Big data analytics' and processing of health data for scientific research purposes : The Bulgarian legal framework

Big data analytics' and processing of health data for scientific research purposes : The Bulgarian legal framework Research Protocol by Desislava Krusteva and Silvena Rakshieva, Dimitrov, Petrov & Co., in Sofia, Bulgaria , 20 July 2018

AEGLE in your country Page 2 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu Contents Overview of the legal framework ___ 3
a.

The legislative and regulatory instruments regulating the processing of health data for research purposes (current regime ___ 3
b. Revision of the current legal framework under the GDPR ___ 6
c. The national data processing authority ___ 8
Transposition of Article 8.4 of Directive 95/46 ___ 10
a. Transposition of Article 8.4 of the Directive 95/46 ___ 10
b. The regime applying to the processing of personal data for health research purposes ___ 11
c. Are there additional specific conditions governing the processing of data for scientific research purposes? ..14 d. Formalities prior to processing: the general regime under the current framework ___ 17
Further processing of health data (for research purposes): the current regime ___ 17
The GDPR’s impact on the current regulatory framework for the processing of health data for research purposes ___ 18
e.

The impact of the GDPR on the rules applying to processing for research in the field of health ___ 18
b. Modification to the processing authorization procedure applying to research in the field of health ___ 19
Further processing for research purposes under the GDPR ___ 20
Health data sources for research purposes ___ 20
a. Sources of data and their regulation ___ 21
b. The application of the national framework to the AEGLE cases ___ 24
1. Type 2 diabetes ___ 24
2. Intensive Care Unit (ICU ___ 25
3. Chronic Lymphocytic Leukaemia (CLL . . 25

AEGLE in your country Page 3 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu Overview of the legal framework First, we would like to get an overview of the current and upcoming legal framework applying to the processing of health data for research purposes in your country.

a. The legislative and regulatory instruments regulating the processing of health data for research purposes (current regime) What are the relevant applicable provisions governing the processing of health data in your country? Please provide online references (also to an English version, if available), a brief description and any specific relevant information.

Personal Data Protection Act (PDPA) adopted on 21 December 2001, taking effect on 1st January 2002, promulgated with State Gazette No 1 of 4 January 2002. The PDPA governs the processing of personal data, the organization and functions of the Bulgarian Personal Data Protection Commission (PDPC) and the procedures in case of infringements related to personal data processing. The PDPA has been amended multiple times since its adoption, in particular in 2006 to transpose Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.1 In 2004 the PDPA was slightly amended to reflect changes in the Healthcare Act (promulgated with State Gazette No 70 of 10 August 2004, entered into force on 1st January 2005) introducing the notion of “human genome” as a type of personal data.

Currently, the PDPA is undergoing significant changes related to the entry into effect of the General Data Protection Regulation (GDPR). A preliminary2 Bill for Amendment and Supplement to the PDPA (the Amendment Bill) was drafted with the aim to harmonize the Bulgarian legislation in the field of personal data protection with the European framework on the matter. The Amendment Bill was published for public consultations which ended on 30 May 2018, gathering dozens of opinions, statements and suggestions. On 18 July 2018 the Amendment Bill was entered into 1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2 The Amendment Bill is called “preliminary” due to the legislation procedure held in Bulgaria, which contains several stages until the enforcement of an Act. According to Art. 85 Internal Rules of Procedure of the Council of the Ministers, the Amendment Bills together with the motives of amendment and the report, are published on the website of the petitioner and on the Public Consultation Portal prior to submitting them before the Council of the Ministers. Each institution has decentralized access to the portal. All stakeholders have the opportunity to get advance information about the planned changes and give their opinion/statement to improving legislation and policies.

The publication of the Amendment Bills is carried out together with the preliminary impact assessment and the opinion of the “Modernization of Administration” Directorate. Only then the Amendment Bills shall be submitted to the Chairman of the National Assembly together with motives and preliminary impact assessment. Within three days after the bill is received, the Chairperson of the National Assembly shall distribute it to the standing committees, defining which of them will lead in the discussion. The bill is adopted in two votes, which are held in different sessions. The National Assembly may exceptionally decide on the two votes to be held in one session only if no proposals for amending or supplementing the Bill have been made during the discussion.

The Bill shall then be sent to the President of the Republic for a promulgation decree. The Bill shall be promulgated in the State Gazette not later than 15 days after its adoption. The Amended Act comes into force three days after its promulgation.

AEGLE in your country Page 4 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu Parliament.

