Foreword
The Strategy of the Commission for Personal Data Protection for Development in the Area of Personal Data Protection takes into account the strengths of the more than ten years of experience amassed by the Commission, the weaknesses in the application of the regulatory framework in the area of personal data protection so far, the opportunities for a further sustained development of the Commission’s practice, as well as the threats concomitant with personal data processing and protection. The Strategy complies with the requirements of the Personal Data Protection Act, as well as with the new EU legislation in this area: Regulation (EU) No 2016/679, Directive (EU) 2016/680, and Directive (EU) 2016/681.
The Commission for the Protection of Personal Data developed the present Strategy in accordance with the National Development Programme: Bulgaria 2020 and taking note of the Strategy for Development of the State Administration (2014 – 2020). The CPDP seeks to build citizens’ confidence in the protection of their personal data as a fundamental right of all Europeans.
Introduction
Globalisation, which extends to all spheres of public life, leads, among other things, to a globalisation of the threats and challenges facing personal data protection. This calls for a coordinated response from all stakeholders which, in turn, gives rise to a need to apply uniform standards and modes of action. In its operation, the Commission for Personal Data Protection relies on two established European principles. One such principle is impartiality: the Commission works independently and objectively, seeking to balance the disparate conflicting interests, within the bounds of legality. Besides this, the CPDP applies the principle of transparency in its work, communicating its activity to the public in easily comprehensible language. All this is done respecting stakeholders’ legitimate interests and in search of pragmatic solutions to the benefit of citizens and business.
The digital revolution poses a major challenge to personal data protection at the beginning of the 21st century. As a data protection supervisor, the Commission endeavours to safeguard the public interest. This task involves various challenges which should be addressed systematically. To this end, the Commission will seek partnership with similar authorities, representatives of the public and private sector, as well as civil society.
Fulfilling its obligations, the Commission endeavours to keep abreast as much as possible of the new challenges, not to pose difficulties to innovation and business, and to harmonise proactively data protection legislation and policies at the national and European level.
The strategic document sets out performance evaluation means and indicators, which are to be detailed in an Action Plan. The specific steps leading to the desired results are listed in the CPDP annual plans for activity and discharge of leaders’ and employees’ duties.
Essentially, the CPDP Strategy is conceived as an open document that can respond adequately to changing social relations arising from the emerging global threats and the rapid advances in the communications and high-technology sector.
The Strategy contains a performance monitoring and evaluation mechanism. An interim evaluation and analysis of the implementation are envisaged. The purpose of this mechanism is to initiate corrective action so that the expected results and the CPDP strategic objective can be achieved as effectively as possible.
The availability of a strategic document enables a sustainable development in the area of personal data protection. The Strategy underlies the Commission’s long-term operation. Considering the rapidly changing new trends in the area of personal data protection, the Strategy (Horizon 2022) lays down a mechanism for a review of the Commission’s tactical and short-term actions to serve as a basis for the development of a follow-up strategy by the next complement of the CPDP.
1. Mission and vision
The mission is to guarantee the fundamental civil right to protection of natural persons’ rights with regard to processing of their personal data.
Vision: the CPDP seeks to build and develop a public environment in which the integrity of the individual and citizens’ privacy are guaranteed through a system of prevention, accountability and control measures against the wrongful processing of personal data.
2. Analysis of the state of play in the sector
Strategic planning requires an analysis of the results achieved so far and of the state of play in the personal data protection sector. Since its establishment the Commission for Personal Data Protection has achieved significant results by building its own administrative capacity and shaping a personal data protection system which functions within the territory of Bulgaria. Current global and European trends confront the Commission, in its supervisory role, with serious challenges in connection with the fulfilment of its obligations, but also provide fresh opportunities for coping with the new difficulties.
2.1. Results achieved so far
· A legal framework of primary and secondary legislation has been created and has taken shape. The personal data protection system has evolved in regulatory terms, ushered in by the adoption of the Personal Data Protection Act in 2002. In the ensuing years, the CPDP was actively involved in the follow-up development and shaping of that system, both through legislation amending and supplementing the PDPA and through the adoption of Ordinance No 1 on the minimum level of technical and organisational measures and the admissible type of personal data protection and by consulting a number of statutory instruments relevant to personal data protection.
· Administrative capacity has been built, and a functioning institution has been set up with a full complement of effective human resources. During the 14 years of its existence, the CPDP has succeeded in recruiting, training and specialising a large number of personal data protection experts. Substantial experience has also been amassed over that period as a result of the thoroughgoing work on various privacy cases.
