Disney Enterprises, Inc. et al v. Hotfile Corp. et al
Filing
81
MEMORANDUM of Law re 72 Plaintiff's MOTION to Compel RESPONSES TO REQUESTS FOR PRODUCTION OF DOCUMENTS AND INTERROGATORIES (Public Redacted Version)Plaintiff's MOTION to Compel RESPONSES TO REQUESTS FOR PRODUCTION OF DOCUMENTS AND INTERROGATORIES (Public Redacted Version) Memorandum of Law of Defendants Hotfile Corporation and Anton Titov In Opposition to Plaintiffs' Motion to Compel Responses to Requests for Production and Interrogatories by Hotfile Corp., Anton Titov. (Attachments: # 1 Exhibit 1, # 2 Exhibit A, # 3 Exhibit B, # 4 Exhibit C, # 5 Exhibit D, # 6 Exhibit E, # 7 Exhibit F, # 8 Exhibit G, # 9 Exhibit H, # 10 Exhibit I, # 11 Exhibit J, # 12 Exhibit K, # 13 Exhibit L, # 14 Exhibit M, # 15 Exhibit N, # 16 Exhibit O, # 17 Exhibit 2, # 18 Exhibit 3, # 19 Exhibit A)(Munn, Janet)
<![CDATA[
EXHIBIT J
LAW FOR PROTECTION OF PERSONAL DATA
Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend.
SG. 93/19 Oct 2004, amend: SG. 43/20 May 2005, amend. SG. 103/23
Dec 2005, amend. SG. 30/11 Apr 2006, amend. SG. 91/10 Nov 2006,
amend. SG. 57/13 Jul 2007, amend. SG. 42/5 Jun 2009
Chapter One
GENERAL PROVISIONS
Art. 1.
(amend. - SG 103/05)
(1) This Law shall govern the protection of rights of individuals with regard to the processing of their
personal data.
(2) The purpose of this law is to guarantee the inviolability of personality and privacy by ensuring
protection of individuals in case of unauthorised personal data processing referred to them, in the
process of free movement of data.
(3) (new - SG 91/06)This Law shall apply to personal data processing:
1. by automatic means;
2. by non-automatic means, where such data are, or are designed to become, part of a register.
(4) (prey. text of para 3, amend. - SG 91/06) This Law shall apply to personal data processing where
the data controller:
1. (amend. - SG 91/06) is established on the territory of the Republic of Bulgaria and processes
personal data in connection with its activity within the country;
2. is not established on the territory of the Republic of Bulgaria but is bound to apply this Law by
virtue of international public law;
3. (in force as from the date of the Treaty of Accession of the Republic of Bulgaria to the European
Union, SG-91/06) is not established on the territory of an European Union Member State, nor in
another member country of the European Economic Area but, for the purposes of such processing, uses
means located on Bulgarian territory, unless such means are being used exclusively for transit
purposes; in such case the data controller must specify a representative that is established on the
territory of the Republic of Bulgaria, this, however, shall relieve it from responsibility.
(5) (prey. text of para 04, amend. - SG 91/06) Personal data processing for defence, national security
and public order purposes, and for the purposes of criminal proceedings, provided that the procedure
and conditions for processing are governed by special laws.
(6) (prey. text of para 05 - SG 91/06) The terms and procedure for processing uniform personal
identification numbers and other identification numbers of general application shall be governed by
special laws.
(7) (prey. text of para 06 - SG 91/06; suppl. — SG 57/07, in force as from 13.07.2007) This Law shall
not apply to personal data processing by individuals for their personal or household activity, nor for
information which is stored in the National Archive Fund.
Art. 2.
(suppl., - SG 70/04; amend. - SG 103/05)
(1) (amend. - SG 91/06) "Personal data" shall refer to any information relating to a individual who is
identified or identifiable, directly or indirectly, by reference to an identification number or to one or
more specific features.
(2) Personal data must be:
1. processed in legal compliance and in a bona fide manner;
2. collected for specific, precisely defined and legal purposes and not be submitted to additional
processing in a manner incompatible with such purposes; additional personal data processing for
historical, statistical or research purposes shall be allowed provided the data controller has ensured
proper protection, guaranteeing that such data are not being processed for any other purposes;
3. (amend. - SG 91/06) proportionate to the purposes for which they are being processed and not
exceeding their scope;
4. accurate; and updated if necessary;
5. deleted or corrected when found to be imprecise or disproportionate to the purposes for which they
are being processed;
6. maintained in a form that enables identification of the respective individuals for a period not
exceeding the time necessary for the purposes for which such data are being processed; personal data
which will be stored for a longer period of time for historical, statistical or research purposes shall be
kept in a format precluding the identification of individuals.
Art. 3.
(1) (amend. — SG 103/05; amend. - SG 91/06) "Personal data controller", hereinafter referred to as
"data controller", shall refer to any individual or legal person, or a central or local government
authority which determines separately or jointly with another person the purposes and means personal
data processing.
(2) (new — SG 103/05; amend. - SG 91/06) "A controller" shall also refer to any individual or legal
person, or a central or local government authority, which determines separately the type of personal
data processed, and the purposes and means of processing.
(2) (new — SG 103/05; amend. - SG 91/06) " A data controller" shall also refer to any individual or
legal person, or a central or local government authority processing personal data whose type, purposes
and means of processing shall be determined by law. In such cases the data controller or the specific
criteria for its determination can be regulated by a legal act.
(3) (prey. text of Para 2 - SG 103/05) A personal data controller shall process the personal data
separately or by assignment to a data processor.
(4) (new - SG 103/05) The data controller shall ensure compliance with the requirements laid out in
Art. 2 para. (2).
Art. 4.
(amend. — SG 103/05)
(1) Personal data may be processed only in cases when at least one of the following conditions is met:
1. processing is necessary for the execution of an obligation of the personal data controller, stipulated
by law;
2. the individual to whom such data refer has given his/her explicit consent;
3. (amend. - SG 91/06) processing is necessary for the execution of obligations of a contract to which
the individual to whom such data refer is a party, and for actions at the individual's request and
preceding the execution of a contract;
4. processing is necessary in order to protect the life and health of the individual to whom such data
refer;
5. processing is necessary for the performance of a task carried out in the public interest;
6. processing is necessary for the execution of competences vested by law in the data controller or in a
third party to whom the data are disclosed;
7. processing is necessary for the execution of the legitimate interests of the personal data controller or
a third party to whom the data are disclosed, except where such interests have priority over the interests
of the individual to whom such data refer.
