Bulgaria is set to introduce certain changes to the application of the EU General Data Protection Regulation (GDPR).

Bulgaria’s government has announced that it will legislate additional protocols beyond those existing under GDPR. Areas to be affected include employment, the role of GDPR or data protection officers (DPOs) and data protection impact assessments.

Regarding DPOs, Bulgaria-based businesses would be required to designate a DPO if they process the personal data of more than 10,000 individuals. In addition, specific corporate rules and procedures would need to be introduced with regard to procedural safeguards, all of which would follow a self-initiated data protection impact assessment by the DPO.

With regard to employees, employers would not be able to keep personal information on record unless explicitly allowed under Bulgarian law. Internal policies would need to be introduced regarding whistleblowing systems, acceptable/restricted use of internal resources, and systems designed to monitor employee access to the work premises, number of hours worked and work order.

Most importantly, any collection or processing of employee data not directly related to and necessary for the employment relationship would require prior written consent from the employee in question.

Recruitment companies would have a time limit on data retention. These proposals are currently subject to public consultation.