It will undergo the two-stage legislative procedure in the Parliament, before being promulgated. Considering the length of legislative procedure in Bulgaria, it is expected that the vote and promulgation of the Amendment Bill will take several more months.

Health Act (HA) promulgated with State Gazette no 70 of 10 August 2004 entered into force on 1st January 2005, revoking and replacing the Public Health Act. The HA governs the organization of the healthcare institutions and system in Bulgaria, the provision of healthcare services, the unconventional medical practices, genetic health and research as well as the organization and management of medical education and science and the processing of health information. It also provides for some special rules related to the processing of medical/ health information. Article 141 and following HA governs genetic research and examinations of the human genome for medical and scientific purposes.

Additionally, Chapter 7, Section IV of the HA (Art. 197 and following HA) entitled “Medical research upon persons. Medical science” contains provisions regarding the organization, control and responsibilities in the field of medical and science research upon individuals. Pharmaceutical Products in Human Medicine Act (PPHMA) governs the procedures for placing pharmaceutical products on the market; clinical trials; manufacture and import of pharmaceutical products and active substances; packaging and package leaflets of pharmaceutical products; classification of pharmaceutical products; pharmaceutical safety; wholesale, retail trade and export of pharmaceutical products; advertising of pharmaceutical products; and state control.

Ordinance No 1 of 27.02.2013 on the provision of medico-statistic information and information on the medical activity of healthcare establishments governs the provision, collection, processing, storage, use, distribution and exchange of medico-statistic information and information on the medical activity of healthcare establishments. Healthcare establishments collect, process, use, store and provide the said information and the related documentation for the purposes of development, production and distribution of official national or European statistical information for reporting, control and analytical needs and for the elaboration of national health policy.

The organization and control of activities related to medico-statistic information are under the authority of the National Centre of Public Health and Analysis (NCPHA) and the Regional Health Inspections (RHI). This Ordinance regulates the rights and obligations of healthcare institutions and national healthcare system bodies and does not apply to the processing of health information by third parties.

Ordinance No 1 of 30 January 2013 on the minimum level of technical and organizational measures and the admissible type of personal data protection (Ordinance No 1) governs the obligations of data controllers with regard to the technical and organizational measures to be implemented based on the level of impact and the respective necessary level of protection of personal data. As of 25 May 2018, Ordinance No 1 was officially repealed. The PDPC has made an announcement that the repealed Ordinance No 1 will be recast and transformed into a Methodical Guidelines paper to data controllers. To date this report was submitted, there is no draft or official publication of the PDPC Methodical Guidelines.

Ordinance No 41 of 21.12.2005 Establishing Medical Standards for General Medical Practice issues by the Ministry of Healthcare. Ordinance No 41 establishes the standards which shall be respected by all healthcare establishments in which a general medical practice is carried out.

AEGLE in your country Page 5 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu Ordinance No 31 of 12.08.2007 Establishing the Rules for Good Clinical Practice issued by the Ministry of Healthcare governs the principles and guidance for good clinical practice with regard to pharmaceutical products for human use intended for research.

National Framework Agreement on Medical Activities for 2018, concluded by the National Health Insurance Fund (NHIF)3 and the Bulgarian Medical Association. It establishes the healthcare, economic, financial, medical, organizational, information, legal and deontological framework according to which the contracts between the NHIF and healthcare providers are concluded. Professional Ethics Code of Medical Doctors in Bulgaria, issued by the Ministry of Healthcare. The Professional Ethics Code of Medical Doctors in Bulgaria (Professional Ethics Code) provides the definition of medical secrecy. Pursuant to its Art.

51, para. 1 medical secrecy includes all the information that the patient has shared with the physician about his/her condition, and facts which were discovered throughout the medical check-up and examinations performed by the latter, as well as all the information which that the physician has learned with regard to the patient in the exercise of the medical profession. The medical secrecy is kept with regard to the members of the patient’s family (Art. 51, para. 2 of the Professional Ethics Code). The secrets which the patient has shared with the physician, are kept by the latter after the death of the patient (Art.

51, para. 3 of the Professional Ethics Code). Article 52 of the Professional Ethics Code clarifies that the medical secret is extended upon all the medical documentation and illustrative material, as well as upon data and conclusions of the performed consultations. E-Governance Development Strategy 2014-2020, adopted by the Council of Ministries with Decision No. 163 from 21.03.2014 and Roadmap for Implementation of the E-Governance Development Strategy PROJECT of Ordinance establishing the conditions and procedure for the conduct of medical science research has been drafted in 2011. Although a draft is publicly available, the project of Ordinance has not yet been adopted.