(2) Personal data processing shall be allowed also in cases when it is performed exclusively for the
purposes of journalism, literary or artistic expression provided that such processing does not violate the
right of privacy of the person to whom the data refer. In such cases, the provisions of Chapter Three
shall not apply.
Art. 5.
(amend. — SG 103/05)
(1) It shall be prohibited to process personal data which:
1. reveal racial or ethnic origin;
2. reveal political, religious or philosophical convictions, membership in political parties or
organisations, associations having religious, philosophical, political or trade-union goals;
3. refer to health, sexual life or human genome.
(2) Para. (1) shall not apply when:
1. processing is necessary for the purposes of carrying out specific rights and obligations of the data
controller in the field of labour legislation;
2. (suppl. - SG 91/06) the individual to whom such data refer has given his/her explicit consent to the
processing of such data, except when otherwise provided by a special law;
3. processing is necessary in order to protect the life and health of the individual to whom such data
refer, or of another person, and the physical condition of such individual makes him or her incapable of
giving his/her consent, or there are legal impediments to doing so;
4. processing is carried out by a non-profit organisation, including such with a political, philosophical,
religious or trade-union goal, in the course of its legitimate activities and with appropriate protection,
provided that:
(a) such processing refers exclusively to the members of the organisation or to persons who have
regular contact with it in connection with its goals;
(b) the data are not disclosed to a third party without the consent of the individual to whom such data
refer;
5. such processing refers to data which have been made public by the individual to whom such data
refer, or it is necessary for the establishment, exercise or defence of rights through the court;
6. processing of the data is required for the purposes of preventive medicine, medical diagnostics, the
provision or management of health-care services provided that such data are processed by a medical
professional who is bound by law to professional secrecy, or by another person under a similar
obligation of secrecy;
7. processing is performed exclusively for the purposes of journalism, literary or artistic expression
provided that it does not violate the right of privacy of the person to whom such data refer.
Chapter Two
COMMISSION FOR PERSONAL DATA PROTECTION
Art. 6.
(1)The Commission for Personal Data Protection, hereinafter referred to as "the Commission", shall be
an independent government body ensuring the protection of individuals in the processing of and access
to their personal data, as well as the control on observation of this Law.
(2) The Commission shall be a public budget-supported legal entity with main office in Sofia and it
shall be a first-level spender of budget credits.
Art. 7.
(1) The Commission shall be a collective authority consisting of a President and four members.
(2) (amend. - SG 91/06) The members of the Commission and the President shall be elected by the
National Assembly based on a proposal of the Council of Ministers for a five-year mandate and may be
re-elected for another mandate.
(3) The President and the members of the Commission shall perform their activities under a contract of
employment governed by labour law.
(4) (new - SG 91/06) The members of the Commission shall be paid a basic monthly salary to the
amount of 2.5 average monthly salaries of the persons employed under labour contract or in
compliance with the provisions the Civil Servant Act in the public sector according to data of the
National Statistical Institute. The basic monthly salary shall be recalculated each quarter taking into
consideration the average monthly salary for the last month of the preceding quarter.
(5) (new - SG 91/06) The Commission's President shall be paid a basic monthly salary to the amount of
30 percent higher than the basic monthly salary referred to in para. 4.
(6) (amend. — SG 103/05; prev. text of para 04 - SG 91/06) The Commission shall submit an annual
report on its activities to the National Assembly before 31 January each year.
,
Art. 8.
(1) Members of the Commission may be Bulgarian citizens who:
1. have higher education in Information Science or Law or a Master's degree in Information
Technologies;
2. have at least ten years of service in their specialty;
3. (amend. — SG 103/05) have not been convicted to imprisonment for a malicious crime of general
nature regardless of whether rehabilitated.
(2) Members of the Commission may not:
1. (amend. — SG 103/05) be persons who are sole trader, managers/procurators or members of
management or supervisory bodies of companies, cooperative societies or personal data controllers in
compliance with this Law;
2. occupy other paid jobs, except for research activity or teaching.
3. (new- SG 42/09) can't be persons, who are spouses or have actual cohabitation, lineal relatives,
collateral relatives — to fourth degree inclusive or by affinity- to second degree inclusive with other
member of the Commission.
(3) A qualified member of the legal profession meeting the requirements laid down in para. 1 and 2
shall be elected as the president of the Commission.
(4) The mandate of the President or a member of the Commission shall be terminated earlier in any of
the following cases:
1. death or legal disability;
2. upon a decision of the National Assembly, when:
(a) the person has filed a request to be dismissed from his/her duties;
(b) the person has committed a serious violation of this Law;
(c) the person has committed a malicious crime of general nature for which there is a conviction in
force;
(d) it has become impossible for him/her to fulfil his/her duties for a period longer than six months.
(e) (new- SG 42/09) an act has entered into force, with which is determined conflict of interests under
the Conflict of Interests Prevention and Detection Law.
(5) (amend. and suppl. — SG 103/05) In the cases under para. 4, the Council of Ministers shall propose
to the National Assembly to elect a new member for a term until the expiration of the original mandate
of the respective member of the Commission.
(6) The term of service as a President or a member of the Commission shall be recognized also as
length of service according to the provisions of the Civil Servant Act.
Art. 9.
(1) The Commission shall be a permanently operating body supported by an administration.
(2) The Commission shall organize its activity and the activity of its administration by regulations and
publish these regulations in the State Gazette.
(3) The Commission shall make decisions by the majority of the total number of its members.
(4) The Commission's meetings shall be public. The Commission may decide that some meetings will
be closed.
Art. 10.
(1) The Commission shall:
1. analyse and monitor compliance with the legal framework in the field of personal data protection;
2. (suppl. — SG 103/05) keep a register of personal data controllers and the personal data registers kept
by them;
3. inspect personal data controllers in connection with its activities under subpara. (1);
4. give opinions and issue permissions in the cases provided for in this Law;
5. issue compulsory instructions to data controllers in connection with personal data protection;
6. suspend, upon prior notification, any personal data processing that violates the provisions for
personal data protection;
7. (amend. — SG 103/05) handle complaints against acts issued or any actions of data controllers, which
violate the rights of individuals under this Law, as well as third parties' complaints in relation to their
rights under this Law;
8. (amend. — SG 103/05) participate in drawing up and obligatory issuing of opinions with regard to
draft laws and regulations in the field of personal data protection;
9. (new — SG 103/05, in force as from the effective date of the Treaty of Accession of the Republic of
Bulgaria to the European Union) ensure enforcement of European Commission decisions in the field of
personal data protection.
