Bulgaria: Data Protection in the Financial Sector
1. Governing Texts
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is directly applicable in all Member States of the EU. However, the GDPR permits (and in some cases requires) each individual Member State to introduce some exceptions to the general regulation in certain circumstances. Among the largest sectors in which the processing of personal data is fundamental to business needs is the financial sector: banks and insurers, utility companies, non-banking financial companies, etc. Those companies must comply with a number of data protection requirements while conducting their business.
Even during the initial discussions on the GDPR project, it was clear that the financial sector would be among the parties most affected by the potential changes. Several factors specific to financial services stand out as particularly important in terms of risk. Financial organisations maintain huge amounts of personal data of account holders. They also consume and generate vast amounts of personal data for marketing purposes, to stimulate the sale of financial services and to evaluate the creditworthiness of commercial and individual clients. It is difficult to imagine a bank, an investment firm, an insurance company, a payment service provider, etc. that does not process sensitive personal data of individuals in the EU. In addition, massive data breaches are common in the financial industry.
The following EU legislation, among others, is applicable:
- the GDPR is applicable to financial services with regard to their personal data processing activities;
- the Payment Services Directive (Directive (EU) 2015/2366) ('PSD2'); and
- the Directive (EU) 2018/843 of 30 May 2018 Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, and Amending Directives 2009/138/EC and 2013/36/EU ('the Fifth Anti-Money Laundering Directive').
The European Data Protection Board ('EDPB') has issued the following relevant documents:
- Opinion 4/2019 on the draft Administrative Arrangement for the Transfer of Personal Data between the European Economic Area ('EEA') Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities; and
- Letter regarding the PSD2 Directive.
The Article 29 Working Party ('WP29') has issued the following relevant guidance:
- Opinion 14/2011 on Data Protection Issues related to the Prevention of Money Laundering and Terrorist Financing;
- Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight against Bribery, Banking and Financial Crime ('WP29 Opinion on Whistleblowing');
- Letter of the Chair of the Article 29 Working Party to FATCA;
- Letter regarding the PSD2 Directive; and
- Guidelines on Transparency under Regulation 2016/679 ('the Guidelines On Transparency').
The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:
- Recommendations on Outsourcing to Cloud Service Providers (20 December 2017) ('the EBA Outsourcing Recommendations');
- Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) (27 July 2017);
- Guidelines on Reporting Requirements for Fraud Data under Article 96(6) PSD2;
- Final Report on EBA Guidelines on Outsourcing Arrangements ('the EBA Outsourcing Guidelines');
- Guidelines on the Security Measures for Operational and Security Risks of Payment Services ('the Guidelines for Payment Service Providers'), which remain effective until 30 June 2020; and
- Guidelines on ICT and Security Risk Management, which will apply from 30 June 2020, repealing and replacing the Guidelines for Payment Service Providers.
The following local legislation, among others, is applicable:
- the Constitution of the Republic of Bulgaria ('the Constitution');
- the Protection of Personal Data Act 2002 (last amended in 2019) ('the Data Protection Act');
- the Payment Services and Payments Systems Act (last amended in 2021) (only available in Bulgarian here) ('PSPSA'), which contains specific requirements for payment institutions regarding the processing of personal data; and
- the Measures Against Money Laundering Act (only available in Bulgarian here) ('MAMLA'), which contains provisions relating to anti-money laundering ('AML') and implements the Fourth Anti-money Laundering Directive.
In addition, the Commission for Personal Data Protection ('CPDP') has issued, among others, the following guidance:
- CPDP Opinion on the Role of Payment Service Providers (20 June 2019) (only available in Bulgarian here) ('the PSP Opinion');
- Opinion concerning the Request by Unicredit Bulbank on the Implementation of Regulation (EU) 2016/679 (21 September 2018) (only available in Bulgarian here) ('the Opinion on GDPR Interpretation for Banks');
- Opinion on the right to process personal data of newly appointed persons for the purposes of the Measures Against the Financing of Terrorism Act (MAFTA) (08 April 2020) (only available in Bulgarian here) ('the CPDP Opinion on processing data for the purpose of MAFTA');
- Opinion on the possibility for the employers to process personal data related to COVID-19 vaccination status of employees (06.10.2021) (only available in Bulgarian here) ('the vaccination status Opinion');
- CPDP Opinion on Rules for Non-Banking Financial Institutions to Uniquely Identify Individuals in a Virtual Environment when Providing Financial Services from Distance (22 November 2018) (only available in Bulgarian here) ('the CPDP Opinion on Identification Rules for Non-Banking Financial Institutions');
- Practical Guidelines on the Cases in which Consent for Personal Data Processing is not Required by the Commission for Personal Data Protection (05.03.2020) (only available in Bulgarian here) ('the Consent Guidelines'); and
- Brochure of the Commission for Personal Data Protection on the Legal Grounds for Processing Personal Data (05.03.2020) (only available in Bulgarian here) ('the Brochure on Processing').
