Legal Affairs and International Cooperation Directorate
1. prepares opinions for the National Assembly, the Council of Ministers, other institutions and authorities regarding the legislative and administrative measures in connection with the protection of natural persons with regard to the processing of personal data thereof;
2. prepares drafts of statutory acts, internal acts and documents in the field of personal data protection;
3. prepares drafts of general and statutory administrative acts related to the powers thereof in cases provided for by a law;
4. carries out legal analyses, prepares opinions, decisions, authorisations and positions of the Commission on matters in the field of personal data protection, including on drafts of statutory acts, as well as drafts of replies to queries by third parties regarding the application of personal data protection legislation;
5. draws up draft decisions on the adoption of standard contractual clauses referred to in Article 28 (8) and point (d) of Article 46 (2) of Regulation (EU) 2016/679 and facilitates the procedure for the adoption thereof in accordance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679;
6. prepares draft authorisations for application of contractual clauses and the provisions referred to in Article 46 (3) of Regulation (EU) 2016/679 and facilitates the procedure for the adoption thereof in accordance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679;
7. draws up draft decisions on the approval of binding corporate rules according to Article 47 of Regulation (EU) 2016/679 and facilitates the procedure for the adoption thereof in accordance with the consistency mechanism referred to in Article 63 of Regulation (EU) 2016/679;
8. executes the legal representation before the court on appeals against acts of the Commission adopted on a proposal by the Directorate, and provides current information to the Commission on the progress of the court cases in connection with any such proceedings;
9. provides consultations to controllers, processors, and to data subjects on matters in the field of personal data protection;
10. prepares opinions on requests for access to data in the National System for Civil Registration and Administrative Services to the Public (ESGRAON) under Item 3 of Article 106 (1) of the Civil Registration Act;
11. coordinates and participates in the implementation of the international activity of the Commission;
12. cooperates with other supervisory authorities, including by sharing information and mutual assistance, with a view to ensuring the consistency of application and enforcement of the applicable personal data protection legislation, as well as with the international organisations on issues in the field of personal data protection;
13. supports the Commission in implementing the activities of the European Data Protection Board;
14. ensures the implementation of the decisions of the European Commission and the judgments of the Court of Justice of the European Union in the field of personal data protection and the implementation of the binding decisions of the European Data Protection Board;
15. participates in the preparation and conduct of negotiations on the conclusion of bilateral or multilateral agreements in the field of personal data protection;
16. analyses the results of the application of statutory acts and international treaties in the field of personal data protection and delivers opinions on the need to take national implementing measures;
17. supports the Commission in entering into contacts and interacting with national and international institutions on issues in the field of personal data protection, as well as in exchanging information in connection with the honouring of obligations arising from an international treaty whereto the Republic of Bulgaria is a party;
18. analyses the experience and work of international organisations and institutions and foreign legislation, conducts investigations on issues of international nature and maintains a database of acts and case-law of the Court of Justice of the European Union (EU) and the European Court of Human Rights on matters in the field of personal data protection;
19. studies, analyses and prepares project proposals under nationally and internationally funded programmes, prepares and coordinates project documents according to the requirements of the relevant programme, as well as supports the Commission for building strategic partnerships with other supervisory authorities and domestic and foreign organisations of the public and private sector;
20. plans, coordinates and implements the project proposals that have been approved for funding whereof the Commission is a beneficiary, including by rendering the requisite assistance in the process of monitoring and control by other state and European institutions;
21. shares in the delivery of training courses in the field of personal data protection.
