Rules on the Activity of the Commission for Personal Data Protection and its Administration
In force as from 30 July 2019
Promulgated in the State Gazette No. 60 of 30 July 2019, corrected in the State Gazette No. 63 of 9 August 2019, amended SG No. 52 of 9 June 2020, amended SG No. 32 of 26 April 2022
Chapter One
GENERAL PROVISIONS
Article 1. (1) These Rules regulate the structure and the organisation of proceedings of the Commission for Personal Data Protection, hereinafter referred to as “the Commission”, and of its administration.
(2) These Rules stipulate the proceedings before the Commission under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “Regulation (EU) 2016/679”) and under the Personal Data Protection Act (PDPA).
Article 2. The activity of the Commission is executed in conformity with the principles of legality, hierarchy in the application of legal acts, fairness, justice, solidarity, search for the objective truth, the ex officio principle, independence and impartial judgment, publicity, rapidity and procedural economy, succession and predictability, and equality of the parties in the procedures.
Chapter Two
STRUCTURE AND COMPETENCY OF THE COMMISSION
Section I
Structure
Article 3. (1) The Commission is an independent supervisory authority which protects individuals with regard to the processing of their personal data and access to these data, and which supervises compliance with Regulation (EU) 2016/679 and the PDPA.
(2) The Commission is a state budget financed legal person with a head office in Sofia.
(3) The Commission has a logo, a plaquette and a medal.
Article 4. (1) The Commission is a collegiate body which consists of a Chairperson and four members.
(2) In the implementation of the functions thereof, the Commission is assisted by an administration.
(3) The Commission may recruit external experts, interpreters and other professionals.
Section II
Competency of the Commission
Article 5. (1) The Commission exercises control for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of the personal data thereof and ensuring the free movement of personal data within the European Union and, to this end:
1. performs the tasks referred to in Article 57 and exercises the powers referred to in Article 58 of Regulation (EU) 2016/679 and the related functions and activities assigned thereto by Regulation (EU) 2016/679;
2. implements the tasks referred to in Article 10 (2) and Article 10a (2) of the PDPA.
(2) The Commission gives its pronouncement by way of decision on all matters within the competence thereof.
Section III
Chairperson and Members
Article 6. (1) The Chairperson executes the complete management of the Commission and, to this end:
1. represents the Commission;
2. is in charge of the Commission’s budget as first-level spender of budget credits;
3. organises the activity on the preparation of draft statutory acts of secondary personal data protection legislation;
4. makes official statements to the mass communication media on behalf of the Commission;
5. issues penalty decrees within the meaning given by the Administrative Infringements and Sanctions Act (AISA);
6. endorses, after a decision of the Commission, internal acts concerning the functioning of the Commission and the administration thereof;
7. approves internal wage rules for the employees at the CPDP in accordance with the requirements of the Civil Servants Act, the Labour Code and the acts of secondary legislation for the application thereof;
8. approves a staffing schedule listing the employees by name;
9. appoints and releases the employees working under a civil-service relationship and an employment relationship;
10. concludes and terminates the civil contracts of personal services with external experts recruited by the Commission;
11. endorses the job description of the Secretary General;
12. establishes, transforms and closes down departments after a decision of the Commission;
13. authorises business trips of the members of the Commission and the employees of the administration domestically and internationally;
14. submits to the Ministry of Finance a three-year budget forecast and a draft budget for the relevant year, which have been approved by way of decision of the Commission.
(2) Implementing the powers thereof, the Chairperson travels domestically and internationally without the issuing of a business travel authorisation. In such cases, the Secretary General of the Commission draws up an aide-mémoire which includes all details required for a business travel authorisation and business trip report.
(3) When the Chairperson is absent, the functions thereof under Paragraph (1) are implemented by a member of the Commission who has been appointed by an order of the Chairperson under a decision of the Commission.
(4) The Secretary General draws up an aide-mémoire on the use of a leave of absence by the Chairperson of the Commission for Personal Data Protection, which includes all details required for an order granting leave of absence of the relevant type.
(5) The financial proposals, memorandums, reports and aide-mémoires related to the expenses incurred by the Chairperson of the CPDP on domestic and international business trips, supplementary remunerations for results achieved and remunerations in connection with the participation thereof in nationally or internationally financed projects of the CPDP, clothing, materials and services, are approved or adopted by a member of the Commission who has been appointed by a decision of the CPDP.
(6) Other matters related to the working arrangements of the administration of the Commission may be regulated by an order of the Chairperson.
Article 7. The members of the Commission:
1. are on equal status and implement the functions thereof according to Regulation (EU) 2016/679 and the PDPA;
2. implement the powers of the Chairperson in the cases referred to in Article 6 (3) herein;
3. perform other activities after a decision of the Commission.
Section IV
Organization of the Commission’s work
Article 8. (1) The Commission examines and decides matters within the competence thereof at meetings open to the public.
(2) Particular meetings may be held behind closed doors by a decision of the Commission.
(3) Regular meetings of the Commission are held at least twice a month, with the day and start time being appointed with the decision of the Commission.
(4) Special meetings may be convened by the Chairperson or at the request of at least two members of the Commission, who propose an agenda for the holding of any such meetings. The rest of the members of the Commission are notified of the time of the holding and the agenda by the Secretary General.
(5) The agenda and the documents proposed for consideration are submitted to the Commission at least 24 hours in advance of the meeting.
(6) The Commission’s meetings are held if at least three members are present.
(7) The Commission adopts decisions in an open ballot by a majority of three votes. Members of the Commission may not abstain from voting.
(8) In case a majority required for the adoption of a decision cannot be reached at a meeting of the Commission, the matter is put to the vote at a subsequent meeting.
(9) After the completion of a meeting, the CPDP paperless meeting program generates an aide-mémoire in electronic form, containing the agenda and the operative part of the decisions adopted.
Article 9. The Chairperson or a member of the Commission is bound to recuse himself or herself when he or she is directly or indirectly interested in the outcome of proceedings initiated before the Commission.
Article 10. (1) The meetings of the Commission are presided over by the Chairperson.
(2) An absence of the Chairperson or of a member of the Commission from a regular meeting is admissible where he or she is:
1. on a business trip;
2. on legally established leave;
3. performing other urgent official work with the permission of the Chairperson, of which the rest of the members of the Commission have been informed in advance.
(3) If the Chairperson or a member is absent from a meeting of the Commission without (any or some) justification, the following deductions are made from the monthly remuneration of any such absentee:
1. for one absence: in the amount of 30 per cent of the gross monthly salary of the absentee for the relevant month;
2. for two absences: in the amount of 50 per cent of the gross monthly salary of the absentee for the relevant month;
3. for three and more absences: in the amount of two-thirds of the gross monthly salary of the absentee for the relevant month.
(4) The absences under Paragraphs (2) and (3) are noted in the minutes referred to in Article 11 herein, and an excerpt of the said minutes, after the signing thereof, is transferred to the accounting department for application of the requirements of Paragraph (3). If any member of the Commission in respect of whom a breach under Paragraph (2) has been noted does not sign the minutes or signs the minutes with a dissenting opinion, this is grounds for non-application of the requirements under Paragraph (3).
Article 11. (1) Minutes are taken of the proceedings at each meeting of the Commission, and the said minutes are signed by the Chairperson, by all members who participated in the meeting, and by a shorthand record keeper.
(2) The date and venue of the meeting, the type of meeting, the members of the Commission and the administration employees present, the stakeholders who presented themselves, the agenda as adopted, the statements made on the said agenda and the decisions adopted are mandatorily entered into the minutes.
(3) The minutes of proceedings at the meeting of the Commission are drawn up not later than three days after the meeting has been held.
(4) The Chairperson or a member of the Commission, who disagrees with a decision, signs the said decision with a dissenting opinion and states the reasons thereof for such dissent. The dissenting opinion together with the reasons is attached to the decision.
Article 12. The Commission may alternatively adopt a decision without meeting if the Chairperson and all members of the Commission agree with the decision and sign the said decision.
Article 13. The Commission and/or authorised employees thereof carry out investigations in the form of inspections in connection with data protection in accordance with the instruction referred to in Article 12 (10) of the PDPA.
Article 14. (1) Implementing the powers thereof, the Commission interacts with State bodies and non-governmental organisations.
(2) The activity referred to in Paragraph (1) finds expression in participating in working groups, holding working meetings, carrying out joint activities, including inspections, implementing joint projects, and drawing up drafts of statutory acts.
(3) While interacting with other bodies and organisations, the Commission may conclude agreements on cooperation and mutual assistance.
Chapter Three
COMMISSION’S ADMINISTRATION
Section I
General Provisions
Article 15. (1) The administration supports the Commission in the performance of its competences.
(2) According to the distribution of the activities that it performs, the administration is general and specialized.
(3) The general administration is organised in a Resource Management and Administrative Legal Services Directorate.
(4) The specialised administration is organised into three directorates:
1. a Legal Affairs and International Cooperation Directorate;
2. a Legal Proceedings and Supervision Directorate;
3. a Legal Analysis, Information and Control Directorate.
