» Rules on the activity of the commission for personal data protection and its administration
Rules on the activity of the commission for personal data protection and its administration
On the activity of the Commission for Personal Data Protection and its administration
(Promulgated, SG No. 11 / 10 February 2009, amend.SG No.21/15 March 2011, amend. and suppl. SG No.12/10 February 2012, amend. and suppl.SG No.20/09 March 2012)
Article 1 (1) With these rules are regulated the structure, functions and organization of the work of the Commission for Personal Data Protection, called the “Commission”, and of its administration.
(2) These rules stipulate the procedures before the Commission according to the Law for Protection of Personal Data (LPPD).
Article 2 The activity of the Commission is executed in conformity with the principles of legitimacy, hierarchy by the application of the legal acts, good will, justice, solidarity, search for the objective truth, the ex officio principle, independency and impartial judgment, publicity, rapidity and procedures economy, succession and predictability, equality of the parties in the procedures.
Structure and competency of the commission
Article 3. (1) The Commission is independent state body, performing the protection of individuals by the processing of their personal data and by the access to these data, as well as the control on the observance of the LPPD.
(2) The Commission is budget-supported legal entity, first-level spender of budget credits, with main office in Sofia.
(3) The Commission has its reserved mark, plaquette and medal.
Article 4. (1) The Commission is collective body consisting of a Chairman and four members.
(2) By the execution of its functions the Commission is supported by the administration.
(3) The Commission could recruit independent experts, interpreters and other specialists.
Competency of the Commission
Article 5. (1) (amend. SG No.12/2012) The Commission performs uniform state policy in the personal data protection area, as it:
1. performs protection of the individuals’ rights by the processing of their data and the access to their personal data;
2. executes complete control on the observance of the legal acts in the personal data protection sphere;
3. participates in the preparation and mandatory gives opinions on draft-laws and secondary legal acts personal data protection field;
4. (amend. SG No.12/2012) issues secondary legal acts in the personal data protection field;
5. (new- SG No.12/2012) issues general and specific administrative acts following its competences, in cases, foreseen in law;
6. (prev. p.4, amend. SG No. 12/2012) issues decisions, rules, methodical instructions and other in accordance with the LPPD application if this stems from special law;
7. (prev. p.5- SG No. 12/2012) ensures the implementation and application of the European Commission’s personal data protection acts in the national legislation;
8. (prev. p.6- SG No. 12/2012) adopts strategy and annual programs for the development of the personal data protection activities;
9. (prev. p.7- SG No. 12/2012) expresses opinions and gives permissions in the cases, set in law;
10. (prev. p.8- SG No. 12/2012) maintains register of the personal data controllers and of the registers kept by them;
11. (prev. p.9- SG No.12/2012) handles complaints against acts and actions of controllers and third parties with which are violated the individuals’ rights under the LPPD;
12. (prev. p.10- SG No. 12/2012) performs inspections of the personal data controllers in accordance with its activity under the law;
13. (prev. p.11- SG No.12/2012) issues compulsory instructions to the controllers in connection with the personal data protection;
14. (prev. p.12- SG No.12/2012) imposes temporary prohibition to controllers for processing personal data;
15. (prev. p.13- SG No.12/2012) imposes administrative penalties under Chapter Eight of the LPPD;
16. (prev. p.14- SG No.12/2012) issues bulletin in which it publishes information on its activity and the decisions taken;
17. (prev. p.15- SG No.12/2012) keeps registers of the complaints submitted to it, the executed checks, the issued compulsory instructions, penalty decrees and permissions;
18. (new- SG No.12/2012) organizes, holds and executes the whole coordination and control on the personal data controllers’ training in the personal data protection field;
19. (prev. p.16- SG No.12/2012) holds seminars, conferences and other events with personal data controllers and individuals;
20. (prev. p.17- SG No.12/2012) interacts with another state bodies, with the bodies of the local self-governance, as well as with non-profit legal entities by the performance of its activity;
21. (prev. p.18- SG No.12/2012) executes the international cooperation of the Republic of Bulgaria with the supervisory authorities of the European Union Member-States, as well as with third countries in personal data protection sphere;
22. (new- SG No.12/2012) participates in the work of the international organization on personal data protection issues as well as in negotiations and the conclusion of international contracts related to personal data protection.
(2) (amend. SG No.12/2012) the Commission pronounces on all issues of its competency the Commission with the relevant act, which is adopted with decision.
