Bulgaria: Health and Pharma Overview
1. Governing Texts
At the beginning of 2023, nearly five years after the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') entered into force, Bulgarian society and national legislation still face the challenges prompted by the enhanced protection. GDPR standards continue to be difficult to implement because the benchmark for regulation, compliance, and enforcement of data protection prior to the GDPR era was significantly lower. This circumstance is further complicated by the ambiguous and fragmented Bulgarian personal data regulations and the entry into force of Regulation (EU) No. 536/2014 on Clinical Trials on Medicinal Products for Human Use ('the Clinical Trials Regulation'), including the use of the new Clinical Trials Information System ('CTIS'). In addition, the COVID-19 pandemic prompted the Government to implement a large number of online services (such as electronic prescriptions, electronic referrals for medical diagnostic tests, e-documents for medical examinations, and citizens' electronic health entries) and electronic information systems (the National Information System for Combating COVID-19 and the National Health Information System) ahead of the related statutory regulation. Thus, companies (especially those in the healthcare and pharmaceutical research sector) now face entirely new obstacles - they must achieve and maintain data protection compliance in the absence of explicit rules or local guidance, and despite the variety of interpretations. In addition, they need to adapt to the unprecedented dynamics of the amendments to the existing legislation.
Bulgarian law does not provide for a standalone framework regulating the processing of health or pharmaceutical research data. Rather, the statutory rules applicable to such data arise from several legislative acts in the area of data protection, healthcare, and pharmaceutical products, including:
- the Constitution of the Republic of Bulgaria;
- the GDPR (which has a direct effect and prevails over conflicting provisions of Bulgarian law);
- the Protection of Personal Data Act 2002 (last amended in 2019) ('the Data Protection Act'), which sets out derogations as well as some additional and/or specific local data protection rules;
- the Clinical Trials Regulation, which has direct effect and prevails over conflicting provisions of Bulgarian law on clinical trials;
- the Medicinal Products in Human Medicine Act 2007 ('the MPHMA'), which regulates some details on the conduct of clinical trials, as well as pharmacovigilance;
- the Health Act 2005 (only available in Bulgarian) ('the Health Act'), which contains general rules concerning health data and information, patients' rights, the National Health Information System, and scientific research;
- the Healthcare Facilities Act 1999 (only available in Bulgarian) ('the Healthcare Facilities Act'), which sets forth the scope of activities, rights, and obligations of healthcare facilities; and
- the respective laws governing the professional organisations of healthcare professionals – medical doctors, nurses, associated medical specialists, and pharmacists.
These primary legislative instruments are supported by a vast number of acts of secondary legislation, such as ordinances, instructions, and regulations containing mandatory statutory rules. Due to the pace at which secondary legislation has been issued, such instruments have gained significant importance in the last three years. Currently, they regulate the functioning of the National Health Information System (an electronic information system designed to include the electronic health entries of individuals and to incorporate the registries, databases, and systems provided for by the Health Act), the conditions and procedures for the diagnosis, prophylaxis, and control of COVID-19, monkeypox, and certain airborne infectious diseases, the prescription and dispensing of medicinal products, the submission of data and information to the EU Portal under Article 80 and access to the EU Database under Article 81 of Regulation (EU) No 536/2014, good clinical practice, and many other matters. Unfortunately, each piece of new secondary legislation focuses on a particular healthcare issue; therefore, although it concerns medical information or documents, data protection matters are rarely explicitly regulated. As a result, in these complicated circumstances, data subjects struggle to exercise their rights, while in the absence of detailed legislation, the burden of careful analysis of each activity is entirely shifted to the participants in the healthcare, medical, and pharmaceutical research sectors.
1.2. Supervisory authorities
The sector-specific regulatory body in the area of pharmaceutical products is the Bulgarian Drug Agency ('BDA'), established under the Ministry of Health. The BDA is responsible for authorising and supervising the manufacturing, import, storage, wholesale, and retail trade of pharmaceutical products and has statutory powers concerning the authorisation and conduct of clinical trials.
The Ministry of Health is responsible for the management and operation of the National Health Information System (an information system designed to include the electronic health entries of individuals, including electronic referrals, e-documents on medical exams, and electronic prescriptions), the Specialized Electronic System for Tracking and Analysis of Pharmaceutical Products (designed to collect information on supplied and dispensed/sold quantities of pharmaceutical products in Bulgaria, including a list of pharmaceutical products that are in shortage), and the Electronic System for the Purchase of Pharmaceutical Products for Medical Institutions (through which procedures and electronic tenders are conducted for the purchase of pharmaceutical products for the needs of medical institutions in Bulgaria).
Neither the BDA nor the Ministry of Health, however, has competence in respect of the regulation and supervision of health data processing.