· Mechanisms for work and interaction have been created and have taken hold. The Commission adopted Rules on its activity, which are supplemented and updated when necessary in line with the experience of the institution.
· Public recognisability has been achieved. During the 15 years of its operation, the CPDP has established itself as a recognisable institution for citizens and data controllers. This is evidenced by the steady increase in the number of complaints and alerts submitted to the CPDP by citizens and the number of consultations and other administrative services requested.
· A high level of inter-institutional cooperation has been achieved. Through its participation in a number of inter-institutional formats and working groups, the CPDP succeeded in building a steady network of partners (at the national and international level).
· Public awareness has been raised (through awareness campaigns, international conferences, training delivery and media activity). The Commission constantly seeks to ensure publicity and openness to its activity in connection with the protection of natural persons’ personal data. As a means to this end, the CPDP has carried out a large number of information and awareness-raising campaigns on various subjects and occasions.
2.2. SWOT analysis
2.2.1 Strengths
· National legal framework on personal data protection in place;
· Ample practice built up in prevention (unification of practice in personal data protection by expressing opinions and delivering trainings) and supervision (running checks, examining complaints and imposing administrative sanctions);
· Good internal organisational structure of the administration and trained professional staff;
· Administrative services provided by the CPDP as part of the e-governance of the Republic of Bulgaria;
· The CPDP has become recognisable as a national supervisory authority in the Republic of Bulgaria.
2.2.2 Weaknesses
· Limited financial resources (budget and salaries);
· Small staff size and high rate of labour turnover;
· Insufficient number of IT experts in the CPDP administration who are narrowly specialised in the field of personal data protection;
· Insufficient foreign-language proficiency of the administration;
· Lack of local divisions;
· Remoteness from the central administration bodies and inadequate transport arrangements.
2.2.3 Opportunities
· Forthcoming modernisation of the national legal framework, which will make it possible to remedy the weaknesses committed so far;
· Standardising good practices in the separate areas and activities of the Commission;
· Setting up a national training centre in personal data protection;
· Broadening opportunities for external financing;
· Steady improvement and enhancement of the level of satisfaction of citizens, organisations and partners with the services provided;
· Building a system for obtaining regular feedback from a large number of stakeholders;
· Deepening and broadening cooperation with the non-governmental sector and the academic community;
· Enhanced participation in initiatives, forums and entities at the EU level and internationally.
2.2.4 Threats
· Underrating by the public of the threats and risks inherent in personal data protection;
· Underfunding in the medium term;
· Legal uncertainty resulting from delayed legislative revisions in the area of personal data protection;
· New threats to the integrity of the individual and personal data emerging as a result of information technology advances;
· Risk of difficulties or impossibility to perform functions and tasks in case of a persistent trend of labour turnover of highly skilled staff.
3. Strategic objectives for the 2017 – 2022 period:
· System implemented for the prevention and containment of the unlawful forms of personal data processing and violation of natural persons’ rights;
· Supervision mechanism effectively applied;
· Comprehensive system in place for training in personal data protection, public awareness raising events and initiatives;
· Sustainable administrative services provided to citizens and data controllers;
· Proactive approach applied to international cooperation;
· System of initiatives in place for upgrading the professional qualification of the CPDP and its administration;
· Advanced openness and transparency processes.
4. CPDP targeted policies
For the attainment of its strategic objectives, the Commission has developed and endorsed a set of policies which comply with European standards and good practices. The policies are also consistent with the relevant strategic documents at the national level.
European coherence policy
The development of the personal data protection system in Bulgaria is inextricably linked to the development of the sector in the world and above all in Europe. The ground-laying frameworks and regulations are drafted at the European Union level and are implemented only later at the national level by the competent supervisory authorities. This requires adequate actions to align and harmonise the application of these rules at the national level. Besides this, the General Data Protection Regulation establishes a fundamentally new environment for interaction among the supervisory authorities within the EU. After the Regulation starts to apply in May 2018, they will be required not simply to exchange information but to work actively together in order to solve the problems of data controllers and data subjects in Europe. In this connection, the European coherence policy is a mandatory element of the CPDP’s strategy with a view to complying with the requirements of the Regulation and asserting the leading positions of the Bulgarian supervisory authority in the European data protection architecture.
The European coherence policy also concerns the international formats of data protection, which provide a solid platform for the exchange of ideas and good practices in line with the latest trends. This requires an active approach to participation in international meetings of data protection authorities because Bulgarian citizens’ rights and interests can best be protected in this way and the CPDP itself would be enabled to share in current developments in the sector.