Chairman and members
Article 6. (1) The Chairman executes the complete management of the Commission as he/she:
1. represents the Commission;
2. is in charge for the Commission’s budget as first-level spender of budget credits;
3. organizes the activity on the preparation of draft secondary acts on the application of the LPPD;
4. makes official announcements in front of the media on behalf of the Commission;
5. issues penal decrees in accordance with the Law for Administrative Violations and Penalties (LAVP);
6. establishes, after a decision of the Commission, internal acts, concerning the Commission’s functioning and its administration;
7. (amend. SG No.12/2012) approves internal rules for CPDP’s officials’ salaries in accordance with the requirements of the Civil Servant Act and the secondary implementing acts;
8. (amend. SG No.12/2012) approves the officials and nominal schedule;
9. (amend. SG No.12/2012) appoints and releases official under labour and civil servants contracts;
10. enters and terminates civil contracts with external experts recruited by the Commission;
11. establishes the job characteristics of the Secretary General;
12. creates, transforms and closes departments and sectors after the Commission’s decision;
13. commissions on business travels members of the Commission and employees from the administration in the country and abroad;
(2) (new- SG No.21/2011, suppl.- SG No.12/2012) By the exercising of his/her competences the Chairman of the Commission for Personal Data Protection travels in the country and abroad without the issuing of commission order. In these cases, the Secretary General of the Commission for Personal Data Protection prepares memory note which include all requisites of the commission’s order and report.
(3) (prev. para.2- SG No.21/2011) In the case the Chairman is absent, his/her functions under paragraph 1 are performed by member of the Commission appointed with order of the Chairman in accordance with the Commission’s decision.
(4) (new- SG No.12/2012) The Secretary General prepares memory note for the holiday leave of the Chairman of the Commission for Personal Data Protection, which includes all requisites of the order for permitting the relevant type of leave.
(5) (prev. para.3- SG No.21/2011, prev. para. 4- SG No.12/2012) With order of the Chairman could be settled other issues concerning the organization of the Commission’s administration work.
Article 7. The members of the Commission:
1. are of equal status and they perform their functions according to the LPPD;
2. (amend. SG No.12/2012) they exercise the powers of the Chairman in accordance with article 6 para.3;
3. they perform other activities after the Commission’s decision.
Organization of the Commission’s work
Article 8 (1) The Commission reviews and resolves issues of its competence at open meetings.
(2) Individual meetings could be closed according to the Commission’s decision.
(3) Regular meetings of the Commission are held at least twice a month, and the date and start time are defined with Commission’s decision.
(4) Special meetings could be summoned by the Chairman or upon the request of at least two members of the Commission who suggest the agenda for their organization. The rest of the Commission’s members are notified about the time and the agenda by the Secretary General.
(5) The agenda and the documents suggested for discussion are presented to the attention of the Commission at least two days before the meeting.
(6) The Commission’s meetings are held if at least three members are present.
(7) The Commission takes decisions after open vote with a majority of three votes. The Commission’s members could not abstain from voting.
(8) In the case, that at a meeting of the Commission could not be achieved decision-making majority, the issue is put at voting on the next meeting.
(9) After the meeting is closed a memory note is prepared containing the agenda and the disposition of the made decisions. The note is signed by the Chairman and all the members who have participated in the meeting.
Article 9. The Chairman or Commission’s member is obliged to struck off the list when he or she is directly interested in the outcome of the procedures that were started before the Commission.
Article 10 (1) The Commission’s meetings are presided by the Chairman.
(2) The absence of the Chairman or a member of the Commission at regular meetings is permissible in the case that he/she is:
1. on a business travel;
2. on legally established leave;
3. performs another urgent ex officio work for which the Chairman and the rest of the members of the Commission have been informed.
Article 11. (1) For every Commission’s meeting are maintained minutes that are signed by the Chairman, all the members that participated in the meeting and by shorthand record keeper.
(2) In the minutes mandatory is entered the date, place and type of the meeting, the attending members of the Commission and employees of the administration, the present interested parties, the accepted agenda, the statements made on it and the decisions taken.
(3) (amend.- SG No.12/2012, amend.- SG No.20/2012) The minutes of the Commission’s meeting is prepared not later than three days after the holding of the meeting.
(4) The Chairman or member of the Commission who does not agree with a decision, signs it with reserves.
Article 12. Commission’s decision could be taken without attendance if the Chairman and members of the Commission agree with the decision and sign it.
Article 13. (1) By the exercising of its powers the Commission interacts with state bodies, non-governmental organizations as well as national or foreign institutions.
(2) The activity under paragraph 1 includes participating in working groups meetings, organizing consultations, executing joint inspections and projects, preparing draft legal acts, coordination of positions with third parties in international organizations in the personal data protection field etc.
(3) By the interaction with other bodies and organizations, the Commission could conclude agreements on cooperation and mutual assistance.
Article 14. (1) The administration supports the Commission by the performance of its competences.
(2) According to the distribution of the activities that it performs, the administration is general and specialized.
(3) (amend. SG No.20/2012) The general administration is organized in Resources Management and Administrative Servicing Directorate.
(4) The specialized administration is organized into 3 Directorates:
1. (amend. SG No.12/2012) Legal Affairs, Training and International Cooperation Directorate;
2. Legal Procedure and Supervision Directorate;
3. Informational Funds and Systems Directorate.
(5) In the Directorates could be established departments and sectors.
(6) (amend.- SG No.12/2012) The total number of the administration, including the members of the Commission, is 87 pay-roll employees, distributed in the units in accordance with the appendix.
Article 15. The functional relations in the administration are defined with internal act of the Commission.