(2) (amend. — SG 103/05) The terms and conditions for keeping the register under para. (1), subpara.
(2), notifying the Commission, issuing permissions and opinions, handling complaints, and issuing
compulsory instructions or imposing temporary prohibitions for personal data processing shall be laid
down in the regulations under Art. 9, para. (2).
(3) (suppl. — SG 103/05; amend. - SG 91/06) The Commission shall issue a bulletin to publish
information about its activities and decisions. The report referred to in Art. 7, para. (6) shall also be
published in the bulletin.
(4) (new — SG 103/05; amend. - SG 91/06) The Commission shall coordinate, by industry branch and
by areas of activity, the ethic codes of behaviour of personal data controllers under Art. 22a and in case
of ascertaining legal inconsistency it shall issue compulsory instructions.
Art. 11.
The president of the Commission shall:
1. organise and administer the activities of the Commission in compliance with the law and the
decisions of the Commission, and be responsible for the fulfilment of its duties;
2. represent the Commission before third parties;
3. (suppl. — SG 103/05) appoint and dismiss civil servants and execute and terminate contracts with
employees of the administration upon decision of the Commission.
4. (new — SG 103/05) issue penal decree as provided for in Art. 43, para. (2).
Art. 12.
(amend. - SG 91/06)
(1) The president and members of the Commission or officials from the administration authorized by it
shall perform monitoring by means of ex-ante, on-going and ex-post inspections for observance of this
Law.
(2) An ex-ante inspection shall be carried out in the cases under Art. 17b:
(3) On-going inspections shall be carried out at the request of persons concerned, as well as on the
Commission's initiative based on a monthly control activity plan adopted by it.
(4) Ex-post inspections shall be carried out for implementing a decision or a compulsory instruction of
the Commission, and on the Commission's initiative following receipt of warning about a violation.
(5) The inspectors shall prove their identity by their official cards and the order issued by the
Commission's President for the respective inspection.
(6) In conducting inspections, the persons referred to in para. (1) may assign the preparation of expert
reports following the procedure laid down in the Civil Procedure Code.
(7) An inspection shall end in a statement of findings.
(8) In cases when a violation is ascertained with the statement of findings, the latter shall be considered
a statement on ascertainment of an administrative violation in the meaning of the Administrative
Violations and Sanctions Act.
(9) The terms and procedure for carrying out inspections shall be determined in an instruction of the
Commission.
Art. 13.
(1) (amend. - SG 103/05) (1) The President and members of the Commission, and its
administration shall be required not to disclose and not to make use, for their own or any third
party's benefit, of any information constituting a secret protected by a law of which they have
become aware in the performance of their official duties until the term provided for the
protection of such information has expired.
(2) The persons referred to in para. (1) shall submit a declaration concerning their obligations
provided for in para. (1), when appointed in the Commission.
Art. 14.
amend. - SG 103/05)
(1) The data provided for in Art. 18, para. (2) shall be entered in the register referred to in Art. 10, para.
(1), subpara. (2).
(2) Data entry in the register referred to in Art. 10, para. (1), subpara. (2) shall be verified by an
identification number.
(3) The register referred to in para. (1) shall be public.
Art. 15.
(repealed — SG 103/05)
Art. 16.
(amend. - SG 103/05; repealed — SG 91/06)
Chapter Three
OBLIGATIONS OF PERSONAL DATA CONTROLLERS
(heading amend. — SG 103/05)
Art. 17.
(amend. - SG 103/05; amend. - SG 91/06)
(1) The personal data controller shall be required to submit an application for registration before the
beginning of personal data processing.
(2) The Commission shall enter the personal data controller in the register referred to in Art. 10, para 1,
subpara. 2, within a 14-day term as from the submission of the application.
(3) The data controller may start processing the data after submission of the application for registration.
Art. 17a.
(new - SG 91/06)
(1) Application for registration shall not be submitted when the data controller:
1. keeps a register which is intended to provide public information by virtue of a legal act and:
a) the access to it is free or
b) any person of legal interest has access to it;
2. processes data in the cases referred to in Art. 5, para 2, subpara. 4.
(2) The Commission may also exempt from the obligation for registration data controllers processing
data except those referred to in para 1, provided that such processing does not endanger the rights and
the legal interests of the individuals whose data are being processed.
(3) The terms and procedure of exemption under para. 2 shall be regulated by the regulations referred
to in Art. 9, Para 2 and the Commission shall determine the criteria in compliance with:
1. the purposes personal data processing;
2. the personal data or the categories of personal data subject to processing;
3. the categories of individuals whose data are being processed;
4. the recipients or the categories of recipients to whom the personal data may be disclosed;
5. the term of data storage.
Art. 17b.
(new - SG 91/06)
(1) When the data controller has applied for processing of data under Art. 5, para. 1, or of data whose
processing according to a Decision of the Commission endangers the rights and the legal interests of
individuals, the Commission shall be required to perform an ex-ante inspection before making an entry
into the register referred to in Art. 10, para 1, subpara. 2.
(2) The ex-ante inspection shall be performed within two months from submission of the application
for registration referred to in Art. 17, para. 1.
(3) After the end of the ex-ante inspection the Commission shall:
1. enter the personal data controller in the register;
2. give compulsory instructions concerning the conditions of personal data processing and maintaining
a personal data register;
3. deny the entry.
(4) The data controller may not begin personal data processing before being entered in the register
under Art. 10, para 1, subpara. 2 or before fulfilling the compulsory instructions of the Commission.
(5) The failure to make a decision by the Commission within the term referred to in para. 2 shall be
considered an implicit denial to enter the administrator into the register.
(6) The operative part of the decision referred to in para. 1 shall be promulgated in the State Gazette.
Art. 18.
(amend. — SG 103/05)
(1) (amend. - SG 91/06) (1) Any personal data controller or its representative shall submit a registration
application as referred to in Art. 17 and documents in a form approved by the Commission.
