Bulgarian PDPC has adopted a list of processing operations that require prior consultation which is addressed to the authorities subject to Directive (EU) 2016/680. This list does not directly apply to the activities of the controllers and processors subject to GDPR but provides an indication for operations which rise high risks and require DPIA and eventual prior consultation under GDPR as well.
.png)
Bulgarian Personal Data Protection Commission (PDPC) has adopted a list of personal data processing operations for which a controller or processor under Chapter Eight of the Bulgarian Personal Data Protection Act (PDPA) should conduct a mandatory preliminary consultation with the PDPC. The quoted Chapter Eight of PDPA transpose certain provisions of Directive (EU) 2016/680 among which the requirements of Art. 28 of the Directive. The list was adopted by the PDPC on the basis of Art. 65, para. 3 of the PDPA transposing Art. 28, para 3 of the Directive. This list is non-exhaustive, and it can be updated if necessary, in the order of its acceptance.
Based on this list the processing operations that require mandatory prior consultation with the PDPC before their start are, as follows:
All of the above listed processing operations are considered likely to pose a high risk to the rights and freedoms of data subjects by the PDPC.
The adopted list is applicable to processing operations performed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, it also provides an indication for types of processing activities which may be considered to rise a high risk to the rights and freedoms of data subjects by the PDPC. Thus, even in cases where the controller does not fall within the scope of the Directive and instead is obliged to comply with the GDPR, if it plans to perform processing operations that are included in the list above or similar to an enlisted operation, this could be an indication that such controller is appropriate to perform at least a data protection impact assessment under Art. 35 GDPR.