The Bulgarian Personal Data Protection Commission (PDPC) has adopted a list of personal data processing operations for which a controller or processor under Chapter Eight of the Bulgarian Personal Data Protection Act (PDPA) should conduct a mandatory preliminary consultation with the PDPC. Chapter Eight of the PDPA transposes certain provisions of Directive (EU) 2016/680, among which are the requirements of Art. 28 of the Directive. The list was adopted by the PDPC on the basis of Art. 65, para. 3 of the PDPA, which transposes Art. 28, para. 3 of the Directive. The list is non-exhaustive and can be updated if necessary, under the procedure by which it was adopted.
Based on this list, the processing operations that require mandatory prior consultation with the PDPC before they begin are as follows:
- Regular and systematic processing of location data with technical means in order to control compliance with restrictive measures under Art. 58 of the Criminal Procedure Code.
- Large-scale processing of personal data of children for the purposes of prevention, investigation or disclosure of anti-social acts or crimes committed by or against minors, incl. for the purposes of applying educational measures or punishments.
- Large-scale processing of special categories of personal data, when it is related to automated decision-making, incl. for the purpose of performing a criminological analysis.
- Carrying out systematic large-scale monitoring of publicly accessible areas, when this is related to automated decision-making, incl. facial recognition.
- Carrying out data migration from existing to new technologies when it is related to large-scale data processing.
The PDPC considers all of the above-listed processing operations likely to pose a high risk to the rights and freedoms of data subjects.
The adopted list is applicable to processing operations performed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. It also provides an indication of the types of processing activities which the PDPC may consider to pose a high risk to the rights and freedoms of data subjects. Thus, even where the controller does not fall within the scope of the Directive and is instead obliged to comply with the GDPR, if it plans to perform processing operations that are included in the list above or are similar to a listed operation, this could be an indication that it is appropriate for such a controller to perform at least a data protection impact assessment under Art. 35 GDPR.
Article provided by INPLP member: Desislava Krusteva (Dimitrov, Petrov & Co., Bulgaria)
Dr. Tobias Höllwarth (Managing Director INPLP)