The key regulator in the area of data protection is the Commission for Personal Data Protection ('CPDP'). The CPDP is an independent supervisory and regulatory authority with comprehensive regulatory powers in data protection matters, as well as all powers of a national supervisory authority under the GDPR.
The Bulgarian Act on the Hierarchy of Statutory Instruments 1973 (as amended) (only available in Bulgarian) does not recognise guidelines as a source of statutory rules of a mandatory nature. As a result, guidelines are very rare in Bulgarian legal practice. Since 2006, governmental bodies have had the option, under Article 13 of the Administrative Procedure Code 2006 (as amended), to disclose publicly 'the criteria, the internal rules and the established practice' in the exercise of their operational autonomy for implementation of the law. Nevertheless, regulators and supervisory authorities still guard their operational autonomy by avoiding disclosure, through guidelines, of their practices or the criteria used for assessing statutory compliance.
The same holds in the area of data protection in particular. Following the national legal tradition, and unless explicitly vested with legislative competence, the CPDP issues instructions very rarely, and those it does issue tend to focus on areas of public interest, such as political elections, money laundering, and the approval of codes of conduct under Article 40 of the GDPR. Although this tradition so far remains unchanged, in October 2021, because of public pressure for transparency, the CPDP published its internal instruction for carrying out various control and supervisory procedures (i.e., procedures for the review of complaints, for on-site or document checks, for response to data breach notifications, etc.). Following this publication, the supervisory and control activities of the regulator will be more transparent and predictable for the regulated entities.
The Bulgarian data protection framework, however, is part of the wider EU data protection system, and, just like the former Article 29 Working Party ('WP29'), the European Data Protection Board ('EDPB') is very keen on guiding the activities of the key players. Some of the most relevant of their guidelines are:
- Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR;
- Guidelines 05/2020 on Consent under the GDPR;
- Guidelines 4/2019 on Article 25 Data Protection by Design and by Default;
- WP29 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether the processing is "likely to result in a high risk" for the purposes of Regulation 2016/679;
- Opinion 3/2019 Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation and the General Data Protection Regulation ('the GDPR/CTR Opinion');
- Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak;
- Guidelines 01/2022 on data subject rights - Right of access; and
- EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space.
Although not of a mandatory nature under Bulgarian law, these guidelines are most welcome. In the absence of detailed national rules or regulatory practice, they serve as a model for the participants in healthcare and pharmaceutical research, who hope that, when assessing compliance, the CPDP will not develop national practices that contradict those provided by the WP29 and the EDPB.
Unlike other Bulgarian regulatory authorities, the CPDP does not restrain itself from providing an opinion on certain issues raised by the party concerned. Such opinions are not mandatory in nature and do not serve as general guidelines, as they are provided in respect of particular facts and circumstances raised by the inquirer. Nevertheless, they are highly appreciated and may be applied by analogy. One example of such opinions under the GDPR is the CPDP opinion on the allocation of the roles of controller and processor in clinical trials (the 'Clinical Trials Opinion'). Published on 10 June 2019, the Clinical Trials Opinion states that, in the carrying out of clinical trials, the healthcare facilities and the sponsor of the clinical trial act as joint controllers. Under the CPDP opinion in respect of data processing in the context of infection with COVID-19 (only available in Bulgarian) ('the COVID-19 Opinion'), employers are not authorised to request information on the health status of an employee and their family while they are in a home office regime, and any measures related to the identification of individuals who have been in contact with infected employees must be undertaken by the health authorities, not by the employer. The Opinion concerning vaccination status (only available in Bulgarian) states that there are no legal grounds for the use of the EU digital green certificate for purposes other than those set forth in Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021.
However, to comply with the epidemic measures: (i) employers may process aggregated data on the vaccination status of their employees in order to take occupational health and safety-related decisions; and (ii) a digital green certificate may be verified, if presented voluntarily, without keeping records of the results of such verification and provided that refusal to present the certificate is not used to limit the rights and freedoms of the individuals.
The most important statutory concepts relevant to the processing of health data are data concerning health, special categories of data, biometric and genetic data, consent, and informed consent. Bulgarian legislation does not have a unified approach to the definitions of these concepts. As an example, concerning the concepts of genetic and biometric data and data concerning health, after the entry into force of the GDPR the Bulgarian legislator has implemented an explicit reference to the GDPR, rather than setting forth a full definition in the local legislation. Thus, for instance, pursuant to the Data Protection Act, the GDPR definitions listed below are directly applicable in Bulgarian law.
Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person, which give unique information about the physiology or the health of that natural person, and which result, in particular, from an analysis of a biological sample from the natural person in question (Article 4(13) of the GDPR).
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).
Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status (Article 4(15) of the GDPR).
