Leave your GDPR compliance to us

You are in Safe Hands

The seminars that we held regarding the new privacy protection rules under the GDPR.

On December 14, 2017, the series of seminars on the topic “The changes in the Personal Data Protection Legislation under Regulation (EU) 2016/679 and how to get prepared” was launched at the Novotel Hotel in Sofia. Attorney Dessislava Dimitrova and Attorney Yordan Cholakov presented the legal aspects of the Regulation, giving guidance to companies on what steps to take in order to be compliant. Issues such as the validity of consents given before May 25, 2018, who should have a DPO, the Regulation in the context of Employment Law, the authorities of the Bulgarian Commission for personal data protection and others were discussed. The event was attended by representatives of various business sectors such as hospitals, hotels, real estate agencies, IT companies, online stores and others.
On January 25, 2018, the second seminar on the topic “The changes in the Personal Data Protection Legislation under Regulation (EU) 2016/679 and how to get prepared” was held in Hotel City, Stara Zagora. Attorney Desislava Dimitrova and Attorney Yordan Cholakov introduced local companies to the new changes in the legislation on personal data under the Regulation and gave them practical advice on what steps to take to be GDPR compliant.
On February 07, 2018, the third practical seminar on the topic “The changes in the Personal Data Protection Legislation under Regulation (EU) 2016/679 and how to get prepared” was held at the St. Petersburg Hotel in Plovdiv. The previous seminars in Sofia and Stara Zagora also generated great interest among the attendees. Attorney Desislava Dimitrova and Attorney Yordan Cholakov introduced local companies to the new changes in the legislation on personal data under the Regulation and gave them practical advice on what steps to take to be GDPR compliant. Issues such as the validity of consents given prior to May 25, 2018, telephone consents, GDPR in the context of Employment relations, the Bulgarian Commission for personal data protection, cross-border data transfer, etc. were discussed. By the end of the month, two more events are going to be held, and for more information you can write to us at office@innovires.com

What exactly is GDPR?

GDPR stands for the European Union General Data Protection Regulation. It comprises a set of rules for data protection for all European citizens, replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The main reason for setting new rules for data protection is the rapid growth in the amount of data and the completely new ways of accessing and processing it.

What information does it apply to?

Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

What you need to take into consideration

Lawful basis for processing

You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing.

Expanded territorial reach

The transition from the Directive to the GDPR introduces significantly broader territorial application of EU data protection law.

Accountability and Privacy by design

Accountability means that controllers are responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.

Data processors obligations

One of the key changes in the GDPR is that data processors have direct obligations for the first time. Under the GDPR, the concept of a “processor” does not change.

The consent

Consent must be freely given, specific, informed and unambiguous. Requests for consent should be separate from other terms, and be in clear and plain language.

Children’s data

Children are considered to be “vulnerable individuals” and have been given more rights under the GDPR than under the existing Data Protection Act.

Retention Policy

If you retain customer data, and particularly if your customers have accounts and you keep a customer record, you will need to look at how long you retain the data.

Privacy Impact Assessments

A privacy impact assessment will help you understand the risks and issues of using the customer data.


In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability compliance.

Data breach notification

According to the GDPR, the data controller must notify the DPA of data breaches. This must be done without undue delay and, where feasible, within 72 hours of awareness.

Remedies and sanctions

Whereas the remedies and sanctions available to DPAs under the Directive are comparatively low, the remedies and sanctions available to DPAs under the GDPR are significantly greater.


The ‘One-Stop-Shop’ mechanism is one of the key elements of the GDPR. The main idea is that it will greatly affect companies with a presence in more than one Member State.

No registration requirement

A change has been made for data controllers: they are not required to register or to notify the DPA of a controller’s data processing activities and to seek approval from the DPA in some circumstances.

Codes of conduct

One of the core dangers of transferring data out of the EEA is that those data will be subject to lower standards of protection. By adhering to Codes of Conduct, non-EEA controllers and processors can address this risk, and provide a lawful basis for Cross-Border Data Transfers.

Cross-Border Data Transfers

Cross-Border Data Transfers are prohibited, unless certain conditions are met. Cross-Border Data Transfers to a recipient in a third country may take place, without a need to obtain any further authorization, if the Commission has decided that such third country ensures an adequate level of data protection.

