GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E

Presentation transcript:

GDPR – Legal Aspects
Desislava Krusteva, Attorney-at-Law, CIPP/E
Law firm Dimitrov, Petrov & Co., Partner
Law and Internet Foundation, Senior Legal Expert
Sofia, November 20, 2017

The Reform in the EU
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation; GDPR)

General Data Protection Regulation

Personal Data - Definition
What constitutes personal data?
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Art. 4(1) of the Regulation

Personal Data - Assessment
- Any information – What is information?
- Relating to – When is the information relating to a natural person? (content, purpose, impact…)
- Identified or identifiable natural person – What is identity? When can someone be identified? (directly or indirectly)
- Natural person – What is a natural person?

What is New in the New Legal Framework?
The fines to be imposed under the Regulation: effective, proportionate and dissuasive
“Infringements … shall, … be subject to administrative fines up to 20 000 000 EUR, OR in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

What is New in the New Legal Framework?
- Parallel with the concept of “undertaking” in competition law, yet not the same
- Goal – „piercing of the corporate veil“ or „extension of the enforcement of the Regulation beyond the EU borders“
- It is possible to provide rules on other penalties at the national level for violations which are not subject to specific penalties in the Regulation.

Controller
Determines the purposes and means of the processing of the personal data
- Purposes: Why do we process the data? What do we need the data for?
- Means: How do we process the data? In which way? What kind of data do we process? For what period of time are we going to process the data? Where are we going to process the data? Where are we going to store the data? Who is going to process the data?
A person who determines the purposes and means of the processing of personal data is a CONTROLLER

Do we use data processors?
- Accountancy services
- Cloud services and infrastructure
- Data & call centers
- Colocations
- IT & Maintenance
- Others
Group of undertakings / Group of companies:
- Relations Controller – Controller
- Relations Controller – Processor

Legal obligations and responsibilities for the data processors
- Contract between the controller and the processor (written)
- Reassigning of the processing activity to another processor only after prior written specific or general consent / approval by the controller
- Must inform the controller of any planned change concerning the reassignment
- Must process data only upon documented assignment by the controller
- Obligation of confidentiality of their personnel
- Must immediately inform the controller if, in its opinion, an instruction infringes any applicable provisions
- Must maintain a register of all categories of data processing activities carried out on behalf of the controller

Principles, related to data protection
Principles, related to the processing of personal data
- Purpose Limitation
- Storage Limitation
- Lawful, Fair and Transparent
- Data Minimisation
- Accuracy
- Integrity and Confidentiality (Measures for Protection)
- ACCOUNTABILITY

ACCOUNTABILITY
The controller must be able to demonstrate compliance with the requirements laid down in Article 5 (1) of the Regulation
- Plan / Analysis
- Register of the processing activities (written)
- Written form (declarations, contracts, etc.)

Fundamental Rights of Data Subjects
- Right to information (extended) – Principle of transparency
- Right to access (extended)
- Right of rectification
- Right to erasure (right „to be forgotten“)
- Right to restriction of processing
- Notification of any rectification, erasure or restriction of the processing of personal data
- Right of data portability
- Right to object
- Right not to be subject to a decision which produces legal effects concerning him or her or significantly affects him or her and which is based solely on automated processing of data, including profiling

Security of Personal Data
- Appropriate technical and organisational measures
- Ensuring an adequate level of protection
- Confidentiality
- Integrity
- Availability
- Sustainability of systems

Security Breach
- Immediate notification of the CPDP
- Notification of the data subjects, if there are specific risks to their rights and freedoms

?