(5) Departments may be established within the directorates.
(6) The total staff number of the administration, including the members of the Commission, is 87 pay-roll employees, allocated to units according to the appendix hereto.
Article 16. The functional links for work at the administration are defined by an internal act of the Commission.
Article 17. (1) The administration employees working under a civil-service relationship and an employment relationship perform the tasks assigned thereto accurately, conscientiously and impartially in accordance with the duties thereof under the job description, the provisions of these Rules and the internal acts.
(2) Upon occupying their positions, the persons referred to in Paragraph (1) sign a declaration under Article 13 (2) of the PDPA.
Article 18. The Commission’s administration employees could execute ex officio contacts with employees of other administrations in connection with the performance of their tasks.
Section II
Secretary General
Article 19. The Secretary General performs the general management of the administration and, to this end:
1. is in charge of the execution of the assigned tasks stemming from the decisions of the Commission and the orders of the Chairperson;
2. provides assistance to the Chairperson and the members of the Commission in the performance of their powers;
3. organizes the Commission’s work;
4. organizes the execution of the Commission’s decisions and the control over their performance;
5. coordinates the tasks distribution between the administrative units and controls the observance of the deadlines for their execution;
6. organizes and is in charge of the preparation of draft internal acts of the Commission;
7. coordinates and controls the activities concerning the training and raising the qualification of the employees;
8. approves the job characteristics of the employees;
9. organises, coordinates and controls the activities of performance evaluation of the administration employees;
10. organizes the meetings and prepares draft agenda for the regular meetings;
11. performs other tasks assigned by the Commission and the Chairperson.
Section III
Financial Controller
Article 20. (1) The Financial Controller is appointed according to the Public Sector Financial Management and Control Act (PSFMCA) and is directly subordinated to the Chairperson of the Commission.
(2) The Financial Controller:
1. executes his activity in conformity with the Directions for execution of preliminary control, issued by the Ministry of Finance, on the application of the Law for Financial Management and Control in the Public Sector and the accepted internal rules on the financial management and control in the Commission for Personal Data Protection;
2. executes ex-ante control on the legitimacy of the undertaken obligations and the expenditures incurred by the Commission.
Section IV
Directorates’ Functioning
Article 21. (1) The directorates are managed by a director, who:
1. creates conditions for the lawful and effective work of the employees at the directorate;
2. allocates the tasks among the departments according to nature and specifics, proposing measures for an improvement of the working arrangements at the directorate to the Secretary General or to the Chairperson;
3. is responsible for the professional qualification of the employees of the directorate and takes measures for upgrading the said qualification;
4. in consultation with the Secretary General, makes reasoned proposals to the Chairperson for the establishment and reduction of structural units, as well as for opening and closing of pay-roll positions in the directorate;
5. coordinates all documents from the directorate;
6. prepares quarterly progress reports and an annual report on the results achieved by the CPDP relevant to the activity of the directorate;
7. coordinates the job descriptions of the employees at the directorate;
8. carries out evaluation according to the Ordinance on the Terms and Procedure for Performance Evaluation of State Administration Employees, adopted by Council of Ministers Decree No. 129 of 2012 (State Gazette No. 49 of 2012) and makes proposals for promotion in rank or position or imposition of disciplinary sanctions according to the Labour Code and the Civil Servants Act;
9. carries out other activities as well, assigned thereto by the Commission, by the Chairperson or by the Secretary General.
(2) The departments are managed by a head of department, who:
1. organises, coordinates and controls the work of the employees at the department;
2. coordinates all documents from the department;
3. coordinates the job descriptions of the employees at the department;
4. allocates the tasks among the employees at the department, defines the deadlines for the performance of the said tasks;
5. carries out other activities assigned thereto by the direct manager.
Section V
General Administration
Article 22. The Resource Management and Administrative Legal Services Directorate:
1. organises and performs financial-accounting activities of the Commission in conformity with the requirements of the Accountancy Law, the account plan of the budget enterprises, accounting standards and directions;
2. prepares and gives reason for draft annual budget and organizes the development of three year budget forecast;
3. prepares monthly allocation of the established annual budget in accordance with the economic elements of the Uniform Budget Classification;
4. organizes, prepares and presents monthly request for limit of the Commission’s payments in accordance with the Law for the State Budget of the Republic of Bulgaria for the corresponding year;
5. monitors the effective spending of the budget funding according to the released limits by observing the financial discipline;
6. suggests and prepares correction of the Commission’s annual budget;
7. summarizes the data and prepares monthly, quarterly and annual accounts for the cash execution of the Commission’s budget;
8. executes the accounting reporting following the legal requirements and guidance and draws up primary and secondary accounting documents and notes them in timely manner in the accounting registers; prepares monthly and annual turnover registers;
9. prepares the Commission’s annual financial report;
10. applies the system for double signing when it comes to undertaking the obligations and expenditures incurring;
11. stores the accounting documents in accordance with the requirements of the Accountancy Law and the internal rules and instructions;
12. supports the Chairperson on the human resources management;
13. prepares and updates the positions and namely schedule of the Commission and its administration;
14. supports the drawing up of job characteristics with regard to the methodology, organization and technical actions;
15. prepares, updates and stores the servants and labour records of the officials of the administration;
16. organizes and is in charge for the preparation of the acts in connection with the occurrence, amendment and termination of the civil servants and labour contracts;
17. prepares and sends in the statutory term the notifications to the territorial department of the National Revenues Agency on the occurrence, amendment and termination of the legal relations with the officials of the Commission;
18. plans and supports the organization on the training of the officials for raising their qualification and career development;
19. prepares statistical inquiries on the salary and the movement of human resources in the Commission, prepares all certifying documents of the officials in connection with the civil servants and labour contracts;
20. organises the management and the exploitation of the buildings, procures the material and technical resources and preserves the tangible fixed assets necessary for the activity of the Commission;
21. ensures the transport services of the Commission and the administration thereof, as well as the operation, repair and maintenance of the motor vehicle fleet in the Commission;
22. ensures the defence and mobilisation training in the Commission;
23. ensures the preparation for and response of the Commission to emergencies, disasters, accidents and crises;
24. organises the forecasting and planning of public procurements and draws up an annual timetable for conduct of the said procurements;
25. prepares the drafts of documents necessary for the conduct of public procurement awards;
26. organises the conduct and completion of public procurements;
27. organises the activity of the making up of a complete set and proper safekeeping of concluded public procurement dossiers;
28. executes the legal representation on lawsuits, connected civil servants and labour contracts, management of the proprietorship of the Commission and under the Law for Public Tenders and provides information to the Commission on their movement;
29. prepares draft ordinances for the execution of the orders of the Chairperson of the Commission;
30. participates in the preparation and conclusion of contracts under which the Commission is party;
31. organises and maintains the secretary activity according to the effective legislation and the internal acts;
32. organises and ensures the archive of the Commission;
33. ensures and prepares the technical materials for the Commission’s meetings and the adopted acts;
34. ensures the connections of the Commission with the media after preliminary coordination with the Chairperson of the Commission;
35. organises briefings, press conferences, meetings and seminars;
36. analyzes the publications in the media about the Commission’s activity and informs on daily basis the Chairperson and the members of the Commission;
37. performs secretarial services to the Chairperson, the members of the Commission, and the officials from the Commission’s administration;
38. executes the protocol activity of the Commission and its administration in the country and abroad;
39. certifies duplicate copies of the acts issued by the Commission;
40. carries out activities related to information and publicity upon the exercise of the powers and the performance of the tasks of the CPDP;
41. explores and implements cutting-edge information and communication technologies;
42. ensures the proper functioning of the requisite information processing and transmission means;
43. organises the installation and maintenance of the system software and the specialised software;
44. implements the activities in connection with the administrative sanctions compliance rate, inter alia enforces, according to the procedure established by the Tax and Social-Insurance Procedure Code, the enforceable decisions of the Commission and the enforceable penalty decrees imposing pecuniary penalties and fines;
45. prepares draft certificate under Article 39 (4) of the PDPA.