Separate provisions devoted to the right to privacy were introduced in the Constitution. In particular, Article 32(1) of the Constitution proclaims as follows: 'The privacy of citizens shall be inviolable. Everyone shall be entitled to protection against any unlawful interference in their private or family affairs and against encroachments on their honour, dignity and reputation'. Furthermore, Article 32(2) provides that: 'No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without their knowledge or despite their express disapproval, except when such actions are permitted by law.' The Constitution also proclaims the inviolability of the freedom and confidentiality of correspondence and all other communications, except where there is a permission by the judicial authorities for the purpose of discovering or preventing a grave crime (Article 34 of the Constitution). It can be said that these constitutional provisions laid down the foundations of the privacy and data protection legislation that was about to be adopted at the beginning of the 21st century in Bulgaria.
The Data Protection Act
During its accession period to the EU, in 2002, Bulgaria adopted the Data Protection Act. The Data Protection Act underwent several amendments through the years and was extensively revised on 26 February 2019 to harmonise it with the provisions of the GDPR and to implement the GDPR into national legislation. Later in 2019 the CPDP also adopted new Rules on the Activity of the Commission for Personal Data Protection and its Administration (only available in Bulgarian here) in order to introduce procedures for fulfilling the tasks of the national supervisory authority set out in Article 57 of the GDPR. Additional secondary legislation regarding certification mechanisms and accreditation of bodies monitoring approved codes of conduct is expected.
1.2. Supervisory authorities
The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.
As a result of the amendments introduced to the Data Protection Act in accordance with the GDPR, two supervisory authorities under the GDPR have been established:
- the CPDP (established back in 2002 and in active operation ever since) – the competent body for the supervision of all data processing activities except for those performed by the judicial authorities in the performance of their judicial tasks; and
- the Inspectorate to the Supreme Judicial Council ('the Inspectorate').
The CPDP is a collective body headed by a chairperson and including four members, all elected by the National Assembly of the Republic of Bulgaria ('the National Assembly'). The CPDP is the national body performing the tasks specified in Article 57 of the GDPR and ensuring the application of the GDPR. In addition, the CPDP provides advice and issues guidelines, recommendations, and best practices regarding personal data protection.
The Inspectorate, being a body within the judicial system, is responsible for the supervision of data processing activities expressly excluded from the competence of the bodies outside the judicial system, such as the CPDP. This includes data processing activities carried out by the courts when acting in their judicial capacity, as well as activities performed by the prosecution offices and the investigation units (when being a part of the judicial system) for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties. The purpose of such a distinction is to ensure the independence of the judicial authorities by eliminating the possibility of exercising administrative control over its bodies through an authority which is not part of the judicial system, namely the CPDP. However, all activities of judicial bodies not relating to the performance of judicial tasks, e.g. processing personal data in the field of employment relationships, are still under the supervision of the CPDP.
Other supervisory bodies
The Financial Supervision Commission ('FSC') is an institution that is independent from the executive authorities and reports on its activity to the National Assembly. The FSC is a specialised government body for regulation and control over different segments of the financial system, namely the capital market, the insurance market, the health insurance market, and the pension insurance market. The primary mission of the FSC is to assist, through legal, administrative, and informational means, in maintaining stability and transparency in the non-banking financial sector, and to ensure the protection of consumers of financial products and services.