Article 16. (1) (amend.- SG No.12/2012) The official under labour and civil servants contracts in the administration perform the tasks assigned to them in accurate manner, in good will and impartially in conformity with their obligations set in the job characteristics, the provisions of these rules and the internal acts.
(2) The people under paragraph 1 when occupying their position sign a declaration in accordance with article 13, paragraph 2 of the LPPD.
Article 17. The officials of the Commission’s administration could execute ex officio contacts with employees of other administrations in connection with the performance of their tasks.
Article 18. (1) The Secretary General performs the general management of the administration as he/she:
1. is in charge of the execution of the assigned tasks stemming from the decisions of the Commission and the orders of the Chairman;
2. provides assistance to the Chairman and the members of the Commission by the performance of their powers;
3. organizes the Commission’s work;
4. organizes the execution of the Commission’s decisions and the control over their performance;
5. coordinates the tasks distribution between the administrative units and controls the observance of the deadlines for their execution;
6. organizes and is in charge of the preparation of draft internal acts of the Commission;
7. coordinates and controls the activities concerning the training and raising the qualification of the employees;
8. approves the job characteristics of the employees;
9. organizes, coordinates and controls the activities on attesting the state officials from the administration;
10. organizes the meetings and prepares draft agenda for the regular meetings.
11. performs other tasks assigned by the Commission and the Chairman.
Financial controller, internal auditor, information security officer
Article 19. (1) The financial controller is appointed according the Law for Financial Management and Control in the Public Sector and is directly subordinated to the Chairman of the Commission;
(2) The financial controller:
1. executes his activity in conformity with the Directions for execution of preliminary control, issued by the Ministry of Finance, on the application of the Law for Financial Management and Control in the Public Sector and the accepted internal rules on the financial management and control in the Commission for Personal Data Protection;
2. executes preliminary control on the legitimacy of the undertaken obligations and the expenditures incurred by the Commission.
Article 20. (1) The internal auditor is directly subordinated to the Chairman of the Commission and performs internal audit according to the Law for Internal Audit in the Public Sector.
(2) The internal auditor performs his activity on all structures, programmes, activities and procedures in the Commission and its administration in conformity with article 13 of the Law for Internal Audit in the Public Sector.
(3) The internal auditor reports directly to the Chairman of the Commission.
Article 21. (1) The information security officer could be the Chairman of the Commission or officer appointed by the Chairman of the Commission.
(2) The information security officer performs its functions stemming from the Law for Protection of the Classified Information and the Regulation for the application of the Law for Protection of Classified Information.
Article 22. (1) Directorates are managed by director who:
1. creates conditions for lawful and effective work of the officials in the directorate;
2. allocates the tasks to departments and sectors in accordance with their nature and specifics, and proposes to the Secretary General or the Chairman of the Commission measures for improvement of the work organization in the directorate;
3. is in charge of the professional qualification of the officials in the directorate and undertakes measures on raising it;
4. makes well-grounded proposals to the Chairman for creating and reducing structural units, as well as for opening and closing of pay-roll positions in the directorate;
5. coordinates all documents from the directorate;
6. prepares three-months reports and annual report on the directorates’ activity;
7. coordinates the job characteristics of the directorate’s officials;
8. (amend.- SG No.12/2012) executes attestation in accordance with the Ordinance on the terms and conditions for attesting the officials in the state administration and makes suggestions on raising people’s rank and position or setting disciplinary penalties under the Labour Code and the Civil Servant Act.
9. coordinates the schedule on holiday leaves of the officials in the directorate;
10. performs other activities assigned by the Commission, the Chairman or the Secretary General;
(2) The departments are managed by head of department and he/she:
1. organizes, coordinates and controls the work of the officials in the department;
2. coordinates all documents from the department;
3. coordinates the job characteristics of the department’s officials;
4. distributes the tasks between the officials of the department, defines the deadlines for their performance;
5. prepares monthly report on the activity of the department and presents it to his direct manager;
6. performs other activities assigned to him by the direct manager;
(3) The sectors are managed by the chief sector and he/she:
1. organizes, coordinates and controls the work of the officials in the sector;
2. distributes the tasks between the officials in the sector and controls their performance;
3. performs other activities assigned to him by the direct manager.