Section VI
Specialised Administration
Article 23. The Legal Affairs and International Cooperation Directorate:
1. prepares opinions for the National Assembly, the Council of Ministers, other institutions and authorities regarding the legislative and administrative measures in connection with the protection of natural persons with regard to the processing of personal data thereof;
2. prepares drafts of statutory acts, internal acts and documents in the field of personal data protection;
3. prepares drafts of general and statutory administrative acts related to the powers thereof in cases provided for by a law;
4. carries out legal analyses, prepares opinions, decisions, authorisations and positions of the Commission on matters in the field of personal data protection, including on drafts of statutory acts, as well as drafts of replies to queries by third parties regarding the application of personal data protection legislation;
5. draws up draft decisions on the adoption of standard contractual clauses referred to in Article 28 (8) and point (d) of Article 46 (2) of Regulation (EU) 2016/679 and facilitates the procedure for the adoption thereof in accordance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679;
6. prepares draft authorisations for application of contractual clauses and the provisions referred to in Article 46 (3) of Regulation (EU) 2016/679 and facilitates the procedure for the adoption thereof in accordance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679;
7. draws up draft decisions on the approval of binding corporate rules according to Article 47 of Regulation (EU) 2016/679 and facilitates the procedure for the adoption thereof in accordance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679;
8. executes the legal representation before the court on appeals against acts of the Commission adopted on a proposal by the Directorate, and provides current information to the Commission on the progress of the court cases in connection with any such proceedings;
9. provides consultations to controllers, processors, and to data subjects on matters in the field of personal data protection;
10. prepares opinions on requests for access to data in the National System for Civil Registration and Administrative Services to the Public (ESGRAON) under Item 3 of Article 106 (1) of the Civil Registration Act;
11. coordinates and participates in the implementation of the international activity of the Commission;
12. cooperates with other supervisory authorities, including by sharing information and mutual assistance, with a view to ensuring the consistency of application and enforcement of the applicable personal data protection legislation, as well as with the international organisations on issues in the field of personal data protection;
13. supports the Commission in implementing the activities of the European Data Protection Board;
14. ensures the implementation of the decisions of the European Commission and the judgments of the Court of Justice of the European Union in the field of personal data protection and the implementation of the binding decisions of the European Data Protection Board;
15. participates in the preparation and conduct of negotiations on the conclusion of bilateral or multilateral agreements in the field of personal data protection;
16. analyses the results of the application of statutory acts and international treaties in the field of personal data protection and delivers opinions on the need to take national implementing measures;
17. supports the Commission in entering into contacts and interacting with national and international institutions on issues in the field of personal data protection, as well as in exchanging information in connection with the honouring of obligations arising from an international treaty whereto the Republic of Bulgaria is a party;
18. analyses the experience and work of international organisations and institutions and foreign legislation, conducts investigations on issues of international nature and maintains a database of acts and case-law of the Court of Justice of the European Union (EU) and the European Court of Human Rights on matters in the field of personal data protection;
19. studies, analyses and prepares project proposals under nationally and internationally funded programmes, prepares and coordinates project documents according to the requirements of the relevant programme, as well as supports the Commission for building strategic partnerships with other supervisory authorities and domestic and foreign organisations of the public and private sector;
20. plans, coordinates and implements the project proposals that have been approved for funding whereof the Commission is a beneficiary, including by rendering the requisite assistance in the process of monitoring and control by other state and European institutions;
21. shares in the delivery of training courses in the field of personal data protection.
Article 24. The Legal Proceedings and Supervision Directorate:
1. examines complaints lodged under Article 38 (1) of the PDPA, including under the cooperation mechanism with other supervisory authorities, and prepares reasoned legal opinions as to whether the said complaints are admissible and well-founded;
2. supports the Commission in carrying out an analysis in order to identify a lead supervisory authority and a supervisory authority concerned where complaints in connection with cross-border processing of personal data have been lodged;
3. cooperates with other supervisory authorities in connection with the examination of complaints;
4. organises the provision of information to the data subjects under Article 38 (2) of the PDPA;
5. proposes to the CPDP the application of the measures under points (a) to (d), (f), (g), (i) and (j) of Article 58 (2) of Regulation (EU) 2016/679, under Items 3, 4 and 5 of Article 80 (1) or Chapter Nine of the PDPA upon the examination of complaints;
6. plans control activities on the basis of a risk analysis and the priorities of the Commission;
7. executes the investigative powers of the Commission under points (a), (b), (d), (e) and (f) of Article 58 (1) of Regulation (EU) 2016/679;
8. proposes to the CPDP the application of the measures under points (a) to (d), (f), (g), (i) and (j) of Article 58 (2) of Regulation (EU) 2016/679, under Items 3, 4 and 5 of Article 80 (1) or Chapter Nine of the PDPA as regards control activities;
9. cooperates with other supervisory authorities in connection with the implementation of joint operations;
10. carries out the control activities assigned to the Commission by law or implementing an act of the European Union or an international treaty whereto the Republic of Bulgaria is a party, with regard to the national units responsible for personal data processing in large-scale IT systems of the EU, being able to propose application of the powers under Article 58 (1) of Regulation (EU) 2016/679;
11. executes the legal representation on appeals against penalty decrees and against decisions of the Commission under Article 38 (3) and (4) of the PDPA, whereby corrective powers are exercised as regards control activities;
12. prepares opinions, reports, draft directions, statements of findings, written statements ascertaining administrative infringements and penalty decrees according to the procedure established by the AISA;
13. provides consultations to controllers, processors, and to data subjects on matters in the field of personal data protection;
14. analyses and summarises the practice of the Commission and delivers opinions on the general state of the personal data protection system in the area of legal proceedings and supervision;
15. maintains registers of the complaints received, the decisions rendered and the penalty decrees issued;
16. shares in the delivery of training courses in the field of personal data protection.
Article 25. The Legal Analysis, Information and Control Directorate:
1. supports the Commission in monitoring and ensuring the application of Regulation (EU) 2016/679 and the national personal data protection legislation;
2. conducts studies regarding the application of Regulation (EU) 2016/679, including on the basis of information received from other supervisory or public authorities;
3. prepares draft procedures, rules, methodologies, guidance notes, clarifications, guidelines, recommendations and best practices for the application of Regulation (EU) 2016/679 and the PDPA and submits the said drafts to the Commission for approval;
4. supports the Commission in promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data;
5. supports the Commission in raising the awareness of controllers and processors of the obligations thereof arising from the applicable personal data protection legislation;
6. maintains the institutional website of the CPDP as an essential and permanent means of ensuring public awareness of the activities of the CPDP and the functioning of the personal data protection system and produces the bulletin of the CPDP;
7. handles the complaints/alerts and queries submitted on the website of the CPDP and, after the Chairperson has made a decision, allocates the said submissions to the competent directorates;
8. processes the information received through the information system of the European Data Protection Board and, after the Chairperson has made a decision, allocates the said information to the competent directorates;
9. organises the setting of the objectives of the administrative units, monitoring and reporting the outcomes of the implementation of strategic documents;
10. coordinates the activities of developing and applying the strategic documents of the Commission, the monitoring and reporting of the implementation of the said documents;
11. is responsible for the alignment of the strategic priorities of the Commission with the project activities and outcomes;
12. prepares opinions in the prior consultation procedure under Article 36 of Regulation (EU) 2016/679 and Article 12 (2) and Article 65 of the PDPA;
13. prepares opinions regarding:
(a) the approval of codes of conduct;
(b) the accreditation of bodies for monitoring codes of conduct;
(c) the accreditation of certification bodies;
14. supports the Commission in the activity thereof encouraging the drawing up of codes of conduct;
15. supports the Commission in the activity thereof encouraging the establishment of data protection certification mechanisms and of data protection seals and marks;
16. performs a periodic review of the certifications issued;
17. applies the corrective powers of the CPDP under points (d) and (h) of Article 58 (2) of Regulation (EU) 2016/679;
18. maintains registers of:
(a) controllers and processors which have designated data protection officers;
(b) codes of conduct under Article 40 of Regulation (EU) 2016/679;
(c) certification bodies accredited under Article 14 of the PDPA;
(d) infringements of Regulation (EU) 2016/679 and of the PDPA, as well as of the measures taken in accordance with the exercise of the powers referred to in Article 58 (2) of Regulation (EU) 2016/679;
(e) notifications of personal data breaches under Article 33 of Regulation (EU) 2016/679 and under Article 67 of the PDPA;
(f) the records received from the undertakings providing electronic communications services on the data destroyed under Article 251g (1) of the Electronic Communications Act (ECA);
19. processes and summarises the statistical information received from the undertakings providing electronic communications services in connection with Article 261a (4) and (5) of the ECA;
20. monitors the development of information and communication technologies and commercial practices insofar as they have a direct impact on the protection of personal data;
21. implements the automated data exchange with national and international information systems;
22. executes the legal representation before the court on appeals against acts of the Commission adopted on a proposal by the Directorate, and provides current information to the Commission on the progress of the court cases in connection with any such proceedings;
23. participates in the delivery of training courses in the field of personal data protection.
Chapter Four
PROCEDURE FOR PURSUIT OF PROCEEDINGS BEFORE COMMISSION FOR PERSONAL DATA PROTECTION
Section I
General Provisions
Article 26. (1) In connection with the implementation of the tasks and powers of the Commission under Regulation (EU) 2016/679 and the Personal Data Protection Act, the following proceedings are pursued before the Commission:
1. examination of complaints under Article 38 of the PDPA, including under the cooperation mechanism with other supervisory authorities, as well as alerts referred to in Article 35 (2) herein;
2. application of measures under Article 58 (2) of Regulation (EU) 2016/679 and under Items 3, 4 and 5 of Article 80 (1) and Chapter Nine of the PDPA;
3. expression of opinions on matters in the field of personal data protection;
4. the adoption of standard contractual clauses under Regulation (EU) 2016/679;
5. examination of proceedings under Chapter V of Regulation (EU) 2016/679;
6. carrying out prior consultation;
7. examination of notifications of personal data breaches;
8. approval, amendment or extension of codes of conduct;
9. accreditation and withdrawal of an accreditation of bodies for monitoring approved codes of conduct under the terms and according to the procedure established by Article 14a (3) of the PDPA;
10. accreditation and withdrawal of an accreditation of certification bodies under the terms and according to the procedure established by Article 14 (5) of the PDPA;
11. certification under the terms and according to the procedure established by Article 14 (6) of the PDPA.