The Bulgarian National Bank ('BNB') exercises supervision over the activities of banks and foreign bank branches in Bulgaria. It has the right to demand from them any accounting or other documents, and any information on their activities, and to carry out on-site examinations. In exercising its supervisory powers, the BNB Deputy Governor in charge of the Banking Supervision Department may enforce, in an autonomous and independent manner, any remedial measures and sanctions provided by law. In addition, the BNB maintains a public register which contains data on bank account numbers, their account holders, and the authorised persons that can dispose of the accounts.
2. Personal and Financial Data Management
2.1. Legal basis for processing
Under the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness, and transparency, among others. In addition, processing shall only be lawful if (Article 6(1) of the GDPR):
- the data subject has given consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering a contract;
- the processing is necessary for the compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Moreover, under Article 9 of the GDPR, processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) applies.
Several opinions on the roles and functions of certain entities regarding data protection have been issued by the CPDP. The Opinion on GDPR Interpretation for Banks explains the role of the bank in relation to the conflicting interpretations of the legal roles of 'data controller' and 'data processor' in the context of the bank's relationship with its customers. Service providers that are subject to strict and exhaustive state regulation and perform their activities after acquiring a licence or another form of individual permission from the state are considered to operate under the control of explicitly determined government bodies and cannot be regarded as data processors. The entities falling into this category are insurance companies, banks, payment service providers, pharmacies, and postal service operators. Moreover, the CPDP states that not every data exchange in the course of performing a contract automatically leads to a controller-processor relationship, and an exchange between data controllers themselves does not automatically mean that joint controllership exists – the CPDP acknowledges that controllers may exchange and process data not necessarily for joint purposes but for their own purposes, i.e. in their capacity as independent data controllers.
The Consent Guidelines highlight that consent is not hierarchically superior to the other grounds for processing and is simply one of the possible grounds for data processing. The Consent Guidelines also contain a non-exhaustive list of practical examples where consent is not required, e.g. for the purposes of the regular business activities of banks and other credit institutions. This, however, does not include the processing of personal data for direct marketing, where consent must always be obtained. On the other hand, the CPDP has stated that there is no regulatory impediment to joint controllers using 'one consent' from the person whose data they process in order to offer direct marketing.
In addition, the Brochure on Processing includes detailed explanations and clarifications on the legal grounds to be used for data processing. According to the Brochure on Processing, the legal grounds under Article 6 GDPR cannot be cumulatively used; in other words, each processing activity requires only one legal basis. We are yet to see whether the CPDP's future decisions will reflect this concept, as in certain cases in the past the CPDP has stipulated that more than one legal basis might be applicable to a particular data processing activity.
Furthermore, the Brochure on Processing specifies that processing may be required in order to comply with an obligation that applies to the controller and is provided for by law. The overall purpose of the processing should correspond to a legal obligation specifically required by national or EU law. The controller should be able to identify the obligation in a specific legal provision, or otherwise by citing the source. Financial institutions are cited as an example: a financial institution identifies its potential or current customer through a copy of an identity document (including an identity card) based on the legal obligation under MAMLA.
It is to be noted that the national identifier used for all Bulgarian citizens is called the 'personal identification number' ('PIN'). A different identifier, the 'personal number of a foreigner' ('PNF'), is applied to foreigners with continuous, permanent, or long-term residence. Information containing these numbers is not publicly accessible unless otherwise provided by law. In this respect, a new practice was recently introduced by the public authorities. Until the end of 2021, the number assigned to each self-employed person in the public register for administrative and tax purposes ('BULSTAT number') was identical to their PIN/PNF. As the BULSTAT number was publicly available in the register and this was not provided for by law, from the beginning of 2022 the BULSTAT number will be converted into a 9-digit code.
In addition, the controllers providing electronic services must take appropriate technical and organisational measures so that PIN or PNF are not the only means of identification of the user upon providing remote access to the service (e.g. PIN or PNF should not be used as passwords – a practice that has been very common in the past).
Bulgaria has adopted a few local specific provisions, the practical implications of which are yet to be seen. As pointed out above, Article 25d of the Data Protection Act is the most restrictive provision, prohibiting the copying of certain official identity documents. Article 25d poses a great number of issues and challenges for businesses, and every controller needs to take it into account, in particular employers and online service providers (when requiring identification with a copy of an ID document), which seem to be most affected by this provision.
