June 30, 2023

Bulgarian DPA Enforces Resource-intensive Procedures in Case of Data Breach Notifications

The Bulgarian DPA started implementing on a regular basis new detailed and resource-intensive procedures in case of data breach notifications. These involve complex questionnaires exceeding the scope of the breach and closer to full audit of the data processing activities of the controller and extensive requests for provision of documents and information within short deadlines.

I. Data Breach Procedure in Bulgaria

The Bulgarian Data Protection Authority (the Commission for Personal Data Protection – CPDP) started enforcing burdensome procedures in cases of data breach notification.  

Data Breach Notification

Notification of data breaches in Bulgaria is carried out by using a form published by the CPDP which, in addition to the information required under Art. 33 of GDPR, includes an assessment whether the data breach can lead to high risk for the rights and freedoms of the data subjects. First the CPDP examines the information provided in this form.

Methodology for Measuring the Level of Risk

The CPDP uses a Methodology for measuring the level of risk for the rights and freedoms of the data subjects. According to this methodology, the level of risk is assessed based on:

  1. severity of impact
  2. likelihood of the impact to occur.

Based on the result of the assessment the CPDP determines what measures to undertake after a data breach notification. According to the CPDP’s internal instruction in cases of:

- low level of risk the CPDP sends a notice that it accepted the data breach notification ‘for information’,

- middle level of risk the CPDP starts a documentation check,

- high level of risk the CPDP conducts an audit on-site. As a note, according to the CPDP’s Rules of Procedure an on-site audit may be carried out in all cases.

Questionnaires

The part of the data breach procedure which affects controllers the most is that the CPCP published and started implementing voluminous questionnaires for controllers. It sends them in cases of data breach notifications if it assesses that the level of risk is middle or high.

The main points of concern are:

  • Based on the methodology described above the CPDP sometimes may decide that the risk is middle or high even in cases where from a practical point of view the impact of the breach on data subjects is quite small. Sometimes even if small amounts of data or a limited number of data subjects are affected, the CPDP may still request filling of the questionnaires and sending additional information and documents.
  • The scope of the questionnaires usually exceeds the scope of the data breach and contains tens of general questions, and the procedure resembles more a full audit of the controller than a data breach check.

The questionnaire requires detailed information not only on the activities concerned by the data breach, but general information on the main activities and structure of the controller, as well as what records under Art. 30 GDPR it maintains, the legal grounds for processing it applies, the categories of data it processes, the assignment of processing activities under Art. 28, data exchange between controllers, data transfers and others. A whole part of the questionnaire is dedicated to the implemented technical and organizational measures, including concrete questions regarding specific measures for physical, personal and documental protection and protection of the automatic information systems and/or networks and encryption protection. Example: the questionnaire contains a question requesting a description of the established computer network and the information systems used for the processing of personal data.

  • The CPDP provides a really short deadline for getting back to them with all the information, usually seven days.
  • The CPDP may send additional questions after receiving the first batch of information and provide again a short deadline for their addressing.  
  • The CPDP may request numerous additional documents, such as a risk analysis carried out by the controller, a notification received from a data processor, and others.
  • All the information needs to be provided in Bulgarian, which additionally encumbers international companies.

II. Key Takeaways

CPDP’s practices concern all controllers with activities in Bulgaria and their legal counsels in case of data breach notification to the Bulgarian authority. In addition, although for the moment we at DPC do not have such cases, in accordance with the CPDP’s internal instruction it is possible for the authority to start sending questionnaires also in cases of complaints or alerts for data protection infringements.

*This text was first published in the Newsletter for Google Hubs prepared by Traple Konarski Podrecki i Wspólnicy.

Related insights

News

First steps towards ESG compliance in Bulgarian legislation

News

National mechanism for screening foreign direct investment related to the security or public order

News

DPC advised Evrotrust in a new investment round

News

Are your employees trustworthy enough not to get involved in money laundering?

How can we help you?

Innovative solutions and customer care.
Get in touch
+359 (2) 421 42 01
TeamCareersExpertiseAbout DPCInsightsContact
PRACTICES
Banking & Finance
Competition and Antitrust
Corporate and M&A
Dispute Resolution
Employment & Benefits
Energy Law
Environment & Natural Resources
Intellectual Property
Life Sciences
Public Procurement
Real Estate and Construction
Restructuring & Insolvency
Tax
Technology & Data
Telecom & Media
INDUSTRIES
Aviation
Banks
Capital Markets
Consumers & Retail
Digital & Technology
Energy
FinTech
Food & Beverages
Healthcare & Pharma
Infrastructure
Manufacturing
Real Estate
Telecoms
Transport
© All rights reserved 2007-2024 Dimitrov, Petrov & Co.
Design by StanVision
Terms & Conditions
|
Privacy policies
|
Cookie policyCookies