Author: Preslav Baldzhiev
Personal data represents a huge part of the information flow that passes through the Internet. Whether we send the location of our new home so that our guests can find it more easily, or leave details such as names and phone numbers so that the courier can contact us – personal information is always in circulation, and its recipients process it in one form or another.
But is all processing permitted? When is it necessary for the Data Controller or the Data Processor to conduct preliminary consultations with the competent authority, the Commission for the Protection of Personal Data (CPPD)? What are the consequences if such consultation does not take place? The answer to these and other questions, directly or indirectly related to the processing of personal data, will be given in the following lines.
What is personal data processing?
The basic act concerning the processing of personal data is Regulation 2016/679, known in public circles as GDPR. Thanks to its comprehensiveness, the Regulation regulates several key concepts, one of which is the processing of personal data.
According to Art. 4, paragraph 2 of the GDPR, processing means „any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction“.
When are consultations mandatory?
According to Article 65, para. 1 of the Personal Data Protection Act (PDPA), the Data Controller or Data Processors should consult in advance (before the start of personal data processing) with the CPPD or the Inspectorate of the Supreme Judicial Council (Inspectorate) when the processing will be part of a new, not yet created register of personal data, if this processing:
- poses a high risk (regardless of the measures taken); or
- involves new technologies, mechanisms, or procedures that imply a high degree of risk to the rights and freedoms of the subjects of personal data.
As written, the provision does not carry any specifics but relies entirely on the discretion of the Data Controller or Data Processors. For a clearer understanding of these conditions and their greater refinement, the CPPD approved and published on its official website a list of personal data processing operations (called the List) based on Art. 65, para. 3 PDPA. The list is not exhaustive, and the Commission reserves the right to update and change it at any time.
What does the List contain?
The List is divided into two parts. The first presents general situations – generally speaking, the reasons for preparing and approving such a document. Particular attention should be paid to the second part of the List, as it contains a non-exhaustive list of personal data processing operations that require prior consultations. At the time of writing this article, there are 5 listed grounds:
- The regular and systematic processing of data on the location of persons with technical means in order to control compliance with a remand measure under Art. 58 of the Code of Criminal Procedure – This refers to the measures of signature, guarantee, house arrest, and detention. This ground applies to the relevant bodies of pre-trial and judicial proceedings, which monitor compliance with the imposed measure.
- Large-scale processing of personal data of children for the purposes of prevention, investigation, or disclosure of anti-social acts or crimes committed by or against minors, incl. for the purposes of applying educational measures or punishments – This ground again concerns the bodies of the pre-trial and judicial proceedings.
- Large-scale processing of special categories of personal data under Art. 51, para. 1 of the PDPA, when it is related to automated decision-making, incl. for the purpose of carrying out criminological analysis – According to the PDPA, special categories of personal data are data revealing racial or ethnic origin, political views, religious or philosophical beliefs, membership in trade unions, processing of genetic data, biometric data for the purpose of uniquely identifying the natural person, data related to the state of health or sex life and sexual orientation of the person. The processing of such information carries greater risks than standard categories of personal data.
- Carrying out systematic large-scale monitoring of publicly accessible areas, when this is related to automated decision-making, incl. facial recognition – Such publicly accessible areas can be bus stops, stadiums, sports and concert halls, etc. Such surveillance is carried out as a preventive measure and with the idea of preserving the property located in the publicly accessible area.
- Migration of data from existing to new technologies, when this is related to large-scale data processing – Migration should be understood as the transfer of this data at the initiative of the Data Controller or the Personal Data Processor.
What happens if no consultation takes place?
The mandatory nature of consultations is also reinforced by a sanction, as the PDPA refers to the GDPR. In the event that the Data Controller or the Data Processor does not comply with their legal obligations, a fine or a pecuniary sanction of up to 10,000,000 euros or, in the case of an enterprise, up to 2% of the total annual worldwide turnover for the previous financial year shall be imposed (whichever amount is higher applies).
The legislation governing personal data has focused on the priority protection of the subjects of personal data – something clearly visible from the reviewed List. Such an approach is equivalent to an increased number of obligations for the Data Controller and Data Processors, which often leads to the abstractness of the formulated rules of conduct. This lack of specificity is often avoided with similar acts (such as the List), through which Administrators and Processors of personal data receive the guidance they need in their activities.
This material, prepared by Preslav Baldzhiev, aims to provide more information about personal data processing operations for which prior consultation is needed. It does not constitute a legal opinion and cannot be interpreted as individual consultation on any concrete facts or circumstances. The advice of a specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact the team of the law firm of Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of the website.
Preslav Baldzhiev has been a law student at Sofia University “St. Kliment Ohridski” since 2017, having previously graduated from the High School of mathematics and natural science “Acad. Nicola Obreshkov” in Burgas. In February 2020 he took a course for industrial property representatives at the Patent Office of the Republic of Bulgaria in the field of trademarks, geographical indications, and industrial designs. He is interested in intellectual property, personal data protection, commercial law, and the law on obligations and contracts, and also regularly attends conferences, practical courses, seminars, and webinars.