Instruction on Measures and Means for Protection of Personal Data Collected, Processed, Stored and Provided by the NSI

INSTRUCTION

on measures and means for protection of personal data

collected, processed, stored and provided by the National Statistical Institute


Section One

GENERAL PROVISIONS

Article 1. This Instruction shall regulate the organization and internal order of the National Statistical Institute, hereinafter referred to as "NSI" as personal data controller and the level of technical and organizational measures on the processing of personal data and admissible type of protection.

Article 2. This Instruction is prepared in accordance with the provisions of the Law For Protection of the Personal Data (LPPD) and Ordinance № 1 of 30.01.2013 on the minimum level of technical and organizational measures and the admissible type of protection of personal data (Ordinance № 1) and aims to protect the interests of clients - individuals and individuals representing corporate bodies as well as employees of the NSI from unlawful and unconscionable processing of their personal data.

Article 3. For the purposes of this Instruction, the terms below have the following meanings:

1. “Personal data” are information for clients (individuals and individuals representing corporate bodies) of the NSI and its employees who are identified or identifiable, directly or indirectly, by reference to an identification number or to one or more specific features.

2. “Processing of personal data” shall mean any operation or set of operations which the NSI performs with respect to personal data, whether by automatic or non automatic means (collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, provision, transfer or otherwise making available, updating or combination, blocking, deletion or destruction, etc.).

3. “Personal data controller” shall be the NSI which processes personal data separately or by assignment to another person.

4. “Specific features” shall refer to features relating to physical, physiological, genetic, psychical, psychological, economic, cultural, social and other identity of the individual.

5. “Personal data register” shall mean a structured set of personal data which is accessible according to specific criteria in accordance with the NSI internal documents and which can be centralized or decentralized and distributed on a functional basis.

6. “Consent of the individual” shall mean any freely given, specific and informed expression of will, by which the individual to whom the personal data refer, states his or her unambiguous consent for processing such data.

Article 4. (1) The NSI processes only legally collected personal data needed for specific, precisely defined and legal purposes. Personal data collected and processed by the NSI shall be accurate and updated if necessary. Personal data are deleted or corrected when found to be imprecise or disproportionate to the purposes for which they are being processed.

(2) The NSI maintains personal data in a type and form that enables identification of the individuals’ identity for a period not exceeding the time necessary for the purposes for which such data are being processed.

(3) The NSI observes the principle of prohibition of processing of special categories of data according to Art. 5 Para. 1 of LPPD (disclosure of racial or ethnic origin; disclosure of political, religious or philosophical convictions; membership in political parties or organizations; associations having religious, philosophical, political or trade-union goals; personal data which refer to health, sexual life or human genome), exceptions are allowed only in cases specified in Art. 5 Para. 2 of LPPD.

Article 5. (1) The client - holder of personal data - expresses freely his consent for the processing of personal data relating to him.

(2) The client has the right at any time of the processing to request blocking or destruction (deletion) of the collected personal data on him when he disputes their accuracy or their processing is unlawful.

(3) In cases where the data are not obtained from the client, the NSI informs him of the purpose and legal basis of the processing, the categories of data provided and their source, the recipients to whom they are to be provided and his right of access to his personal data.

Article 6. The NSI, as personal data controller, maintains personal data in a form which allows identification of individuals.

Article 7. Personal data are processed when:

1. This is necessary for the execution of an obligation stipulated by law.

2. The individual to whom such data refer has given his/her explicit consent. The clients (individuals and individuals representing corporate bodies) and employees of the NSI are identified by an official identity document (identity card). The identity document must be copied and the client must write “I agree with the copy” and sign the copy. The original is returned to the client and the copy is stored in the archives of the NSI for 5 years.

3. Processing is necessary for the execution of obligations of a contract to which the individual to whom such data refer is a party, and for actions at the individual’s request and preceding the execution of a contract.

Article 8. All employees of the NSI, on taking up duty, undertake to respect the confidentiality of the NSI client database, including personal data, and not to disclose data and information that have become known to them in connection with the performance of their duties.

Article 9. The NSI maintains internal order as a personal data controller by providing technical and organizational measures for protection.

Section two

DESCRIPTION OF REGISTERS

Article 10. The NSI maintains the following registers:

(1) Personal data of employees and visitors of the NSI which are collected processed and stored in “Personnel” Registers;

(2) “Video surveillance”;

(3) “Document registry”;

(4) “External visitors”;

(5) “Salaries and fees”;

(6) Personal data collected by statistical surveys are collected, processed and stored in “Demography” register, “Statistical business register” and “Foreign trade” register;

(7) Personal data collected by Censuses of population and housing fund are collected, processed and stored in “Census” Register.

Article 11. (1) Personal data under Article 10, paragraphs 6 and 7 are individual statistical data and shall constitute a statistical secret in accordance with the Law on statistics. They may be used only for statistical purposes. Individual data received for the purposes of statistical surveys may not be used as evidence before the bodies of the executive and the judiciary.

(2) Employees of the NSI may not disclose or provide:

1. individual statistical data;

2. statistical data which can be matched in a way that enables the identification of a specific statistical unit;

3. statistical information which aggregates data about less than three statistical units or about a population in which the relative share of the value of a surveyed parameter of a single unit exceeds 85 per cent of the total value of such parameter for all units in the population.

(3) Individual data may be published only if the subject to which such data relate has granted consent therefor. Such consent shall be granted in writing and should clearly specify which data it includes. The person to whom such data relate may at any time withdraw his/her consent in writing, and such withdrawal shall not apply to actions performed prior to it.
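The two numeric criteria in Article 11(2), item 3 (fewer than three statistical units, or one unit contributing more than 85 per cent of the total) are the kind of check that should run automatically before any aggregate leaves a register. The following is an added example, not part of the NSI Instruction or any NSI software: a small disclosure-control filter that applies both criteria to a constructed table of per-unit values. It assumes that each list element is one statistical unit's value for the surveyed parameter and that values are non-negative; the item 2 criterion (linkability of published cells) is a different, table-level analysis and is not attempted here.

```python
"""Disclosure-control check for the numeric criteria of Article 11(2), item 3.

Added illustration, not NSI code. A cell is publishable only if it aggregates
at least three statistical units AND no single unit's value exceeds 85 per cent
of the cell total. Assumption: one list element per statistical unit,
non-negative values.
"""
from dataclasses import dataclass

MIN_UNITS = 3            # "less than three statistical units" -> suppress
DOMINANCE_LIMIT = 0.85   # "exceeds 85 per cent" -> suppress (strictly greater)


@dataclass(frozen=True)
class CellDecision:
    cell: str
    units: int
    total: float
    max_share: float      # share of the largest single unit in the cell total
    publishable: bool
    reason: str


def assess_cell(cell: str, values: list[float]) -> CellDecision:
    """Apply the frequency rule, then the dominance rule, to one table cell."""
    if any(v < 0 for v in values):
        raise ValueError(f"{cell}: negative unit values are outside this rule's assumptions")
    units = len(values)
    total = float(sum(values))
    # A cell whose total is zero has no dominant unit; its share is reported as 0.
    max_share = (max(values) / total) if total > 0 else 0.0

    if units < MIN_UNITS:
        return CellDecision(cell, units, total, max_share, False,
                            "fewer than three statistical units")
    if max_share > DOMINANCE_LIMIT:
        return CellDecision(cell, units, total, max_share, False,
                            "a single unit exceeds 85 per cent of the total")
    return CellDecision(cell, units, total, max_share, True, "publishable")


def assess_table(table: dict[str, list[float]]) -> list[CellDecision]:
    """Assess every cell of a table given as {cell label: [unit values]}."""
    return [assess_cell(cell, values) for cell, values in table.items()]


def suppressed_cells(table: dict[str, list[float]]) -> list[str]:
    """Labels of the cells that must not be released, in table order."""
    return [d.cell for d in assess_table(table) if not d.publishable]


# Constructed sample: turnover of individual enterprises per region (not real data).
SAMPLE_TABLE = {
    "Region A": [120.0, 95.0, 80.0, 60.0],   # 4 units, largest share 120/355
    "Region B": [900.0, 50.0, 40.0],         # 3 units, 900/990 > 0.85 -> dominance
    "Region C": [300.0, 250.0],              # only 2 units -> frequency rule
    "Region D": [850.0, 150.0, 0.0],         # 850/1000 == 0.85 exactly, not "exceeds"
}

if __name__ == "__main__":
    for d in assess_table(SAMPLE_TABLE):
        status = "RELEASE " if d.publishable else "SUPPRESS"
        print(f"{status} {d.cell}: units={d.units} total={d.total:.0f} "
              f"max_share={d.max_share:.3f} ({d.reason})")
```

The boundary row (Region D) matters in practice: the Instruction says "exceeds 85 per cent", so a share of exactly 0.85 passes, and the comparison must be strict. A production filter would also have to apply item 2 of the same paragraph, since two publishable cells can still be differenced to reveal a third.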

Article 12. (1) In order to protect personal data against accidental or unlawful destruction, unauthorized access, alteration or dissemination as well as against other unlawful forms of processing, the NSI shall organize and take measures consistent with modern technological achievements and risks related to the nature of the data that must be protected.

Section three

TECHNOLOGICAL DESCRIPTION OF THE REGISTERS MAINTAINED – DATA CARRIERS, PROCESSING TECHNOLOGY, STORAGE PERIOD AND SERVICES PROVIDED

Article 13. (1) The NSI shall collect and process personal data automated and non automated /on paper/.

Article 14. (1) The following types of personal data are stored in “Personnel” Register:

1. physical identity – names, personal number, address, phone, passport data;

2. education – a document proving acquired education, qualification, competence;

3. labor activity – according to the documents attached for work experience and professional background;

4. medical data – card for preliminary medical examination for employment;

5. conviction status certificate when required;

6. sample form;

7. property status.

(2) The collection, processing and storage of personal data in the “Personnel” register is governed by Instruction on the mechanism of processing of personal data and their protection against unlawful forms of processing in the “Personnel” register in Head Office of the NSI. This Instruction is adopted by Order № РД 07-11/31.01.2006 of the President of the NSI.

(3) Data on paper in the register are collected, processed and stored in “Human Resources” Department. Data on paper and technical carrier in the register are processed and stored in “Financial - Economic Activities” Department.

(4) Personal data are entered in “Personnel” register when submitting documents for employment under labor contract.

Article 15. (1) The “Video surveillance” register is filled with data from automatic non-stop video surveillance (video images) of the movement of employees and visitors at the approaches to the NSI buildings and to premises with a certain status. Records of the video images are stored on a separate personal computer installed in the premises of the physical security service.

(2) Data in the register are provided voluntarily by individuals upon their entry into the building of the NSI. Warning signs that the object is under constant video surveillance are placed at the entrances of the building. The data from this register are stored for 14 days.

(3) Physical protection of personal data is carried out by the security guards.

Article 16. (1) “Document registry” contains the following personal data of individuals - employees of the NSI: three names and position.

(2) Data in the register shall not be transferred to third parties.

(3) Physical protection of personal data in the register is organized in a way that the data are processed and stored in lockable rooms and strict control of access to them.

Article 17. “External visitors” register contains three names of respondents and visitors of the NSI.

Article 18. (1) “Salaries and fees” register contains the following data - name, personal number, number of identity card, address, bank account, tax authority by place of residence, monthly income.

Article 19. (1) “Census” Register contains the following personal data of individuals subject to Law on census of population and housing fund in the Republic of Bulgaria’2011: personal number, number of identity card (for e-census registration only), three names of persons, sex, citizenship, permanent and current address, birthplace, marital status, highest level of education completed, ethnic group, religious denomination, mother tongue, labour status, occupation/position, workplace, location of the workplace or the educational institution, vehicle used for trip, health status;

(2) Data in the register are provided under the Law on census of population and housing fund in the Republic of Bulgaria’2011 and / or voluntarily by persons in carrying out censuses;

(3) For physical protection of personal data processed in the "Census" register, an automatic system for control of employee access is built for the premises where personal data are processed and stored in "Demographic statistics" Department and "Information systems” Department;

Article 20. (1) “Demography” register contains the following personal data of individuals subject to Law on census of population and housing fund in the Republic of Bulgaria’2011: personal number, three names of persons, sex, citizenship, permanent and current address, marital status, level of education completed;

(2) The data in the "Demography" register are received encrypted by e-mail and collected and stored on PCs and server in "Demographic statistics" Department in "Demographic and Social Statistics" Directorate and "Information Systems" Department in "Information and Communication Technologies” Directorate.

(3) The data in the "Demography" register are obtained from Directorate General "Civil Registration and Administrative Services" in Ministry of Regional Development and Public Works under an agreement.

(4) For physical protection of personal data processed in the "Demography" register, an automatic system for control of employee access is built for the premises where personal data are processed and stored in "Demographic statistics" Department and "Information systems” Department;

Article 21. (1) “Statistical business register” contains the following personal data of individuals representing corporate bodies included in Information System “Business statistics”: names and personal number.

(2) The data in the register are collected and stored on electronic carrier in "Business registers" Department.

(3) The data in the register are delivered under voluntary / mandatory data provision /Law on Statistics/ and by the Registry Agency under an agreement;

(4) Physical protection of personal data in the register is organized as part of the overall physical protection of buildings and working premises under strict control of access.

Article 22. (1) “Foreign trade” register contains the following personal data of individuals representing corporate bodies: names and personal number.

(2) Physical protection of personal data in the register is organized as part of the overall physical protection of buildings and working premises under strict control of access.

Article 23. The NSI shall take the following measures to protect personal data:

(1) hardware and software - cryptographic methods and means and protection in transferring information, reliable and secure identification and authentication of the sender and the recipient of information and ensuring confidentiality and integrity of the transferred information;

(3) physical – system of measures for protection of buildings, premises and facilities in which personal data are created, processed and stored and control of access to them;

(4) organizational and administrative - regulated by rules and orders of the President of the NSI;

(5) legal acts laid down in laws and regulations.

Article 24. (1) Storage periods are aligned with the descriptions in Part 2 of the respective register as follows:

1. for “Personnel” Register - 50 years;

2. for “Video surveillance” Register – 14 days;

3. for “Document registry” – according to nomenclature of the documents;

4. for “External visitors” Register – 3 months;

5. for “Salaries and fees” Register – 50 years;

6. for “Census” Register – 3 years for paper carrier;

7. for “Demography” Register – period not defined;

8. for “Statistical business register” – period not defined;

9. for “Foreign trade” Register – period not defined.

(2) The NSI should observe the technology for safe maintenance and storage, update, deletion, destruction, etc. of personal data.


Section four

POSITIONS RELATED TO PROCESSING AND PROTECTION OF PERSONAL DATA. RIGHTS AND OBLIGATIONS

Article 25. (1) The person responsible for protection of personal data in the NSI is the Secretary General, who is also chairman of the Council on Protection of Information.

(2) The person responsible for protection of information has the following competences:

1. provides the organization of keeping the registers according to measures laid down to ensure adequate protection;

2. monitors the compliance with the specific measures for protection and control of access according to specifics of the registers;

3. exercises control of compliance with the requirements for protection of the registers;

4. keeps contact with the Commission for Personal Data Protection on the measures and means taken to protect the registers and submitted applications for the provision of personal data;

5. controls the observance of user rights in relation to the registers and software and hardware resources for their processing;

6. specifies the technical resources applied to the processing of personal data;

7. monitors the compliance with the organizational procedure for personal data processing, including the time, place and order for processing, by registration of all actions with registers in the computer environment;

13. determines procedures for the storage and destruction of information carriers;

14. determines procedure for setting, use and change of passwords, as well as actions in case of disclosure of a password and / or cryptographic key;

15. lays down rules for conducting regular preventive maintenance of computer and communication equipment, including checking for viruses, illegally installed software and integrity of the database, as well as data backup, updating the system information, and others;

16. conducts periodic monitoring of compliance with the requirements of data protection and takes measures for elimination of irregularities if discovered.

Article 26. (1) The Council on Protection of Information performs the overall policy of the NSI on protection of information. The Council organizes, coordinates, analyzes and controls the activities related to the creation, receiving, processing, storage and archiving of information representing statistical, state or official secret, as well as the terms and conditions for granting access to them in accordance with the Bulgarian and European legislation.

(2) The Council on Protection of Information shall be appointed by Order of the President of NSI and shall be a consultative body to the President of the NSI.

Article 27. The NSI President on the proposal of the Secretary General shall determine by order the list of persons who process personal data in the NSI. The lists are prepared separately for each register.

Article 28. The NSI employees are obliged:

1. to process personal data in legal compliance and in a bona fide manner;

2. to use personal data to which they have access according to the purposes for which they are collected and not to process them additionally in a manner incompatible with such purposes;

3. to update the personal data registers (if necessary);

4. to delete or correct personal data when found to be imprecise or disproportionate to the purposes for which they are being processed;

5. to maintain personal data in a type that enables identification of the corresponding individuals for a period not exceeding the time necessary for the purposes for which such data are being processed.

Article 29. (1) Employees of the NSI who do not comply with this instruction shall be liable under the Law on statistics, Law for protection of personal data, Law on census of population and housing fund in the Republic of Bulgaria in 2011 and the Labour Code.

(2) If actions performed by an employee of the NSI in the processing of personal data result in damage to a third party, the latter may bring a claim under general civil law, or under criminal procedure if the deed represents a more serious act for which criminal liability is provided.

Article 30. (1) Software and hardware means for protection of personal data are subject to separate Instruction for the organization of work and workplaces of the employees of the NSI who have been granted rights to work with information systems. The Instruction was approved by Order РД 07-243/14.05.2010 of the President of the NSI.

(2) When implementing new software for the processing of personal data, a special committee shall be set up to test and check the capabilities of the software, in order to meet the requirements of the Law for protection of personal data and to ensure maximum protection of the data against unauthorized access, loss, damage or destruction.

Article 31. (1) Right of access to data in the “Personnel” register:

1. Individuals to whom the data in the register refer, at their written and express request;

2. The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

3. Personal data processors and Personal data controllers – employees of “Human Resources” Department, “Financial - Economic Activities” Department, “Legal Activities” Department and employees of the company which serves the NSI with the corresponding software, persons carrying out technical operations on data processing and control.

4. Government authorities duly legitimating with relevant documents - written orders of the authority indicating the reason, the names of the persons to whom it is necessary to grant access to personal data.

(2) Data in the register shall not be transferred to third parties.

(3) Protection of premises where personal data are stored shall be achieved with controlled access with smart card, security alarm code and key, video surveillance.

(4) Officials collecting and processing personal data in the "Personnel" register have the following rights and obligations:

1. shall use personal data in compliance with the provisions of the Labour Code, the Civil Servants Act /upon occurrence of employment under labor contract/.

2. shall use personal data in performing their duties under the Health Insurance Act /HIA/.

3. shall not move and store personal data outside specially designated areas regulated by a system of special access;

4. shall not use personal data in unauthorized manner /falsification and other abuse/.

(5) Right of access to data in the register:

1. Individuals to whom the data in the register refer, at their express request;

2. The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

3. Personal data processors and Personal data controllers – employees of “Security of Information and DM Unit” carrying out technical operations on data processing and control.

4. Government authorities duly legitimating with relevant documents - written orders of the authority indicating the reason, the names of the persons to whom it is necessary to grant access to personal data.

(6) Data in the register shall not be transmitted by electronic means.

(7) Protection of the register is implemented through premises with controlled access which are protected from accidental intrusion.

Article 32. (1) Right of access to data in the “Video surveillance” Register:

1. Individuals to whom the data in the register refer, at their express request;

2. The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

3. Personal data processors and Personal data controllers – employees of “Security of Information and DM Unit” carrying out technical operations on data processing and control.

4. Government authorities duly legitimating with relevant documents - written orders of the authority indicating the reason, the names of the persons to whom it is necessary to grant access to personal data.
(2) Data in the register shall not be transmitted by electronic means.

(3) The official who maintains the “Video surveillance” Register must ensure the good condition of the equipment used.

(4) Protection of the register is implemented through premises with controlled access which are protected from accidental intrusion.

Article 33. Right of access to data in the “Document registry”:

(1) Individuals to whom the data in the register refer, at their express request;

(2) The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

(3) Personal data processors and Personal data controllers – employees of “Financial - Economic Activities” Department, “Legal Activities” Department and “Human Resources” Department, employees of the company which serves the NSI with the corresponding software and persons carrying out technical operations on data processing – only for a certain group of documents.

(4) Data in the register shall not be transferred to third parties.

Article 34. Data stored in the “Visitors” Register shall be provided to:

(1) individuals to whom the data refer;

(2) persons if laid down in legal act;

(3) persons processing personal data.

Article 35. Data stored in the “Salaries and fees” Register shall be provided to:

(1) individuals to whom the data refer;

(2) respective Territorial Directorate of the National Revenue Agency;

(3) respective Territorial Office of the National Social Security Institute.

Article 36. (1) Right of access to data in the “Census” Register:

1. Individuals to whom the data in the register refer, at their express request;

2. The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

3. Personal data processors and Personal data controllers – employees of “Demographic statistics” Department and “Information Systems” Department, persons carrying out technical operations on data processing.

4. Government authorities duly legitimating with relevant documents - written orders of the authority indicating the reason, the names of the persons to whom, for the purposes of their activities, it is necessary to grant access to personal data.

Article 37. Right of access to data in the “Demography” Register:

1. Individuals to whom the data in the register refer, at their express request;

2. The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

3. Personal data processors and Personal data controllers – employees of “Demographic statistics” Department and “Information Systems” Department, persons carrying out technical operations on data processing.

4. Government authorities duly legitimating with relevant documents - written orders of the authority indicating the reason, the names of the persons to whom, for the purposes of their activities, it is necessary to grant access to personal data.

5. Data in the register can be transmitted electronically to Eurostat where this is necessary for the production of European statistics.

Article 38. Right of access to data in the “Statistical Business Register”:

1. Individuals to whom the data in the register refer, at their express request;

2. The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

3. Personal data processors and Personal data controllers – employees of “Business registers” Department and "Information and Communication Technologies” Directorate carrying out technical operations on data processing.

4. Government authorities duly legitimating with relevant documents - written orders of the authority indicating the reason, the names of the persons to whom, for the purposes of their activities, it is necessary to grant access to personal data.

5. Data in the register can be transmitted electronically to Eurostat where this is necessary for the production of European statistics.

Article 39. Right of access to data in the “Foreign trade” Register:

1. Individuals to whom the data in the register refer, at their express request;

2. The President, Deputy Presidents and Secretary General of the NSI - in the execution of their competences under the Law on statistics, Labour Code, Civil Servants Act and others.

3. Personal data processors.

4. Data in the register can be transmitted electronically to Eurostat where this is necessary for the production of European statistics.

Section five

ASSESSMENT OF THE IMPACT AND DETERMINATION OF THE RELEVANT LEVEL OF PROTECTION

Article 40. Assessment of impact is a process of determining the levels of impact on a particular individual or group of individuals depending on the nature of the personal data processed and the number of affected individuals in case of infringement of confidentiality, integrity or availability of personal data.

Article 41. Level of protection:

(1) Level of protection determined for “Personnel” Register – “medium level”;

(2) Level of protection determined for “Video surveillance” Register – “low level”;

(3) Level of protection determined for “Document registry” - “low level”;

(4) Level of protection determined for “External visitors” Register – “low level”;

(5) Level of protection determined for “Salaries and fees” Register – “low level”;

(6) Level of protection determined for “Demography” Register – “high level”;

(7) Level of protection determined for “Statistical business register” – “low level”;

(8) Level of protection determined for “Foreign trade” Register – “low level”;

(9) Level of protection determined for “Census” Register – “high level”.

Section six

TECHNICAL AND ORGANIZATIONAL MEASURES

Article 42. The NSI shall take technical and organizational measures for protection as follows:

1. personal data are stored in cabinets with locking devices;

2. work with and storage on computer systems is secured with antivirus programs and passwords;

3. digital signatures are available.

Section seven

ACTIONS FOR PROTECTION AGAINST ACCIDENTS, INCIDENTS AND DISASTERS

Article 43. The NSI shall take preventive actions for the protection of personal data by working out an action plan for different situations in event of force majeure, namely:

1. protection against accidents beyond the control of the NSI - concrete actions shall be taken depending on the situation;

2. protection against fire - immediately extinguish by own means /fire-extinguishers/ and notify the relevant authorities;

3. protection against flood – actions taken to limit the spread of water, pumping it out or bailing it out by improvised means.

Section eight

STORAGE AND DESTRUCTION OF PERSONAL DATA

Article 44. Personal data of individuals and corporate bodies obtained from statistical surveys and censuses are stored until achievement of the objectives for which they are processed, but no later than the period laid down in the Nomenclature of the documents and terms for their storage in the NSI and the Law on census of population and housing fund in the Republic of Bulgaria’2011.

Article 45. After achieving the objectives under the preceding article, the personal data of individuals and corporate bodies shall be physically destroyed by melting and protocols for destruction shall be reliably produced.

This instruction was adopted and approved by Order № РД 07-257/12.08.2013 of the President of the NSI.