(2) The Commission may implement other proceedings as well, where this is provided for in a law.
Article 27. (1) The proceedings before the Commission are initiated by a written or oral request from a natural or legal person or on the initiative of the Commission.
(2) Written requests are submitted at the registry of the Commission by a letter, by fax, or by electronic means according to the procedure established by the Electronic Document and Electronic Trust Services Act.
(3) In respect of any oral requests, a memorandum is drawn up according to the procedure established by Article 29 (5) of the Administrative Procedure Code, and the said memorandum is signed by the submitter and by the Commission employee who drew up the said memorandum and is filed at the registry.
Article 28. (1) The request should contain:
1. particulars of the requesting party: names, mailing address and permanent address, contact telephone number, email address (if available);
2. the nature of the request;
3. date of knowledge of the infringement, if an infringement is alleged;
4. identification of a person targeted by the request;
5. other information or documents, where this is provided for in a law or in these Rules;
6. date and signature.
(2) Where a written request contains any irregularities, the submitter is notified to remedy the said irregularities within three days of the communication.
(3) In case the irregularities are not remedied within the time limit referred to in Paragraph (2), the proceedings are terminated.
Article 29. (1) No action is taken:
1. on any anonymous complaints or alerts which are not signed by the submitter or by a legal or authorised representative thereof or such that do not state the information referred to in Article 28 (1) herein;
2. on any complaints or alerts written using Roman or any other characters different from Cyrillic (unless written in a language other than Bulgarian).
(2) The Commission may take up the matter on its own initiative and/or notify the competent institutions where an anonymous request or alert contains information about damage to a substantial public interest.
Article 30. The requests received are allocated to the relevant directorate which is competent to handle them.
Article 31. Where a request received falls within the competence of another authority, the Commission forwards the request to the authority which is competent to handle it and informs the requesting party.
Article 32. The known stakeholders are likewise informed of the commencement of proceedings.
Article 33. The proceedings before the Commission are concluded by an act according to Article 5 (2) herein.
Article 34. In cases involving cross-border processing of personal data according to Regulation (EU) 2016/679, in addition to the proceedings under this Chapter, the CPDP furthermore applies the rules of the cooperation mechanism and the consistency mechanism under Chapter VII of Regulation (EU) 2016/679, as well as the rules applicable to the case at hand which are established by the European Data Protection Board.
Section II
Handling Complaints under Article 38 of PDPA and Alerts, Including under Cooperation Mechanism with Other Supervisory Authorities
Article 35. (1) A complaint is a request whereby protection is sought for any infringed rights of the requesting party under Regulation (EU) 2016/679 and under the PDPA.
(2) An alert is a request whereby any infringements of Regulation (EU) 2016/679 and under the PDPA are reported, without any rights of the requesting party having been infringed.
(3) Action under Article 12 (4) of the PDPA may be taken in the cases under Paragraph (2).
Article 36. (1) Where a complaint or an alert does not fall within the competence of the Commission, the said complaint or alert is forwarded to the competent authority.
(2) In cases where the competent authority cannot be inferred from the data in the complaint or alert, the said complaint or alert is returned to the complainant accompanied by brief written instructions.
(3) Where the complaint or alert concerns the manner of exercise of rights related to personal data protection, the submitter is given written instructions regarding the procedure for the exercise of the said rights. Where necessary, cooperation with the supervisory authorities in other Member States takes place.
Article 37. (1) Any request referred to in Article 35 (1) herein received is allocated to the Legal Proceedings and Supervision Directorate, which submits an opinion on whether the request is conforming, admissible or well-founded, including an analysis regarding the need to examine the complaint in cooperation with another supervisory authority, where applicable.
(2) Any request, which does not contain data on infringed rights of the requesting party and contains allegations of an infringement of Regulation (EU) 2016/679 or of the Personal Data Protection Act committed by a controller or processor, is allocated to the Legal Proceedings and Supervision Directorate.
Article 38. (1) The Commission, in a meeting held behind closed doors, gives its pronouncement by way of decision as to whether a complaint referred to in Article 35 (1) herein is conforming or admissible, as well as in the cases referred to in Article 38 (4) of the PDPA.
(2) For the purpose of clarifying the facts and circumstances under a complaint received, the Commission may assign the conduct of a check, the taking of evidence, or request opinions from third parties under the terms established by the APC and in conformity with the powers thereof under Article 58 (1) of Regulation (EU) 2016/679.
Article 39. (1) The requisite cooperation arrangements are made if the complaint needs to be examined in cooperation with another supervisory authority.
(2) In the cases where the Commission does not act as a lead supervisory authority, the lead supervisory authority is informed of the case.
(3) Where the lead supervisory authority decides to handle the case, the Commission may participate by sending experts on site and/or submitting a draft decision.
(4) Where the Commission is the lead supervisory authority, account of the opinion of the supervisory authority concerned is taken when adopting a decision on the complaint.
Article 40. (1) The Commission examines the complaint on the merits at a meeting open to the public, of which the Commission notifies the parties and the stakeholders.
(2) The Commission adopts a decision on the merits of the complaint and may thereby apply the measures referred to in points (a) to (h) and (j) of Article 58 (2) of Regulation (EU) 2016/679 or in Items 3, 4 and 5 of Article 80 (1) of the PDPA and, in addition to, or instead of, the said measures, may impose an administrative fine in accordance with Article 83 of Regulation (EU) 2016/679, as well as under Chapter Nine of the PDPA.
(3) A duplicate copy of the decision is sent to the parties and to the stakeholders.
Article 41. Evidence is taken, experts are appointed, the parties are represented and summoned, and other steps in the proceedings under this Section are taken according to the procedure established by the APC.
Article 42. In complaint examination proceedings, the parties may reach a settlement according to the procedure established by Article 20 of the APC.
Article 43. The complainant is informed of the progress of the examination of the complaint or of the result of the said complaint within three months after the infringement has been brought to the attention of the Commission.
Article 44. (1) Any request referred to in Article 57 of the PDPA is submitted according to the procedure established by Article 28 herein and furthermore states a personal identification number or a foreigner personal number or another similar identifier or other identification data of the natural person determined by the controller in connection with the activity carried out thereby.
(2) In case the request referred to in Paragraph (1) does not comply with the requirements for identifying the data subject, the controller or the nature of the request, the submitter is notified to remedy the said non-compliances within three days of the communication.
(3) In case the irregularities are not remedied within the time limit referred to in Paragraph (2), the proceedings are terminated.
Article 45. (1) Where a request under Article 44 herein has been received, an inspection under Article 12 of the PDPA is conducted.
(2) Upon examination of the request, all data relevant to the refusal is collected and the controller or processor is required to make available the information referred to in Article 55 (5) of the PDPA.
(3) When checking the lawfulness of the processing in the cases under Article 57 of the PDPA, the Commission exercises the powers thereof under Article 80 of the PDPA.
(4) The data subject is informed of the outcome of the check within three months after the infringement has been brought to the attention of the Commission or of the reasons why the check has not been carried out.
Section III
Application of Measures under Article 58 (2) of Regulation (EU) 2016/679 and Items 3, 4 and 5 of Article 80 (1) and Chapter Nine of PDPA
Article 46. The Commission for Personal Data Protection applies, by decision, the measures under Article 58 (2) of Regulation (EU) 2016/679, Items 3, 4 and 5 of Article 80 (1) and Chapter Nine of the PDPA in respect of the controllers or processors on the protection of natural persons with regard to the processing of personal data.
Article 47. (1) Measures under Article 58 (2) of Regulation (EU) 2016/679, Items 3, 4 and 5 of Article 80 (1) and Chapter Nine of the PDPA are applied upon:
1. examination of a complaint against a controller under Article 38 of the PDPA;
2. implementation of the control activity of the Commission under Article 12 of the PDPA, including where an alert has been received;
3. supervision by the Commission under Article 34 (4), sentence two of Article 42 (7) and Article 43 of Regulation (EU) 2016/679.
(2) (Corrected, State Gazette No. 63 of 2019) The application of the measures in connection with the activity referred to in Item 1 of Paragraph (1) follows the rules of the respective proceedings under Article 38 of the PDPA.
(3) (Corrected, State Gazette No. 63 of 2019) The application of the measures in connection with the activity referred to in Item 2 of Paragraph (2) is based on a proposal by the Legal Proceedings and Supervision Directorate made by a report to the Commission, and in the cases where an inspection has been conducted, by a statement of findings under Article 12 (7) of the PDPA.
