Providing free personal information – how to protect?

Julian Spassov

Individuals have the right to request at any time that the administrator delete, correct or block data whose processing does not meet the requirements of the law.

Everyone has the right to the protection of personal data. This fundamental right is enshrined in the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the EU. In the field of personal data, the founding instrument of the EU's existing legislation to date is Directive 95/46/EC, which harmonizes national legislation, sets strict limits on the collection and use of data and requires each Member State to set up an independent national body responsible for data protection.

In 2002 Bulgaria, implementing the necessary regulation, introduced the Law on Protection of Personal Data (LPPD), which regulates in detail the relations arising in the processing of personal data and the protection of the rights of individuals whose data is processed. For its part, the Commission for Personal Data Protection is the administrative body in the country with the power to protect the rights of citizens when those rights are violated under the LPPD.

What is personal data?

The law considers as personal any information that can identify us as natural persons. It usually includes name, date of birth, picture, e-mail address and phone number, but it can also include credit card information, IP address and information on social networks. There is also another type of personal data, which is given special protection. The law introduces a general prohibition on processing sensitive personal data, that is, data revealing racial or ethnic origin or political or religious convictions, or concerning the health or sex life of people. Such data may be processed only in the cases expressly permitted by the law.

Who has access to it and to whom is it provided?

Not everyone may use our personal data, only what the law calls the personal data administrator. This can be a natural or a legal person, as well as a public authority or a local authority, who determines, alone or together with another person, the purposes and means of processing personal data. In fact, all public authorities (tax, municipal, social and judicial) have access to the personal information of citizens, as does the private sector, where banks, telecommunication companies, internet providers and employers constantly process personal data. The virtual world makes accessing and processing such data easier. According to the LPPD, personal data must be processed lawfully and in good faith, for a clearly defined period of time and in relation to the purposes for which it is used, i.e. the law “ensures” that the data will not be used for purposes other than those provided by the law, and will not be submitted to third parties without the expressly stated acceptance of the owner. However, there are many cases of misuse of personal data.

Misuse of personal data

Every day, any citizen can become a victim of freely providing personal data. For example, we witness the misuse of personal data stored under employment contracts and bank accounts, illegal transfers of property, “stolen identity” and misappropriation of funds. Free access to the Commercial Register “helps” changes of ownership of companies and citizens. To prevent unauthorized intervention, a new system is planned, which will allow the managers or members of companies to receive an SMS when someone tries to change the management or the account ownership of the company. Cases in which public authorities or private organizations publicize personal information are also not rare. In connection with court proceedings, personal data of natural persons (litigants, lawyers, etc.) is often provided. In this connection, it has to be taken into consideration that the Personal Data Protection Commission has issued mandatory instructions to the courts in Bulgaria to anonymise court acts upon their publication.

Various financial advisors acquire personal information, such as a mobile phone number, in subtle ways and then pester the owner directly with aggressive proposals which, if not “cut” immediately, lead to a significant waste of time.

Misappropriated personal data is also used for criminal activity, such as a statement (properly drawn up and containing all the true data of the sender) sent to the other party in an established trade relationship, which instructs the recipient to continue paying to a “new” bank account that in fact is not the owner’s.

How to protect?

As mentioned above, each of us can become subject to the processing of such data or can process such data, but every citizen also has the right to know who collects information, when and for what purpose. The right to information and the right of individuals to access their processed personal data are fundamental rights regulated in the LPPD. Individuals have the right to request at any time that the administrator:

- delete, correct or block personal data whose processing does not meet the requirements of the law

- notify third parties who have accessed such data about any deletion, correction or blocking, except in cases when this is impossible or involves disproportionate effort

The LPPD regulates the right to object to the actions of the administrator of personal data. This right can be exercised regarding the access request and the decision of “the administrator of personal data” and includes the right to object, before the administrator, to:

- the processing of personal data, where there is a legal basis for doing so (when the objection is founded, the personal data of the individual can no longer be processed)

- the processing of personal data for direct marketing purposes (for example, the Law on Electronic Communications provides that the consumer has the right to express disagreement with the future receipt of advertisements)

Protection can be sought from the Personal Data Protection Commission, as well as from the court, according to the general rules of the Administrative Procedure Code, and, if it is established that the personal data has been processed for criminal purposes, under the Penal Code or the Penal Procedural Code. Knowledge of the regulatory framework is required, but do not neglect the right to control the information concerning your personal data.

Seventeen years after the adoption of the European Directive in the field of personal data, the 27 Member States still face legal uncertainty and the need for effective implementation of the regulation. Citizens increasingly feel that they have no control over their data, especially when it is submitted online. Today, in the world of evolving technologies, the European Commission provides a single set of rules for data protection, valid for the whole European Union. There is a need for greater security of our personal data. The European Commission goes further by providing the right to be forgotten, which allows citizens to delete their data if there is no legal basis for maintaining it. We shall see how we will be able to exercise our rights as European citizens in Bulgaria more effectively.

The article has been published in Bulgarian, in Capital Daily.