The project of Ordinance, as currently drafted, contains, amongst others, provisions regarding the persons who may participate to medical research and the conditions on the validity of their consent. Shared electronic health records are indirectly relevant in this context because they can potentially be an important source for health-related research. Do shared electronic patient records exist in your country? How is the sharing of electronic patient records regulated? Can data stored in these records be used for research purposes? Currently in Bulgaria there is no legislative framework establishing and governing electronic patient records.

The eGovernance Development Strategy 2014-2020 aims at improving e-Heath services. The Roadmap for Implementation of the E-Governance Development Strategy provides some further clarifications on the state of the electronic exchange of information in the healthcare sector. It explains that according to the results of a consultancy project “Analysis of information processes in the healthcare system in Bulgaria – participants, responsibilities, systems, flows and legal framework” conducted upon the request of the Ministry of Healthcare, considerable number of actors in the healthcare sector provide information to the NHIF via electronic means but the scope and 3 The National Health Insurance Fund (NHIF) is regulated by the Health Insurance Act (1998) which introduced the mandatory health insurance and regulates the supplementary health insurance in Bulgaria.

The NHIF is an independent public institution separate from the structure of the social healthcare system and having its own bodies of management.

AEGLE in your country Page 6 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu the exchange of information are limited to data on health insured persons. All forms of paid and private healthcare services remain out of reach of available systems. Currently there are also no national technology standards for the exchange of structured information, information security and protection of personal data and sensitive information for patients.

In order to address the gaps, a priority project was said to be launched for the implementation of the first stages of the construction of a National Health Information System (NHSH). The NHSH would include all stakeholders and key information flows in the healthcare sector in order to implement a minimum viable product with regard to e-Health by establishing, among others, electronic health record (patient file) and electronic prescriptions (e-prescriptions). However, to date, no legislative change was introduced in this direction. Despite the ongoing lack of a legal framework on electronic patient record, a platform for electronic Health Patient Record, supported by the NHIF, currently exists.

The Health Patient Record contains information on the health status of mandatorily health-insured citizens (immunizations, hospitalizations, medical and laboratory examinations, etc.) as well as information on the general medical practitioner chosen by them. It is accessible through the website of the NHIF with an electronic signature or a personal code issued by the NHIF. The system, however, needs further improvement as it was denounced by stakeholders to lacks information or contain errors. b. Revision of the current legal framework under the GDPR How are the necessary changes to the national data protection framework, introduced by the GDPR, addressed in your country? What is the adopted legislative approach? In Bulgaria the legislative process following the entry into force of GDPR is currently ongoing.

In order to ensure the compliance of the Bulgarian framework with the EU data protection package, a Bill for Amendment and Supplement to the Personal Data Protection Act (Bill for Amendment) was drafted and announced by The Ministry of Interior for public consultations for a period of two weeks (30 April 2018 – 15 May 2018). As dozens of opinions and statements, criticizing the Bill for Amendment, were submitted, the public consultations were prolonged until 30 May 2018. The Bill for Amendment was approved and entered into Parliament by the Council of Ministers on 18 July 2018. Additionally, Ordinance No 1 of 30 January 2013 on the minimum level of technical and organizational measures and the admissible type of personal data protection (Ordinance No 1) was repealed as of 25 May 2018.

According to an official release of the PDPC, the provisions of the repealed Ordinance No 1 will be updated, transformed and recast into Methodical Guidelines. To date this report was submitted, there is no draft or official publication of the PDPC Methodical Guidelines.

Is the GDPR implemented in your country by an entirely new legislative text or via amendments to the current data protection law? Please explain. In Bulgaria, GDPR provisions and requirements will be developed and implemented via amendments to the currently applicable data protection law, namely the Personal Data Protection Act (PDPA). Regarding the sub-legislative legal framework, some sub-legislative acts such as Ordinance No 1, are repealed altogether, and they will not be replaced by new legislative acts of the same nature. As explained earlier in this report, the repealed Ordinance No 1 will be recast and it provisions will be amended and transformed into a Methodical Guidelines issued by the PDPC.

AEGLE in your country Page 7 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu On the other hand, the Bill for Amendment provide for the legislative delegation for the adoption of new sublegislative legal acts such as an ordinance on the certification and of some non-legislative documents regarding, for instance, the minimal requirements for large-scale video surveillance activities in the public domain as well as the automated decision-taking of individual decisions, incl.

profiling.4 What are the main characteristics of the legislative implementation of the GDPR in your country?