Pursuant to Article 25d of the Data Protection Act, a controller or processor may copy an identity document, a driving licence or a residence document only if this is prescribed by law (e.g. where it is provided for as part of the means of identifying natural persons under the anti-money laundering legislation). This provision is consistent with the long-established CPDP practice stating that copying such documents without legal authorisation to do so is unlawful and contradicts the principle of data minimisation. This rule imposes serious restrictions on the processing of such data and might create problems for businesses in any case where such a copy is required but no explicit legal obligation provides for it, since the processing will then be considered unlawful (e.g. copying ID cards in the employment context). It should also be pointed out that this restriction applies in all relations regardless of the purposes of processing and essentially permits making and storing copies of the specified documents solely on the basis of performing a legal obligation or exercising official authority vested in the controller, thus prohibiting the use of all other legal grounds under the GDPR.
In relation to the COVID-19 pandemic, in 2021 the local Minister of Health issued numerous orders related to epidemic measures in the workplace. This raised the question of whether employers in the affected sectors may collect personal data on the health and vaccination status of their employees. As the financial sector, banks and insurers, utility companies, non-banking financial companies, etc. were not among the sectors specifically affected by the measures imposed by the government, there are no specific processing rules directed at this industry. However, the general rules applicable to all employees with regard to their vaccination status shall apply.
In general, there are a number of provisions introduced by the Data Protection Act which are to be applied and interpreted by the competent authorities in the coming years, including procedural provisions, given the fact that no proceedings on claims for damages under the data protection legislation have been completed so far. It remains to be seen what position national authorities and courts would adhere to regarding the data subject rights and data protection requirements.
The GDPR establishes the principle of transparency (Article 5 of the GDPR). In addition, when data is being processed, information on the controller, purposes for processing, recipients of the data, retention period, and details of the data subject's rights shall be provided to the data subject (Article 13 of the GDPR).
There are no sector-specific requirements to provide customers with notice of the institution's privacy policies and practices.
However, according to the Consumer Credit Act 2010 (only available in Bulgarian here), prior to signing a credit contract the creditor makes an assessment of the consumer's solvency on the basis of comprehensive information, including information provided by the consumer and, if necessary, refers to the Central Credit Register or to other databases used in the Republic of Bulgaria for assessment of consumer solvency. When, after signing the consumer credit contract, the parties reach an agreement to change the total amount of the credit, the creditor is obliged to update the available financial information about the consumer and to assess the consumer's solvency prior to each increase in the total amount of the credit which exceeds by 25% the agreed amount of the credit. Therefore, the financial institutions should process the credit scoring information of their clients in order to be compliant with a legal obligation to which the controller is subject. Thus, in the privacy notices, as a reason for the processing of such data, the controllers should indicate compliance with a legal obligation, and not processing based on legitimate interests.
Taking into account the costs of implementation, nature, scope, context and purposes of processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers and processors must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).
Prior to the entry into force of the GDPR, there was secondary legislation of the CPDP (Ordinance No.1 on the Minimum Level of Technical and Organisational Measures and the Admissible Type of Personal Data Protection (30 January 2013) ('the Data Security Ordinance')) which identified the suitable technical and organisational measures based on the level of risk. The Data Security Ordinance served as an innovative and practical instrument, as data protection authorities do not normally provide detailed guidance on this matter. Nevertheless, the Data Security Ordinance was repealed as of 25 May 2018, since listing statutory security measures was considered contradictory to the risk-based approach adopted by the GDPR. The CPDP is currently revising the Data Security Ordinance, and it is expected to be transformed into methodological guidelines for controllers.
Based on the above, no specific legislation at national level is currently applicable. Financial sector institutions are, however, obliged entities under the Cybersecurity Act 2018 (only available in Bulgarian here) ('the Cybersecurity Act'). On a secondary legislation level, the Ordinance for Minimal Requirements for Network and Information Security 2019 (only available in Bulgarian here) was adopted. It implements security measures under the Cybersecurity Act, among which there are measures related to the processing of personal data.
Personal data must not be retained in a form which permits the identification of the data subject for longer than is necessary for the purposes the data was processed (Article 5(1)(e) of the GDPR). Moreover, the period for which the personal data are stored should be limited to a strict minimum, and to these ends, time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).