The local legislator's approach to healthcare legislation, however, is quite different – it simply provides various definitions of similar concepts. Accordingly, the Health Act, the Organ, Tissue and Cell Transplantation Act (only available in Bulgarian), the MPHMA, and Ordinance No. 31/2007 on Setting Forth Guidelines for Good Clinical Practice (only available in Bulgarian) ('Ordinance 31') each provide a definition of 'informed consent'. However, these definitions are not identical; they refer to the consent granted in respect of the provision of healthcare services and serve the purposes of the respective activity (see the section on Consent below).
In addition, the Health Act defines 'health information' as personal data related to the health status, and physical and psychological development of the individuals, as well as any other information contained in medical prescriptions, protocols, certificates, and other medical documents. On the face of it, this definition seems to broaden the applicability of the law to cases where health information concerns the physical or mental development of the individual or information in medical documents. However, in light of the clarifications on data concerning health provided in Recital 35 of the GDPR, such an extension is of very little practical use. This is because the specific rules on health information outlined in the Health Act only regulate the individuals and entities eligible to collect and access health data in the context of the provision of medical services. On the other hand, the enhanced protection of data concerning health stemming from the GDPR is of general applicability and, due to the clarification of Recital 35, is far broader.
2. Clinical Studies and Clinical Trials
Under the Clinical Trials Regulation, a clinical trial of a pharmaceutical product is any clinical study where the assignment of the subject to a particular therapeutic strategy is decided in advance and does not fall within normal clinical practice, or the decision to prescribe the investigational medicinal products is taken together with the decision to include the subject in the clinical study, as well as where diagnostic or monitoring procedures are applied to the subjects in addition to normal clinical practice.
Currently, the requirements for the conduct of clinical trials in Bulgaria are provided for by the Clinical Trials Regulation and the related Bulgarian legislative instruments – the MPHMA and Ordinance 31. As the regulatory authority in the field, the BDA performs the activities of the reporting and concerned Member State and is also designated as the national contact point.
The sector-specific legislation, however, regulates the clinical trial authorisation process, the rights and obligations of the participants in the clinical trial (sponsor, trial subjects, investigator), the commencement, conduct, and termination of the trial, as well as pharmacovigilance in the process. The primary focus of the sector-specific legislation is to ensure the rights, safety, and health of the trial subjects and the scientific value of the clinical trial data; therefore, based on an explicit provision (Article 93 of the Clinical Trials Regulation), the GDPR applies to the processing of personal data carried out during clinical trials. This legislative approach avoids conflicts between the two areas of legislation but, given the lack of local Bulgarian rules or guidance on the matter, equally means that detailed statutory rules for processing health data in the framework of a clinical trial are absent. Because of this, when carrying out their data protection-related obligations, sponsors and institutions in Bulgaria rely heavily on the GDPR/CTR Opinion, especially where the legal basis, informed consent and its withdrawal, transparency in respect of data subjects, transfers, and use of data outside the protocol (secondary use) are concerned.
2.1. Data collection and retention
Bulgarian legislation on clinical trials does not set forth additional or specific rules in respect of personal data collection. Data collected during the conducting of a clinical trial usually encompasses identification data of the participants in the trial (such as trial subjects, investigators, and study team members), as well as data related to the health of trial subjects. Under the applicable data protection legislation, data related to health is generally treated as a special category of data that is subject to enhanced protection. Under the GDPR, the processing of special categories of personal data is generally prohibited. To lawfully process health data, the sponsor and the institution, in their capacity as controllers, must identify both a lawful basis under Article 6 of the GDPR (e.g., participant's consent, compliance with a legal obligation, processing in the public interest, or prevailing legitimate interest of the controller) and a separate condition for processing under Article 9 of the GDPR (e.g., processing necessary for scientific research purposes, provided that the necessary safeguards are in place).
The rules for data retention in the clinical trial process are set forth in the Clinical Trials Regulation, under which the sponsor and the investigator shall archive the content of the clinical trial master file (the file containing the essential documents relating to that clinical trial that allow for verification of the conduct of the clinical trial and the quality of the data generated) for a period of 25 years after the end of the clinical trial. This statutory retention period takes precedence over the rules of Ordinance 31, which require keeping the basic documents of the trial for at least two years after the expiry of the last marketing authorisation, or two years after the official cessation of the clinical development of the investigational product.
The informed consent of the trial subject for participation in the clinical trial and the safeguarding of their right to privacy and personal data protection are among the mandatory requirements for conducting a clinical trial under the Clinical Trials Regulation.
While under the pre-Clinical Trials Regulation regime the informed consent for participation in a clinical trial in Bulgaria was a document whose content and form were explicitly regulated, currently the informed consent is a dated and signed decision that must be in writing and obtained in accordance with the procedural requirements of Article 28 of the Clinical Trials Regulation. Such a decision must be taken freely after the individual has been duly provided with adequate information meeting the requirements of the regulation.