Given that the Regulation is directly applicable, the Amendment Bill deals with the provisions giving some leeway to the Member States. For example, regarding the consent of children, Art. 8, para. 1 GDPR allows Member State to provide by law for a lower age and thus the Bulgarian government has chosen to down the age of consent to 14. The Bill for Amendment also regulates the issues that require the explicit introduction of legislative measures at national level to ensure the implementation of the new legislative package in the field of personal data protection. Some of the national legislative measures introduced with the Bill for Amendment include:
  • Updated definitions list: GDPR significantly extends the existing definitions apparatus in the field of personal data protection. The Bill for Amendment contains an updated list of terminology in accordance with Regulation 2016/679 and Directive 2016/680.
  • Waiver of the registration requirement for data controllers: As of 25 May 2018, the obligation for data controllers to register with the Personal Data Protection Commission (PDPC) is waived. This circumstance is taken into account in the Bill for Amendment which repeals the current PDPA texts governing the mandatory registration of data controllers.
  • Regulation of specific cases of personal data processing: The Bill for Amendment offers detailed regulation of certain specific social relations, such as the exercise of the right to freedom of expression and information, incl. for journalistic purposes and for the purposes of academic, artistic or literary expression; processing of personal data in the context of employment and employment relationships; legal regulation, in special laws, on public access to the national Personal Identification Number of individuals; excluding of the data of deceased individuals from the scope of personal data.

Administrative sanctions of public authorities: No distinction is made between public and private data controllers in terms of the sanction regime in case of a breach the personal data protection rules. Additionally, the Amendment Bill transposes into national law EU Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

Despite the different legal nature of Regulation 2016/679 and Directive 2016/680, the preliminary analysis of their norms prescribed that the national legislation synchronizing and transposing their provisions should be settled in one national legal act, namely the Bill for Amendment of the PDPA. This approach was found to be best suited both in principle and in legal and technical terms.

4 Bill for Amendment of the Personal Data Protection Act, Motives, p. 3

AEGLE in your country Page 8 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu What is your own assessment of the legislative approach adopted in your country for implementing the GDPR? Besides the obvious fact that the necessary amendments in the legislation are quite delayed and thus, create serious uncertainty at the present moment, our understanding is that the Bill for Amendment is quite balanced and does not reveal any substantial contradictions to the GDPR.

It is expected to ensure and increase the legal certainty for data controllers, processors and data subjects and to provide for a lean enforcement due to the simplification of the regulatory framework.

c. The national data processing authority Can you provide a short description of the role of the data protection supervisory authority in your country in the domain of processing health data for research purposes under the current legal framework? In Bulgaria the Personal Data Protection Commission (PDPC) is an independent state institution governed by the provisions of Art. 6 and following of the PDPA. According to Art. 17 PDPA, the data controller is required to file an application for registration with the PDPC prior to commencing any data processing. Within 14 days of the application submission, the Commission registers the data controller.

In case the processing will involve health or genetic data, the PDPC carries out a mandatory preliminary check prior to registering the controller and the respective processing (Art. 17b, para. 1 PDPA). The check is performed within 2 months of the application submission (Art. 17b, para. 2 PDPA). Following the check, the PDPC either (1) registers the controller; (2) issues binding prescriptions regarding the conditions of the data processing; or (3) denies registering the controller (Art. 17b, para. 3 PDPA). The controller is not permitted to commence processing data before being registered with the PDPC or before fulfilling its binding prescriptions (Art.

17b, para. 4 PDPA). According to Art. 17b, para. 6 PDPA, the disposition of the PDPC decision is promulgated in the State Gazette. Additionally, in case where, after achieving the purpose of the processing, the controller wishes to store the processed data as anonymous data for scientific purposes, the PDPC should be informed accordingly (Art. 25, para. 3 PDPA). By issuing a decision, the PDPC may prohibit such storage of data in case it establishes that the controller has failed to provide sufficient safeguards to the storage of the anonymous data (Art. 25, para. 4 PDPA). The PDPC decision may be appealed before the competent administrative court.

The court decisions could not be appealed; in case of dismissal of the appeal against the Commission’s decision, the controller is obliged to destroy the data (Art. 25, para. 5 PDPA).

