Big data analytics' and processing of health data for scientific research purposes : The Bulgarian legal framework - Timelex

 
'Big data analytics' and processing of
health data for scientific research
purposes : The Bulgarian legal framework

Research Protocol by Desislava Krusteva and Silvena Rakshieva, Dimitrov, Petrov & Co.,

in Sofia, Bulgaria , 20 July 2018
www.aegle.uhealth.eu

Contents
        Overview of the legal framework ......................................................................................................................... 3
a. The legislative and regulatory instruments regulating the processing of health data for research purposes
(current regime) ............................................................................................................................................................ 3
b.      Revision of the current legal framework under the GDPR ................................................................................... 6
c.      The national data processing authority ................................................................................................................ 8
        Transposition of Article 8.4 of Directive 95/46 .................................................................................................. 10
a.      Transposition of Article 8.4 of the Directive 95/46 ............................................................................................ 10
b.      The regime applying to the processing of personal data for health research purposes .................................... 11
c.      Are there additional specific conditions governing the processing of data for scientific research purposes? .. 14
d.      Formalities prior to processing: the general regime under the current framework .......................................... 17
        Further processing of health data (for research purposes): the current regime ............................................... 17
     The GDPR’s impact on the current regulatory framework for the processing of health data for research
purposes ...................................................................................................................................................................... 18
e.      The impact of the GDPR on the rules applying to processing for research in the field of health ...................... 18
b.      Modification to the processing authorization procedure applying to research in the field of health ............... 19
        Further processing for research purposes under the GDPR ............................................................................... 20
        Health data sources for research purposes ........................................................................................................ 20
a.      Sources of data and their regulation .................................................................................................................. 21
b.      The application of the national framework to the AEGLE cases ........................................................................ 24
1.      Type 2 diabetes .................................................................................................................................................. 24
2.      Intensive Care Unit (ICU) .................................................................................................................................... 25
3.      Chronic Lymphocytic Leukaemia (CLL) ............................................................................................................... 25

AEGLE in your country                                                                                                                                    Page 2 of 26

                                                                                           Partners
                        Co-funded by the Horizon 2020
                        Framework Programme of the
                                                                                           EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                        European Union under Grant                                         Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                        Agreement nº 644906.                                               PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

      Overview of the legal framework
First, we would like to get an overview of the current and upcoming legal framework applying to the processing
of health data for research purposes in your country.

     a. The legislative and regulatory instruments regulating the processing of
        health data for research purposes (current regime)

What are the relevant applicable provisions governing the processing of health data in your
country? Please provide online references (also to an English version, if available), a brief
description and any specific relevant information.

Personal Data Protection Act (PDPA) adopted on 21 December 2001, taking effect on 1st January 2002, promulgated
with State Gazette No 1 of 4 January 2002.

The PDPA governs the processing of personal data, the organization and functions of the Bulgarian Personal Data
Protection Commission (PDPC) and the procedures in case of infringements related to personal data processing. The
PDPA has been amended multiple times since its adoption, in particular in 2006 to transpose Directive 95/46 on the
protection of individuals with regard to the processing of personal data and on the free movement of such data. 1 In
2004 the PDPA was slightly amended to reflect changes in the Healthcare Act (promulgated with State Gazette No
70 of 10 August 2004, entered into force on 1st January 2005) introducing the notion of “human genome” as a type
of personal data.

Currently, the PDPA is undergoing significant changes related to the entry into effect of the General Data Protection
Regulation (GDPR). A preliminary2 Bill for Amendment and Supplement to the PDPA (the Amendment Bill) was
drafted with the aim to harmonize the Bulgarian legislation in the field of personal data protection with the European
framework on the matter. The Amendment Bill was published for public consultations which ended on 30 May 2018,
gathering dozens of opinions, statements and suggestions. On 18 July 2018 the Amendment Bill was entered into

1Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data.

2 The Amendment Bill is called “preliminary” due to  the legislation procedure held in Bulgaria, which contains several stages until the enforcement
of an Act. According to Art. 85 Internal Rules of Procedure of the Council of the Ministers, the Amendment Bills together with the motives of
amendment and the report, are published on the website of the petitioner and on the Public Consultation Portal prior to submitting them before
the Council of the Ministers. Each institution has decentralized access to the portal. All stakeholders have the opportunity to get advance
information about the planned changes and give their opinion/statement to improving legislation and policies. The publication of the Amendment
Bills is carried out together with the preliminary impact assessment and the opinion of the “Modernization of Administration” Directorate.

Only then the Amendment Bills shall be submitted to the Chairman of the National Assembly together with motives and preliminary impact
assessment. Within three days after the bill is received, the Chairperson of the National Assembly shall distribute it to the standing committees,
defining which of them will lead in the discussion. The bill is adopted in two votes, which are held in different sessions. The National Assembly
may exceptionally decide on the two votes to be held in one session only if no proposals for amending or supplementing the Bill have been made
during the discussion.

The Bill shall then be sent to the President of the Republic for a promulgation decree. The Bill shall be promulgated in the State Gazette not later
than 15 days after its adoption. The Amended Act comes into force three days after its promulgation.

AEGLE in your country                                                                                                          Page 3 of 26

                                                                            Partners
                    Co-funded by the Horizon 2020
                    Framework Programme of the
                                                                            EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                    European Union under Grant                              Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                    Agreement nº 644906.                                    PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

Parliament. It will undergo the two-stage legislative procedure in the Parliament, before being promulgated.
Considering the length of legislative procedure in Bulgaria, it is expected that the vote and promulgation of the
Amendment Bill will take several more months.