What you should do


  1. Establish recognition of the importance of GDPR compliance among company leaders
  2. Secure executive support for necessary resources and investments
  3. Choose an employee or department to manage the effort
  4. Build a team of crucial functional leaders


  1. Study existing privacy and security practices to identify strengths and weaknesses
  2. Classify all the systems where the organization stores personal data and create an information inventory
  3. Build a register of data processing activities and carry out a privacy impact assessment for each activity
  4. Ensure Document Compliance


  1. Ensure privacy notices are present and specific processes are implemented in order to identify and respond to security breaches
  2. Implement restrictions to limit the organization’s use of data
  3. Build mechanisms to manage data subject consent preferences
  4. Establish procedures to respond to data subject requests for data access and control.


  1. Compile copies of privacy notifications and consent forms, the data inventory and register of data processing activities, communicated policies and procedures, training materials, vendor contracts and intra-company data transfer agreements
  2. If needed, appoint a data protection manager and identify the appropriate EU supervisory authority
  3. Conduct periodic risk assessments

Consequences of GDPR

GDPR allows supervisory authorities to assess penalties/fines that are effective, dissuasive and proportionate. There are two tiers of maximum penalties according to the GDPR, with a charge based on the severity of the violation:

  1. 2% of the organization’s revenue or €10M, whichever is higher
  2. 4% of the organization’s revenue or €20M, whichever is higher

Additionally, individuals can also seek monetary damages in court from the organizations storing their data (controllers) that violate their rights as well as from companies that process their personal data (data processors).

May 25, 2018 is approaching soon, and organizations are scrambling to ensure they are GDPR compliant. Make sure you are compliant too!

Frequently asked questions

The data protection officer (DPO) role under the GDPR

A data protection officer (DPO) is a security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are accountable for overseeing data protection strategy and implementation to ensure compliance with the most recent GDPR requirements.

Under the GDPR, you must appoint a DPO if you:
1. are a public authority (courts acting in their judicial capacity are not eligible);
2. carry out regular monitoring of individuals (for example, online behavior tracking);
3. carry out processing of particular data related to criminal convictions.

The DPO’s tasks

The GDPR is explicit about the responsibilities that DPOs are required to perform. They include the following:
1. Inform and advise the company and its employees of their data protection obligations under the GDPR.
2. Monitor the organization’s compliance with the GDPR and with internal data protection policies and procedures. This includes overseeing the assignment of responsibilities, awareness education, and training of staff involved in processing operations and related activities.
3. Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and expected results.
4. Serve as the contact person for the data protection authorities and for data subjects on all data protection issues, including data breach recording.

Can we have one of our existing employees as the DPO?

Yes, as long as the professional duties of the employee are compatible with the duties of a DPO and do not lead to a conflict of interests in the company.

Additionally, you can also contract out the role of DPO externally.

How Innovires can help

Innovires Legal can help your company process personal data fairly and in compliance with the GDPR.

We have already been trusted by clients across a spectrum of regulated and non-regulated business sectors to work with them on their GDPR management, helping them to plan, budget and implement specific compliance projects, as well as evaluating their strategy and response to the change in risk profile.

Our integrated team can provide analysis and practical solutions as well as assist your business in preparing for the deadline when the GDPR takes effect. We will help you understand the impact it will have on your business and how to prepare smoothly.

Access this page and use one of the contact options to get in touch with our team.

Innovires Legal and its trusted and well-known IT and HR partners can help your company process personal data fairly and in compliance with the GDPR. We can fully assist you with:

  1. Initial and ongoing consultations for companies processing personal data;
  2. GAP analysis and assessment of the current level of compliance, as well as the determination of the nature, scope and purposes of the processing of personal data, along with data transfer analysis;
  3. Identifying the new privacy requirements under the GDPR and how your organization can respond to them effectively;
  4. Preparation of the legal documents to bring the activity of your company into compliance with the Regulation – forms for providing information and consent to data subjects, contracts with processors and other external companies, company policies on personal data protection, codes of conduct, etc.;
  5. Updating documentation according to forthcoming mandatory guidelines and best practices on personal data protection;
  6. Overview of existing privacy practices;
  7. Analysis of the current state of the IT infrastructure;
  8. Review of available Information Security and Application Technology and Database Analysis technologies;
  9. Risk Assessment;
  10. Implementation of IT systems, if necessary;
  11. Ensuring ongoing, unified and comprehensive monitoring;
  12. Legal assistance and representation to data subjects, supervisors and the court;
  13. Providing an external “Data Protection Officer” (DPO) for the purposes of your organization with flexible working hours and competitive remuneration;
  14. Initial, ongoing and follow-up staff training and seminars.

25 Vitosha blvd. fl. 2, Sofia, Bulgaria