It should be noted that the informed consent for participation in the clinical trial is not identical to the consent for personal data processing under the data protection laws. The two types of consent serve different purposes (one is aimed at participation in the trial, the other at the processing of personal data), have different objectives (a measure ensuring the human right to dignity and integrity, as opposed to a data protection compliance measure), and are subject to different regulation of form and procedure (the form and procedure for obtaining the former are regulated in detail, whereas the latter must meet more general requirements).
Under the former data protection regime, using consent as the basis for personal data processing, and obtaining both types of consent (for data protection and for participation in the trial) via the same form, was the standard approach in Bulgaria. However, given the higher consent standard of the GDPR, obtaining lawful consent as a legal basis for processing clinical trial data is significantly more difficult. This is mainly due to the imbalance in the relations between the parties. Typically, trial subjects in Bulgaria are economically or socially vulnerable individuals with health issues. Some of them tend to view the clinical trial as access to new drugs or therapy which may save their lives, and therefore they usually act under circumstances that may influence their free will. As a result, controllers (e.g., sponsors, investigators, and institutions) should very carefully assess the applicability of consent as the legal basis for processing. In the light of the GDPR/CTR Opinion, they should seek a more appropriate legal basis, such as the legitimate interest of the controller or a task carried out in the public interest, in conjunction with the additional conditions for processing under Article 9 of the GDPR (e.g., processing for reasons of public interest or for scientific research purposes).
The Clinical Trials Regulation (Article 30) sets forth conditions for the validity of a minor's informed consent, which apply in addition to the general requirements. According to its provisions, any person under the age of 18 must take part in the informed consent procedure and receive relevant information in a way adapted to their age and mental maturity, including from investigators or members of the investigating team who are trained or experienced in working with children. In addition, individuals and their representatives must not be given incentives or financial inducements, and the clinical trial must be intended to investigate treatments for a medical condition that occurs in minors. There must be scientific grounds for expecting that participation will produce a direct benefit for the minor, and the minor's explicit wish to refuse to participate, or to withdraw, must be respected by the investigator.
As explained above, consent for personal data processing is separate from the informed consent for participation in the trial. In the absence of sector-specific data protection rules, the consent standards of the GDPR apply in all cases where controllers endeavour to base the personal data processing on consent. In addition, from the point of view of civil law, children lack full legal capacity. Consequently, for obtaining consent in respect of personal data processing, the consent of the parents/guardians (for minors under 14 years of age) or of the individual together with both parents/guardians (for minors between 14 and 18 years of age) would be required.
2.3. Data obtained from third parties
Sector-specific legislation in the area of clinical trials does not set forth any rules in respect of obtaining data from third parties (public health service providers, hospitals, etc.), and so the requirements of Article 14 of the GDPR apply where personal data has not been obtained directly from the trial subject.
In particular, within a reasonable period after obtaining the data (but at the latest within one month), the controller (investigator, sponsor, or institution) must provide the trial subject with information including the identity and contact details of the controller and its data protection officer ('DPO'), if any (see the section on Data Management below); the purposes and legal basis of the processing; the categories of personal data; and the recipients and international transfers, if any.
Following the implementation of Directive 2010/84/EU of the European Parliament and of the Council, amending, as regards pharmacovigilance, Directive 2001/83/EC on the Community Code relating to Medicinal Products for Human Use, Bulgarian law is, in general, harmonised with the EU rules applicable to pharmacovigilance. Under the legislation in force, the BDA maintains a system for monitoring the safety of medicinal products, which is used to gather information on the health-related risks arising from their use. Such information encompasses adverse reaction reports related to the use of medicinal products. Marketing authorisation holders ('MAH') have a statutory obligation to maintain a pharmacovigilance system and to carry out the required reporting of adverse reactions. All healthcare professionals, on the other hand, must immediately notify either the MAH or the BDA of any suspected serious adverse reaction. In addition, patients have the option to report either to a healthcare specialist or directly to the BDA. Due to the specific mindset of Bulgarian patients, who strongly believe that the healthcare professional is responsible for the medical treatment and the related decisions, for many years the role of patients in adverse reaction reporting remained a purely statutory provision and went completely unnoticed by them. The COVID-19 pandemic, however, brought significant change in this respect, especially after information about the patient's opportunity to report adverse reactions was included in the informed consent form used during COVID-19 vaccination in Bulgaria. This focused public attention and raised significant awareness among patients, not only about vaccines but about pharmaceutical product pharmacovigilance as a whole. As a result, patients started to participate more actively, thus contributing to safety reporting.