Finally, the PDPC is competent for imposing pecuniary sanctions in case of infringements to the provisions of the PDPA. In case of violation to the general prohibition to process health or genetic data (Art. 5, para. 1, pt. 3 PDPA) or of violations to the exceptions to this prohibition (Art. 5, para. 2 PDPA) the PDPC is competent to impose fines or pecuniary sanctions of BGN 10,000 to BGN 100,000 (approx. EUR 5,000 to EUR 50,000).

AEGLE in your country Page 9 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906.

Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu Can you describe the adopted or proposed changes to this role of the national data protection authority to ensure compliance with the GDPR? The Amendment Bill introduces several novelties reinforcing the role of the Personal Data Protection Commission (PDPC).

In addition to the powers which the PDPC shall exercise on the territory of the Republic of Bulgaria under Art. 58 GDPR, its role shall also include, amongst others:
  • analyzing and carrying out comprehensive supervision and ensures compliance with Regulation (EU) 2016/679, national law and other legal acts in the field of personal data protection;
  • issuing sub-legislative legal acts;
  • ensuring implementation of the European Commission’s decisions on the protection of personal data and the implementation of binding decisions of the European Data Protection Supervisor;
  • organizing, coordinating and conducting trainings in the field of personal data protection;
  • adopting criteria for the accreditation of certification bodies;
  • issuing guidelines, recommendations and best practices in cases where such are not issued by the European Data Protection Supervisor;
  • approving draft codes of conduct per sector or activity area, as per the meaning of Art. 40 GDPR;
  • referring breaches of Regulation (EU) 2016/679 to court;
  • issuing mandatory prescriptions and gives instructions and recommendations regarding the protection of personal data;
  • applying coercive administrative measures.
  • being assigned other tasks and powers only by law;
  • participating in the Cohesion Mechanism and cooperating with the lead and/ or affected supervisory authorities, by exchanging information, providing or seeking mutual assistance and/ or participating in joint operations.

The PDPC shall exercise control through prior consultations, audits and joint operations for compliance with the GDPR and the national legislation. Prior consultation as per the meaning of Art. 36 GDPR are carried out by the PDPC when data are processed in the performance of a task in the public interest, incl. processing in relation to social protection and public health. The PDPC issues an opinion within 8 weeks from the submission of the request. When the processing is carried out in relation to social protection and public health the PDPC may allow for it before the expiry of the statutory time period of 8 weeks.

AEGLE in your country Page 10 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu Transposition of Article 8.4 of Directive 95/46 Article 8 of Directive 95/46 prohibits, in principle, the processing of special categories of personal data concerning health. Article 8.2 lists a series of exceptions to this general prohibition. Article 8.4 states “Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority”.

When transposing Directive 95/46 did your national legislator or supervisory authority make use of the power granted to Member States in Article 8.4 of the Directive? Did the legislator use this provision to insert any additional (i.e. additional to the exceptions listed in the Directive) exemption (to the prohibition to process health data) for the processing of health data for research purposes?

If yes, how is such an exemption formulated? Please explain. a. Transposition of Article 8.4 of the Directive 95/46 What are the exceptions to the prohibition of processing sensitive data? Do any of these exceptions address scientific research in the field of health? How is such an exception formulated, and does it set out specific conditions? In Bulgaria data regarding health and human genome are considered sensitive data and as such their processing is prohibited (Art. 5, para. 1, pt. 3 PDPA). However, the prohibition does not apply (1) if the individual to whom such data relate has given his/her consent to the processing, unless a special law provides otherwise5 (Art.

5, para. 2, pt.

2 PDPA) or (2) if the processing is necessary for the exercising of or for the compliance with specific rights or obligations of the data controller, established in the employment law (Art. 5, para. 2, pt. 1 PDPA) or (3) if the processing is required for the purposes of preventive medicine, medical diagnostics, the provision or management of healthcare services provided that data are processed by a medical professional who is bound by law to professional secrecy or by another person subject to such obligation of secrecy (Art. 5, para. 2, pt. 6 PDPA). 5 The clarification “unless a special law provides otherwise“ may be understood in two different ways: (1) a special law provides that sensitive data may be processed even in the absence of the data subject’s consent; or (2) a special law provides that sensitive data cannot be processed even with the data subject’s consent.

According to the wording of Directive 95/46/ЕC the understanding should be as per the second suggestion, insofar as Art. 8 para. 2, lit. a of the Directive provides that data subject’s consent may justify the processing of sensitive data “except where the laws of the Member State provide that the prohibition [for processing of such data] may not be lifted by the data subject's giving his consent”. However, in its Opinion No П-3991/2013 of 26.06.2013 the PDPC understands it otherwise and reiterates that “the processing is admissible in the absence of consent if a special law provides otherwise” (emphasis added).