(2) The application shall contain:
1. the data identifying the personal data controller and its representative, if any;
2. the purposes of personal data processing;
3. the categories of individuals whose data are processed, and the categories of personal data relating to
them;
4. the recipients or categories of recipients to whom the personal data may be disclosed;
5. proposed data transfer to other countries;
6. the general description of measures taken in compliance with Art. 23 allowing the preparation of a
preliminary assessment of their advisability.
(3) The data controller shall notify the Commission of any alteration in the data referred to in para. (2)
before making such an alteration. In cases where such alteration is provided for by law, notification
shall be made within 7 days following the effective date of the respective law.
(4) In cases when the data controller is not entered in the register referred to in Art. 10, para. (1),
subpara. (2), he/she shall be required to provide the data referred to in para. (2) to any person upon
request.
Art. 19.
(suppl. SG 92/04; amend. - SG 103/05)
(1) (amend. - SG 91/06) When personal data are collected from the individual to whom such data refer,
the data controller or its representative shall provide him/her with:
1. the data which identify the data controller and its representative;
2. the purposes for which the data are processed;
3. the recipients or categories of recipients to whom the personal data may be disclosed;
4. the data concerning the compulsory or voluntary nature of data provision and the consequences of a
denial to provide them;
5. information about the right of access and the right to rectify the data collected.
(2) The data referred to in para. (1) shall not be provided when the individual to whom they refer
already has such data, or if there is an explicit prohibition for providing them in a law.
Art. 20.
(amend. - SG 103/05)
(1) (amend. - SG 91/06) When personal data have not been collected from the individual to whom they
refer, the data controller or its representative shall provide him/her with:
1. the data which identify the data controller and its representative;
2. the purposes for which the data are being processed;
3. the personal data categories referring to the respective individual;
4. the recipients or categories of recipients to whom the personal data may be disclosed;
5. information about the right of access and the right to rectify the collected data.
(2) The data referred to in para. (1) shall be provided to the individual to whom they refer at the time
they are entered in the respective register or, if data are to be disclosed to a third party, not later than
their first disclosure.
(3) Para. (1) shall not apply when:
1. processing is performed for statistical purposes or for the purposes of historical or scientific research
and the provision of the data referred to in para. (1) is impossible or would require disproportionate
efforts;
2. entry or disclosure of data is explicitly laid down by law;
3. the individual to whom such data refer already has the information referred to in para. (1);
4. there is an explicit prohibition for this in a law.
Art. 21.
(amend. - SG 103/05)
(1) (amend. - SG 91/06) (1) Any other information beyond that referred to in Art. 19, para.
(1), subpara. 3 — 5, and Art. 20, para. (1), referring to data processing shall be given upon an
assessment of the necessity to provide it, in order to ensure fair processing of data with regard to the
individual to whom they refer.
(2) The assessment referred to in para. (1) shall be made by the data controller on a case by case basis.
Art. 22
(amend. - SG 103/05)
(1) The personal data controller shall be obliged to provide access to registers maintained by him/her
for the persons referred to in Art. 12, para. (1), and shall not obstruct the control on the process of
personal data processing.
(2) The personal data controller shall be required to provide the information requested by the persons
referred to in Art. 12, para. (1) either orally in writing, or on other information carriers.
(3) (new - SG 91/06) The existence of a trade, production or other secret protected by law cannot serve
as grounds for the data controller to refuse to cooperate.
(4) (prey. text of para 03 - SG 91/06) The access procedure provided for in the Law on Protection of
Classified Information shall apply when the information contains data which is classified information.
(5) (prey. text of para 04 - SG 91/06) All persons engaged in personal data processing shall be required
to cooperate with the Commission in the execution of its powers.
Art. 22a.
(new - SG 91/06)
(1) Data controllers shall, by industry branch and by area of activity, develop Ethic codes of behaviour,
taking into account the specifics of their activity and the rules of morality and good manners.
(2) Ethic codes may be provided to the Commission for consultation prior to their adoption by the data
controllers.
Chapter Four
PERSONAL DATA PROTECTION
Art. 23.
(amend. - SG 103/05 )
(1) The personal data controller shall take appropriate technical and organisational measures to protect
data against accidental or unlawful destruction, or against accidental loss, unauthorised access,
alteration or dissemination, and against other unlawful forms of processing.
(2) The data controller shall take special protection measures when processing involves the
transmission of data by electronic means.
(3) The measures referred to in para. (1) and para. (2) shall take into account the modern technological
achievements and ensure a level of security adequate to the risks related to processing, and the nature
of the data to be protected.
(4) The measures referred to in para. (1) and para. (2) shall be determined in an instruction issued by
the personal data controller.
(5) The Commission shall specify in an ordinance the minimum level of technical and organisational
measures, as well as the admissible type of protection. Such ordinance shall be published in the State
Gazette.
Art. 24.
(1) (amend. - SG 103/05) The data controller may process data separately or by assignment to data
processors. When necessary for organisational reasons, the processing may be assigned to more than
one data processor, including for the purpose of differentiating their specific duties.
(2) When data processing is not performed by the data controller, the latter shall be required to appoint
a data processor and ensure sufficient data protection guarantees.
(3) (repealed - SG 103/05)
(4) (amend. - SG 103/05) The relationship between the data controller and the personal data processor
shall be governed by a legal act, a written contract or another act of the data controller, defining the
scope of duties assigned by the data controller to the data processor.
(5) (amend. - SG 103/05) The data controller shall be liable jointly and separately for any damages
caused to any third party, resulting from any acts of omission and commission of the data processor.
(6) (amend. - SG 103/05) The personal data processor or any person acting under the guidance of the
data controller or of the data processor who has access to personal data, may process them only by
instructions of the data controller, unless otherwise specified by law.
Art. 25.
(1) (amend. - SG 103/05) After the achievement of the purpose of personal data processing, the data
controller shall be required:
1. either to destroy the data, or
2. transfer them to another data controller by preliminary notification to the Commission, if such
transfer is specified in a law and the purposes of processing are identical.
(2) (suppl. SG 92/04; amend. - SG 103/05) After achieving the intended purpose of personal data
processing, the personal data controller shall store data only in the cases provided for by law.
