
New Ordinance on the Minimum Level of Technical and Organizational Measures and Admissible Type of Personal Data Protection

The Ordinance on the Minimum Level of Technical and Organizational Measures and Admissible Type of Personal Data Protection was adopted on January 30, 2013 by the Commission for Personal Data Protection and was promulgated in SG on February 12, 2013. This Ordinance repeals Ordinance No. 1 dated February 7, 2007 (SG, issue 25 of March 23, 2007).

Pursuant to the Ordinance, the controller shall determine the level of impact of the personal data registers it processes no later than August 15, 2013. This should be done by all personal data controllers. The procedure is not complicated, and the controller has the right to determine the level of impact, provided it complies with the requirements set forth in the Ordinance.

Representatives of the Commission for Personal Data Protection explain that the Ordinance is intended to ensure an adequate level of protection of personal data in the maintained personal data registers, depending on the nature of the data and the number of persons affected if their protection is violated. The main objectives of data protection are defined as confidentiality, integrity and availability, and certain types of personal data protection are specified. The essence of the different types of protection is clarified, together with the organizational and/or technical measures corresponding to each type.

In order to determine the adequate level of these measures and admissible type of protection, the controllers are required to carry out a periodic assessment of the impact on the personal data processed. A result of the impact assessment is the determination of the level of impact and the corresponding level of protection.

The Ordinance introduces four levels of impact, depending on the nature of the personal data processed and the number of individuals affected in the event of a violation of the confidentiality, integrity or availability of personal data. The appropriate level of protection is determined by the level of impact. For each protection level, the Ordinance specifies the technical and organizational measures that personal data controllers must undertake. These measures are implemented by the data controller or by a person authorized by the controller for the protection of personal data. The controller may designate more than one person for the protection of personal data. A fundamental principle of access to the data is “need to know”.

Within 6 months of the entry into force of the Ordinance, namely until August 15, 2013, the controller shall determine the level of impact of the registers processed thereby.

For registers with personal data kept up to the moment of entry into force of the new Ordinance, the following deadlines for implementing protection measures are specified, counted from the time the level of impact is determined:

  • for low – up to six months;
  • for average – up to nine months;
  • for high and very high – up to one year.

The Ordinance on the Minimum Level of Technical and Organizational Measures and Admissible Type of Personal Data Protection was issued on the grounds of Art. 23, Para. 5 of the Personal Data Protection Act and is in effect as of February 15, 2013.

As a result of the new requirements, changes to internal policies for personal data protection may be necessary.

Every two years, the personal data controllers will determine the appropriate level of protection for the different types of data. In addition, they will have to train some of their employees, who shall be responsible for the processing and protection of personal data.