Article 23 (amend. SG No.12/2012) Resources Management and Administrative Servicing Directorate:
1. organizes and performs financial-accounting activities of the Commission in conformity with the requirements of the Accountancy Law, the account plan of the budget enterprises, accounting standards and directions;
2. prepares and gives reason for draft annual budget and organizes the development of three year budget forecast;
3. prepares monthly allocation of the established annual budget in accordance with the economic elements of the Uniform Budget Classification;
4. organizes, prepares and presents monthly request for limit of the Commission’s payments in accordance with the Law for the State Budget of the Republic of Bulgaria for the corresponding year;
5. monitors the effective spending of the budget funding according to the released limits by observing the financial discipline;
6. suggests and prepares correction of the Commission’s annual budget;
7. summarizes the data and prepares monthly, quarterly and annual accounts for the cash execution of the Commission’s budget;
8. executes the accounting reporting following the legal requirements and guidance and draws up primary and secondary accounting documents and notes them in timely manner in the accounting registers; prepares monthly and annual turnover registers;
9. prepares the Commission’s annual financial report;
10. applies the system for double signing when it comes to undertaking the obligations and expenditures incurring;
11. stores the accounting documents in accordance with the requirements of the Accountancy Law and the internal rules and instructions;
12. supports the Chairman on the human resources management;
13. prepares and updates the positions and namely schedule of the Commission and its administration;
14. supports the drawing up of job characteristics with regard to the methodology, organization and technical actions;
15. prepares, updates and stores the servants and labour records of the officials of the administration;
16. organizes and is in charge for the preparation of the acts in connection with the occurrence, amendment and termination of the civil servants and labour contracts;
17. prepares and sends in the statutory term the notifications to the territorial department of the National Revenues Agency on the occurrence, amendment and termination of the legal relations with the officials of the Commission;
18. plans and supports the organization on the training of the officials for raising their qualification and career development;
19. prepares statistical inquiries on the salary and the movement of human resources in the Commission, prepares all certifying documents of the officials in connection with the civil servants and labour contracts;
20. organizes the management and the exploitation of the buildings;
21. prepares draft documents on the assignation of public tenders, participates in the performance of the procedures and organizes the activity on the preparation and storage of the concluded public tenders records.
22. executes the legal representation on lawsuits, connected civil servants and labour contracts, management of the proprietorship of the Commission and under the Law for Public Tenders and provides information to the Commission on their movement;
23. prepares draft ordinances for the execution of the orders of the Chairman of the Commission;
24. participates in the preparation and conclusion of contracts under which the Commission is party;
25. organizes and maintains the secretary activity according to the effective legislation and the internal acts;
26. organizes and ensures the archive of the Commission;
27. organizes and executes the movement of the correspondence that contains classified information and its archiving;
28. ensures and prepares the technical materials for the Commission’s meetings and the adopted acts;
29. ensures the connections of the Commission with the media after preliminary coordination with the Chairman of the Commission;
30. organizes briefings, press conferences, meetings and seminars;
31. analyzes the publications in the media about the Commission’s activity and informs on daily basis the Chairman and the members of the Commission;
32. organizes the translations of materials about the Commission’s activity;
33. executes the protocol activity of the Commission and its administration in the country and abroad and ensures the entire logistics on the organization of seminars, work meetings and other events;
34. ensures the transportation servicing of the Commission and its administration, as well as the exploitation, repair works and maintenance of the auto-transportation technics in the Commission;
35. organizes and controls the security and the checkpoint regime in the Commission’s building;
36. ensures the defence-mobilizing preparation in the Commission;
37. ensures the preparation and the actions of the Commission in extraordinary cases, natural disasters, emergences and crises.
Article 24 (repealed – SG No. 12/2012)
Article 25 (amend.- SG No. 12/2012) Legal Affairs, Training and International Cooperation Directorate:
1. performs legal consultations and gives opinions on the implementation of the personal data protection legislation, applicable in the country European Union and third countries;
2. participates in the preparation or individually prepares drafts legal acts, internal acts and documents;
3. performs legal analysis, prepares opinions and positions of the Commission on personal data protection matters, including on draft legal acts, third party inquiries on the LPPD’s implementation and requests under Chapter Sixth of the LPPD;
4. supports the Commission by the handling of individuals’ requests concerning their personal data protection rights;
5. performs legal representation before court on complaints against Commission’s acts under art.35, with which is concluded the procedure under art.28, para.1, p.3 and 5 and submits current information to the Commission on the development of the court cases on these procedures;
6. participates in the preparation and organization of the negotiations for concluding bi- and multilateral agreements in the personal data protection field;
7. analyses the results of the application of legal acts and international contracts in the personal data protection sphere and gives opinions on the necessity of undertaking the relevant national measures;
8. organizes, coordinates and executes the training in the personal data protection field;
9. coordinates and participates in the international activity of the Commission;
10. supports the Commission in its contacts and cooperation with the national and international institutions on personal data protection matters as well as by the exchange of information in connection with exercising of obligations under international contract to which the Republic of Bulgaria is party;
11. analyses the experience and work of the international organizations and institutions and the foreign legislation, executes research work on issues of international nature and maintains library of the acts and the court practice connected with the activity of the directorate;
12. participates in the preparation of proposals for participation in projects and programmes with national and international funding, research, preparation and coordination of the project documentation following the established procedures; executes cooperation by the monitoring of the programmes;
Article 26. (amend.- SG No.12/2012) Legal Procedures and Supervision Directorate:
1. analyses the received complaints and prepares motivated legal opinions on the admissibility and justification;
2. prepares motivated draft opinions;
3. executes the control activity of the Commission, foreseen in law or stemming from international contract to which the Republic of Bulgaria is party, including the personal data processing in the national Schengen Information System;
4. executes the procedure representation on complaints against penal decrees and acts of the Commission under art.35 with which are concluded the procedures under art.28, para.1, p.1,5 and 6;
5. submits current information to the Commission on the development of the court cases under p.4;
6. prepares opinions, reports, statements of findings, statements on ascertainment of administrative violations, draft compulsory instructions and of penalty decrees as well as proposals for imposing temporary prohibition for personal data processing;
7. prepares and proposes for approval by the Commission of methodologies for the application of the LPPD and the rules by the execution of the legal procedures and supervision;
8. analyses and summarizes the Commission’s practice and gives opinions on the general state of the personal data protection system in the area of the legal procedures and supervision;
9. maintains registers of the received complaints, the prepared statements of findings, statements on ascertainment of administrative violations, the issued penalty decrees and compulsory instructions;
10. enforces in accordance with the procedure set in the Tax-Insurance Procedure Code the entered into force decisions of the Commission and the issued penalty decrees imposing propriety sanctions and fines;
11. participates in working groups, expert councils and other events of the Commission.