The instance at hand involved the provisions of Art. 106, para. 1 and Art. 243, para. 2 of the Insurance Code which provide for the possibility of insurance companies to obtain certain health information of insured persons, including by receiving it directly from medical specialists without the consent of the data subject. Notwithstanding, in the context of health information the above differences in interpretation are virtually irrelevant as in Bulgarian special legislation in this field does not diverge from the general data protection regime of sensitive data, provided for by the PDPA.

AEGLE in your country Page 11 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu With regard to the powers granted to Member States with Article 8.4 of Directive 95/46, Bulgarian legislator has made use of them by inserting only one additional exception to the general prohibition for processing of sensitive data, under pt. 7 of Art. 5, para. 2 PDPA.

According to this exception the processing of sensitive data is permitted if it is performed exclusively for the purposes of journalism, literary or artistic expression provided that it does not violate the right to privacy of the person to whom such data relate.

  • b. The regime applying to the processing of personal data for health research purposes Is there a specific regime applying to data processing for research in the field of health purposes? What is the scope? Which are the steps, and who are the key actors? In Bulgaria specific regime applying to processing of health data is provided through special legislation in the field of health.
  • THE HEALTH ACT (HA) Pursuant to Art. 27, para. 1 of the Health Act (HA) “health information” is personal data related to the health condition, physical and phycological development of individuals as well as any other information contained in the medical prescriptions, instructions, protocols, certificates and other medical documentation. According to the wording of this provision the definition of health information is twofold and involves (1) personal data related to the health condition, physical and phycological development of individuals; and (2) any other information contained in medical documentation. The HA does not provide a clear definition of “medical documentation”. It obviously covers medical prescriptions, instructions, protocols and certificates (examples of medical documentation listed in Art. 27, para. 1 HA). It may also cover “health documentation” defined in para. 1, pt. 1 of the Additional provisions of the HA as “all forms for registering and storage of health information”. Despite the lack of clear definition of “medical documentation”, such documentation would practically always contain information making a natural person to whom it relates identified or identifiable. With view to that, health information falls, altogether, under the scope of PDPA. General data protection regime is therefore applicable to health information together with the specific rules of the HA, which further develop and complement it.

According to Art. 27, para 2 HA health information is collected, processed, used and stored by healthcare and medical establishments, Regional Health Inspections, physicians, dentists, pharmacists and other medical specialists, as well as by non-medical specialists with higher non-medical education working in the national healthcare system.6 The persons under Art. 27, para. 2 HA who process health information are required to ensure safeguards by protecting this information from unauthorized access (Art. 28, para. 3 HA). In addition, they are prohibited from disclosing patient information received in the course of their official duties (Art.

28B HA). 6 This provision should not be understood as providing a limitative list of the categories of persons allowed to process health information but rather as establishing the processing of such information as an activity which is inherent to the duties of listed persons.

AEGLE in your country Page 12 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu The patient has the right to obtain from a healthcare establishment the health information relating to him/her, incl. copies of his/her medical documents. (Art. 28Б, para. 1 HA). The patient has also the right to authorize in writing a third person to consult and copy his/her medical documents (Art.

28Б, para. 2 HA). Pursuant to Art. 28, para. 1 HA health information may be shared with third persons when: 1. the medical treatment continuous in another healthcare establishment; 2. there is a threat to the life and health of other persons; 3. the information is necessary for the identification of human corps or for establishing the cause for the death; 4. the information is necessary for state health control for prevention of epidemics and spread of communicable diseases; 5. the information is necessary for the purposes of medical expertise and social security; 6. the information is necessary for the purposes of medical statistics or medical science research provided that data which identify the data subject are removed; 7.

the information is necessary for the needs of the Ministry of Healthcare, National Centre of health information, National Health Insurance Fund and the National Statistics Institute; 8. the information is needed by a licensed insurer.

Pt. 6 expressly provides for the possibility to share health information with third persons in case the information is necessary for the purposes medical science research and provided that data which identify the data subject are removed. In addition, according to Art. 86, para. 1, pt. 5 HA every patient has the right to protection of the data referring to his/her health. The HA contains some further special provisions regarding medical research upon humans and upon the human genome. Medical research upon humans is governed by the provisions of Art. 197 and following HA. The person undergoing the research has all the rights of a patient (Art.