Adverse reaction reports contain not only data on the medicinal product concerned but also the personal data of the reporting individuals (usually identification and contact data) and of the affected patient (both identification data and certain data related to health, such as a description of the adverse reaction itself). Given the statutory obligations imposed on all participants in the pharmacovigilance process (the BDA, the MAH, and the healthcare professional), all of them act in the capacity of controllers. As such, they have the obligation to process personal data in respect of adverse reaction reporting in accordance with the GDPR principles of fairness, lawfulness, purpose limitation, and data minimisation.
Given the fact that processing for pharmacovigilance purposes is carried out for the protection of health (both individual and public) and for ensuring the quality and safety of the medicinal product, in order to gather the relevant data and for the disclosure to the BDA, controllers may employ as the legal basis Article 6(1)(c) of the GDPR (i.e., a legal obligation to which the controller is subject) in conjunction with Article 9(2)(i) of the GDPR (i.e., for the purposes of the public health).
One of the challenges some controllers, including the BDA, currently encounter in respect of pharmacovigilance concerns the transparency and data minimisation principles in adverse reaction reporting. The BDA has prepared adverse reaction reporting forms for both healthcare professionals and patients, which explicitly mark the minimum data needed for the validity of the report. However, the regulator has failed to provide the relevant transparency information, while at the same time calling for the provision of as much data as possible and providing for the e-submission of the said forms. Thus, reporting individuals do not have the relevant information to make informed decisions as to the personal data they provide. This is especially challenging for healthcare professionals, as in their capacity as controllers they have to adhere to the data protection principles of lawfulness, transparency, and data minimisation, instead of automatically filling in the report under the assumption that, because the form has been set by the BDA, they are acting under a statutory obligation.
A biobank is a biorepository that stores biological samples for use in research and gives multiple researchers access to samples and data derived from such samples. Biobanks are not explicitly regulated by Bulgarian law. Bulgaria joined the Biobanking and BioMolecular Resources Research Infrastructure – European Research Infrastructure Consortium ('BBMRI-ERIC') as its 21st member in May 2018. At present, the Ministry of Education and Science and Medical University - Sofia are working with BBMRI-ERIC to set up the BBMRI National Node.
Bulgarian law, in general, construes the human body as a public good and regulates the obtaining of tissues, organs, and cells mainly for the purposes of transplantation (i.e., for medical rather than scientific research purposes). This approach has been adopted because the legislator must balance the interests of the patient (i.e., the recipient) with the interests of the donor – a healthy individual who has risked damaging their health in order to support the healing process of the recipient. Organs, tissues, and cells of any deceased person may be used for transplantation by virtue of the law (presumed consent to donation), provided that prior to their death the individual has not undertaken the additional procedures for exclusion from this presumption.
Pursuant to Ordinance No. 12/2004 on the Terms and Conditions for Provision of Organs, Tissues and Cells that Cannot be Used for Transplantation Due to Medical Reasons (only available in Bulgarian) ('Ordinance 12'), organs, cells, and tissues that cannot be used for the purposes of transplantation due to medical reasons (transmission of diseases, potential rejection of the organ by the recipient, inappropriate age, improper storage or transportation, etc.) should be provided to medical facilities performing transplantations, to medical diagnostic and medical technical laboratories, and to universities or scientific organisations. Such entities are authorised to use the organs, cells, and tissues for other treatment, diagnostic, and scientific purposes, in accordance with the law.
Regarding the data protection-related aspects of both transplantation and the use of organs, cells, and tissues for diagnostic and scientific purposes, Ordinance 12 explicitly forbids the provision, by any of the participants in the process for provision of organs, tissues, and cells that cannot be used for transplantation, of any information that has the potential to identify either the donor or the recipient. There are no other data protection rules set forth in the sector-specific legislation; therefore, the general rules of the GDPR apply.
5. Data Management
The data management process starts from the protocol and case report form design and encompasses all subsequent stages of the clinical trial – application for authorisation, gathering of trial subjects' data, preparation and completion of notifications and reports, as well as storage and archiving of the data. Such activities are currently regulated by the Clinical Trials Regulation, which provides rules in respect of the data contained in the application dossier (Article 25), the information provided during the informed consent process (Articles 28-35), notification of the launch and termination of the clinical trial (Article 36), safety reporting in the clinical trial process, including its technical aspects (Chapter VII), reporting the results of the trial (Article 37), performing safety reporting (Articles 41-43), archiving of the clinical trial master file, compliance with inspection obligations (Article 78), as well as the single entry point for the submission of data and information relating to clinical trials – CTIS (Articles 80-82).
These aspects are further complemented by requirements as to organisational measures. Pursuant to the Clinical Trials Regulation (Article 56), the sponsor or investigator (as the case may be) is vested with the principal obligation to:
- record, process, handle, and store all clinical trial information in such a way that it can be accurately reported, interpreted, and verified while the confidentiality of the records and the trial subjects' personal data remains protected in accordance with data protection rules; and
- implement appropriate technical and organisational measures to protect the information and personal data processed against unauthorised or unlawful activities, especially where the processing involves transmission over a network.
