1. Governing Texts

1.1. Legislation

• The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). For requirements under the GDPR, please see our EU - Vendor Privacy Contracts Guidance Note, or select 'EU' within the Comparison tool
• The Protection of Personal Data Act 2002 (last amended in 2019) ('the Act')

1.2. Regulatory authority guidance

The European Data Protection Board ('EDPB') has released:

• Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) (12 July 2019); and
• Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (version under public consultation).

The Commission for Personal Data Protection ('the Commission') has issued the following Opinions:

• Opinion on issues related to the determination of the qualities 'controller' and 'processor of personal data' in the relationship between insurance companies and medical institutions (only available in Bulgarian here); and
• Opinion on the clarification of the relationship between controllers and processors between the National Health Insurance Fund and pharmacies under the GDPR (only available in Bulgarian here).

The Inspectorate with the Supreme Judicial Council ('the Inspectorate') has not issued any guidance or opinion.

1.3. Regulatory authority templates

The European Commission has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:

• Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council;
• Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries; and
• Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC).

The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:

• Recommendation on the Standard Application form for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data | WP 264 rev.01 (18 April 2018);
• Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data | WP 265 rev.01 (18 April 2018);
• Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules | WP 256 rev.01 (9 February 2018); and
• Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules | WP 257 rev.01 (9 February 2018).

2. Definitions

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Article 61(3) of the Act requires that processing by a processor must be governed by a contract or other legal act under Union or the legislation of the Republic of Bulgaria, that is binding on the processor.

In addition, Article 61(4) of the Act provides that the contract shall be in writing, including in electronic form.

3.2. What content should be included?

Article 61(3) of the Act stipulates that the contract should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller

In addition, the contract or other legal act shall stipulate, in particular, that the processor (Article 63(1) to (6) of the Act):

• acts only on instructions from the controller;
• ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• assists the controller by any appropriate means to ensure respect for the rights of the data subject;
• at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of data processing services, and deletes existing copies unless Union law or the law of the Republic of Bulgaria requires storage of the personal data;
• makes available to the controller all information necessary to demonstrate compliance with this Article; and
• complies with the conditions referred to above and Article 63(2) of the Act in engaging another processor.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Article 61(3)(3) of the Act stipulates that the contract or legal act shall stipulate that the processor assists the controller by any appropriate means to ensure respect for the rights of the data subject (see the section on Contractual Requirements above).

Furthermore, Article 25e of the Act states that the data controller or processor shall adopt and apply rules for large scale personal data processing or for a large-scale systematic monitoring of publicly accessible areas, including video surveillance, if the controller or processor implements appropriate technical and organisational measures for safeguarding the rights and freedoms of data subjects. Article 25e further outlines that the rules on large scale systematic monitoring of publicly accessible areas shall state the legal grounds for setting up a monitoring system, its scope and means, storage period of the information records and their erasure, the individuals' right of access, the provision of information to the public about the monitoring, as well as restrictions with regard to the access of third parties.

In addition, Article 37a of the Act provides that data controller or processor may deny the data subjects the exercise, wholly or partially, of the rights pursuant to Articles 12 to 21 of the GDPR and may not perform the obligation pursuant to Article 34 of GDPR, where the exercise of the rights or the performance of the obligation would result in a risk to:

• national security;
• defence;
• public order and security;
• the prevention, investigation, detection or prosecution of criminal offences or the enforcement of criminal penalties, including the safeguarding and the prevention of threats to public security;
• other important objectives of general public interest, in particular, an important economic or financial interest, including monetary, budgetary and taxation matters, public health and social security;
• the safeguarding of judicial independence and judicial proceedings;
• the prevention, investigation, detection and prosecution of breaches of codes of ethics for specifically regulated professions;
• the protection of the data subject or the rights and freedoms of others; or
• the enforcement of civil law claims. 

For further information see Bulgaria – Data Subject Rights.