The local personal data legislation is not prescriptive as to the relevant retention period. Specific retention periods could be determined by the specific legislation of each area, or by the controller itself where no period is set in legislation. In most cases, a minimum storage period is defined, and very rarely a maximum period. Below are some specific legislative provisions concerning the financial sector which provide for mandatory retention periods.
According to the Credit Institutions Act 2006 ('CIA'), last amended in March 2021, the BNB establishes and maintains an information system on the money liabilities of the clients of banks, financial institutions, payment institutions, and electronic money institutions. Information from the system is obtained against payment of fees in accordance with a methodology. Information on persons who are co-debtors and credit guarantors shall also be kept in the system. The information in the system shall be kept for a period of five years from the date of the last reporting period. With regard to this register, the banks, financial institutions, payment institutions, and electronic money institutions are responsible for establishing and maintaining a special register in which they record the data of the checks carried out, and the records therein shall be kept for five years from the date of the inspection.
The PSPSA provides that payment institutions shall keep all appropriate accounting and other information and records regarding the payment services they provided, including any contracts concluded and any additional services provided, for at least five years. The payment service provider issuing a payment instrument has the obligation to store for no less than five years any information which allows tracing the transactions executed with the payment instrument. In addition, the participants in the payment system and the system operator keep the orders to the payment system for at least a five-year period from the date they are submitted.
The obliged entities under MAMLA have to keep for a period of five years all documents, data and information collected and drawn up in accordance with MAMLA, including data and information received by means of electronic identification. The internal rules and documents regarding the organisation of the money laundering measures have to be retained throughout the exercise of the respective activity and for a period of one year from its discontinuation.
MAMLA requires the collection and processing of large amounts of personal data in order to prevent the financial sector from being used as a means for money laundering and the financing of terrorism. The GDPR, on the other hand, places restrictions on why personal data can be collected and processed. Therefore, it is recommended that obliged entities pay attention in order to avoid violations of the rules for protection of personal data while trying to comply with their obligations under MAMLA.
Article 83(1) of MAMLA explicitly stipulates that, in relation to the processing of personal data for the purposes of the prevention of money laundering and the financing of terrorism, the GDPR and the Data Protection Act shall apply unless MAMLA provides otherwise. Furthermore, Article 83(2) of MAMLA stipulates that the processing of personal data for the purposes of the prevention of money laundering and the financing of terrorism is considered to be a matter of public interest according to the GDPR and cannot be limited by the requirements of Articles 12 to 22 and Article 34 of the GDPR.
In addition, as already mentioned, Article 25d of the Data Protection Act states that a controller or processor may copy an identity document, a driving license, or a residence document only if this is provided for by law. Such case has been laid down in MAMLA, which explicitly states that the identification of natural persons by the obliged entities shall be done by presenting an official identity document and taking a copy thereof.
Finally, it is to be considered that an Agreement between the Government of the Republic of Bulgaria and the Government of the United States of America to Improve International Tax Compliance and to Implement the Foreign Account Tax Compliance Act (FATCA) ('the FATCA Agreement') was ratified by law on 26 May 2015. Its provisions are currently applicable.
The FATCA Agreement was concluded following controversies with the application of FATCA. Bulgarian financial institutions were not able to comply with certain aspects of FATCA due to legal obstacles in the local legislation. The concluded agreement regulates the implementation of FATCA based on the internal provision of information and the automatic exchange of information under the conditions provided in the agreement.
Under the CIA, 'banking secrecy' covers the facts and circumstances concerning balances and operations on accounts and deposits held by clients of the bank. The CIA imposes an obligation not to disclose, or use for their personal benefit or the benefit of members of their families, any information which is a bank secret. A number of persons are obliged entities under this requirement, such as:
- the bank employees;
- the members of the bank's management and controlling bodies;
- the officials in the BNB;
- the employees and the members of the management board of the Bulgarian Deposit Insurance Fund;
- the liquidators, the temporary assignees in bankruptcy, and the assignees in bankruptcy; and
- any other person working for the bank.