(4) (Corrected, State Gazette No. 63 of 2019) The application of the measures in connection with the activity referred to in Item 3 of Paragraph (2) is based on a proposal by the Legal Analysis, Information and Control Directorate to the Commission.
Article 48. (1) The measures are applied by a decision of the Commission which is communicated to the stakeholders according to the procedure established by the APC.
(2) The decision referred to in Paragraph (1) is appealable according to the procedure established by the Administrative Procedure Code within 14 days of the communication thereof.
(3) The controller in respect of which a measure has been applied notifies the Commission in writing that the actions prescribed by the measures have been complied with, where any such actions are required, and/or that the grounds for the application of the said measures have ceased to apply, attaching the relevant evidence.
(4) The Commission gives its pronouncement by way of decision on the notification received under Paragraph (3) on the basis of a reasoned opinion of the competent directorate.
Article 49. Upon failure to comply with the decision under Article 48 herein, the Commission may impose an administrative fine under Article 83 (5) of Regulation (EU) 2016/679 and Article 85 (5) of the PDPA.
Article 50. (1) Where, in the course of an inspection under Article 12 (4) of the PDPA, with the exception of an inspection under Article 37 (2) herein, evidence of an administrative infringement is found, the application of the measure “imposition of an administrative fine” under point (i) of Article 58 (2) of Regulation (EU) 2016/679 and Chapter Nine of the PDPA follows the procedure established by the Administrative Infringements and Sanctions Act (AISA).
(2) The infringements are ascertained and the penalty decrees are appealed and enforced according to the procedure established by the AISA.
(3) The written statements ascertaining the administrative infringements are drawn up by a member of the CPDP or by officials empowered by the Commission.
(4) The penalty decrees are issued by the Chairperson of the CPDP.
(5) The pecuniary sanctions and fines under enforceable penalty decrees are collected according to the procedure established by the Tax and Social-Insurance Procedure Code.
(6) Without prejudice to the administrative fine, a coercive administrative measure under Article 84 of the Personal Data Protection Act may be imposed upon the ascertainment of an administrative infringement.
Section IV
Issuing Opinions in Field of Personal Data Protection
Article 51. The Commission issues opinions in the field of personal data protection:
1. on drafts of statutory acts or regulatory measures relevant to the processing of personal data;
2. on requests by natural and legal persons, State bodies and organisations on issues related to personal data protection;
3. on its own initiative.
Article 52. Upon receipt of a request for an opinion under Article 51 herein, the Legal Affairs and International Cooperation Directorate prepares a proposal for an opinion and submits the proposal to the Commission within one month of receipt of the request.
Section V
Adoption of Standard Contractual Clauses under Regulation (EU) 2016/679. Proceedings under Chapter V of Regulation (EU) 2016/679
Article 53. (1) Acting on its own initiative, the Commission adopts standard contractual clauses on data protection under Article 28 (8) and under point (d) of Article 46 (2) of Regulation (EU) 2016/679.
(2) The Legal Affairs and International Cooperation Directorate prepares a draft of standard contractual clauses and submits the draft for consideration at a meeting of the CPDP. When the Commission approves the draft of standard contractual clauses by decision, the draft is sent to the European Data Protection Board for its opinion under point (d) of Article 64 (1) of Regulation (EU) 2016/679.
(3) Within one month of receipt of the opinion of the European Data Protection Board referred to in Paragraph (2), the Legal Affairs and International Cooperation Directorate revises the wording of the draft of standard contractual clauses in line with the opinion and, after approval by the CPDP, sends the draft to the European Commission for adoption.
(4) Within one month after the adoption of the draft of standard contractual clauses by the European Commission under Paragraph (3), the Legal Affairs and International Cooperation Directorate prepares a report to the CPDP proposing the adoption of the standard contractual clauses and accompanies the said report by the final version of the said clauses.
(5) The Commission adopts the standard contractual clauses by decision and publishes the said clauses on the Internet website thereof.
Article 54. (1) The Commission approves binding corporate rules under Article 47 of Regulation (EU) 2016/679 in the cases where the Commission is a competent supervisory authority in accordance with Articles 55 and 56 of Regulation (EU) 2016/679.
(2) The procedure for the approval of binding corporate rules is initiated by a request from a group of enterprises engaged in a joint economic activity. A draft of binding corporate rules in paper and electronic form in Bulgarian and English is submitted attached to any such request.
(3) The Legal Affairs and International Cooperation Directorate effects the overall interaction and exchange of information on the draft of binding corporate rules with the supervisory authorities concerned and the submitter of the request under Paragraph (2) in accordance with the applicable rules of the European Data Protection Board. After the information received and opinions have been summarised, the Directorate prepares an opinion regarding the conformity of the draft with Regulation (EU) 2016/679 and submits the said opinion at a meeting of the Commission.
(4) When the Commission adopts an opinion on conformity of the draft of binding corporate rules with Regulation (EU) 2016/679, the said draft is sent to the European Data Protection Board for its opinion under point (f) of Article 64 (1) of Regulation (EU) 2016/679. Upon receipt of the opinion of the European Data Protection Board, the Legal Affairs and International Cooperation Directorate notifies the submitter of the request under Paragraph (2) as to whether any additional changes to the content of the draft of binding corporate rules are required.
(5) The Commission approves the binding corporate rules by decision. The Legal Affairs and International Cooperation Directorate notifies the submitter of the request under Paragraph (2) and the supervisory authorities concerned of the decision adopted. A copy of the rules as approved in English is sent to the supervisory authorities concerned.
Article 55. (1) The procedure for giving authorisation to the transfer of personal data to a third country or international organisation under the terms established by Article 46 (3) of Regulation (EU) 2016/679 is initiated by a written request from a controller or processor or, respectively, from a competent public authority in the cases referred to in point (b) of Article 46 (3) of Regulation (EU) 2016/679. Any such request is accompanied by the draft of contractual clauses or provisions in administrative arrangements in paper and electronic form in Bulgarian and English.
(2) The request is allocated to the Legal Affairs and International Cooperation Directorate, which prepares a report to the CPDP making a proposal based on the documents and information submitted by the requesting party.
(3) The Commission for Personal Data Protection gives its pronouncement by way of:
1. reasoned opinion, where the contractual clauses under point (a) of Article 46 (3) or provisions under point (b) of Article 46 (3) of Regulation (EU) 2016/679 proposed by the requesting party do not provide sufficient safeguards to protect the rights of data subjects; the said opinion is sent to the requesting party;
2. decision, whereby transfer of data is authorised in the cases under point (b) of Article 46 (3) of Regulation (EU) 2016/679; the said decision is sent to the requesting party;
3. decision, whereby the contractual clauses proposed by the requesting parties are approved in the cases under point (a) of Article 46 (3) of Regulation (EU) 2016/679; the said decision, accompanied by the draft of contractual clauses, is sent to the European Data Protection Board for its opinion under point (e) of Article 64 (1) of Regulation (EU) 2016/679.
(4) Within one month of receipt of the opinion of the European Data Protection Board in the cases under Item 3 of Paragraph (3), the Legal Affairs and International Cooperation Directorate revises the final version of the draft of contractual clauses in line with the said opinion and submits the matter for consideration by the CPDP.
(5) The Commission approves the final version of the contractual clauses in the cases referred to in Paragraph (4) and pronounces by way of decision whereby transfer of data is authorised on the basis of point (a) of Article 46 (3) of Regulation (EU) 2016/679. The said decision is sent to the requesting party.
Article 56. (1) Upon receipt of notification from a controller on transfer of data on the basis of the second subparagraph of Article 49 (1) of Regulation (EU) 2016/679, the said notification is allocated to the Legal Affairs and International Cooperation Directorate, which draws up a report to the CPDP within one month of receipt of the notification. The said report analyses the information which has been provided with the notification and evidence regarding the fulfilment of the following requirements:
1. the transfer of personal data is not repetitive;
2. the transfer of personal data concerns only a limited number of data subjects;
3. the transfer of personal data is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject;
4. the controller has assessed all the circumstances surrounding the data transfer;
5. the controller has provided suitable safeguards with regard to the protection of personal data;
6. the controller has provided to the data subject the information referred to in Articles 13 and 14 of Regulation (EU) 2016/679 and, in addition to that, has informed the data subject of the transfer and on the compelling legitimate interests pursued by the controller.
(2) Where the report referred to in Paragraph (1) gives a favourable opinion on the fulfilment of the requirements of the second subparagraph of Article 49 (1) of Regulation (EU) 2016/679, the Commission takes note of the notification. If any omissions, ambiguities or non-conformities are ascertained, the CPDP pronounces by way of reasoned opinion which is sent to the requesting party. In such case, data may be transferred on any of the other grounds for transfer of data under Chapter V of Regulation (EU) 2016/679.
Article 57. (1) The texts of contractual clauses, including standard contractual clauses, as well as of binding corporate rules, which have been adopted according to the procedure established by this Section, are amended according to the procedure for the adoption thereof.