Article 27. Informational Funds and Systems Directorate:
1. creates and organizes the maintenance of the register of the personal data controllers and the registers kept by them;
2. prepares justified opinions on received documents of the directorate competency;
3. prepares justified opinions on entering, refusal for entering in the register under point 1, as well as, on releasing from the obligation for registration of personal data controllers;
4. (suppl.- SG No.12/2012) executes the activity of the Commission in accordance with article 28, paragraph 1, point 2 and 7;
5. maintains the notifications under article 25, paragraph 1, point 2 and the decisions under article 25, paragraph 4 of LPPD.
6. creates and maintains the integrated communication-informational system of the Commission
7. executes the automated data exchange with national and international informational systems;
8. maintains and updates the webpage of the Commission;
9. prepares for publishing the bulletin of the Commission in which is published information on its activity and the decisions made;
10. analyses and applies state-of-art informational and communicational technologies;
11. maintains Centre for Information and Contacts of the Commission;
12. analyzes the received inquiries and presents before the Commission monthly report with summaries and suggestions on the current practice of the Centre for Information and Contacts.
Procedures BEFORE Commission
Article 28 (1) Before the Commission are developed the following procedures:
1. complaints handling;
2. personal data controllers’ registration;
3. issuing permissions;
4. issuing opinions;
5. issuing compulsory instructions;
6. setting temporary prohibitions for personal data processing;
7. (new- SG No.12/2012) deletion of personal data controllers
(2) The Commission could execute other procedures when this is stipulated in law.
Article 29. (1) The procedures before the Commission start by oral or written request from individual or legal entity or at the Commission’s initiative.
(2) The written requests are submitted in the Secretariat of the Commission with attached letter, via fax or email following the procedure set in the Law for the Electronic Document and Electronic Signature.
(3) For the oral requests is prepared record of proceedings in accordance with article 29, paragraph 5 of the Administrative-Procedure Code, as it is signed by the person submitting the request and the official of the Commission, who has prepared it and is entered in the Secretariat.
Article 30.(1) The request should contain:
1. data about the requesting party: full name, address, contact telephone, email (if applicable);
2. the nature of the request;
3. other information or documents when it is stipulated by law or in these rules;
4. date and signature.
(2) In the case, the written request is inaccurate the person submitting it should be notified to remove them in 3-day term from the receiving of the notification.
(3) In the case, that the inaccuracies are not removed in the deadline stipulated in paragraph 2, the procedure is terminated.
Article 31. (1) Anonymous requests are not to be reviewed by the Commission.
(2) The Commission could refer to itself and/or notify the relevant institutions in the cases in which the anonymous request contains information on violation of significant public interest.
Article 32. The received requests are distributed to the particular competent directorate.
Article 33. In the cases in which the submitted request is of the competency of another body, the commission forwards the request according to the competency and notifies the requesting party.
Article 34. For starting the procedure, aside from the requesting party are notified the known interested parties.
Article 35. (amend.- SG No.12/2012) The procedures before the Commission are concluded with the issuing of an act under art.5, para.2.
Handling complaints submitted by individuals
Article 36. (1) The complaint is a request with which is sought protection against violations of the rights of the requesting party under the LPPD.
(2) In the cases, in which the request does not contain data on violated rights of the requesting party, could be undertaken activity under article 10, paragraph 1, point 3, point 5, point 6 and article 43 of the LPPD.
(3) In the cases under paragraph 2, the Commission informs the requesting party on the results of the undertaken activities in one-month term from the receipt of the request.
Article 37. (amend.- SG No.12/2012) (1) A request received under article 36, para.1 is distributed to Legal Procedures and Supervision Directorate, which presents opinion on the request’s admissibility or regularity.
(2) When the request under article 36, para.1 is received via e-mail without electronic signature, the requesting party is notified for the requirements under art.30 following the manner of the submitted request.
(3) A request which doesn’t contain data for violation of the requesting party rights but statements for violation of the Law for Protection of Personal Data by the personal data controller is forwarded to Legal Procedures and Supervision Directorate for exercising the activity under art.26, p.3.
Article 38. (amend.- SG No.12/2012) (1) The Commission pronounces with decision on the request’s regularity and admissibility under art.36, para.1 at a closed meeting.
