Instruction under Ordinance No. 1 of 30 January 2013 for the minimum level of technical and organizational measures and the allowed type of personal data protection

According to the Personal Data Protection Act, the personal data controller shall take appropriate technical and organizational measures to protect data against accidental or unlawful destruction, or against accidental loss, unauthorized access, alteration or dissemination, as well as against other unlawful forms of processing. The personal data controller shall determine the time limits for carrying out a periodical assessment of the data processing needs and personal data deletion. The data controller shall take special protection measures when processing involves the transmission of data by electronic means. The measures shall take into account the modern technological achievements and ensure a level of security adequate to the risks related to processing, and the nature of the data to be protected. The measures and the time limits shall be determined in an instruction issued by the personal data controller. Therefore the personal data controller is obliged to accept instruction on the protection of personal data under Ordinance No. 1 of 30 January 2013 for the minimum level of technical and organizational measures and the allowed type of personal data protection.

According to Article 20 of Ordinance No. 1 of 30 January 2013 the instruction on the protection of personal data shall include:

  1. identification of the data controller;
  2. general description of the registers maintained – categories of personal data and reasons for their processing;
  3. technological description of maintained registers – data media, processing technology, a period of storage life and services rendered;
  4. determining the positions associated with processing and protection of personal data, their rights, and obligations;
  5. impact assessment and determination of the respective level of protection – extremely high, high, medium, low;
  6. description of the technical and organizational measures taken;
  7. actions for protection in case of accidents, incidents, and disasters (fire, flood, etc.);
  8. provision of personal data to third parties – reasons, purposes, categories of personal data;
  9. time-limit for conducting periodic reviews of the need for data processing and deletion of data;
  10. determining the procedure for the implementation of the obligations under Article 25 of the Personal Data Protection Act. According to Article 25 of the Personal Data Protection Act after the achievement of the purpose of personal data processing or before the termination of the personal data processing, the data controller shall be required either to destroy the data or transfer them to another data controller by preliminary notification to the Commission, if such transfer is specified in a law and the purposes of processing are identical.

It is important to note that the information referred to under item 2 to 10 above shall be described for each of the registers maintained. The main registers maintained by the personal data controller are “Staff – full-time and part-time” register as well as “Contractors” register.

Due to the above-mentioned peculiarities when drafting an instruction on the protection of personal data the assistance of a specialist with experience in this area is recommended to be sought. The specialist will draft the instruction on the protection of personal data, that will contain all the information required under Article 20  of Ordinance No. 1 of 30 January 2013.

Krasimira Kadieva will gladly assist you with the drafting of the instruction on the protection of personal data as well as with the registration as a data controller by providing professional advice and preparation of all necessary documents.

EACH CLIENT WILL RECEIVE A FREE E-BOOK CONTAINING ARTICLES WITH USEFUL INFORMATION ABOUT TRADEMARKS.

FOR YOUR NEXT ORDER OF ANY OF OUR SERVICES YOU WILL RECEIVE UP TO 15% DISCOUNT.

For more information on the above-mentioned issues and individual consultations, please contact Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of this website. Krasimira Kadieva is a Bulgarian and European trademark and design attorney. Krasimira Kadieva will gladly assist you with the drafting of the instruction on the protection of personal data as well as with the registration as a data controller.