Sector-specific rules concerning the preparation, processing, and storage of documents in clinical trials supersede the more general rules of the GDPR. However, for matters not addressed in the clinical trial regulations, the provisions of the GDPR apply. For example, in the course of a clinical trial the need to carry out a Data Protection Impact Assessment ('DPIA') under Article 35 of the GDPR may arise more often than in other activities. A DPIA evaluates the likelihood and severity of data protection risks, as well as whether prior consultation with the supervisory authority is needed. Conducting clinical trials is not among the activities explicitly included in the CPDP's List of the Types of Operations Requiring a DPIA under Article 35 of the GDPR ('the DPIA list'). However, the DPIA list is not exhaustive. Some operations may amount to the processing of special categories of data on a large scale. In addition, some e-health technologies may be regarded as systematic and extensive evaluations of personal aspects based on automated processing that produce legal effects on individuals. Such processing operations, based on the general principles of the GDPR, will require a DPIA.
Appointing a DPO
Article 37 of the GDPR requires designation of a DPO where:
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing of special categories of data on a large scale (e.g., health data).
Given this provision, for many sponsors, clinical research organisations, or healthcare facilities acting as institutions, the appointment of a DPO will be required, either because the scope, nature, and purposes of the clinical trial involve regular or systematic monitoring (i.e., not occasional) on a large scale, or because the trial requires processing of health data on a large scale. Unfortunately, the GDPR does not define 'large scale'. Pursuant to the DPO Guidelines, a numerical definition of 'large scale' is not possible, given the variety of processing operations and organisations. Nevertheless, the guidelines set forth certain criteria for determining whether processing is on a large scale, such as:
- the number of subjects concerned (either as a specific number or as a proportion of the relevant population);
- the volume of data and/or the range of different data items being processed; and
- the duration, or permanence, of the data processing activity.
The Data Protection Act uses the same criteria. Pursuant to item 15 of its Supplementary Provisions, processing on a large scale means the processing of personal data of a significant or unlimited number of data subjects, or of a significant or unlimited data volume, where the core activities of the controller or processor, including the means of exercising them, consist of such operations.
Following the entry into force of the GDPR, controllers and processors, including those involved in the clinical trial process, considered the appointment of a DPO an additional administrative burden. Only after some time did controllers begin to consider the role of the DPO as facilitating everyday processing. In 2020, this point of view was strengthened by the issuance of the CPDP's instruction regarding the controller's and processor's obligation to notify the CPDP in the event of designation of a DPO (only available in Bulgarian here). Pursuant to this instruction, the role of a DPO may be carried out not only by individuals but by legal entities as well, subject to the identification of a particular individual within that entity who shall be responsible for the particular controller/processor. As a result of this guidance, legal entities have become more confident in designating a DPO on a voluntary basis by engaging legal entities that provide professional DPO services, instead of struggling with the limited internal resources of a single individual.
Outsourcing means 'contracting out of a business function (commonly one that has been previously performed in-house) to an external provider'. Bulgarian law does not provide explicit provisions on outsourcing and, indeed, the term 'outsourcing' is used rather inconsistently both in practice and in legal writing. The difference between outsourcing and assignment is that outsourcing involves contracting out an entire business function to an external provider, while assignment is the supply or delivery of a particular result or service.
Clinical trial outsourcing in Bulgaria is best illustrated by the activities of the clinical research organisation ('CRO'). According to Article 71 of the Clinical Trials Regulation, the sponsor may delegate, by virtue of a written contract, any or all of its tasks to an individual, a company, an institution, or an organisation (the CRO), while remaining fully responsible for the safety of subjects and the reliability and robustness of the data generated in the clinical trial. There are no further detailed rules in respect of the CRO or of sponsor-CRO relations; the outsourced function is governed by the corresponding application of the rules on the rights and obligations of the sponsor, as well as by contractual provisions.
From a purely theoretical perspective, since CRO agreements would be qualified as sui generis agreements concluded on the basis of freedom of contract, the general principles of contract law apply. In the absence of specific statutory regulation and of court or administrative practice, it is advisable that all clinical trial-specific obligations, including data processing and data management, be explicitly set out in the agreement. In addition, the functions and obligations transferred from the sponsor to the CRO should be explicitly identified. Those that were not specifically transferred remain with the sponsor and, where this is unclear, a dispute may arise as to the roles of the parties. From the point of view of data protection law, the CRO would have the role of data processor, except where it processes the data for its own purposes. A need for DPIAs and the designation of a DPO may arise for the CRO as well.
The CRO industry in Bulgaria is growing rapidly (especially given monitoring and regulatory processes that employ large workforces, local specifics, the use of databases, electronic data capture, and the language barrier), and this trend is expected to continue in the years to come.