197, para. 3 HA), including with regard to his/her health information. Medical research is carried out while ensuring maximum safety for the health of the patient and preserving the secret of his/her personal data (Art. 197, para. 4 HA). According to Art. 199 HA medical research upon humans may be conducted solely after the head of the research has informed, in writing, the participating individuals on the nature, significance, scope and possible risks of the study, and the participating individuals have provided their written informed consent (Art. 199, para. 1 HA). The said consent may be given solely by a legally capable person who understands the nature, significance, scope and possible risks of the study (Art.

199, para. 2 HA). The provided written consent may be withdrawn at any time (Art. 199, para. 3 HA).

According to Art. 141, para. 1 HA genetic research for medical and scientific purposes is conducted only provided that the persons undergoing the research examinations have provided their written informed consent. The results of such research examinations and screening shall not give rise to discrimination of the persons undergoing the

AEGLE in your country Page 13 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu research (Art.

141, para. 3 HA). Article 141, para. 4 HA establishes that data regarding the human genome is personal data and they cannot be provided to employers, health insurance organizations and insurance companies. Genetic research for medical and scientific purposes is conducted by accredited genetic laboratories adjacent to inpatient and outpatient medical care establishments as well as by independent accredited laboratories. The National Genetic Laboratory, which supervises and controls the activity of genetic laboratories, administrates and manages a national genetic register.

THE PHARMACEUTICAL PRODUCTS IN HUMAN MEDICINE ACT (PPHMA) According the Art. 85, para. 2 PPHMA all the information of the clinical trial is saved, processed and stored in a way which allows for its correct reporting, interpretation and confirmation by protecting the personal data of participants. Clinical trial may commence and is conducted when the participant’s physical and phycological inviolability, the privacy of his/her personal life and the protection of his/her personal data pursuant to the provisions of the PDPA is guaranteed (Art. 90, pt. 2 PPHMA). In case the person undergoing the trial has a general practitioner and has consented to the latter to be informed, the researcher informs the general practitioner on the participation of the patient to the trial (pt.

4.3.3. of Annex 1 to Art. 1, para. 1 of Ordinance No 31). Before undergoing the clinical trial, the participant is informed on various aspects of the trial, including on the fact that the persons monitoring and reviewing the trial, the ethics commission and the regulatory bodies are given access to his/her original medical documents for the purposes of checking the trial procedures and data, by guaranteeing protection of personal data of the participant according to applicable laws and ordinances (pt. 4.8.10.14. of Annex 1 to Art. 1, para. 1 of Ordinance No 31). The participant is also informed on the fact that documents establishing his/her identity will be kept confidential and data contained therein will not be disclosed according to applicable laws and ordinances; in case of publishing the results of the clinical trial, the identity of participants will be kept confidential (pt.

4.8.10.15. of Annex 1 to Art. 1, para. 1 of Ordinance No 31).

All the above specific provisions regarding health information, medical research and clinical trial are to be read in conjunction with the PDPA framework. Special legislation, namely the HA and the PPHMA and sublegislative legal framework, further develop the general personal data protection regime and complement it with some additional specific rules with regard to health data. From which generally applicable data protection provisions are researchers exempted and under what conditions? For what reasons? From which provisions? What are the consequences? The processing of personal data for scientific purposes is exempted from the information obligation of Art.

20 PDPA, according to which the data controller is required, when processing data which was not obtained directly from the data subject, to provide the latter with a set of information, namely: data identifying the controller; the purposes of the processing; the categories of data which are processed; the (categories of) recipients to whom the data may be revealed; information regarding the right of access and the right of rectification of the collected data. Pursuant to Art. 20, para. 3 PDPA the controller is not obliged to provide data subjects with such information insofar as the processing is carried out for scientific purposes and the provision of the said information is impossible or requires disproportionate efforts.

AEGLE in your country Page 14 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu c. Are there additional specific conditions governing the processing of data for scientific research purposes? What are the suitable safeguards applying to the exemption foreseen by Article 8.4 of the Directive in your country? Are there any specific provisions concerning: (i) professional secrecy, (ii) express consent for specific data, or specific provisions for (iii) deceased data subjects, or (iv) specific provisions for minors or persons subject to guardianship? (i) Professional secrecy According to Art.

