What’s new?
The Bulgarian Draft Bill takes the approach of regulating only those matters that the GDPR leaves open and that require further development at national level. Hence, the general requirements for controller-processor agreements continue to apply as set out in the GDPR (Article 28).
The Draft Bill provides specific rules on data processing agreements for public authorities processing personal data for the purposes of criminal investigations and related activities. These rules transpose the requirements of Directive (EU) 2016/680 (the Law Enforcement Directive). The Draft Bill also introduces new terminology: where the data controller is a public authority acting for these purposes, it is called a “Competent authority-Controller”.
What are the main criteria for a Competent authority-Controller when choosing processors?
The requirement for the Competent authority-Controller to evaluate a processor before appointing it remains in place. Namely, the controller may assign the processing of personal data only to processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures to protect the personal data. Given the sensitivity and social importance of the data processed in criminal investigations and related activities, it may reasonably be expected that such processors will have to meet a higher standard of security than processors in the private sector.
How will Competent authority-Controllers appoint processors?
Processing of personal data by the processor is to be governed by a contract or other legal act under European Union law or Bulgarian legislation. To simplify the signing process and save time, the Draft Bill provides an option for the controller-processor agreement to be signed in electronic form. The Draft Bill does not specify the type of certificate that would be required to validly sign the controller-processor agreement where the parties choose the electronic form. It may therefore reasonably be concluded that the rules of eIDAS (Regulation (EU) No 910/2014) would apply. Under eIDAS only a qualified electronic signature has the equivalent legal effect of a handwritten signature, so parties choosing the electronic form would need to decide which signature level to use.
Is there mandatory content for controller-processor agreements in the public sector?
The mandatory requirements for controller-processor agreements in the public sector cover the general requirements set out by the GDPR. The controller-processor agreement shall specify that the processor acts only on the instructions of the controller, that the persons authorised to process the personal data have committed themselves to confidentiality, that the required safeguards for automated processing have been observed, and so on.
The controller-processor relationship in the public sector also implies a high level of trust and cooperation between the two parties. This covers, for example, requests from the Competent authority-Controller to the processor to delete certain data or to dispose of it permanently, as well as breach notification, which the processor must carry out in a timely manner and without undue delay.
In other words
The Draft Bill recognises that the controller-processor relationships in the public and private sectors have much in common. However, the legislation to be adopted also reflects the particular nature and social importance of the data processed in the public sector, such as in criminal investigations and related activities, and therefore stresses that specific regulation is required in these cases.
Article provided by: Mario Arabistanov, Christian Nemtsov & Mitko Karuskov (Kambourov & Partners)