An interesting question is whether the International Bank Account Number ('IBAN') of a bank account falls within the definition of banking secrecy. The prevailing opinion is that the IBAN alone cannot give information about the funds or the operations on a given account, which leads to the conclusion that it is not a bank secret. Payment accounts maintained by banks are designated by an IBAN, which, in its BNB format, identifies the bank maintaining the account and the type of the account (current, deposit, savings, fundraising, etc.). Bank account information, insofar as it may directly or indirectly identify an individual, may be considered personal data. Such information has the potential to disclose, or at least point to, information about a person's activity. In this context, it may be assumed that the bank account of an individual is personal data.
In addition, the BNB maintains a public register which contains data on bank account numbers, their account holders, and the authorised persons that can dispose with the accounts, as well as information about persons that have rental of safe deposit boxes in banks and their proxies.
The CIA defines 'professional secret' as any information received or created by the BNB for the purposes of banking supervision or in relation thereto. The members of the management board, the employees, external auditors, experts and other persons working for the BNB shall be bound by the obligation of a professional secret, including after termination of their relations with the BNB. They could use information which is a professional secret only for the purposes and in the course of their duties. The CIA provides for a limited number of exceptions when a professional secret can be disclosed.
Finally, it should be mentioned that in cases where information which is a professional secret also meets the definition for a bank secret, the regime for disclosure of banking secrecy is applicable.
The CIA provides certain exceptions to the obligation not to disclose banking secrecy. In general, there are three ways in which banking secrecy information may be revealed:
- The consent of the individual - for example, credit debtors can waive their rights which would prevent or limit the ability of the creditor to provide information for the purpose of using the credit as a financial security. The CIA does not impose requirements on the form of consent, but in practice, it should be granted in writing.
- Following a court order in cases in which this is necessary for the purpose of clarifying the circumstances on the considered case. The regional court is competent when requested by a competent authority and when establishing the circumstances to which the law relates to the provision of information.
- At the request of a public authority - in cases explicitly provided by the law, banks are obliged to disclose a bank secret directly to certain public authorities.
The Insurance Code (only available to download in Bulgarian here) expressly states in its additional provisions that its rules permitting the processing of health data constitute an additional condition for the lawful processing of personal data concerning health within the meaning of Article 9(4) of the GDPR. The relevant rules are as follows:
- for establishing the insured event and the harm caused by it, the insurer and the person claiming compensation have the right to receive the necessary information held by the Ministry of Interior, the investigating bodies, other state bodies, general practitioners, medical and health establishments and the persons entitled to establish the occurrence of the relevant circumstances, as well as the filed records and documents. Where the required information forms part of the materials of pre-trial proceedings, the prosecutor grants access to it; and
- before concluding a life insurance contract, as well as during its term, the insurer has the right to receive detailed and accurate information about the age, sex, health and financial condition of the person whose life, health or bodily integrity is insured. Upon the occurrence of the insured event, the insurer has the right of access to the entire medical documentation relating to the health condition of the insured person and may require it from all persons holding such information, including under the Health Care Establishments Act 1999 (only available in Bulgarian here), the Health Insurance Act 1998 and the Health Act 2004 (only available in Bulgarian here).
Medical examinations and tests, and the processing of personal data they involve, cannot be carried out on behalf of the insurer (the controller) because the insurer is not a health establishment. The special healthcare legislation lays down a number of obligations, measures, mechanisms, procedures and conditions for the protection of health information containing personal data, and these cannot be contracted out of by means of a contract within the meaning of Article 28 of the GDPR. The mere provision of a service in which personal data are normally exchanged between the client and the contractor does not automatically create a controller-processor relationship within the meaning of Article 28 of the GDPR.
The local payment services legislation contains no specific data protection regime. The PSPSA states that payment service providers and payment system operators must process the personal data of payment service users in compliance with the requirements for personal data protection, and that, for the purposes of preventing, investigating and detecting fraud related to payment services, processing may be carried out without the consent of the data subject.