Legal Proceedings and Supervision Directorate
1. examines complaints lodged under Article 38 (1) of the PDPA, including under the cooperation mechanism with other supervisory authorities, and prepares reasoned legal opinions as to whether the said complaints are admissible and well-founded;
2. supports the Commission in carrying out an analysis in order to identify a lead supervisory authority and a supervisory authority concerned where complaints in connection with cross-border processing of personal data have been lodged;
3. cooperates with other supervisory authorities in connection with the examination of complaints;
4. organises the provision of information to the data subjects under Article 38 (2) of the PDPA;
5. proposes to the CPDP the application of the measures under points (a) to (d), (f), (g), (i) and (j) of Article 58 (2) of Regulation (EU) 2016/679, under Items 3, 4 and 5 of Article 80 (1) or Chapter Nine of the PDPA upon the examination of complaints;
6. plans control activities on the basis of a risk analysis and the priorities of the Commission;
7. executes the investigative powers of the Commission under points (a), (b), (d), (e) and (f) of Article 58 (1) of Regulation (EU) 2016/679;
8. proposes to the CPDP the application of the measures under points (a) to (d), (f), (g), (i) and (j) of Article 58 (2) of Regulation (EU) 2016/679, under Items 3, 4 and 5 of Article 80 (1) or Chapter Nine of the PDPA as regards control activities;
9. cooperates with other supervisory authorities in connection with the implementation of joint operations;
10. carries out the control activities assigned to the Commission by law or implementing an act of the European Union or an international treaty whereto the Republic of Bulgaria is a party, with regard to the national units responsible for personal data processing in large-scale IT systems of the EU, being able to propose application of the powers under Article 58 (1) of Regulation (EU) 2016/679;
11. executes the legal representation on appeals against penalty decrees and against decisions of the Commission under Article 38 (3) and (4) of the PDPA, whereby corrective powers are exercised as regards control activities;
12. prepares opinions, reports, draft directions, statements of findings, written statements ascertaining administrative infringements and penalty decrees according to the procedure established by the AISA;
13. provides consultations to controllers, processors, and to data subjects on matters in the field of personal data protection;
14. analyses and summarises the practice of the Commission and delivers opinions on the general state of the personal data protection system in the area of legal proceedings and supervision;
15. maintains registers of the complaints received, the decisions rendered and the penalty decrees issued;
16. shares in the delivery of training courses in the field of personal data protection.
Legal Analysis, Information and Control Directorate
1. supports the Commission in monitoring and ensuring the application of Regulation (EU) 2016/679 and the national personal data protection legislation;
2. conducts studies regarding the application of Regulation (EU) 2016/679, including on the basis of information received from other supervisory or public authorities;
3. prepares draft procedures, rules, methodologies, guidance notes, clarifications, guidelines, recommendations and best practices for the application of Regulation (EU) 2016/679 and the PDPA and submits the said drafts to the Commission for approval;
4. supports the Commission in promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data;
5. supports the Commission in raising the awareness of controllers and processors of the obligations thereof arising from the applicable personal data protection legislation;
6. maintains the institutional website of the CPDP as an essential and permanent means of ensuring public awareness of the activities of the CPDP and the functioning of the personal data protection system and produces the bulletin of the CPDP;
7. handles the complaints/alerts and queries submitted on the website of the CPDP and, after the Chairperson has made a decision, allocates the said submissions to the competent directorates;
8. processes the information received through the information system of the European Data Protection Board and, after the Chairperson has made a decision, allocates the said information to the competent directorates;
9. organises the setting of the objectives of the administrative units, monitoring and reporting the outcomes of the implementation of strategic documents;
10. coordinates the activities of developing and applying the strategic documents of the Commission, the monitoring and reporting of the implementation of the said documents;
11. is responsible for the alignment of the strategic priorities of the Commission with the project activities and outcomes;
12. prepares opinions in the prior consultation procedure under Article 36 of Regulation (EU) 2016/679 and Article 12 (2) and Article 65 of the PDPA;
13. prepares opinions regarding:
(a) the approval of codes of conduct;
(b) the accreditation of bodies for monitoring codes of conduct;
(c) the accreditation of certification bodies;
14. supports the Commission in the activity thereof encouraging the drawing up of codes of conduct;
15. supports the Commission in the activity thereof encouraging the establishment of data protection certification mechanisms and of data protection seals and marks;
16. performs a periodic review of the certifications issued;
17. applies the corrective powers of the CPDP under points (d) and (h) of Article 58 (2) of Regulation (EU) 2016/679;
18. maintains registers of:
(a) controllers and processors which have designated data protection officers;
(b) codes of conduct under Article 40 of Regulation (EU) 2016/679;
(c) certification bodies accredited under Article 14 of the PDPA;
(d) infringements of Regulation (EU) 2016/679 and of the PDPA, as well as of the measures taken in accordance with the exercise of the powers referred to in Article 58 (2) of Regulation (EU) 2016/679;
(e) notifications of personal data breaches under Article 33 of Regulation (EU) 2016/679 and under Article 67 of the PDPA;
(f) the records received from the undertakings providing electronic communications services on the data destroyed under Article 251g (1) of the Electronic Communications Act (ECA);
19. processes and summarises the statistical information received from the undertakings providing electronic communications services in connection with Article 261a (4) and (5) of the ECA;
20. monitors the development of information and communication technologies and commercial practices insofar as they have a direct impact on the protection of personal data;
21. implements the automated data exchange with national and international information systems;
22. executes the legal representation before the court on appeals against acts of the Commission adopted on a proposal by the Directorate, and provides current information to the Commission on the progress of the court cases in connection with any such proceedings;
23. shares in the delivery of training courses in the field of personal data protection.