7. Data Transfers
The rules of the sector-specific legislation related to clinical trials in this country do not regulate personal data transfers to third countries (i.e., countries outside the EEA); therefore, the respective rules of the GDPR apply. Any anticipated data transfer to a third country, or access to personal data from a third country, would be lawful only provided that the transfer of personal data (i.e., the processing consisting of disclosure of personal data) complies with the general principles of Article 5 of the GDPR, relies on a legal basis under Article 6 of the GDPR, and either an adequacy decision (Article 45 of the GDPR) or appropriate safeguards (Article 46 of the GDPR) are in place. In the absence of an adequacy decision or of appropriate safeguards, a transfer of personal data to a third country may take place only when one of the relevant derogations under Article 49 of the GDPR applies (for example, when the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such a transfer due to the absence of an adequacy decision and appropriate safeguards).
8. Breach Notification
Unauthorised or accidental disclosure of personal data can negatively impact the personal and professional lives of trial subjects or patients (e.g., disclosure to employers, insurers, or colleagues may result in discrimination in the workplace or in insurance and banking). In a data protection context, such risks are addressed by several mechanisms, one of which is the rules for notification and handling of a data breach.
The GDPR defines a data breach as a 'breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed', and provides for strict notification rules both in respect of processors and controllers. As per such rules, if a breach occurs, the controller has the following obligations:
- Notification to the CPDP: as per Article 33 of the GDPR, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach, notify the CPDP. The minimum requirements as to the content of the notification are outlined in Article 33 and include:
  - a description of the facts;
  - the nature of the breach;
  - the categories and approximate number of data subjects and data records concerned;
  - the contact details of the DPO;
  - a description of the likely consequences of the personal data breach; and
  - the measures taken or proposed to be taken to mitigate the risks.
- Notification to the individual concerned: in limited cases, where the personal data breach is likely to result in a high risk to the rights and freedoms of the individual, the controller should communicate the data breach to the individual concerned. Such notification should be transparent and describe in clear and plain language the nature of the personal data breach. The obligation has certain exceptions where notifying the data subject is not required (Article 34 of the GDPR). For example, the obligation to notify the data subject does not apply if:
  - the controller has implemented appropriate technical and organisational protection measures, those measures were applied to the personal data, and the data has become unintelligible to any person who is not authorised to access it; or
  - the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
In September 2021, the CPDP approved and published a standard form for data breach notifications under Article 33 of the GDPR (only available in Bulgarian here), containing a detailed questionnaire. According to the instructions accompanying the publication, use of the standard breach notification form is not mandatory; however, regulated entities should be aware that if relevant information is not provided with the initial notification, the CPDP will request that it be provided in sufficient detail.
9. Data Subject Rights
The GDPR regulates a number of data subjects' rights, including the right to be informed, the right of access to personal data, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and rights related to profiling and automated decision-making. Due to the lack of any explicit provisions in the sector-specific legislation, all such rights are also valid for trial subjects.
To balance individuals' rights with the interests of society, however, Article 89 of the GDPR provides the option to derogate from some of the individual's rights, in particular the right of access to personal data, the right to rectification, and the right to restriction of processing. These rights may be restricted under certain conditions: the personal data must be processed for scientific or historical research purposes, the derogation must be laid down in EU or Member State law, the exercise of such rights must be likely to render impossible or seriously impair the achievement of the specific purposes, and the derogations must be necessary for the fulfilment of those purposes. In addition, the derogations may be used only subject to appropriate safeguards, which (except for the pseudonymisation mentioned in Article 89 of the GDPR) are yet to be detailed.
Bulgarian law sets out a limited number of exceptional cases, in addition to those in the GDPR, where the controller has no obligation to comply with the abovementioned rights of the data subject. Under the Data Protection Act, the controller may refuse, in whole or in part, the exercise of the data subject's rights if fulfilment of the corresponding obligation by the controller may put at risk important objectives of public interest, including public health. The Data Protection Act does not define the term 'public health'. In most cases, public health should be construed under the World Health Organization's definition of public health as 'the art and science of preventing disease, prolonging life and promoting health through the organised efforts of society', and should not be confused with the interests of individual players such as insurers or employers.
The terms and conditions for implementing the public health exception should, however, be outlined in a legislative instrument complying with Article 23(2) of the GDPR. So far there is no such measure provided for in Bulgarian law.
The measures and sanctions concerning data protection infringements are set forth in the GDPR. Under the GDPR, there are two maximum levels for the penalties. For particularly severe violations (Art. 83(5) GDPR), the CPDP, taking into account the nature of the infringement and several other factors, may impose penalties of up to €20 million or 4% of the relevant undertaking's total annual worldwide turnover in the preceding year, whichever is higher. The maximum amount of €10 million or 2% of the undertaking's total annual worldwide turnover in the preceding year, whichever is higher, applies to the less severe violations listed in Art. 83(4) GDPR. In addition, for infringements of obligations that are not provided for in the GDPR, the Data Protection Act provides for a fine against the controller or processor not exceeding BGN 5,000 (approx. €2,560) for the first infringement and double the amount of such sanction in case of repeated violation.
