Bulgarian PDPC Adopted a List of Processing Operations Requiring Prior Consultation
28/09/2022
The Bulgarian Personal Data Protection Commission (PDPC) has adopted a list of personal data processing operations for which a controller or processor under Chapter Eight of the Bulgarian Personal Data Protection Act (PDPA) must conduct a mandatory preliminary consultation with the PDPC. Chapter Eight of the PDPA transposes certain provisions of Directive (EU) 2016/680, among them the requirements of Art. 28 of the Directive. The list was adopted by the PDPC on the basis of Art. 65, para. 3 of the PDPA, which transposes Art. 28, para. 3 of the Directive. The list is non-exhaustive and can be updated if necessary, following the procedure by which it was adopted.
According to this list, the processing operations that require mandatory prior consultation with the PDPC before they begin are as follows:
1. Regular and systematic processing of location data with technical means in order to control compliance with restrictive measures under Art. 58 of the Criminal Procedure Code.
2. Large-scale processing of personal data of children for the purposes of prevention, investigation or disclosure of anti-social acts or crimes committed by or against minors, incl. for the purposes of applying educational measures or punishments.
3. Large-scale processing of special categories of personal data, when it is related to automated decision-making, incl. for the purpose of performing a criminological analysis.
4. Carrying out systematic large-scale monitoring of publicly accessible areas, when this is related to automated decision-making, incl. facial recognition.
5. Carrying out data migration from existing to new technologies when it is related to large-scale data processing.
The PDPC considers all of the processing operations listed above likely to pose a high risk to the rights and freedoms of data subjects.
The adopted list applies to processing operations performed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. It also provides an indication of the types of processing activities that the PDPC may consider to pose a high risk to the rights and freedoms of data subjects. Thus, even where the controller does not fall within the scope of the Directive and is instead obliged to comply with the GDPR, if it plans to perform processing operations that are included in the list above or are similar to a listed operation, this could be an indication that it would be appropriate for the controller to perform at least a data protection impact assessment under Art. 35 GDPR.
By Dimitrov, Petrov & Co., Bulgaria, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact bulgaria@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.