(2) The Legal Affairs and International Cooperation Directorate keeps information regarding the requests and the acts of the CPDP under Article 53 (5), Article 54 (5), Item 2 of Article 55 (3), Article 55 (5) and Article 56 (2) herein, which are not publicly available.
Section VI
Engaging in Prior Consultation
Article 58. (1) Prior consultation under Article 36 of Regulation (EU) 2016/679, Article 12 (2) and Article 65 of the PDPA takes place acting on a request for consultation submitted to the supervisory authority under the applicable terms of Article 28 herein.
(2) Attached to the request referred to in Paragraph (1), the controller provides the Commission with information regarding:
1. where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
2. the purposes and means of the intended processing;
3. the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
4. where applicable, the contact details of the data protection officer;
5. the data protection impact assessment, including an assessment of the risk posed to the rights and freedoms of data subjects by the intended processing;
6. any other information requested by the supervisory authority.
Article 59. The request for prior consultation is allocated to the Legal Analysis, Information and Control Directorate which, within one month of receipt of the request, draws up a proposal for an opinion and, where necessary, a proposal for exercise of the powers of the CPDP under Article 58 of Regulation (EU) 2016/679, Article 12 (2) or Article 80 of the PDPA, and submits the said proposal or proposals to the Commission.
Article 60. In cases other than those under Article 58 herein, the Commission may, on its own initiative, require controllers to consult therewith, and obtain prior authorisation therefrom, in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
Article 61. The Commission pronounces by way of opinion, and in the cases referred to in Article 36 (5) of Regulation (EU) 2016/679, the Commission pronounces by way of authorisation. Where, in addition to the opinion, the Commission exercises any of the powers thereof under Article 58 of Regulation (EU) 2016/679, the Commission adopts a decision.
Section VII
Handling of Notifications of Personal Data Breaches
Article 62. Upon the receipt at the CPDP of a notification of personal data breach, the notification is allocated to the Legal Analysis, Information and Control Directorate, which takes the following steps:
1. to register the notification in a register of notifications of personal data breaches;
2. to analyse, within two weeks, the information submitted as to completeness of the data under Article 33 (3) of Regulation (EU) 2016/679, respectively, Article 67 (3) of the PDPA, whereupon the following issues are clarified:
(a) the capacity of the CPDP: lead authority, authority concerned or competent authority under Article 56 (2) of Regulation (EU) 2016/679; in the cases where the Commission is authority concerned or competent authority under Article 56 (2), after a decision of the CPDP, the Legal Analysis, Information and Control Directorate informs, without delay, the lead authority through the Internal Market Information System and expects a relevant decision from the said authority; if a jurisdictional conflict arises, the Directorate draws up a reasoned proposal to the CPDP as to whether the matter should be referred to the European Data Protection Board according to the procedure established by Article 65, and if there is an urgent need to act, according to the procedure established by Article 66 of Regulation (EU) 2016/679;
(b) the nature of the personal data breach, taking account of the categories of data subjects and personal data records, the approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to be taken by the controller;
(c) determining the severity of the risk in conformity with a methodology adopted by the Commission;
3. upon ascertainment of incompleteness of the data referred to in Article 33 (3) of Regulation (EU) 2016/679, respectively, Article 67 (3) of the PDPA, the Legal Analysis, Information and Control Directorate contacts the controller which made the notification for the purpose of completing and/or clarifying the information.
Article 63. (1) On the basis of the information and analysis under Item 2 (b) and (c) of Article 62 herein, the Legal Analysis, Information and Control Directorate draws up a reasoned report to the CPDP making the following proposals:
1. to take note of the notification of the data breach if the severity of the risk to the rights and freedoms of natural persons is low;
2. to conduct a documentary inspection if the severity of the risk to the rights and freedoms of natural persons is medium;
3. to conduct an on-site inspection if the severity of the risk to the rights and freedoms of natural persons is high.
(2) By a decision of the CPDP, an on-site inspection may be conducted irrespective of the severity of the risk.
Section VIII
Approval, Amendment or Extension of Code of Conduct
Article 64. (1) The procedure for the approval of a code of conduct under Article 40 of Regulation (EU) 2016/679 is initiated by the receipt of a written request, which contains:
1. information of the party proposing the code of conduct (association or another body representing the relevant sector, branch or category of controllers/processors whereto the code is applicable), stating the name, address, BULSTAT Code or another unique identifier of the said party;
2. title of the code of conduct, which may not repeat the title of a code of conduct that has already been registered and published;
3. the categories of controllers/processors whereto the code of conduct will apply.
(2) The request referred to in Paragraph (1) is accompanied by the draft code of conduct whereof the approval is requested in paper and electronic form.
(3) The request for the approval of a code under Paragraph (1) is allocated to the Legal Analysis, Information and Control Directorate, which checks and analyses whether the code:
1. complies with Regulation (EU) 2016/679;
2. facilitates the application of Regulation (EU) 2016/679 by the controllers/processors which will apply the said code and ensures the consistent application of the said Regulation;
3. provides sufficient appropriate safeguards for the rights and freedoms of natural persons.
Article 65. The draft code referred to in Article 64 herein is returned to the submitter without consideration if:
1. the draft is submitted by a person who is not empowered to represent the controllers or processors which will apply the code of conduct;
2. the submitter of the draft code has not consulted all stakeholders, including data subjects where feasible, and/or information has not been provided on whether regard has been had to submissions received from stakeholders in the course of such consultations;
3. the Commission for Personal Data Protection is not competent pursuant to Article 55 of Regulation (EU) 2016/679 to consider and approve the draft code.
Article 66. In cases other than those under Article 65 herein, the Legal Analysis, Information and Control Directorate submits to the Commission an opinion on the draft code, which mandatorily analyses the availability of information and evidence regarding:
1. the material, territorial and sectoral scope of the draft code, including the sector-specific characteristics and/or needs of micro, small and medium-sized enterprises and/or the processing operations thereof;
2. the legal framework specific to the sector concerned which is relevant to the processing of personal data;
3. the criteria for adherence of controllers/processors to the draft code;
4. the mechanism for adherence to the draft code and the binding effect of the said adherence, as well as the mechanism for termination or temporary suspension of draft code membership;
5. the mechanism for the mandatory monitoring of compliance with the draft code by the controllers/processors which undertake to apply it;
6. the legal basis for the processing of the data by the controllers/processors which will apply the draft code, including the legitimate interests of the controllers/processors, where applicable;
7. the application of the principles of data protection under Article 5 of Regulation (EU) 2016/679, including the fairness and transparency of the mechanisms for the provision of information to the public and to the data subjects with regard to adherence to the code and the rights thereof under Regulation (EU) 2016/679;
8. the availability of common criteria and mechanisms for analysing the risks and, where applicable, the availability of common requirements for impact assessment under Article 35 of Regulation (EU) 2016/679;
9. the mechanisms for support of the accountability of controllers/processors which will apply the draft code of conduct, by providing model documents;
10. the categories of personal data and/or the registers containing personal data that the controllers/processors which will apply the draft code will process, including the purposes of the processing and the time-limit for storage;
11. the technology used for processing the personal data, including the categories of persons (natural and legal) who and which have the right to access the personal data registers, as well as the extent of that access (full or limited);
12. the measures envisaged to safeguard the exercise of the rights of data subjects;
13. the procedure for the provision of information to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
14. the appropriate technical and organisational measures of protection envisaged, including the conditions for the application of pseudonymisation of the data, where applicable;
15. reference to the code as an appropriate safeguard within the meaning of Article 46 (2) (e) of Regulation (EU) 2016/679;
16. the procedure for notifying the CPDP or another competent supervisory authority of personal data breaches and a procedure for notifying the data subjects affected of such breaches;
17. the out-of-court proceedings and other procedures for resolving disputes between controllers and data subjects with regard to processing;
18. the procedure for the amendment and extension of the draft code of conduct;
19. the procedure for taking suitable actions in case of a breach of the draft code of conduct by a controller or processor, including suspension of membership or exclusion of the controller or processor concerned from the draft code;
20. the necessity and usefulness of developing and applying a code of conduct in the sector concerned.
Article 67. (1) The Commission, meeting behind closed doors, pronounces by way of decision on the compliance of the draft code of conduct with the requirements of Article 64 (3) and Article 66 herein.
(2) The Commission expresses an opinion and returns the code of conduct for alignment to Regulation (EU) 2016/679 if the Commission ascertains non-compliance with the requirements of the Regulation and/or lack of sufficient appropriate safeguards for the rights and freedoms of natural persons.
(3) In the cases where the draft code of conduct specifies the application of Regulation (EU) 2016/679 within the sector concerned and fully complies with the requirements of Article 64 (3) and Article 66 herein, the Commission approves the code by decision and informs the party proposing the code of conduct. Within seven days from the adoption of the decision, the Commission publishes the code in the register referred to in Item 3 of Article 72 (1) which is kept by the Commission.