(3) (amend. - SG 103/05) In cases when, after achieving the purpose of processing, the data controller
wishes to store the personal data as anonymous data for historical, research or statistical purposes,
he/she shall notify the Commission.
(4) The Commission for Personal Data Protection may prohibit the storage of data for the purposes
under para. (3), if the data controller has failed to provide sufficient protection of the processed data as
anonymous.
(5) The decision of the Commission under para. 4 shall be subject to appeal before the Supreme
Administrative Court. In cases when the Supreme Administrative Court has rejected the appeal against
the decision of the Commission, the personal data controller shall be required to destroy the data.
Chapter Five
RIGHTS OF INDIVIDUALS
(Heading amended, SG - 103/05)
Art. 26
(1) Any individual shall be entitled to access to personal data referred to him or her.
(2) (amend. SG No. 103/2005) In the cases when the right of access granted to an individual may also
lead to disclosure of personal data of third parties, data controllers shall provide the relevant individual
with access only to that part of the data that refers to him or her.
Art. 27
(amend. - SG 103/05; repealed — SG 91/06)
Art. 28
(amend., SG - 103/05)
(1) When exercising his or her right of access, an individual shall be entitled to request, at any time,
from the personal data controller:
1. a confirmation as to whether or not data relating to him/her are being processed, information as to
the purposes of such processing, the categories of data concerned, and the recipients or categories of
recipients to whom the data are disclosed;
2. a notification to him/her, in an intelligible form, containing his or her personal data which are being
processed, and any available information about their source;
3. information concerning the logic involved in any automatic data processing concerning him/her, at
least in case of automated decisions referred to in Art. 34b.
(2) The individual may exercise his or her right to obtain the information referred to in para. (1) free of
charge once in every twelve months.
(3) In case the individual dies, his or her rights referred to in para. (1) and para. (2) shall be exercised
by his or her heirs.
Art. 28a
(New, SG - 103/05)
An individual shall be entitled to require, at any time, from the data controller:
1. to erase, rectify or block his or her personal data whose processing does not comply with the
provisions of this Law;
2. to notify any third parties to whom his or her personal data have been disclosed of any erasure,
rectification, or blocking carried out in compliance with para. (1), unless this is impossible or involves
a disproportionate effort.
Art. 29
(1) (amend., SG -103/05) The right of access referred to in Art. 26 and the rights referred to in Art. 28a
shall be exercised by submitting a written application to the personal data controller.
(2) (amend., SG - 103/05) The application may also be submitted in electronic form under the
procedure laid down in the Law on Electronic Documents and Electronic Signature.
(3) (amend., SG - 103/2005) The application referred to in para. (1) shall be filed personally by the
individual or by explicitly authorised person with a power of attorney certified by a notary public.
(4) (repealed, SG - 103/05)
Art. 30
(amend., SG - 103/05)
(1) The application referred to in Art. 29 shall contain:
1. the name, address and other data necessary for identifying the respective individual;
2. description of the request;
3. preferred form of provision of the information referred to in Art. 28, para. (1);
4. signature, date of submission of the application and mailing address.
(2) In cases when the application is submitted by a duly authorised person, the power of attorney
certified by a notary public shall be enclosed to the application.
(3) The personal data controller shall keep a register of the applications referred to in Art. 29.
Art. 31
(amend., SG - 103/05) The information referred to in Art. 28, para. (1) may be provided as an oral
(1)
or written reference, or in the form of the data review by the individual concerned or by another
explicitly authorised person.
(2) The individual may request a copy of the personal data processed on a preferred carrier or by
electronic means, unless this is prohibited by law.
(3) (amend., SG No. 103/2005) The personal data controller shall be required to take into consideration
the preferences stated by the applicant about the form of provision of the information referred to in Art.
28, para. (1).
Art. 32
(amend., SG - 103/05)
(1) In the cases referred to in Art. 28, para. (1), the personal data controller or a person explicitly
authorised by the former shall consider the application referred to in Art. 29 and shall respond within
14 days from its submission.
(2) The time-limit referred to in para. (1) may be extended by the data controller up to 30 days in the
cases under Art. 28, para. (1), subpara. (1) and (2), when the collection of all requested data objectively
requires a longer period and this would impede seriously the activities of the data controller.
(3) Within 14 days, the data controller shall decide whether to provide the applicant with full or partial
information as referred to in Art. 28, para. (1), or shall make a reasoned denial to provide it.
(4) In the cases referred to in Art. 28a, para. (1), the data controller shall make a decision and take the
relevant action within 14 days from the submission of the application referred to in Art. 29, or shall
make a reasoned denial to take such action.
(5) In the cases referred to in Art. 28a, para. (2), the personal data controller shall make a decision
within 14 days and shall immediately notify the third parties concerned or shall make a reasoned denial
to submit the notification.
Art. 33
(1) (amend., SG - 103/05) The personal data controller shall notify the applicant in writing of its
decision or denial under Art. 32, para. (3) to (5) within the relevant time-limit.
(2) The notice under para. (1) shall be delivered personally after signature or by mail with advice of
delivery.
(3) (new, SG - 103/05) The absence of notification as referred to in para. (1) shall be considered a
denial.
Art. 34
(1) (amend., SG - 103/05) The data controller shall deny access to personal data when such data do not
exist or their provision is prohibited by law.
(2) (repealed., SG - 103/05)
(3) (new, SG - 93/04, amended, SG - 103/05, amend. and suppl. SG - 91/06) The data controller shall
deny to provide fully or partially data to the individual to whom the data refer when such provision
would threaten the defence or national security, or the protection of classified information and this is
stipulated in a special law.
Art. 34a
(new, SG No. 103/2005)
(1) The individual to whom the data refer shall be entitled:
1. to object to the data controller against the processing of his/her personal data on the basis of
legitimate grounds; when such objection is justified, the personal data of the relevant individual may no
longer be processed;
2. to object against the processing of his or her personal data for the purposes of direct marketing;
3. to be informed before his or her personal data are disclosed for the first time to third parties or used
on their behalf for the purposes set out in subpara. (2), and to be given the opportunity to object to such
disclosure or use.
(2) The data controller shall inform the individual of his or her rights referred to in para. (1), subpara.
(2) and (3).
Art. 34b
(new, SG No. 103/2005)
(1) The data controller's decision shall be inadmissible when:
1. it engenders legal effects or significantly affects the individual, and
2. it is based solely on automated processing of personal data meant to evaluate certain personal aspects
of the individual.
