
Controller-Processor relationship in public sector (Bulgaria)


With the entry into force of Regulation (EU) 2016/679 (the “General Data Protection Regulation”) on 25th May 2018, the matter of harmonization with the current EU legal framework appeared on the agenda in Bulgaria. The need for harmonization with the EU legal framework was further reinforced by Directive 2016/680 on data protection in the field of criminal investigations and other related activities. As of today, a Bill for amendment and supplementation to the Bulgarian Personal Data Protection Act (“Draft Bill”) has been submitted to the Bulgarian National Assembly and is to be discussed and voted on by the competent parliamentary committees. Although the Draft Bill has not yet been passed, this article outlines the main features that are to be expected.

What’s new?

The approach of the Bulgarian Draft Bill is to regulate the matters that are not regulated by the GDPR and that require additional development at a local level. Hence, the general requirements for the controller-processor agreement would still apply as required by the GDPR.

The Draft Bill provides specific regulation on data processing agreements for public authorities with regard to criminal investigations and other related activities. This specific regulation is being adopted as per the requirements of Directive 2016/680. The Draft Bill introduces new data-related terminology: where data controllers are also public authorities, they are called “Competent authority-Controller”.

Which are the main criteria for Competent authority-Controller when choosing processors? 

The need for the Competent authority-Controller to evaluate the processor prior to appointment remains in place. Namely, the controller may assign processing of personal data only to processors who provide sufficient guarantees that they will apply appropriate technical and organizational measures for the protection of the personal data. Taking into account the sensitivity and social importance of the type of data processed in criminal investigations and other related activities, it may be reasonably considered that such processors shall comply with a higher level of security standards.

How will Competent authority-Controllers appoint processors?

Processing of personal data by the processor is to be governed by a contract or other legal act under European Union law or Bulgarian legislation. In order to ease the signing process and to optimize timing, the Draft Bill foresees an option for the controller-processor agreement to be signed in electronic form. The Draft Bill does not specify the type of certificate that would be required for validly signing the controller-processor agreement where the parties have chosen electronic form. Thus, it may be reasonably concluded that the rules of eIDAS would apply.

Is there mandatory content of controller-processor agreements in the public sector?

The mandatory requirements for controller-processor agreements in the public sector cover the general requirements set out by the GDPR. The controller-processor agreement shall specify that the processor is to act only on the instructions of the controller, that the persons authorized to process personal data have committed to confidentiality, that certain safeguards with regard to automated processing have been observed, etc.

The controller-processor relationship in the public sector also implies a high level of trust and cooperation between both parties. This would apply to requests from the Competent authority-Controller to the processor to delete certain data or to dispose of the data permanently, as well as to breach notification, which should be made by the processor in a timely manner and without unnecessary delay.

In other words

The Draft Bill recognizes that controller-processor relationships in the public and private sectors have their similarities. However, the legislation to be adopted also reflects the specifics and social importance of data being processed in the public sector, such as in criminal investigations and other related activities, thus stressing that specific regulation would be required in these cases.


Article provided by: Mario Arabistanov, Christian Nemtsov & Mitko Karuskov (Kambourov & Partners)