In order to approach international cooperation proactively and to fulfil its obligations adequately, the CPDP will continue to actively render assistance in the drawing up of guidelines and opinions at the European level, to actively share information with similar authorities, and to actively exercise its new powers related to the conduct of joint operations. Preparing and shaping an administrative capacity for holding successfully the Bulgarian Presidency of the EU Council is an essential part of the implementation of this policy. It involves a series of trainings and initiatives for the staff of the Commission.
The European coherence policy specifically targets the Commission and its international partners and is used as a tool for influencing personal data regulation and coordination processes at the highest possible level.
Quality management policy
This policy seeks to match an effective and efficient utilisation of the CPDP’s resources with the objectives and obligations set to the institution while its operation steadily improves. This policy directly contributes to ensuring the training of the CPDP team necessary for the Bulgarian Presidency of the Council of the European Union. Last but not least, in its operation the Commission constantly interacts with the rest of the actors in the personal data protection system (data subjects and data controllers), whose level of satisfaction directly depends on the quality of the administrative services offered by the CPDP.
The quality management policy seeks to unleash the full potential of the CPDP staff. The adoption of clear and sound operating rules ensures security of career growth and sets explicit conditions for both career development and fostering professional skills and competences. The policy reflects an aspiration to achieve maximum quality, up to European and world standards.
Prevention policy
Prevention is one of the key policies through which the CPDP seeks to improve the level of personal data protection. Judging from experience, preventive action is far more effective in reducing breaches than any other measures. Besides this, prevention saves time, human and financial resources and helps increase the level of personal data and privacy protection. It is particularly effective in forestalling breaches in the area of personal data protection that are committed out of ignorance (target group: data controllers).
Prevention is pursued mainly through delivery of training and raising awareness of personal data protection, as well as issuing directions addressed at data controllers. One of the most significant and large-scale measures through which this policy is to be implemented is the setting up of a national training centre providing the best possible conditions for the training and certification of data protection officers and data controllers in Bulgaria. The measures implementing this policy also include deepening interaction with all stakeholders among data controllers, as well as an overall assertion of the CPDP’s recognisability, in order to improve understanding of the issues related to personal data protection.
Prevention is among the most comprehensive and large-scale policies that the CPDP has opted to implement. Since it seeks to exert overall influence on the personal data protection sector, it targets all actors in that sector (controllers, processors, subjects, and even the Commission itself).
Control and accountability policy
The principal powers of the Commission for Personal Data Protection include supervision of compliance with the Personal Data Protection Act. The Commission is empowered to conduct checks and impose administrative sanctions. In line with the latest trends in the area of personal data protection, the Commission also relies on the accountability principle which, in most general terms, represents a set of approved measures and procedures that data controllers are expected to follow for the purpose of achieving transparency and accessibility of the data processing process.
Regulation (EU) 2016/679 broadens and aligns the supervisory powers of personal data protection supervisory authorities. Apart from the traditional and ramified activity of exercising control through checks of controllers and processors, particular attention in the implementation of this policy will be paid to the processes of certification of data controllers’ processing operations, as well as to the introduction of the institution of the data protection officer.
The control and accountability policy is one of the key policies targeting data controllers.
Partnership policy
In its activity, the Commission seeks to build stable partner relations with citizens, the business community, government institutions, the non-governmental sector and international partners in the area of data protection. Deepening cooperation with similar authorities at the international level, as well as with all stakeholders at the national level, is one of the principal objectives of the CPDP that would lead to uniform operating processes in the area of personal data protection (target group: similar authorities and stakeholders). Worthwhile opportunities for the pursuit of this policy can be found in the CPDP’s regulatory, project and international interaction with the rest of the entities concerned with the protection of the integrity of the individual and personal data.
The partnership policy is inseparable from the trends in the personal data protection sector. In a world of global threats and challenges, interacting with partners is a must. The CPDP has built a network of partners at the national and European level, and an expansion and further development of this network is part of the Commission’s strategy.
Publicity and inclusion policy
Personal data and privacy protection is one of the modern trends in civil rights protection. A comprehensive awareness of citizens and businesses of the mechanisms and modalities for personal data protection is essential for the achievement of successful prevention. In accordance with the objectives of the Strategy for Development of the State Administration (2014 – 2020), the CPDP is taking consistent measures for the creation of conditions for maximum visibility to the public of the mechanisms and outcomes of the institution’s operation. The process of openness enlists all stakeholders in the making of important decisions with regard to personal data protection.
