On 30 January 2013, the Commission for Personal Data Protection adopted new Ordinance on the minimal level of technical and organizational measures and the admissible type of personal data protection. It was published in State Gazette on 12 February 2013 and entered into force three days after its promulgation. This Ordinance repeals Ordinance № 1 of 7 February 2007 (SG 25/23 March 2007).
The Ordinance aims at ensuring adequate personal data protection level in the maintained personal data registers depending on the data nature and the number of individuals concerned in case of violation of the data protection. The main personal data protection purposes are defined- confidentiality, integrity and availability and are determined the personal data protection types. In order to determine the adequate level of technical and organizational measures and the admissible type of protection, the controllers are obliged to periodically carry out an impact assessment on the processed personal data. As a result will be determined the impact level and its corresponding protection level. The access to data will be applied on the “need to know” basis. For every protection level are defined the necessary technical and organizational measures to be undertaken by the personal data controllers.
Within 6 months after the Ordinance entry into force, the controller is obliged to determine the impact level of the registers processed by it.
For the currently maintained personal data registers, until entering into force of the new Ordinance, are set the following deadlines for implementation of the protection measures as from the determination of impact level:
– for low level- within six months;
– for medium level- within nine months;
– for high and extremely high level- within an year.
The Ordinance № 1 on the minimal level of technical and organizational measures and the admissible type of personal data protection is issued on the ground of Art. 23 (5) of the Law for Protection of Personal Data and is in force as from 15 February 2013.