5, para. 2, pt. 6 PDPA, health and genetic data may be processed in case the processing is required for the purposes of preventive medicine, medical diagnostics, the provision or management of healthcare services provided that data are processed by a medical professional who is bound by law to professional secrecy or by another person subject to such obligation of secrecy. Similarly, Art. 28B HA establishes that medical specialists and the personnel in the healthcare establishments are prohibited from disclosing patient information received in the course of their official duties.

(ii) Express consent for specific data According to the provisions of Art. 199 HA medical research upon humans may be conducted solely after the head of the research has informed, in writing, the participating individuals on the nature, significance, scope and possible risks of the study, and the participating individuals have provided their written informed consent. Similarly, clinical trial may only be conducted in case the participant has provided his/her written informed consent. By analogy, although the PDPA does not contain an express requirement for consent to be written, our understanding is that in terms of processing health information, incl.

for research purposes, such consent shall be provided in writing. (iii) Specific provisions for deceased data subjects The PDPA does not contain specific provisions regarding deceased data subjects’ data, with the exception of the special rules for exercising the deceased data subject’s right to access, which could be exercised by their heirs. The specific provisions of HA establish that a diseased person’s heirs and relatives of straight and collateral line of up to the fourth-degree incl. have the right to obtain the health information of the diseased as well as to make copies of his/her medical documents (Art.

28Б, para. 3 HA).

(iv) Specific provisions for minors or persons subject to guardianship Bulgarian legal system distinguishes minors from underage persons. According to Art. 3 of the Persons and Family Act (PFA) persons under the age of 14 are considered minors and are not legally capable of performing valid legal actions. Such actions are performed in their name and on their behalf by their legal representatives - parents or guardians. Pursuant to Art. 4 PFA, persons between the age of 14 and 18 are considered underage and have limited legal capacity. They undertake legal actions with the approval of their parents or guardians.

They can conclude small ordinary deals to meet their current needs and also have the right to be in dispose of what they have acquired through their own labor.

AEGLE in your country Page 15 of 26 Co-funded by the Horizon 2020 Framework Programme of the European Union under Grant Agreement nº 644906. Partners EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA, PAGNI, GNUBILA FRANCE, NTU www.aegle.uhealth.eu The current PDPA framework does not contain specific provisions on minors and underage persons. With regard to obtaining consent for the processing of personal data of minors and underage persons (health data incl.), the PDPC’s established practice reiterates that such consent for the processing of personal data of minors (under age of 14) must be given by their parents or guardians, and the consent obtained from underage persons (between 14 and 18) must be approved by their parents or guardians.

Some further clarification may be found in the provisions of Art. 199, para. 2 HA which establishes that the consent for participation to a medical research upon humans may be given solely by a legally capable person who understands the nature, significance, scope and possible risks of the study. In addition, according to Art. 97, para. 1 PPHMA medical trial upon a minor is carried out solely after obtaining the written informed consent of both parents or guardians. Clinical trial upon an underage person is carried out after an informed written consent is obtained from the person and from both parents or guardians.

In case one of the parents is missing, diseased or deprived of parental rights the consent should be obtained from the underage person and the other parent (Art. 97, para. 4 PPHMA). Minors and underage persons are provided information on the clinical trial, the related risks and benefits, in a manner which is understandable and from a physician who has experience working with minors and underage persons (Art. 97, para. 7 PPHMA).

Are there specific requirements about the data subject’s information? Or the person from whom the data was collected? The PDPA does not provide for specific obligations about data subject’s information in the context of processing of health data. In the framework of the general PDPA regime, when the data is obtained directly from the data subject, controllers are bound by the requirement to provide data subjects with a set of information including: data which identifies the controller; the purpose of the processing; the (categories of) recipients to whom the data may be disclosed; information on the mandatory or voluntary provision of data and the consequences of a refusal to provide them; information on the right of access and the right of correction of data (Art.

19 PDPA). Similar information is to be provided to data subjects in case their data was not obtained directly from them (Art. 20 PDPA). Nonetheless, in case the data was not obtained directly from the data subject and are used for scientific purposes, controllers are exempted from the information obligation if the provision of the required information is not possible or requires disproportionate efforts (Art. 20, para. 3, pt. 1 PDPA). With regard to the special requirements of the HA, health information may be shared with third parties in a number of instances, namely when: 1. the medical treatment continuous in another healthcare establishment; 2.

there is a threat to the life and health of other persons; 3. the information is necessary for the identification of human corps or for establishing the cause for the death; 4. the information is necessary for state health control for prevention of epidemics and spread of communicable diseases;

You can also read
Next part ... Cancel