(2) Para. (1) shall not apply when the decision is:
1. taken in the course of the execution or performance of a contract, provided that the request for the
execution or the performance of such contract submitted by the individual concerned has been satisfied,
or provided that there are appropriate measures safeguarding his or her legal interests;
2. is provided for in a law which also lays down measures to safeguard the individual's legal interests.
(3) The individual shall be entitled to request from the data controller to review any decision made in
breach of the provisions of para. (1).
Chapter Six
TRANSFER OF PERSONAL DATA TO THIRD PARTIES
Article 35
(amend. SG - 103/05, repealed — SG 91/06 )
Article 36
(amend. SG 103/05, in force till the effective date of the Treaty of Accession of the Republic
of Bulgaria to the European Union)
(1) The provision of personal data by the data controller to foreign individuals or legal
persons or to foreign government authorities shall be allowed with the permission of the Commission
for Personal Data Protection, if the legislation of the recipient country guarantee a level of data
protection that is better or equivalent to that provided by this Law.
(2) In the transfer of personal data in cases referred to in paragraph (1), the requirements of this Law
shall apply.
Article 36a
(New - SG 103/05), in force as of the effective date of the Treaty of Accession of the Republic of
Bulgaria to the European Union)
(1) Transfer of personal data to any Member State of the European Union and to any other member
country of the European Economic Area shall be done freely, in compliance with the requirements of
this Law.
(2) Transfer of personal data to a third country shall be allowed only if this third country ensures an
adequate level of personal data protection within its territory.
(3) The assessment of adequacy of the level of personal data protection in a third country shall be made
by the Commission for Personal Data Protection, taking into consideration all the circumstances
referred to the data transfer operation or the set of data transfer operations, including the nature of the
data, the purpose and duration of their processing, the legal basis and security measures provided in the
third country.
(4) (amend. - SG 91/06) The Commission for Personal Data Protection shall not make an assessment as
referred to in para. (3) in the cases when it is necessary to implement a decision of the European
Commission, ruling that:
1. the third country where the personal data are transferred provides an adequate level of protection;
2. certain standard contractual clauses provide an adequate level of protection.
(5) (amend. - SG 91/06) In the cases referred to in para. (4), subpara. (2) the data controller shall use
the standard contractual clauses in transfers of data to a third country.
(6) Except for the cases referred to in para. (2) and para. (4), the data controller may transfer personal
data in a third country if:
1. the individual to whom such data refer has given his/her explicit consent;
2. (amend. - SG 91/06) the transfer is necessary for the execution and performance of obligations under
a contract between the individual and the data controller, and also for actions preceding the execution
of a contract, undertaken at such individual's request;
3. (amend. - SG 91/06) the transfer is necessary for the performance of a contract concluded in interest
of the individual between the data controller and another data subject;
4. the transfer is necessary or is required by law due to an important public interest, or for the
establishment, exercising or defence of rights through the court;
5. the transfer is necessary in order to protect the life and health of the individual to whom such data
refer;
6. (amend. - SG 91/06) the source of the data is a public register, the access to which is provided
according to terms and procedures laid down in a law.
(7) The transfer of personal data to third countries shall be admissible in all cases when performed
exclusively for the purposes of journalism, literary or artistic expression to the extent to which it does
not violate the right to privacy of the person to whom such data refer.
Article 36b
(new, SG - 103/05, in force as from the effective date of the Treaty of Accession of the Republic of
Bulgaria to the European Union)
(1) Except for the cases stipulated in Article 36a, the transfer of personal data to a third country shall
take place upon permission by the Commission for Personal Data Protection provided that both the data
controller transferring the data and the data controller receiving the data have given sufficient
safeguards for their protection.
(2) ) (suppl. - SG 91/06) The Commission shall notify the European Commission and the competent
authorities of the other Member States of the permissions issued under paragraph (1) as well as about
the denials to provide such permissions.
Article 37
(repealed, SG - 103/05)
Chapter Seven
APPEAL AGAINST ACTIONS OF PERSONAL DATA CONTROLLERS
Art. 38.
(1) (amend. - SG 103/05; amend. - SG 91/06) In case of infringement of his/her rights under this Law,
any individual shall be entitled to approach the Commission for Personal Data Protection within one
year from finding out such infringement, but not later than five years from committing the
infringement.
(2) (amend. - SG 103/05) The Commission shall pronounce a decision within 30 days after it has been
approached and may issue compulsory instructions, set a time limit to abate the infringement or impose
an administrative penalty.
(3) (repealed - SG 103/05)
(4) The Commission for Personal Data Protection shall also send a copy of the decision to the
individual.
(5) (new - SG 91/06) In the cases referred to in para. 1 when personal data are processed for the needs
of defence, national security and public order, as well as for penal proceedings, the Commission's
decision shall contain only fmdings regarding the lawfulness of the processing.
(6) (amend. - SG 103/05; prey. text of para. 5 - SG 91/06) The decision of the Commission as referred
to in para. (2) shall be subject to appeal before the Supreme Administrative Court within 14 days of its
receipt.
Art. 39. '
(1) (amend. - SG 103/05; amend. - SG 30/06, in force from 12.07.2006; amend. - SG 91/06) Any
individual may, in case of an infringement of his or her rights under this Law, appeal against actions
and acts of the data controller before the relevant regional court or the Supreme Administrative Court,
in compliance with the general jurisdiction rules.
(2) (amend. - SG 103/05) In the proceedings referred to in para. (1), the individual may claim
compensation for any suffered damages as a result of unlawful processing of personal data by the data
controller.
(3) (new - SG 103/05) The individual concerned may not approach the court in case of pending
proceedings before the Commission concerning the same violation or in case when the Commission's
decision concerning the same violation has been appealed against but there is no court judgement
which is not in force yet. The Commission shall verify, at the request of the individual concerned,
whether there are pending or not proceedings concerning the same dispute before it.
(4) (prey. text of Para 3 — amend., SG 103/05; repeald — SG 91/06)
(5) (prey. text of Para 4 — amend., SG 103/05; amend. - SG 30/06, in force from 12.07.2006;
repeald — SG 91/06)
Art. 40.
(repealed — SG 103/05)
Art. 41.