On 20 June 2019 the CPDP published an opinion on the role of payment service companies (the PSP Opinion). The provision of payment services to individuals and legal entities is a specific activity, regulated in detail in the PSPSA and the related regulations, which is carried out by banks, electronic money institutions, payment institutions, etc. on the basis of a licence issued by the BNB and under the BNB's supervision. Notably, one of the conditions for obtaining a licence is the provision of 'security rules that protect payment service users against identified risks, fraud or illegal use of sensitive and personal data' (Arg. Article 10, paragraph 4, item 6(k) of the PSPSA). In addition, Article 3, paragraph 4 of the PSPSA obliges payment service providers and payment systems to process the personal data of payment service users in compliance with the requirements for personal data protection. The PSP Opinion therefore concludes that payment service providers, like banks and postal operators, process data under a strict and comprehensive regulatory framework and are to be regarded not as processors but as independent data controllers.
In addition, according to Article 160 of the PSPSA, when exercising its supervisory functions the BNB cooperates with the competent supervisory authorities for payment institutions and electronic money institutions of the Member States and, where necessary, with the European Central Bank and the national central banks, with the competent supervisory bodies over other payment service providers, with the competent supervisory bodies over payment systems and securities settlement systems, and with the EBA.
For the purposes of this supervision, the BNB may exchange the necessary information with these bodies, as well as with other bodies of the Member States responsible for overseeing compliance with legislation on the protection of personal data and on the prevention of the use of the financial system for money laundering and terrorist financing. Supervisory information is exchanged subject to the requirements of professional secrecy, including guarantees for the protection of personal data and trade secrets. When exchanging information with other competent bodies on supervisory matters, the BNB may indicate at the time of transfer that the information may be disclosed only with its explicit permission and only for the purpose for which that permission was given.
See Chapter V of the GDPR for the general requirements regarding transfers of personal data to third countries or international organisations.
There are no specific requirements in the local legislation regarding the transfer of personal data. The GDPR is directly applicable.
Specific outsourcing requirements for the payment institutions
Where a payment institution intends to outsource the performance of operational functions relating to payment services to another entity, it must notify the BNB, providing information and documents about the entity to which the activities will be outsourced and a detailed description of the services it intends to outsource. The outsourcing of important operational functions, including functions related to information systems, must not be undertaken in a way that materially impairs the quality of the payment institution's internal control or the BNB's ability to monitor it. Payment institutions must take reasonable steps to ensure that the entities to which operational functions are outsourced comply with the requirements of the PSPSA.
The EBA Outsourcing Guidelines, which incorporate the earlier EBA Outsourcing Recommendations, should also be considered. The Guidelines provide a clear definition of outsourcing and specify the criteria for assessing whether an outsourced activity, service, process or function (or part of it) is critical or important. They aim to establish a more harmonised framework for the outsourcing arrangements of all financial institutions within the scope of the EBA's remit, and to ensure effective supervision of institutions and payment institutions when functions are outsourced to service providers located in third countries. Financial institutions are expected to ensure compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data), in particular for critical or important functions outsourced to service providers.
As a general rule, a controller must notify the competent supervisory authority of any personal data breach it suffers, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1) of the GDPR). For further information on the general data breach requirements, see EU – GDPR – Data Breach.
The CPDP Opinion on Identification Rules for Non-Banking Financial Institutions adds that, upon identifying that a fraudulent loan application has been submitted and/or approved (e.g. a loan has been granted) under the Distance Marketing of Financial Services Act 2006 (only available to download in Bulgarian here), the non-banking financial institution, as controller, should notify the supervisory authority of a personal data breach in accordance with Article 33 of the GDPR. The CPDP treats such situations as 'identity theft', i.e. one person fraudulently presenting himself or herself as another.
At the EU level, there is currently no harmonised framework for FinTech regulation. In March 2018 the European Commission adopted an action plan on FinTech, alongside discussion papers on the subject, and many EU financial regulators have signalled support for developing a more comprehensive FinTech regulatory framework.
Although no specific legislation governs the processing of personal data in this innovative sector, a number of cases requiring regulatory interpretation have recently arisen. In 2019 the CPDP published an opinion (only available in Bulgarian here) on a local bank's deployment of 'VoiceBiometrics', a voice recognition system that authenticates a customer against a previously recorded voice print derived from the physical configuration of the mouth and throat, the diaphragm, speaking speed, pauses, breathing and intonation. The bank intended to use it to handle enquiries requiring customer identification in the course of managing banking services, such as obtaining balance and account movement information. According to the CPDP, the activity may be carried out, but only under the following conditions:
- with the explicit written consent of the bank's clients, given after they have been informed in detail about the purposes, methods and risks of processing their personal data with the system;
- with the right to choose an alternative method of identification that does not involve the processing of biometric data, and correspondingly the possibility of declining the service without negative consequences for the bank's clients; and
- the bank (as controller) must carry out a Data Protection Impact Assessment of the envisaged processing operations under Article 35 of the GDPR.