The CPDP also has the power to apply other administrative measures, such as issuing warnings, imposing temporary or definitive limitations on data processing, and ordering the rectification or erasure of personal data. By law, the supervisory authority may decide to apply only administrative measures, to impose a monetary penalty, or to apply both types of sanction together.
Based on the 2021 CPDP Annual Activity Report (the latest annual report issued by the CPDP, available in Bulgarian only here), in 2021 the CPDP reviewed 29 complaints in the healthcare sector. Most of these complaints concerned violations of Article 6 of the GDPR (processing of personal data without a legal basis), as well as processing of personal data in violation of the principles of Article 5 of the GDPR. Violations related to data security and to the technical and organisational measures taken by controllers to protect personal data, as well as violations related to failure to act on data subject requests or acting after expiry of the statutory time limits, have also been identified. According to the same report, the fines and pecuniary sanctions imposed in 2021 ranged from BGN 100 (approx. €50) for violation of Article 12(3) of the GDPR to BGN 30,000 (approx. €15,000) for violation of Article 5 of the GDPR.
11. Other Areas of Interest
Since 1 January 2019, the Health Act has provided for the establishment of the National Health Information System, which is to keep electronic health records for each citizen and provide for the centralised management and storage of information regarding electronic prescriptions and electronic referrals for medical diagnostic tests. The system started to function de facto at the end of 2020 without statutory regulation of the specific details concerning data processing. In particular, following the amendment of the Ordinance for exercising the right of access to medical care made in December 2020 and the implementation of the specialised medical and pharmacy software packages in mid-2021, physicians (both primary care physicians and medical doctors at healthcare facilities for out-patient and in-patient care) can sign electronic prescriptions and issue electronic referrals for medical diagnostic tests to patients from their registry. In 2022, e-documents for medical examinations also became part of healthcare activity in Bulgaria.
Currently, the terms and procedures for use of the statutory registries and the databases and information systems that are part of the National Health Information System, including the terms and conditions for access to citizens' electronic health entries are regulated by the Health Act and the Ordinance for the functioning of the National Health Information System. Based on the rules set out therein, the information in the electronic health entry will be fed in by the medical facilities. Certain statutory authorities that have been legally granted access to registries of national importance, shall have access to the electronic health entry as well. Access for certain other parties (insurers, medical facilities, and the National Health Insurance Fund) shall be granted only under the explicit consent of the individual and solely for carrying out their functions. Participants in the clinical trial (sponsor, investigator, and institution) are not amongst the entities explicitly listed as having access to the electronic health entry. Thus, to access the data, the sponsor, for example, needs explicit consent from the trial subject. In addition, the electronic health entry shall contain data concerning health and the sponsor may not be able to obtain valid consent for personal data processing due to the imbalance in the relationship between the parties.
Initially, stakeholders hoped that, before the full implementation of the National Health Information System, the CPDP would focus on health-related data processing issues and that many of the problematic areas would be resolved by the upcoming legislation through closer collaboration between the legislator and the CPDP. Indeed, the CPDP was consulted under the procedure of Article 36(4) of the GDPR in respect of the draft Ordinance for the functioning of the National Health Information System. Its opinion strongly criticised the draft, identifying many issues, including:
- the lack of comprehensive description of the purposes pursued by processing and very vague wording of such purposes, resulting in difficulties in clearly, comprehensively, and accurately defining the categories of data required to be processed and to assess the roles and functions of the actors in the system;
- the lack of detailed regulation of the ways and means of providing information and ensuring transparency in the processing of personal data through the system;
- the Data Governance Act, as well as other relevant upcoming EU regulations, such as the Artificial Intelligence Act, the European Health Data Area Regulation, and others have not been taken into consideration;
- the rights of data subjects were a key concern with the proposed regulation, since the draft simply refers to the general GDPR regime and does not take into account the specificity, objectives, and complexity of the system;
- the principles for Data Protection by Design and by Default were not taken into consideration insofar as the ordinance was developed in respect of the information system already in place; and
- data transfers to third countries and the terms and conditions for such transfers are not regulated, although this omission undermines control over such transfers.
Most of the important issues that the CPDP identified, however, were not addressed in the final version of the Ordinance for the functioning of the National Health Information System, which was published at the end of 2022 and has been in force since 1 January 2023.
Milka Ivanova, Senior Associate
Djingov, Gouginski, Kyutchukov & Velichkov, Sofia