(repealed — SG 103/05)
Chapter Eight
ADMINISTRATIVE PENAL PROVISIONS
Art. 42
(amended, SG - 103/05)
(1) The personal data controller shall be imposed a fine or a property sanction in the amount of BGN
10 000 to BGN 100 000 for violations of the provisions of Art. 2, para. (2) and Art. 4,.
(2) The data controller shall be imposed a fine or a property sanction in the amount of BGN 10 000 to
BGN 100 000 for violations of the provisions of Art. 5.
(3) (amend. - SG 91/06) The data controller shall be imposed a fine or a property sanction in the
amount of BGN 2 000 to BGN 20 000for violations of the provisions of Art. 19, para. (1) and Art. 20,
para. (1).
(4) A data controller who has failed to meet its obligation to register as provided for in Art. 17, para.
(1), shall be imposed a fine or a property sanction in the amount of BGN 1 000 to BGN 10 000.
(5) (new - SG 91/06) A data controller who has started data processing in violation of Art. 17b, para.
(4), shall be imposed a fine or property sanction in the amount of BGN 2 000 to BGN 20 000.
(6) (new - SG 91/06) A data controller, who has failed to meet his/her obligations as provided for in
Art. 22, para.s (1) and (2), shall be imposed a fine or property sanction in the amount of BGN 2 000 to
BGN 20 000.
(7) (prev. text of para 05 - SG 91/06) A data controller who does not issue an administrative act
concerning the application under Art. 29 within the term, shall be imposed a fine or a property sanction
in the amount of BGN 1 000 to BGN 20 000, unless he/she is a subject to a more severe sanction.
(8) (prey. text of para 06 - SG 91/06) Persons who refuse to cooperate with the Commission with
regard to its control powers, shall be imposed a fine or a property sanction in the amount of BGN 1 000
to BGN 10 000.
(9) (prey. text of para 07 -.SG 91/06) The guilty persons shall be imposed a fine or a property sanction
in the amount of BGN 500 to BGN 5 000 for any other violation of the provisions of this Law.
Art. 42a
(new, SG - 103/05)
In cases of violations under this Law committed as repeated violations, a fine or property sanction shall
be imposed in an amount twice higher than the initially imposed penalty.
Art. 43
(1) (amend. - SG 103/05) The acts of determining administrative violations shall be constituted by a
member of the Commission for Personal Data Protection or by officials authorized by the Commission.
(2) (suppl. - SG 103/05; amend. - SG 91/06) The penal decrees shall be issued by the President of the
Commission for Personal Data Protection.
(3) (New - SG 91/06) Property sanctions and fines imposed by penal decrees in force, shall be collected
under the order of the Code of Tax and Social Security.
(4) (prey. text of para. 3 - SG 91/06) The determination of the violations, the issuance, the appeal and
the execution of the penal decrees shall be carried out in compliance with the Administrative Violations
and Sanctions Act.
ADDITIONAL PROVISIONS
§ 1. Within the meaning of this Law:
1. (amend., SG - 103/05; amend. - SG 91/06) "processing of personal data" shall mean any operation or
set of operations which can be performed with respect to personal data, whether by automatic means or
otherwise, such as collection, recording, organization, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination, provision, transfer or otherwise making
available, updating or combination, blocking, deletion or destruction.
2.(amend., SG - 103/05) "personal data register" shall mean any structured set of personal data which is
accessible according to specific criteria, whether centralised, decentralised or distributed on a
functional or geographical basis.
3.(amend., - 103/05) "personal data processor" shall mean any natural or legal person, a central or local
government authority which processes personal data on behalf of the personal data controller.
4. (Repealed. SG - 103/05)
5."Provision of personal data" shall mean any actions for the full or partial transfer of personal data
from one data controller to another or to a third party within the territory of the country or abroad.
6.(amend., SG - 103/05) "anonymous data" shall mean any personal data put in a form which does not
allow such data to be connected with the respective individual to whom such data refer.
7. "Blocking" shall mean the storage of personal data with suspended processing.
8. (repealed, SG - 103/05)
9."Repeated" violation shall mean a violation committed within a year from the entry into force of the
penal order, with which was imposed a penalty for the same type of violation.
10. (new, SG - 70/04 — effective 01.01.2005) "Human genome" shall mean the full set of all genes in a
single (diploid) set of individual chromosomes.
11. (new - SG 103/05) "Third party" shall mean any natural or legal person, central or local
government authority other than the individual to whom the data refer, the personal data controller, the
personal data processor and the persons who, under the direct guidance of the controller or the
processor, are authorised to process personal data.
12. (new, SG - 103/05) "Recipient" shall mean a natural or legal person, an authority of central or local
government to whom personal data are disclosed, whether a third party or not.
Authorities which can receive data in the framework of a particular inquiry shall not be regarded as
recipients.
13. (new, SG - 103/05) "Consent of the individual" shall mean any freely given, specific and informed
expression of will, by which the individual to whom the personal data refer, states his or her
unambiguous consent for processing such data.
14. (new, SG -103/05, in force as of the effective date of the Treaty of Accession of the Republic of
Bulgaria to the European Union) "Third country" shall mean any state, which is not a member of the
European Union and is not a country signatory to the European Economic Area Agreement.
15. (new, SG No. 103/2005) "Direct marketing" shall mean offering goods and services to individuals
by mail, telephone, or in another direct way, and consulting aimed at making a survey regarding the
goods and services offered.
16. (new - SG 91/06) "Specific features" shall refer to features relating to physical, physiological,
genetic, psychical, psychological, economic, cultural, social and other identity of the individual.
§ l a. (new - SG 91/06) This Law shall introduce the provisions of Directive 95/46/EC of the European
Parliament and of the Council on the protection of individuals with regard to the processing of personal
data and on the free movement of such data.
TRANSITIONAL AND FINAL PROVISIONS
§ 2. (1) The Council of Ministers shall propose the members of the Commission for Personal Data
Protection to the National Assembly within a month from the entry into force of this Law.
(2) The National Assembly shall elect the members of the Commission for Personal Data Protection
within 14 days from the introduction of the proposal under para. (1).
(3) The Commission for Personal Data Protection shall adopt and promulgate in the State Gazette the
Regulations under Art. 9, para. (2) within three months of its election.
(4) The Council of Ministers shall provide the property and financial resources needed for the
Commission to start its work within a month from the entry into force of the decision of the National
Assembly under para. (2).