The implementation of a publicity and inclusion policy targets above all citizens and the business community. Adhering to the principles of effective and efficient spending of budget resources, the CPDP is planning to use a variety of channels for raising public awareness.
Accessibility policy
This policy consists in easing as much as possible citizens’ access to the administrative services provided by the CPDP. Accessibility facilitates the implementation of some of the Commission’s principal policies, including control, prevention and partnership. The accessibility policy will help the CPDP fulfil adequately its main obligations to ensure natural persons’ protection.
The policy includes ensuring access to standardised forms for communication and interaction with the institution, clear guidelines to natural persons about the way they can exercise their rights, as well as a straightforward and accessible complaint procedure, always at the disposal of natural persons in whose opinion data controllers have not fulfilled their obligations. The bulk of the measures that will be implemented within the framework of this policy concern the application of the e-government concepts and the open data approach.
Monitoring policy
By implementing a monitoring policy, the Commission seeks to influence the regulatory environment at the national level, for the purpose of preventing the violation of natural persons’ rights and ensuring their adequate protection.
The policy includes monitoring the development and revisions of the national legal framework with a view to bringing it into conformity with personal data protection principles (target group: bodies of state power concerned with the relevant part of the legal framework that is revised), as well as sharing in the drafting and mandatory giving of opinions on proposals for instruments of primary and secondary legislation related to personal data protection. The drafts of statutory instruments must be subjected to impact assessment in accordance with the Manual for Preparation of an Impact Assessment by the Council of Ministers.
The monitoring policy targets the participants in rulemaking in Bulgaria and requires close cooperation with them.
Sustainable-development and management-of-change policy
Considering the fact that the dramatic advances in information technology create a fundamentally new environment for the existence of the personal data protection process, trends need to be monitored and the institution’s operating process and functioning have to keep abreast of the new social and technological developments so as to take on the challenges as they arise. In order to reaffirm and build on previous achievements, the Commission implements a policy of sustainable development and management of change.
This policy simultaneously seeks key partnerships to diversify the Commission’s financing, internal rules for the suppression of corrupt practices, and improved mechanisms and technologies for keeping stakeholders informed of the CPDP’s operation.
5. Resourcing
To be successfully implemented, the Strategy needs to be adequately resourced. Since the Strategy is inextricably linked to the performance of the CPDP’s functions, the Commission will invest all its available human and financial resources in its implementation.
Human resources
Translating the strategy into reality is a responsibility of the Commission for Personal Data Protection and its administration. The entire CPDP staff will contribute to its successful implementation. Specific administrative units will be designated to implement the policies as outlined and carry out the actions as planned, and they will have to put them into practice.
Financial resources
The Strategy will be implemented using the national financial resources allocated in the Commission’s budget, as well as project-based external financing.
6. Action plan and implementation of the Strategy
The Strategy will be implemented by the CPDP and its administration, and, to this end, the present plan specifies actions and officials responsible for their execution (Annex 1). On the basis of the strategic objectives set out in the present document, annually, by 31 December, the administrative units will draw up proposals for a work plan for the following calendar year. The annual work plan proposals will be reported by the Secretary General at a CPDP meeting. When the individual work plans of the administration employees are drawn up, account will be taken of the strategic objectives and specific targets set in the annual work plans of the administrative units.
Strategy implementation monitoring team
The current implementation of the Strategy will be monitored by the Planning, Training and Project Management Department at the Legal Affairs, International Cooperation, Planning and Training Directorate under the guidance of the CPDP Secretary General. Annually, by 15 June, the responsible persons will submit information to the Planning, Training and Project Management Department on the current execution of the measures and activities by means of specific indicators, according to Annex 1.
The Department, under the guidance of the Secretary General, will be tasked with measuring progress under the indicators and watching for deviations from the Strategy, and it will report back to the Commission on an annual basis (by 30 November of the current year). Information on progress in the implementation of the Strategy will be included in the CPDP’s annual activity reports.
Reviewing and updating the Strategy
The Strategy is subject to updating on a proposal by the monitoring team, responding to intervening changes that may be triggered by external factors (changes in government policy, revisions of the legal framework at the European and national level) and internal factors (modifications in the CPDP resourcing, reassessment of the objectives set) by March of each year.
Control over the implementation of the Strategy will be exercised by the CPDP.
15.05.2017