(2) With the decision under para.1, the Commission could assign the execution of a inspection, the collecting of evidences or the requesting of opinions by third parties.
(3) On admissible complaint are established the parties and is defined date for reviewing the content of the complaint.
Article 39. (1) The Commission reviews the content of the complaint at an open meeting and it notifies for this the parties and the interested individuals.
(2) The Commission pronounces with decision on the content of the request in 30 days from the receiving of the complaint.
(3) Copy of the decision is sent to the parties and the interested individuals.
Article 40. The collecting of evidence, appointment of experts, representation, summoning and other activities on the procedure set in this section are executed in accordance with the Administrative-Procedure Code rules.
Article 41. In the handling of complaint procedure the parties could conclude agreement following the rules set in article 20 of the Administrative-Procedure Code.
Personal data controllers’ registration
Article 42. (1) The Commission maintains register of the personal data controllers and the personal data registers kept by them.
(2) The register under paragraph 1 is maintained in electronic version.
(3) The entering, notes and deletions in the register under paragraph 1 are executed by Informational Funds and Systems Directorate.
(4) The Commission defines the technical and organizational measures for the protection of the data in the register under paragraph 1.
Article 43. (1) In the register under article 42, paragraph 1 are entered the data under article 18, paragraph 2 of the LPPD, in conformity with the applications approved by the Commission for personal data controllers’ registration.
(2) Every controller is entered in individual batch of the register with its own unique identification number.
Article 44. (1) Every change that has occurred in the circumstances under article 18, paragraph 2, article 25, paragraph 3, paragraph 4 and paragraph 5 of the LPPD should be noted in the register.
(2) In the case, information from the register is deleted are noted the reason and the date of deletion.
(3) Errors are remedied ex officio or upon request of the controller and this action is note in the controller’s batch;
(4) (amend. SG No.12/2012) The official who has performed the actions in the register is obliged to identify him/herself in the application under article 18 of LPPD;
(5) Every note in the batch of personal data controller is performed in a way that does not influence the already entered circumstances.
Article 45. (1) The provision of information from the register is executed on the grounds of submitted written request to Informational Funds and Systems Directorate.
(2) The information is submitted up to three days from its requesting.
Article 46. (1) The Commission could release from the obligation for registration the personal data controller which is in line with at least one of the following criteria:
1. when the controller processes personal data with the individual’s consent for a period not longer than six months;
2. when the data are processed in public registers on the grounds of laws ensuring the order for access and the protection measures;
3. when the controller processes data connected to labour or membership relations and the number of people whose data are processed, is not more than 15.
(2) The release from the registration obligation is performed on the personal data controller request, submitted in the form approved by the Commission.
(3) In the cases under paragraph 2, the Commission pronounces with decision after justified opinion from Informational Funds and Systems Directorate, but not later than 14 days from receiving the request.
(4) (repealed – SG No.12/2012).
(5) The release from the registration obligation does not exclude those controllers from the control of Commission on the LPPD.
Article 46a (new- SG No.12/2012) The registration application and the request for release from the registration obligation are submitted by the controller or authorized by it person with letter of attorney, attested by notary.
Procedures under article 25 of LPPD
Article 47 (1) The procedure before the Commission start with notification by the controller under article 25, paragraph 1, point 2 and article 25, paragraph 3 of the LPPD submitted following the rules set in Chapter Fourth, Section І.
(2) The notification should be justified and contain:
1. data of the submitting party: full name, address, contact telephone number, identification number under BULSTAT, email (if applicable);
2. data of the controller to which the data will be transferred: name, address, contact telephone number, identification number under BULSTAT, email (if applicable);
3. proof that the data processing purposes of the submitting party coincide with those of the receiving party;
4. legal grounds for the data transfer.
Article 48. (1) When receiving the notification under article 25, paragraph 3 of the LPPD could be performed check up to two weeks from receiving the notification.
(2) In the cases, in which from the collected proof or the performed check is established that the controller hasn’t ensured adequate protection of the processed data as anonymous, the Commission pronounces with decision in 7 days after the expiring of the term under paragraph 1 with which is prohibited data storage for the purposes under article 25, paragraph 4 of the LPPD.
Article 49. (1) The notifications under article 25, paragraph 1, point 2 and the decisions under article 25, paragraph 4 of the LPPD are submitted in Informational Funds and Systems Directorate for storing and maintaining the information in updated state.
(2) The decisions under article 25, paragraph 4 of LPPD are published in the information bulletin of the Commission.
Issuing permissions under article 36a – 36b of LPPD
Article 50. (amend.- SG No.12/2012) (1) The requests under article 36a, paragraph 7 and article 36b, paragraph 1 of LPPD are submitted in the Commission in accordance with rules set in Chapter Fourth, Section І and are forwarded to Legal Affairs, Training and International Cooperation Directorate.
(2) To its request the controller should also provide:
1. information about:
a) nature of the submitted data;
b) data processing period;
c) purpose for the submission of personal data.
