Author: Preslav Baldzhiev
On 25.05.2018, the General Data Protection Regulation (GDPR/Regulation) entered into force; it has become fundamental not only for the EU but also for countries outside the European Union. According to Article 97, every 4 years, starting from 25.05.2020, the European Commission must produce a report evaluating and reviewing the Regulation.
What is GDPR?
The GDPR is a legal act (regulation) that is binding in its entirety on all EU Member States. Upon its entry into force, it repealed a previous legal act (Directive 95/46), which is a different type of legal act (directive) and which prescribes only the result to be achieved. By comparison, the Regulation obliges the EU Member States to take concrete steps to achieve concrete results.
The GDPR can be defined as a comprehensive legal act, as it introduces new terms (for example, Data Protection Officer), clarifies the models that the Member States must follow, and provides for sanctions.
What changes have the GDPR introduced?
For the most part, the provisions laid down in the GDPR are also found in one form or another in the national legislation of the Member States. This legal act was drafted to unify the legislation that EU countries have adopted in the field of personal data. Whether it introduces innovations or only supplements already established rules, the GDPR emphasizes the importance of several key elements:
- Guaranteeing the rights of the users – The new obligations of Data Controllers stem from the guarantees that the Regulation provides for the users’ rights. An example of a guaranteed right is the right to be forgotten (refusal of further processing of personal data).
- Privacy – The GDPR guarantees privacy and especially the protection of personal data. One of the mechanisms by which this privacy is achieved is the right of users to refuse the processing of their personal data for purposes other than those for which the personal data were collected.
- Transparency – The Regulation obliges Data controllers to prove that they comply with the requirements of this legal act. This includes the proper storage, processing and protection of personal data, the appointment of a Data Protection Officer and others.
- Public Awareness – This is a purely psychological consequence. The importance of the Regulation has made more and more EU citizens aware of their rights and possible ways of protection, and not only in the field of personal data.
What are the most common violations of the GDPR?
In a typical rebellious style, one would say that rules are designed to be broken. Alas, this is not the case with the provisions that the Regulation introduces – the idea of compliance with the provisions set out in the GDPR is reinforced by the fines provided for in it. Nevertheless, the competent authorities have found many violations. These violations cannot be explained by the ineffectiveness of the sanctions, but rather by the lack of awareness of the Data Controllers.
The most common violation is related to the grounds for processing personal data. The Regulation provides for 6 grounds, which are applicable in different situations, namely:
- Consent – This consent should be freely, specifically and explicitly expressed by the data subject, and his or her judgment (whether or not to give consent) should be based on his or her informed opinion. However, in the minds of many Data Controllers there is a perception that this ground is always applicable and that it eliminates the need for the other five grounds for processing personal data. In fact, if the processing of personal data is based on any other ground, the data subject does not need to give consent (such consent would even be invalid).
- Performance of a contract – When personal data is processed on the basis of “performance of a contract”, the data subject must be a party to the contract. The form of the contract does not matter, but in order to facilitate proof, it is advisable to conclude a written contract between the parties.
- Legal obligation – Legal obligations derive from the law and concern only the Data Controller. The key point here is that the Data Controller should be able to specify a legal norm, be it in Bulgarian or European legislation, on which to base his obligation to process personal data.
- Vital interests – The vital interests concern the life or health of the data subject (or possibly of another individual). As can be seen from the brief explanation, this ground applies to sensitive personal data.
- Public interest – Public interest should be understood as everything related to the well-being of society. On this basis, personal data are processed by state and municipal authorities within their competence and powers.
- Legitimate interest – The legitimate interest is important for the Data Controller (and possibly for third parties). Relying on this ground, the Data Controller should establish whether his legitimate interest takes precedence over the interests and fundamental rights and freedoms of the Data subject. If the answer is in the affirmative, then the ground will be lawful. Otherwise, the legitimate interest will not be a valid ground.
Apart from the unlawfulness of the grounds, another common violation is non-compliance with the principles of processing (they will be discussed in detail in one of the following articles). The most frequently violated principles can be reduced to four, namely:
- lawful and good-faith (bona fide) processing;
- proportionality of the volume of personal data to the purposes of their processing;
- integrity;
- accuracy and, where necessary, keeping the data up to date.