§ 3. (1) Within six months from the entry into force of the Regulations under Art. 9, para.
2, the persons maintaining personal data registers as from the entry into force of this Law, shall adjust
them to the requirements of this Law and shall notify the Commission thereof.
(2)The Commission shall make preliminary checks and register or refuse to register as data controllers,
persons maintaining personal data registers as of the effective date of this Law and their registers
within three months of the receipt of the application under para. (1).
(3)The decisions of the Commission to refuse registration shall be subject to appeal before the Supreme
Administrative Court within 14 days.
(4) Upon the entry into force of the decision of the Commission to refuse registration or the judgement
of the Supreme Administrative Court confirming the refusal by the Commission, the person
maintaining a register unlawfully shall destroy the personal data therein or, with the consent of the
Commission, transfer the data to another data controller who has registered its register and processes
personal data for the same purposes.
(5) The Commission shall monitor the execution of the obligation under para. (4).
(6) . Within three months of their registration, the data controllers under Art. 3, para. (1) shall publish
the details under Art. 22, para. (1) in the bulletin of the Commission for Personal Data Protection.
§ 4. The Law on Access to Public Information (SG - 55 of 2000) shall be amended as follows:
1. In Art. 2, para. (3), the words "personal information" shall be replaced by the words "personal data".
2. § 1, Item 2 shall be amended as follows:
2. "Personal data shall mean the information concerning an individual revealing his or her physical,
psychological, mental, marital, economic, cultural or social identity."
§ 5. This Law shall enter into force on 1 January 2002.
This Law was adopted by 39th National Assembly on 21 December, 2001 and the official seal
of the National Assembly was affixed to it.
TRANSITIONAL AND FINAL PROVISIONS
of the LAW ON PRIVATE ENFORCEMENT AGENTS
(Published, SG No. 43 of 2005)
§ 23. This Law shall enter into force on 1 September 2005.
TRANSITIONAL AND FINAL PROVISIONS
of the LAW AMENDING THE LAW FOR PROTECTION OF PERSONAL DATA.
(SG No. 103/2005; AMEND. - SG 91/06)
§ 50. The provision of § 38, concerning Art. 36 shall apply until the Treaty of Accession of the
Republic of Bulgaria to the European Union takes effect.
§ 51. The provisions of § 1, concerning Art. 1, para. (4), subpara. (3), § 8, item (1), section (c),
concerning Art. 10, para. (1), subpara. (9), § 39, concerning Art. 36a, § 40, concerning Art. 36b, and §
48, item (5), concerning item (14) of the Additional Provision shall take force as of the effective date of
the Treaty of Accession of the Republic of Bulgaria to the European Union.
§ 52. Within three months following the effective date of the Law, the Commission for Personal Data
Protection shall adopt the Code of Ethics referred to in Art. 10, para. (4), and the regulations referred to
in Art. 23, para. (5).
TRANSITIONAL AND FINAL PROVISIONS
of the ADMINISTRATIVE PROCEDURE CODE
(PROM. - SG 30/06, IN FORCE FROM 12.07.2006)
§ 142. The code shall enter into force three months after its promulgation in the State Gazette, with the
exception of
1. division three, § 2, item 1 and § 2, item 2 - with regards to the repeal of chapter third, section II
"Appeal by court order", § 9, item 1 and 2, § 15 and § 44,. item 1 and 2, § 51, item 1, § 53, item 1, § 61,
item 1, § 66, item 3, § 76, items 1 - 3, § 78, § 79, § 83, item 1, § 84, item 1 and 2, § 89, items 1 - 4§
101, item 1, § 102, item 1, § 107, § 117, items 1 and 2, § 125, § 128, items 1 and 2, § 132, item 2 and §
136, item 1, as well as § 34, § 35, item 2, § 43, item 2, § 62, item 1, § 66, items 2 and 4, § 97, item 2
and § 125, item 1 — with regard to the replacement of the word "the regional" with the "administrative"
and the replacement of the word "the Sofia City Court" with "the Administrative Court - Sofia",
which shall enter into force from 1 May, 2007;
2. para. 120, which shall enter into force from the 1 January, 2007;
3. para. 3, which shall enter into force from the day of the promulgation of the code in State Gazette.
TRANSITIONAL AND FINAL PROVISIONS
of the LAW AMENDING THE LAW FOR PROTECTION OF PERSONAL DATA
(PROM. - SG 91/06)
§ 31. The provision of Para. 6, regarding Art. 6, Para 2 shall enter into force from 1 January 2007.
§ 32. Within a term of two months from the entry into force of this Law, the Commission for Personal
Data Protection shall adopt the instruction referred to in Art. 12, Para 9.
§ 33. Within a term of three months from the entry into force of this Law, the data controllers subject to
registration shall submit an application for registration.
TRANSITIONAL AND FINAL PROVISIONS
of the LAW OF THE NATIONAL ARCHIVE FUND
(PROM. - 57/07, IN FORCE FROM 13.07.2007)
§ 23. The Law shall enter into force from the day of its promulgation in the State Gazette.
Relevant acts in the European legislation
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND THE COUNCIL of 24 October
1995 on the protection of individuals with regard to the processing of personal data and on the free
movement of such data
REGULATION (EEC) N2 2380/74 OF THE COUNCIL of 17 September 1974 adopting provisions for
dissemination of information relating to research programs for the European Economic Community
REGULATION (EC) 45/2001 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 18
December 2000 on the protection of individuals with regard to the processing of personal data by the
Community institutions and bodies and on the free movement of such data
COMMISSION DECISION of 15 June 2001 on standard contractual clauses for the transfer of
personal data to third countries, under Directive 95/46/EC (Text with EEA relevance) (notified under
document number C(2001) 1539) (2001/497/EC)
COMMISSION DECISION of 26 July 2000 pursuant to Directive 95/46/EC of the European
Parliament and of the Council on the adequate protection of personal data provided in Switzerland
(notified under document number C(2000) 2304) (Text with EEA relevance.) (2000/518/EC)
COMMISSION DECISION of 26 July 2000 pursuant to Directive 95/46/EC of the European
Parliament and of the Council on the adequate protection of personal data provided in Hungary
(notified under document number C(2000) 2305) (Text with EEA relevance.) (2000/519/EC)
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