2. information about the personal data receiver.
3. proof connected with the specific request.
(3) In the case, in the request are noted irregularities or the provided evidences and information are not enough, the controller is granted with the opportunity, in 3 days from the notification, to add the relevant information and evidences to its request. If the instructions are not followed, the procedure is terminated.
Article 51. (amend. SG No.12/2012) (1) In cases under art.36a, para.3 of LPPD, the Commission performs assessment on the personal data protection level in the third country in accordance with the following criteria:
1. nature of the submitted data;
2. data processing period;
3. purpose for the submission of personal data;
4. personal data processing actions and all the circumstances connected with them;
5. the third country legislation concerning the personal data provision;
6. the technical and organization measures foreseen in the third country.
(2) If the Commission establishes that there isn’t adequate personal data protection level in the third country, it informs the European Commission and the competent authorities of the other Member States.
Article 52. (amend. SG No.12/2012) (1) In cases under art.36a, para.7 and art.36b, para.1 of the LPPD, aside for the requirements under art.51, para.1, p.1-4 and p.6, the Commission monitors also for:
1. the existence of condition for admissibility of the personal data provision by the controller, which submits the data;
2. the data processing principles under art. 2, para.2 of LPPD;
3. the notification of the individuals, whose data will be provided, about the submission purposes, the categories of data to be provided and the receiver of data in the third country;
4. the notification of individuals, whose data will be provided, about the right of access to their personal data and the right to request correction or deletion of the submitted data.
5. the accountability in case of unlawful personal data processing in third country and the foreseen possibility for compensation for damages suffered by the individual as result from this processing.
Article 53. (amend. SG No.12/2012) (1) In one-month period from the reception of the request under article 36a, para.7 or 36b, para. 1 of LPPD or after the controller has provided the information and proof for the requested permission, the Legal Affairs, Training and International Cooperation Directorate presents justified opinion before the Commission about:
1. in cases under art.36a, para.7- execution of inspection of the controller, collection of additional evidences, issuing of permission or denial of the permission for personal data transfer;
2. in cases under 36b, para.1- analysis of the protection measures for the submitted personal data, undertaken by the controller, providing the data and the controller, which receives them.
(2) The Commission pronounces with decision with which it permits or denies the third country personal data transfer.
(3) In 7-day period from the adoption of the decision under art.1, p.2, the Commission notifies the European Commission and the competent authorities of the other Member States on the decision taken.
Article 53a (New- SG 12/2012) The Commission shall not pronounce with decision and the controller may submit personal data to third country when decision of the European Commission exists, ruling that:
1. the third country where the personal data are transferred provides an adequate protection level, or
2. certain standard contractual clauses provide an adequate protection level.
Article 53b (New- SG 12/2012) In all cases of third countries personal data transfer, the controller declares the data submission in the CPDP’s register, set under Art. 42, para.1.
Issuing of opinions
Article 54. The Commission issues opinions:
1. on drafts legal acts where the LPPD is applied.
2. on requests by individuals and legal entities, state authorities and organizations.
Article 55. (amend. SG No.12/2012) When request for opinion under art.54 is received the Legal Affairs, Training and International Cooperation Directorate prepares and presents to the Commission draft opinion after the request has been analyzed.
Setting temporary prohibitions for the personal data processing
Article 56. (1) Temporary prohibition for personal data processing is set with Commission’s decision when by the personal data processing are violated the personal data protection provisions
(2) Temporary prohibition for personal data processing could be set also in the case of non-compliance with compulsory instruction issued to the controller or non-compliance with article 23, paragraph 1, 2 and 3 or with article 24, paragraph 2 of LPPD.
(3) In the cases under paragraph 2 the temporary prohibition is set on the grounds of a statement of findings.
Article 57. The procedure on setting temporary prohibition for the personal data processing is initiated after justified proposal by the Legal Procedures and Supervision Directorate or at the Commission’s initiative.
Article 58. (1) The temporary prohibition for the personal data processing is mandatory for the controller.
(2) The controller of personal data to which the temporary prohibition for personal data processing is set, notifies the Commission in the case the grounds for temporary prohibition become obsolete and attaches the necessary evidences.
(3) The Commission pronounces with decision on the received notification under paragraph 2 after hearing the justified opinion of the Legal Procedures and Supervision Directorate.
(4) The Commission could repeal the set temporary prohibition for the personal data processing or in justified manner to deny the controller request.
Issuing of compulsory instructions
Article 59. (1) The Commission takes decision to issue compulsory instructions to the personal data controllers in connection with the personal data protection.
(2) The compulsory instructions are subject to immediate execution.
Article 60. (1) The compulsory instructions are issued in the cases of:
1. handling complaints against the personal data controller;
2. performed ex-ante inspection under article 17b of LPPD;
3. execution of the Commission’s control activity;
4. issuing permissions.
(2) The order for issuing compulsory instruction follows the rules of the corresponding procedure under paragraph 1 and/or the terms and the order foreseen in the instruction under article 12, paragraph 9 of LPPD.