(4) The Commission addresses the code as approved under Paragraph (3) to the European Data Protection Board for publication in the register referred to in Article 40 (11) of Regulation (EU) 2016/679. In case the code was submitted to the Commission in Bulgarian only, the party proposing the code provides a translation into English within one month of receipt of a notification of the approval of the code.
Article 68. The requirements and procedures under this Section apply, mutatis mutandis, to requests for amendment or extension of an approved code of conduct.
Article 69. (1) In case a draft code of conduct submitted under Article 64 herein relates to processing activities in several Member States of the EU, the Commission provides information on the draft code as received to the supervisory authorities and to the European Data Protection Board through the Internal Market Information System and applies the consistency mechanism under Article 63 of Regulation (EU) 2016/679. The Commission may not approve any such code before the European Board has expressed an opinion on whether the draft code complies with the requirements of Regulation (EU) 2016/679 or, respectively, provides appropriate safeguards in the situation referred to in Article 40 (3) of Regulation (EU) 2016/679.
(2) The code of conduct referred to in Paragraph (1) is submitted to the Commission in Bulgarian and in English in paper and electronic form.
Section IX
CPDP’s Cooperation with Supervisory Authorities of Other States
Article 70. (1) On its own initiative or at the request of a supervisory authority of another State, the Commission participates in international cooperation mechanisms to facilitate the effective enforcement of personal data protection legislation.
(2) The forms of cooperation are determined in each individual case and may include sharing information, consultations, mutual assistance, joint operations, including joint investigations and joint enforcement measures, mutual notification, forwarding complaints, and other such.
(3) Cooperation with supervisory authorities of other Member States of the EU takes place in accordance with the requirements and the time limits in Regulation (EU) 2016/679 and the rules of the European Data Protection Board.
(4) Cooperation with supervisory authorities of third countries takes place in accordance with the applicable bilateral and/or multilateral agreements and the practical arrangements between the parties. In such cases, an assessment as to whether the third country ensures appropriate safeguards for the protection of personal data and other fundamental rights and freedoms is mandatory.
(5) The Commission may refuse to comply with a request for cooperation if:
1. the Commission is not competent for the subject-matter of the request or for the measures it is requested to execute; or
2. compliance with the request would infringe the legislation of the Republic of Bulgaria or European Union law.
Article 71. (1) Upon receipt of requests for cooperation, the Chairperson of the Commission designates the competent directorate (directorates) which is lead in organising the cooperation, including in preparing a response to the request within the time limit indicated therein.
(2) Where a request has been received or a need of a joint operation within the meaning of Article 62 of Regulation (EU) 2016/679 is ascertained, the Legal Proceedings and Supervision Directorate draws up a report making proposals regarding the possible involvement of the CPDP.
(3) In the cases under Paragraph (2), the Commission pronounces by way of decision at a meeting, and if the decision is favourable the Commission authorises members of the Commission and/or administration employees to participate in the joint operation.
(4) Within one month from the completion of the joint operation, the Legal Proceedings and Supervision Directorate draws up a report to the Commission regarding the results of the said operation.
Section X
Keeping Registers and Sharing Information with Public Authorities
Article 72. (1) The Commission keeps the following public registers:
1. a register of controllers and processors which have designated data protection officers;
2. a register of certification bodies accredited under Article 14 of the PDPA;
3. a register of codes of conduct under Article 40 of Regulation (EU) 2016/679.
(2) The Commission keeps the following registers which are not public:
1. a register of infringements of Regulation (EU) 2016/679 and of the PDPA, as well as of the measures taken in accordance with the exercise of the corrective powers referred to in Article 58 (2) of Regulation (EU) 2016/679;
2. a register of notifications of personal data breaches under Article 33 of Regulation (EU) 2016/679 and under Article 67 of the PDPA;
3. a register of the records received from the undertakings providing electronic communications services on the data destroyed under Article 251g (1) of the ECA.
(3) The registers referred to in Paragraphs (1) and (2) are kept in electronic form.
(4) Any entries, notations and deletions in the registers referred to in Paragraphs (1) and (2) are effected by the Legal Analysis, Information and Control Directorate, and any entries, notations and deletions in the register referred to in Item 1 of Paragraph (2) are effected by the Legal Proceedings and Supervision Directorate.
(5) The Commission determines the technical and organisational measures of protection of the data in the registers referred to in Paragraphs (1) and (2).
(6) Data in accordance with the model documents (notifications and memoranda) endorsed by the Commission are entered into the registers referred to in Paragraphs (1) and (2).
(7) Any intervening change in the circumstances/data in the registers referred to in Paragraphs (1) and (2) is subject to notation in the register.
(8) Any errors made in the data in the registers referred to in Paragraph (1) are corrected at the request of the controller, with a notation being effected accordingly.
Article 73. (1) Data identifying the controllers and processors which have designated data protection officers, data identifying the data protection officers and contact details of the data protection officers are entered into the register referred to in Item 1 of Article 72 (1) herein.
(2) The public part of the register includes the name/names of the controllers and processors which have designated data protection officers, the names of the data protection officers, and the contact details of the data protection officers.
Article 74. (1) Data identifying the accredited certification body, data on the accreditation (certification) under Article 43 (4) of Regulation (EU) 2016/679 and contact details of the accredited certification body are entered into the register referred to in Item 2 of Article 72 (1) herein.
(2) The public part of the register includes the name of the accredited certification body, the period of validity of the accreditation (certification), and contact details of the accredited certification body.
Article 75. (1) Data identifying the author of the code, name of the sector/branch, contents of the code (text), and identification of the body accredited as a monitoring body (if any) are entered into the register referred to in Item 3 of Article 72 (1) herein.
(2) The public part of the register includes the title of the code, the name of the author, the name of the sector/branch, the name of the body accredited for monitoring the code (if any), and the contents (text) of the code.
Article 76. Data of the corrective measure under Article 58 (2) of Regulation (EU) 2016/679, data of the initial source of information regarding the infringement (complaint, alert), actions taken by the CPDP, data of the controller about which information on an infringement has been received, infringed provisions of Regulation (EU) 2016/679 and of the PDPA, act rendered by the Commission, deadline for compliance with the corrective measure, date of service of the act of the Commission, amount of the sanction imposed, objections lodged, information on the coming into legal effect of the act of the Commission, data on compliance with the corrective measure are entered into the register referred to in Item 1 of Article 72 (2) herein.
Article 77. Data identifying the controller affected by the infringement, information under Article 33 (3) and Article 58 (2) of Regulation (EU) 2016/679, as well as under Article 67 of the PDPA, are entered into the register referred to in Item 2 of Article 72 (2) herein.
Article 78. Data identifying the undertaking, the complement of the commission which drew up the record, data of the period of storage of the data destroyed, the techniques and means whereby the data was destroyed, as well as the use of cloud services, are entered into the register referred to in Item 3 of Article 72 (2) herein.
Article 79. (1) A system for document and workflow management at the CPDP and for decision control is implemented and maintained at the Commission.
(2) Upon the performance of the tasks and the exercise of the powers thereof, the Commission exchanges information with, and accesses information held by, other public authorities by means of the following systems maintained by the State e-Government Agency:
1. the Electronic Data Interchange Messaging System;
2. the Secure Electronic Delivery System;
3. the Registry Information Exchange System (RegiX).
(3) The Commission may alternatively access registers and/or services provided by public authorities by means of the relevant information systems maintained by the public authorities to this end.
Chapter Five
TRAINING IN THE FIELD OF PERSONAL DATA PROTECTION
Article 80. The Commission organises and delivers training in the field of personal data protection according to Item 6 of Article 10 (2) of the PDPA on the basis of standardised training topics content endorsed by the Commission subject to the following requirements:
1. using the latest technological advances, where applicable;
2. combining personal attendance with distance (online) learning options;
3. teaching materials combining lectures, discussions and practice.
Article 81. (1) Training under Article 80 herein is provided acting on a request for training submitted to the Commission or on its own initiative.
(2) The request referred to in Paragraph (1) must contain:
1. particulars of the requesting party: names, address, contact telephone number, email address (if available);
2. other information or documents applicable to the nature of the request;
3. date and signature.
(3) Training on the initiative of the CPDP is delivered on the basis of an annual training plan adopted by the Commission. The Commission adopts the training plan not later than by the end of January in the calendar year. The annual training plan covers the following controllers and processors:
1. whose core activity is of major public and social importance;
2. whose core activities consist of processing on a large scale of special categories of data under Article 9 of Regulation (EU) 2016/679;
3. whose core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
4. which carry out activities included in the list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35 (4) of Regulation (EU) 2016/679;
5. which carry out processing of personal data that results in a high risk to the rights and freedoms of natural persons.
Article 82. (1) The overall organisation and coordination of each particular training course are implemented by the Resource Management and Administrative Legal Services Directorate after the said Directorate has been expressly directed to do so by the Chairperson of the CPDP or by a decision of the Commission.
(2) The Resource Management and Administrative Legal Services Directorate coordinates the enrolment in the training course of employees of the relevant directorates of the specialised administration of the CPDP.
