The majority of the specific additional requirements concern compliance with core GDPR requirements and data processing for employment purposes
May 2018 – The Bulgarian government has announced a set of specific requirements relating to the processing of personal data that it plans to introduce to national legislation in addition to the requirements under the EU General Data Protection Regulation (the “GDPR”). Such specific requirements (commonly known as “derogations”) are allowed by the GDPR in certain areas, such as employment, the role of data protection officers, and data protection impact assessments, as long as they introduce more detailed or tailored rules on data processing without deviating from the letter or spirit of the GDPR.
Bulgaria apparently plans to take advantage of this possibility under the GDPR to introduce, among others, specific requirements with respect to:
– Employers may not make and keep on file copies of employees’ personal identification documents unless explicitly required by law.
– Employers must adopt a set of internal policies regulating whistleblowing systems, acceptable/restricted use of internal resources (e.g. IT systems, devices and equipment, etc.), and systems for monitoring access to work premises, working hours and work order. These policies must be tailored to the essence and specificities of the employer’s activities and not merely boilerplate documents.
– If employers collect and process data that is not directly related to and necessary for the employment relationship, they must seek the employee’s consent for this additional data processing. Businesses should take care not to over-rely on such consent, as under the GDPR it would be considered invalid if not freely given, which is often the case in an employer-employee relationship.
The proposed additional requirements are currently subject to public consultations. Interested third parties may submit their views on the feasibility of the above additional requirements by 30 May 2018 via the portal for public consultations of the Council of Ministers of the Republic of Bulgaria. Kinstellar would be pleased to assist you/your company further, should you consider taking part in the public consultations.
For any questions and further assistance with data protection matters, please contact Dessislava Fessenko, Of Counsel, at .