

New Ordinance on Measures for Protection of Personal Data

 


Pursuant to the new Ordinance of the Personal Data Protection Commission on the minimum level of technical and organizational measures and the admissible level of personal data protection (the "Ordinance"), effective as of 15 February 2013, each data controller shall determine a level of impact on the personal data registers kept by it and a corresponding level of personal data protection. The levels of impact/protection can be: "extremely high", "high", "medium" or "low".

The level of impact shall depend on the nature of the processed personal data (determined on the basis of the criteria of confidentiality, integrity and availability) and the number of individuals who will be affected in the case of illegal processing of personal data. The impact assessment shall be carried out periodically, while the initial impact assessment is to be completed by 15 August 2013.

The level of protection is defined by a number of particular technical and organizational measures for personal data protection corresponding to the respective impact level. The data controller must have implemented in practice the measures included in the relevant level of protection within specified deadlines, which vary from 6 months (for a low level of protection) to 1 year (for a high or extremely high level of protection), starting from the determination of the level of impact.

Data controllers will also have to amend their instructions (policies) for personal data protection accordingly to meet the new requirements of the Ordinance.

Fines for non-compliance with the new rules can reach BGN 5,000 (EUR 2,557).
 
