Amendments to the Rules of Procedure of the Commission for Personal Data Protection and its Administration
The new Rules of Procedure of the Commission for Personal Data Protection and its Administration, promulgated in State Gazette, issue 60 as of June 30, 2019, entered into force on June 30, 2019 (the “New Rules”) repealed the current Rules of Procedure of the Commission for Personal Data Protection and its Administration, promulgated in State Gazette, issue 11 as of February 10, 2009, entered into force on February 10, 2009 (the “Repealed Rules”). A number of changes were introduced with the New Rules that became necessary due to the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). The main changes are related to the following:
I. Competences of the Commission for Personal Data Protection (the “Commission”)
- The proceedings regarding the registration and deletion of controllers are no longer applicable;
- The Commission’s activity is focused on:
- adoption of standard contractual clauses under Art. 28, paragraph 8 of the GDPR;
- drawing up and maintenance of a list in accordance with the requirements for data protection impact assessment;
- delivering opinions in relation to data processing operations regarding requests for consultation;
- encouraging preparation of codes of conduct;
- encouraging establishment of certification mechanisms and data protection seals and marks;
- approval of binding corporate rules.
II. Registers kept by the Commission
The requirement for keeping a register of the controllers is no longer applicable. However, the Commission is required to keep the following registers:
1. Public registers of:
- data controllers and processors which have designated data protection officers;
- codes of conduct;
- certification bodies accredited under Article 14 of the Personal Data Protection Act.
2. Non-public registers of:
- infringements of the personal data protection legislation and the measures taken in accordance with the exercise of the Commission’s competences as a supervisory authority;
- notifications of personal data breaches;
- the received records from the undertakings providing electronic communication services for the destroyed data under Арt. 251g, paragraph 1 of the Electronic Communications Act.
III. Structure of the Commission
Functional changes in the activity of the Commission’s administration are introduced.
IV. Proceedings before the Commission
New proceedings have been implemented in relation to:
- applying the measures under Art. 58, paragraph 2 of the GDPR (related to issuing of warnings, reprimands to controllers/ processors; imposing limitations, bans on data processing and others related to the protection of personal data);
- adoption of standard contractual clauses;
- examination of proceedings under Chapter V of the GDPR (transfers of personal data to third countries or international organizations);
- carrying out of prior consultations;
- examining notifications of personal data breaches;
- approval, amendment or supplementation of codes of conduct;
- accreditation and withdrawal of accreditation of bodies monitoring the approved codes of conduct;
- accreditation and withdrawal of accreditation of certification bodies;
The proceedings before the Commission are initiated upon written or oral request of an individual or a legal entity or at the initiative of the Commission. The written requests shall be submitted to the Commission’s office by letter, fax or electronic means. The official of the Commission shall prepare a protocol for the oral request and the latter shall be signed by this official and the person who made the oral request. The request shall be registered with the Commission’s registry.
The request shall contain not only information about the person who made the request, but also the nature of the request, other information provided for by law, date and signature, the date on which the infringement became known, provided that the request is related to an infringement, and a specification of the person against whom the request is made.
The scope of the requests not being examined by the Commission is broadened: anonymous requests and requests lacking the required information to be provided by law. This also applies for the alerts introduced with the New Rules, together with a corresponding definition for alert: a notification request regarding infringements of the GDPR and the Personal Data Protection Act without prejudice to any rights of the person who made the request.
V. Adoption of standard contractual clauses regarding transfer of personal data to third countries or international organizations (Chapter V of the GDPR)
The New Rules implemented a relatively complicated procedure for adoption of standard contractual clauses as follows:
- The Commission at its own initiative adopts standard contractual clauses for data protection.
- After the draft of the standard contractual clauses is approved by the Commission with a resolution, the latter is sent to the European Data Protection Board for an opinion.
- Upon receipt of the opinion and within one month the Legal and Regulatory and International Affairs Directorate reflects it in the draft of the standard contractual clauses. The Commission then approves the draft and the latter is sent to the European Commission for approval.
- After the draft of the standard contractual clauses is approved by the European Commission and within one month the Legal and Regulatory and International Affairs Directorate prepares a report with the attached contractual clauses. The report is then sent to the Commission with recommendation for adoption of the standard contractual clauses.
- The Commission adopts the standard contractual clauses and publishes them on its website.
VI. Review of notifications for personal data protection breaches
Upon receipt of a notification for a breach, the latter is allocated to the Legal-analytical, Information and Control Activity Directorate that registers the notification with the register of notifications of personal data breaches. The Directorate analyses the received information within two weeks and as a result of the analysis drafts a report to the Commission recommending: (i) acceptance of the breach notification in case of a low level risk to the rights and freedoms of individuals; (ii) carrying out documentary checks in case of a medium-level risk to the rights and freedoms of individuals; (iii) performing on-site checks in case of a high level risk to the rights and freedoms of individuals. The Commission may adopt a resolution for carrying out an on-site inspection regardless of the risk level.
VII. Training in the field of personal data protection
Trainings are carried out based on a submitted to the Commission request or at the Commission’s own initiative. The training is conducted on the basis of standardized and approved by the Commission thematic content. The Commission adopts an annual training plan. The annual plan necessarily includes some administrators and processors (for instance those whose main activity is of high public and social importance). The training is conducted by the members of the Commission or its employees, but it can be carried out by external experts appointed by a resolution of the Commission. The training ends with an exam and a certificate evidencing that the exam is successfully passed.
For more information, please refer to:
Legal Disclaimer: The material contained in this newsletter is provided for general information purposes only and does not contain a comprehensive analysis of each item described. Before taking (or not taking) any action readers should seek professional advice specific to their situation. No liability is accepted for acts or omissions taken in reliance upon the contents of this alert.