For further information on data subject rights under the GDPR see EU-GDPR Data Subjects Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Article 62(2) of the Act provides that a data processor shall maintain a record of the categories of personal data processing activities which shall contain:

• the name and contact details of the processor or processors, of each data controller on behalf of which the processor is acting, and, where applicable, of the data protection officer ('DPO');
• the categories of processing of personal data carried out on behalf of each controller;
• where applicable, transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of the said third country or international organisation; and
• where possible, a general description of the technical and organisational security measures referred to under Article 66 of the Act.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Article 61(1) of the Act stipulates that a data controller may entrust the processing of personal data, only to processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Act, and ensure the protection of the rights of the data subject.

Further to this, Article 66(1) of the Act states that the controller and the processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular as regards the processing of the categories of personal data referred to in Article 51(1) of the Act. In addition, Article 66(2) of the Act goes further to stipulate that, in respect of automated processing, the controller or processor, following an evaluation of the risks, shall implement measures designed to:

• equipment access control: deny unauthorised persons access to processing equipment used for processing of personal data;
• data media control: prevent the unauthorised reading, copying, modification, or removal of data media;
• storage control: prevent the unauthorised input of personal data and the unauthorised inspection, modification, or deletion of stored personal data;
• user control: prevent the use of automated processing systems by unauthorised persons using data communication equipment;
• data access control: ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation;
• communication control: ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment;
• input control: ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input;
• transport control: prevent the unauthorised reading, copying, modification, or deletion of personal data during transfers of personal data or during transportation of data media;
• recovery: ensure that installed systems may, in the case of interruption, be restored;
• reliability: ensure that the functions of the system perform and that the appearance of faults in the functions is reported; and
• integrity: ensure that stored personal data cannot be corrupted by means of a malfunctioning of the system.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

Article 67(2) of the Act stipulates that the processor shall notify the controller of a personal data breach without undue delay, but not later than 72 hours, after having become aware of the breach.

Moreover, Article 67(6) of the Act provides that the personal data breach involves personal data that have been transmitted by or to the controller of another EU Member State, the information referred to in Paragraph (3) shall be communicated to the said controller without undue delay but not later than seven days after the breach has been ascertained.

Additionally, Article 67(3) of the Act outlines the following information to be included in the breach notification:

• a description of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• the name and contact details of the DPO or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

For further information on breach notifications, see Bulgaria – Data Breach.

For further information on breach notifications under the GDPR, see EU – GDPR – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Article 61(2) of the Act provides that a processor may not engage another processor for processing, without prior specific or general written authorisation of the controller under Article 61(1) of the Act. Further, it states that, in the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, and the controller shall have the opportunity to object to such changes.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Article 62(2)(3) of the Act provides that the processor shall maintain a record of the categories of personal data processing activities carried out on behalf of a controller, which includes, where applicable, transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of the said third country or international organisation. 

However, the Act does not stipulate any restrictions or exemptions.

Following the publication of the CJEU's judgment C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which generally validated the SCCs while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB has released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed to assist controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses'.

For further information on data transfers under the GDPR, see EU – GDPR – Data Transfers.

10. Regularory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Generally, Article 12a of the Act stipulates that requested to do so, the data controller and processor shall provide assistance to the Commission in the fulfilment of its tasks and powers.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Data Protection Officer ('DPO')

Generally the Act does not require processors to appoint DPOs however, Article 15(1) stipulates that the Commission shall maintain a register of data controllers and processors which have designated a DPO.

Further to this, Article 25b of the Act establishes that the data controller and processor shall notify the Commission of the full name, the personal identification number or the foreigner personal number or another similar identifier, and of the contact details of the DPO, as well as of any ensuing changes. The form and content of the notification and the procedure for the submission of the said notification shall be determined by the Rules of Procedure pursuant to Article 9(2) of the Act.

For more information see Bulgaria - Data Protection Officer Appointment.

For further information on DPOs under the GDPR, see EU - Data Protection Officer Appointment.

Representative

There are no national variations.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

The Act does not explicitly stipulate requirements for ongoing monitoring of processors' compliance. However, Article 61(3)(5) of the Act stipulates that the contract or other legal act shall stipulate that the processor makes available to the controller all information necessary to demonstrate compliance with Article 62 of the Act.

Authored by OneTrust DataGuidance.

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.