The EU General Data Protection Regulation (GDPR) aims to protect the personal data of every individual by imposing a series of obligations on the organisations that determine how and why that data is processed (data controllers).
The stricter data protection rules, which apply from 25 May 2018, give individuals greater control over their data and establish one set of rules for all companies operating in the EU, wherever they are established.
The Regulation applies in Bulgaria and throughout the European Union, and also to organisations established outside the EU when they offer goods or services to individuals in the EU or monitor their behaviour.
From 25 May 2018 every controller and processor is required to comply with it. The fines it provides for are severe: up to € 20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. In Bulgaria, supervision of personal data protection is carried out by the Personal Data Protection Commission.
Personal data is any information relating to an identified or identifiable natural person, for example: name, address, location data, online identifiers, health information, income, cultural profile, and more.
Every data controller should take the following steps with regard to the personal data it processes:
1. Understand the new legal requirements in the field of personal data protection
2. Carry out an internal analysis (inventory) of the personal data processing it performs
3. Assess whether it is obliged to designate a Data Protection Officer
4. Assess and manage the risks to the personal data it processes
5. Adopt an action plan for implementing the technical and organisational measures identified
6. Review the legal bases for the processing of personal data, including processing based on the consent of the individuals
7. Inform data subjects and ensure transparency of processing
8. Make it practical for data subjects to exercise their rights
9. Notify personal data breaches to the supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to them, to the affected individuals
10. Maintain documentation and be able to demonstrate compliance (accountability)