;
  3) Registered address, procedure and conditions of lodging an application for access to personal data;
  4) Description of the purposes for which the personal data are processed and the admissible ways of using them;
  5) Description of the criteria to which the data storage and destruction are subject
2. The controller shall be obliged to publish in the bulletin of the Commission for personal data protection any alteration in the facts referred to in paragraph 1 within 30 days from the alteration
- The controller shall be responsible for the authenticity of the data referred to in paragraphs 1 and 2 and shall be obliged to provide public access to them
What needs to be done prior to shipping?
Article 35
- The provision of personal data by the controller to third parties shall be allowed upon request submitted by them according to the procedure provided for in Chapter V of this Law, in case where:
  1) The natural person concerned has explicitly given his consent;
  2) The sources of data are public registers or documents containing public information to which access is provided according to a procedure provided for by law;
  3) The life and health of the natural person concerned need to be protected as well as where the person concerned is not capable of giving his consent for physical or legal reasons;
  4) It is required for the needs of the bodies of the judiciary or the executive power, for competition and consumer protection, and is provided by law;
  5) The data are needed for scientific research or statistics and are anonymous;
- Personal data shall be prohibited to be provided to third parties:
  1) In violation of the notification referred to in Article 19 Paragraph 2 items 1, 3 and ;
  2) With respect to which there is instruction for destruction or the time limit of processing and keeping has expired;
  3) If they concern a particular natural person or a group of persons and such dissemination disagrees with an important public interest
- Getting familiar with the personal data by a personal data operator or personal data processor in accordance with the instructions of the controller shall not be considered provision of personal data to third parties
Article 36
- Provision of access to personal data registers and transfer of personal data from one controller to another shall be carried out in accordance with the requirements laid down in this Law and following a permission by the Commission for personal data protection
- The Provision of personal data by the controller referred to in Article 3, paragraph 1 to foreign natural and legal persons or foreign public authorities shall be allowed by a permission of the Commission for personal data protection only where the legislation of the receiving country guarantees equivalent or higher level of protection of personal data than the protection provided for in this Law
- Where access to personal data is provided or such data are being transferred in the cases specified in paragraphs 1 and 2, the requirements of Article 35, paragraphs 1 and 2 shall be observed
Article 37
- Within 30 days from the submission of the request the controller shall decide whether to provide personal data to a third party or to another personal data collector or to refuse to provide the data on legal grounds
- Notification provided for in paragraph 1 shall be in the form of personal service or by mail and the recipient shall sign to acknowledge receipt
- Persons concerned may appeal against the refusal in accordance with the procedure provided for in this Law
What are the sanctions for non-compliance?
Article 42
(1) An official, who without any valid reason, has failed to deliver an opinion on an application for access to personal data within the term fixed shall be liable to a fine from BGN 50 to 200 unless liable to a more serious punishment.
(2) An official who has failed to implement the instructions of the Commission for Personal Data Protection or of the Court and has not provided access to personal data shall be liable to a fine from BGN 100 to 300 unless liable to a more serious punishment.
(3) For any other infringements of this Law offenders shall be fined with BGN 50 to 300 where they are natural persons and a property sanction of BGN 500 to 1000 shall be imposed where they are sole proprietors or legal persons. In case of a repeated infringement the fine or the property sanction respectively, shall be double.
(4) In the cases of infringements committed under paragraphs 1, 2 or 3 the personal data controllers who are natural persons shall be fined with BGN 500 to 2000 and a property sanction of BGN 1000 to 1500 shall be imposed on controllers who are sole proprietors or legal persons. In case of a repeated infringement the fine or the property sanction respectively, shall be double.
(5) A natural person who processes personal data without registration under this Law shall be fined with BGN 300 to 1000. In the cases where a sole proprietor or a legal person has committed the same infringement a property sanction of BGN 1000 to 3000 shall be imposed. In case of a repeated infringement the fine or the property sanction respectively, shall be double.
(6) Personal data controller who has committed the infringement under Article 22, paragraph 3 shall be fined with BGN 500 to 1000 where a natural person has committed the infringement. If the same infringement was committed by legal person or a sole proprietor a property sanction of BGN 1000 to 3000 shall be imposed. In case of a repeated infringement the fine or the property sanction respectively, shall be double.
(7) Personal data controller who has committed the infringement under Article 23, paragraphs 1 or 2 shall be fined with BGN 1000 to 1500 if a natural person commits the infringement. If the same infringement has been committed by a legal person or a sole proprietor a property sanction of BGN 1500 to 5000 shall be imposed. In case of a repeated infringement the fine or the property sanction respectively, shall be double.
Please refer to the Bulgarian Commission for Personal Data Protection Website for further details on the Statute.