Since 2022 the Bulgarian DPA has adopted and started to implement a specific methodology for cases where it receives notifications of data breaches. This methodology includes collecting information regarding the data breach (via the notification and via additional sets of questions), assessing the level of risk of the data breach based on specific criteria adopted by the Bulgarian DPA, and conducting additional audits/inspections based on the determined level of risk.
The level of risk can be low, medium or high. However, it is important to note that the thresholds for determining medium or even high risk are very low and thus, even in cases where small amounts of data or a limited number of data subjects are affected, the DPA may still treat the data breach as presenting a “medium” or “high” level of risk.
In this respect, upon submitting a notification of a data breach, a data controller may expect to receive approximately 2 consecutive requests for additional information from the DPA. At a “medium” level of risk, the data controller can expect a document-based inspection/audit to be performed together with the second set of questions. This is carried out via a thorough questionnaire (of approx. 70 questions) which covers all personal data processing activities of the data controller, not only those affected by the data breach. Along with this questionnaire and the questions related to the data breach, the DPA usually requires the “full” set of the controller's documentation related to its data protection compliance (such as privacy notices, consent forms, policies and procedures, etc.). The questionnaire covers all the key aspects of the performed activities, such as categories of data subjects, categories of data, involved data processors, recipients of personal data, retention periods, legal grounds for the performed processing activities, topics related to the performed data transfers, and very thorough sections dedicated to the technical and organizational measures applied for the security and protection of the data.
Usually, 7 calendar days are granted for responding to the questions and the questionnaire. In addition, all documents presented to the DPA need to be in Bulgarian or accompanied by a Bulgarian translation.
If the DPA determines that the data breach is of a “high” level of risk, an on-premises inspection could also be performed.
The above-described practice currently seems to be established as a standard procedure for the DPA and concerns all controllers with activities in Bulgaria.
Article provided by INPLP member: Desilava Krusteva (Dimitrov, Petrov & Co, Bulgaria)
Dr. Tobias Höllwarth (Managing Director INPLP)