The third type of violation is related to the measures taken to protect the processed personal data. Although we have listed them third, such breaches have serious consequences, as they are related to the leakage of personal data, and this, in itself, creates conditions for the misuse of personal data.
The fourth type is infringements in which data subjects are not given the opportunity to exercise their rights. Examples of such rights are the right to be forgotten, the right to withdraw consent, and so on. This may seem like a minor violation at first glance, but such an inability to exercise a right places a particular burden on the Data Controller, especially in light of the perception that the data subject is the weaker party.
Tips to avoid the most common breaches of GDPR
With such problems, it is quite natural to look for ways to avoid these violations, and thus the imposition of sanctions. The advice to be given to Data Controllers can be grouped into the following three groups:
- High theoretical and practical qualifications – In most cases, breaches of the provisions of the Regulation can be avoided with a good knowledge of the theoretical provisions of the document, as well as of its practical application. It is quite natural for Data Controllers to turn to specialists in the field of personal data protection, who will give them guidelines and recommendations on the methods and rules of processing.
- Adequate and complete protection – When it comes to personal data, each data subject will approach with caution before providing personal data. This is where the role of the Data Controller comes in, and in certain cases also that of the Data Processor, who are obliged to ensure the necessary physical, technical and software protection of the provided data. Such protections may include the use of a safe if the data is kept on paper, or the use of passwords to access certain premises or computer networks. More detailed guidance can be provided by security experts and the Data Controller’s cybersecurity unit.
- Clear judgment in the collection of personal data – As mentioned above, there are many cases in which fines are imposed simply because the Data Controller has exceeded his rights in processing personal data. The reasons for such errors, to call them that conditionally, can be different, but most often they come down to the lack of a clear idea of why and for what purpose personal data is collected. The rule “The more, the better” is not always the best advice for a Data Controller to follow. A specific recommendation in the light of this prevention mechanism is difficult to give, especially given that each processing of personal data is different. Therefore, it is necessary for the Data Controller to have a clear idea of why, how and in what way this personal data will be processed by him.
What follows from now on?
Although the GDPR came into force about four years ago, its implementation is an ongoing, dynamic process that requires constant attention to the development of technology. This is exactly what requires the setting of new targets for the next 4-year period, until the next Report of the European Commission:
- Harmonization of National legislation – The GDPR currently contains provisions that can be specified by Member states. It is envisaged that this approach will not be used in the future and this should lead to a reduction and possible elimination of fragmentation in the National legislations.
- Ensuring the independence of National authorities – National authorities involved in monitoring and enforcing the GDPR have proved to be a key link in implementing the Regulation. Therefore, the European Commission will continue to promote their independent activity and provide them with any necessary means related to the implementation of the Regulation.
- Assisting Member States – Even before the GDPR came into force, a Working Group was set up to facilitate communication with each Member State. This Working Group will continue to exist and provide the necessary assistance to the countries of the European Union.
Conclusion:
Since its entry into force, the GDPR has proved to be a key long-term legal act that ensures that personal data, related to the free movement of goods, persons, services and capital, will remain protected. The Regulation not only provides security for data subjects but also creates a single legislative system that makes compliance easier for each Data Controller, whether from a Member State or from outside the European Union.
This material, prepared by Preslav Baldzhiev, aims to provide more information about the implementation of the GDPR in Bulgaria several years after the entry into force of the Regulation, as well as about the most common infringements of personal data protection rules. It does not constitute a legal opinion and cannot be interpreted as individual consultation on any concrete facts or circumstances. The advice of a specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact the team of the law firm of Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of the website. Since 2017 Preslav Baldzhiev has been a law student at Sofia University “St. Kliment Ohridski”, having previously graduated from the High School of Mathematics and Natural Science “Acad. Nicola Obreshkov” in Burgas. In February 2020 he took a course for industrial property representatives at the Patent Office of the Republic of Bulgaria in the field of trademarks, geographical indications and industrial designs. He is interested in intellectual property, personal data protection, commercial law and the law on obligations and contracts, and also regularly attends conferences, practical courses, seminars and webinars.