(3) The activities of organising and coordinating a particular training course may exceptionally be carried out by employees of the specialised administration expressly designated by the Chairperson of the CPDP or by a decision of the Commission.
(4) The communication process related to specifying the particular parameters of each training course is implemented by the Resource Management and Administrative Legal Services Directorate, with an employee being designated to serve as a point of contact.
(5) The employee designated as a point of contact organises and coordinates the delivery of the particular training course.
(6) The Resource Management and Administrative Legal Services Directorate organises the administering of the examinations referred to in Article 82 (2) herein, draws up the personalised certificates, and keeps a register of the certificates issued under Article 16 (2) of the PDPA.
Article 83. (1) The Commission endorses the structure, content, methods and duration of training in the field of personal data protection.
(2) The training courses are conducted by members of the Commission and/or by employees of the specialised administration thereof depending on the training topics covered and the trainees enrolled. By a decision of the Commission, external experts may also be recruited as trainers.
Article 84. (1) The following groups of trainees may be enrolled in the training courses referred to in Item 6 of Article 10 (2) of the PDPA:
1. controllers;
2. processors;
3. data protection officers;
4. data subjects;
5. certification bodies.
(2) The Commission enables the applicants for enrolment in training to take an examination in order to assess the entry-level knowledge before the start of the training.
Article 85. (1) The training referred to in Item 6 of Article 10 (2) of the PDPA is completed by taking an examination. The purpose of the examination is to assess the level of knowledge and skills acquired in the field of personal data protection.
(2) The examination referred to in Paragraph (2) may be taken in-class by means of an examination paper or remotely by electronic means in a form and content endorsed by the Commission.
(3) The participant in a particular training course may sit for an examination under Paragraph (1) not more than twice within a calendar year.
(4) The content of the examination papers is checked and graded by a board composed of three members, who are employees of the specialised administration of the CPDP. The outcomes of the work of the said board are evidenced by a memorandum.
(5) The results of the examination are made public on the official Internet site of the Commission and in an especially designated place in the building thereof.
(6) A fee in an amount set by a rate schedule approved by the Council of Ministers on a proposal by the Commission is paid for enrolment in training referred to in Item 6 of Article 10 (2) of the PDPA and for sitting for an examination, including upon re-sitting for an examination. A fee for sitting for an examination is not paid by participants in a training course conducted on the initiative of the Commission.
Article 86. The certificate issued to persons who underwent training under Article 16 (2) of the PDPA contains the following required details:
1. name of the issuing authority;
2. name of the participant in training who has successfully taken an examination;
3. title of the training course;
4. period of delivery of the training;
5. date of taking an examination;
6. period of validity;
7. unique number;
8. issue date, signature and seal.
Chapter Six
INTERNAL RULES
Article 87. (1) The parties to administrative proceedings and/or representatives thereof are granted access to the materials in the relevant case files which are pending.
(2) The documents in the case files can be accessed on site in the building of the Commission on working days from 9 a.m. to 5 p.m.
(3) Copies of the documents contained in the case file can be made available at the written request of a party to the proceeding or of a representative thereof. Copies are made available free of charge.
(4) The procedure for accessing materials in the case files and, respectively, the procedure for obtaining copies of documents, is laid down in rules adopted by the Commission, which are published on the Internet site thereof.
Article 88. The rules on the registry and the handling of documents are laid down in an internal act endorsed by an order of the Chairperson after a decision of the Commission.
Article 89. The rules related to access control, fire protection, emergency response and other such are endorsed by an order of the Chairperson after a decision of the Commission.
Article 90. (1) The opening hours of the Commission are from 9:00 a.m. until 5:30 p.m.
(2) The working time of the Commission and of the employees of the administration thereof is 8 hours daily and 40 hours weekly for a five-day workweek.
(3) The employees referred to in Paragraph (2) work variable hours from 7:30 a.m. until 6:30 p.m., are bound to be present in the period from 10:00 a.m. until 4:00 p.m., and take a 30-minute lunch break between 12:00 noon and 2:00 p.m. In such cases, beyond the time during which they are bound to be present, the employees may make up the difference to the daily working time on specified days on the following or another working day within the same workweek.
(4) The specific working arrangements and the control over compliance with the fixed working time are regulated by an act of the Chairperson of the Commission.
(5) The working time of the employees of the Resource Management and Administrative Legal Services Directorate who are assigned the secretarial services of the Commission is not shorter than the working time of the Commission (from 9:00 a.m. until 5:30 p.m.), and the duration and reporting procedure of the said working time is determined by a separate act of the Chairperson of the Commission.
Article 91. (1) The Chairperson and the members of the Commission may receive supplementary remunerations in accordance with the requirements of the Labour Code and the acts of secondary legislation for the application thereof.
(2) The employees of the CPDP administration working under a civil-service relationship and an employment relationship may receive regular and occasional supplementary remunerations in accordance with the requirements of the Ordinance on the Salaries of State Administration Employees, adopted by Council of Ministers Decree No. 129 of 2012 (State Gazette No. 49 of 2012), and the internal wage rules for the employees of the CPDP.
Article 92. The Chairperson and the members of the Commission receive a supplementary remuneration calculated as a percentage of basic salary as follows:
1. where cleared for access to information classified as “Top Secret”: 15 per cent;
2. where cleared for access to information classified as “Secret”: 10 per cent;
3. where cleared for access to information classified as “Confidential”: 5 per cent.
Article 93. (1) The individual amount of the funds which are paid for presentable clothing to the Chairperson and the members of the Commission according to Article 13 (3) of the PDPA is fixed by a decision of the Commission. An order of the Chairperson is issued on the payment of the funds fixed for the members of the Commission, and an order of a member designated by the Commission is issued on the funds to be paid to the Chairperson.
(2) The individual amount of the funds which are paid for presentable clothing to the administration employees of the CPDP working under an employment relationship according to Article 13 (3) of the PDPA is fixed by an order of the Chairperson and may not exceed the value of the presentable clothing of civil servants determined according to Item 2 of Article 28 (1) of the Ordinance on the Official Status of Civil Servants, adopted by Council of Ministers Decree No. 34 of 2000 (State Gazette No. 34 of 2010).
(3) Where the persons referred to in Paragraphs (1) and (2) enter employment during the calendar year, the said persons are paid funds for presentable clothing in proportion to the months remaining until the end of the said year. Upon termination of the relationships, the persons refund the funds received for presentable clothing in proportion to the months not worked during the year.
Article 94. The time during which the Chairperson, the members of the Commission and the Secretary General receive visitors is made public in a designated place in the building of the administration.
Article 95. (1) In contacts with outsiders and institutions, as well as where necessary, the employees of the Commission identify themselves by producing a service card which contains: name, position, photograph, place of work, issue date, card number, signature of the Chairperson of the Commission and seal.
(2) Service cards are reissued upon intervening changes in the particulars therein and are surrendered by the employees upon termination of the civil-service or employment relationships thereof.
Supplementary Provisions
§ 1. These Rules were adopted on the basis of Article 9 (2) of the Personal Data Protection Act (promulgated in the State Gazette No. 1 of 2002; amended in Nos. 70 and 93 of 2004, Nos. 43 and 103 of 2005, Nos. 30 and 91 of 2006, No. 57 of 2007, No. 42 of 2009, Nos. 94 and 97 of 2010, Nos. 39, 81 and 105 of 2011; amended and supplemented in No. 15 of 2013; supplemented in No. 81 of 2016; amended in No. 85 of 2017; supplemented in No. 103 of 2017; amended in No. 7 of 2018; amended and supplemented in No. 17 of 2019) by a decision of the Commission for Personal Data Protection of 19 July 2019 and shall enter into force as from the date of the promulgation thereof in the State Gazette.
§ 2. These Rules supersede the Rules on the Activity of the Commission for Personal Data Protection and its Administration (promulgated in the State Gazette No. 11 of 2009; amended in No. 21 of 2011; amended and supplemented in Nos. 12 and 20 of 2012, No. 46 of 2014; amended in No. 10 of 2016).
§ 3. The Rules for amending the Rules on the Activity of the Commission for Personal Data Protection and its Administration were adopted by a decision of the Commission for Personal Data Protection of 13 April 2022 and shall enter into force as from the date of the promulgation thereof in the State Gazette.
Annex to Article 15 (6)
№ | Staff Size in the CPDP Organisational Structure and Administrative Units | |
 | Total staff size, of which: | 87 |
1. | Elective positions | 5 |
1.1. | Chairperson | 1 |
1.2. | Member of the Commission | 4 |
2. | Secretary General | 1 |
3. | Financial Controller | 1 |
4. | General administration, of which: | 23 |
4.1. | Resource Management and Administrative Legal Services Directorate | 23 |
5. | Specialised administration, of which: | 57 |
5.1. | Legal Affairs and International Cooperation Directorate | 14 |
5.2. | Legal Proceedings and Supervision Directorate | 29 |
5.3. | Legal Analysis, Information and Control Directorate | 14 |