Article 61. The personal data controller, to which compulsory instruction was issued, informs the Commission on its execution via submitting information and evidences
Article 62. The Directorate which follows the procedure under article 60, paragraph 1 or exercises the Commission’s control activity, presents justified opinion about the execution of the compulsory instruction with which it could propose the performance of inspection
Article 63. In the case of non-compliance with the issued compulsory instruction, the Commission could impose an administrative penalty in accordance with Chapter Eight of the LPPD.
Deletion of personal data controllers
Article 63a. (new- SG No.12/2012) (1) The procedure on personal data controllers’ deletion is started on the grounds of request submitted by the personal data controller or at the Commission’s initiative.
(2) The request for personal data controller deletion, submitted in the approved form, is received following the rules set in Chapter Fourth, Section I.
(3) In addition to the request the controller should submit:
1. information about the legal ground for the controller deletion from the register under art.42, para.1;
2. evidences about the execution of the obligation to destroy the personal data processed until that moment, resp. their provision to other controller on the ground of art.25, para.1 of LPPD.
Article 63b. (new- SG No.12/2012) (1) When the procedure is initiated on personal data controller’s request, in 14 days after the receipt of the request, the Information Funds and Systems Directorate presents to the Commission justified opinion, with which the performance of inspection, the collection of additional evidences or deletion from the register under art.42, para.1 can be proposed.
(2) When the procedure on the personal data controller deletion is initiated at the Commission’s initiative, the Commission can decide to be performed inspection about the observance of the requirements under art.17, para.4 and 5 of LPPD, before the deletion from the register under art. 42, para.1 is executed.
Article 63c. (new- SG No.12/2012) (1) Every deletion of personal data controller is subject to notification in the register under art.42, para.1.
(2) When a controller is deleted from the register are noted the ground, the date of deletion, the manner in which the deletion request was submitted, the presented evidences for the exercising of the requirements under art.25, para.1 of the LPPD.
Article 63d. (new- SG No.12/2012) The request for deletion is submitted by the controller or authorized by it person with letter of attorney, attested by notary.
Article 64. The rules on the Secretariat activity and the work with documents are regulated in internal act, approved with order from the Chairman after Commission’s decision.
Article 65. The rules concerning the admission regime, the fire-fighting security, the actions in extraordinary situations and others are established with order from the Chairman after Commission’s decision.
Article 66 (1) The business hours of the Commission and of its administration are from 9 till 17:30 p.m. and 30 minutes lunch break from 12:30 till 13 by 5-day business week.
(2) For the officials whose business hours are organized according to schedule, the time of the lunch break is defined according to the schedule approved by the Chairman of the Commission.
Article 67. (amend. SG No.12/2012) (1) The Chairman and the members of the Commission can receive additional remunerations in compliance with the requirements of the Labour Code and it’s the secondary implementing acts.
(2) The officials under civil servants and labour contracts from the CPDP’s administration can receive additional remunerations, regularly or occasionally, in compliance with the requirements of the Ordinance for the salaries of the officials in the state administration, adopted with CMD № 314 of 2011 (prom. SG No.95/2011; amend. SG No.106/2011) and the internal rules on the salaries of the CPDP’s officials.
Article 68. (amend. SG No.12/2012) The Chairman and members of the Commission have right to receive annually financial means for formal outfit in the amount of two minimal monthly salaries. The individual amount of the means is defined with Commission’s decision and the means are provided by its budget.
Article 69. (amend. SG No.12/2012) The officials from the CPDP’s administration under labour contract have the right to receive annually financial means for formal outfit. The individual amount of the means is defined with Commission’s decision and the means are provided by its budget.
Article 70. The Chairman and the members of the Commission as well as the employees from the administration of the Commission working with classified information receive additional monthly remuneration to the basic monthly salary as follows:
1. for level “top secret” – 15 %
2. for level “secret” – 10%
3. for level “confidential” – 5 %
Article 71. The reception hours of the Chairperson, the members of the Commission and the Secretary General is announced on the specified place in the building of the administration.
§ 1. The rules were adopted on the grounds of article 9, paragraph 2 of the Law for Protection of Personal Data (prom. SG No.1/2002; amend. SG No.70 and 93/2004; amend. SG No. 43 and 103/2005, SG No.30 and 91/2006, SG No.57/2007) with decision of the Commission for Personal Data Protection dated 9.01.2009 and enters into force as from the date of its promulgation in “State Gazette”.
§ 2. These Rules repeal the Rules on the activity of the Commission for Personal Data Protection and its administration (prom. SG No.25/2007, amend. SG No.40/2007).
Appendix to art.14, para.6
(Amend. SG No.12/2012)
Total number of the officials
1. Elected positions
2. Secretary General
3. Financial controller
4. General administration
4.1. Management of Resources and Administrative
5. Specialized administration
5.1. Legal Affairs, Training and International
5.2. Legal Procedures and Supervision Directorate
5.3. Informational Funds and Systems Directorate
Rules on the activity of the commission for personal data protection and its administration (DOC)
Rules on the activity of the commission for personal data protection and its administration (PDF)