The GDPR provides for administrative fines of up to (Article 83 of the GDPR):
- €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
- €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects’ rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.
In accordance with Article 83(5)(d) of the GDPR, the Data Protection Act provides for sanctions up to the maximum amounts under the GDPR for non-compliance with the national rules on processing personal data, for example processing for journalistic purposes, in the employment context, or for scientific, historical research or statistical purposes. The Data Protection Act sets a general penalty of up to BGN 5,000 (approx. €2,560) for 'other infringements', i.e. all infringements for which no higher penalty is provided by the GDPR or national legislation. No further sector-specific legislation exists for the financial sector.
To date, the CPDP has imposed two fines significantly larger than its ordinary practice, which rarely exceeds BGN 10,000-20,000 (approx. €5,110-€10,230). The first concerns a data breach at a bank, described in section 11 below, and the second a data breach at the National Revenue Agency.
In the majority of cases, the CPDP has imposed fines where it found an infringement of the principles of the GDPR, unlawful processing, or a failure by the controller or processor to implement appropriate technical and organisational measures. The last of these has, so far, been the ground for the largest fines.
11. Additional Areas of Interest
In August 2019, the CPDP imposed a fine of BGN 1 million (approx. €511,290) on a Bulgarian bank for failing to apply suitable technical and organisational measures and failing to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and servers used to process personal data. The personal data of around 33,500 bank customers and related third parties were compromised, including names, citizenship, personal identification numbers (PIN), permanent or current addresses, copies of identity cards, personal data contained in tax documents certifying the income and health insurance of borrowers and third parties, health status information, payment account details, and the registration numbers and dates of notarised instruments. According to the bank's press release, it was contacted by a person claiming to hold a database of bank client data. The bank announced that there had been no successful digital attack against its information systems and that it had informed the CPDP and the judicial authorities of the incident. The bank also stated that it would accept the fine (i.e. would not appeal it) and would cooperate with the authorities to further improve its data protection measures.
CFT legal reform
On 4 April 2020 the CPDP published an opinion on the right to process the personal data of newly appointed persons for the purposes of the MAFTA (only available to download in Bulgarian here). The opinion concerns the specific categories of persons obliged under the MAFTA to process personal data in order to prevent and detect actions of individuals, legal entities, groups and organisations aimed at terrorist financing. It was issued in response to a request for information asking:
- whether the persons obliged under the MAFTA may process the personal data of their employees and, respectively, job applicants on the basis of compliance with their legal obligations under the MAFTA within the meaning of Article 6(1)(c) of the GDPR; and
- if not, whether another legal basis under Article 6 of the GDPR is available on which the persons obliged under the MAFTA may process the personal data of their employees and job applicants, for example legitimate interests (Article 6(1)(f) of the GDPR).
In its reasoning, the CPDP stated that, as provided in the MAFTA, banks and financial institutions are among the categories of persons obliged to comply with the MAFTA and must apply the respective measures to the persons with whom they have a legal relationship (e.g. a contractual or pre-contractual relationship) in connection with the financial services they provide. The measures, however, apply only to natural persons, legal entities, groups and organisations against which sanctions have been imposed.
On this basis, the CPDP concluded that banks and financial institutions may process the personal data of their employees on the ground of compliance with their legal obligations under the MAFTA, as long as the relationship between the employer and its employees falls within the scope of the MAFTA; such processing is lawful under Article 6(1)(c) of the GDPR. The CPDP further stated that the legal relationship with job applicants does not fall within the material scope of the MAFTA, so processing their personal data on the ground of compliance with the MAFTA would be unlawful.
With respect to both categories, employees and job applicants, the CPDP also held that processing their personal data for the purposes of the legitimate interests of the banks and financial institutions in their capacity as controllers would be unlawful, given the high importance of the societal relations regulated at national level by the MAFTA.