Health Act (HA) promulgated with State Gazette no 70 of 10 August 2004 entered into force on 1st January 2005,
revoking and replacing the Public Health Act. The HA governs the organization of the healthcare institutions and
system in Bulgaria, the provision of healthcare services, the unconventional medical practices, genetic health and
research as well as the organization and management of medical education and science and the processing of health
information. It also provides for some special rules related to the processing of medical/ health information.

Article 141 and following HA governs genetic research and examinations of the human genome for medical and
scientific purposes.

Additionally, Chapter 7, Section IV of the HA (Art. 197 and following HA) entitled “Medical research upon persons.
Medical science” contains provisions regarding the organization, control and responsibilities in the field of medical
and science research upon individuals.

Pharmaceutical Products in Human Medicine Act (PPHMA) governs the procedures for placing pharmaceutical
products on the market; clinical trials; manufacture and import of pharmaceutical products and active substances;
packaging and package leaflets of pharmaceutical products; classification of pharmaceutical products;
pharmaceutical safety; wholesale, retail trade and export of pharmaceutical products; advertising of pharmaceutical
products; and state control.

Ordinance No 1 of 27.02.2013 on the provision of medico-statistic information and information on the medical
activity of healthcare establishments governs the provision, collection, processing, storage, use, distribution and
exchange of medico-statistic information and information on the medical activity of healthcare establishments.
Healthcare establishments collect, process, use, store and provide the said information and the related
documentation for the purposes of development, production and distribution of official national or European
statistical information for reporting, control and analytical needs and for the elaboration of national health policy.
The organization and control of activities related to medico-statistic information are under the authority of the
National Centre of Public Health and Analysis (NCPHA) and the Regional Health Inspections (RHI). This Ordinance
regulates the rights and obligations of healthcare institutions and national healthcare system bodies and does not
apply to the processing of health information by third parties.

Ordinance No 1 of 30 January 2013 on the minimum level of technical and organizational measures and the
admissible type of personal data protection (Ordinance No 1) governs the obligations of data controllers with regard
to the technical and organizational measures to be implemented based on the level of impact and the respective
necessary level of protection of personal data. As of 25 May 2018, Ordinance No 1 was officially repealed. The PDPC
has made an announcement that the repealed Ordinance No 1 will be recast and transformed into a Methodical
Guidelines paper to data controllers. To date this report was submitted, there is no draft or official publication of
the PDPC Methodical Guidelines.

Ordinance No 41 of 21.12.2005 Establishing Medical Standards for General Medical Practice issues by the Ministry
of Healthcare. Ordinance No 41 establishes the standards which shall be respected by all healthcare establishments
in which a general medical practice is carried out.

AEGLE in your country                                                                                        Page 4 of 26

                                                            Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                            EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                  Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                        PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

Ordinance No 31 of 12.08.2007 Establishing the Rules for Good Clinical Practice issued by the Ministry of Healthcare
governs the principles and guidance for good clinical practice with regard to pharmaceutical products for human use
intended for research.

National Framework Agreement on Medical Activities for 2018, concluded by the National Health Insurance Fund
(NHIF)3 and the Bulgarian Medical Association. It establishes the healthcare, economic, financial, medical,
organizational, information, legal and deontological framework according to which the contracts between the NHIF
and healthcare providers are concluded.

Professional Ethics Code of Medical Doctors in Bulgaria, issued by the Ministry of Healthcare. The Professional Ethics
Code of Medical Doctors in Bulgaria (Professional Ethics Code) provides the definition of medical secrecy. Pursuant
to its Art. 51, para. 1 medical secrecy includes all the information that the patient has shared with the physician
about his/her condition, and facts which were discovered throughout the medical check-up and examinations
performed by the latter, as well as all the information which that the physician has learned with regard to the patient
in the exercise of the medical profession. The medical secrecy is kept with regard to the members of the patient’s
family (Art. 51, para. 2 of the Professional Ethics Code). The secrets which the patient has shared with the physician,
are kept by the latter after the death of the patient (Art. 51, para. 3 of the Professional Ethics Code). Article 52 of
the Professional Ethics Code clarifies that the medical secret is extended upon all the medical documentation and
illustrative material, as well as upon data and conclusions of the performed consultations.

E-Governance Development Strategy 2014-2020, adopted by the Council of Ministries with Decision No. 163 from
21.03.2014 and Roadmap for Implementation of the E-Governance Development Strategy

PROJECT of Ordinance establishing the conditions and procedure for the conduct of medical science research has
been drafted in 2011. Although a draft is publicly available, the project of Ordinance has not yet been adopted. The
project of Ordinance, as currently drafted, contains, amongst others, provisions regarding the persons who may
participate to medical research and the conditions on the validity of their consent.

Shared electronic health records are indirectly relevant in this context because they can
potentially be an important source for health-related research.

Do shared electronic patient records exist in your country? How is the sharing of electronic
patient records regulated? Can data stored in these records be used for research purposes?

Currently in Bulgaria there is no legislative framework establishing and governing electronic patient records. The e-
Governance Development Strategy 2014-2020 aims at improving e-Heath services. The Roadmap for
Implementation of the E-Governance Development Strategy provides some further clarifications on the state of the
electronic exchange of information in the healthcare sector. It explains that according to the results of a consultancy
project “Analysis of information processes in the healthcare system in Bulgaria – participants, responsibilities,
systems, flows and legal framework” conducted upon the request of the Ministry of Healthcare, considerable
number of actors in the healthcare sector provide information to the NHIF via electronic means but the scope and

3The National Health Insurance Fund (NHIF) is regulated by the Health Insurance Act (1998) which introduced the mandatory health insurance
and regulates the supplementary health insurance in Bulgaria. The NHIF is an independent public institution separate from the structure of the
social healthcare system and having its own bodies of management.

AEGLE in your country                                                                                                     Page 5 of 26

                                                                         Partners
                   Co-funded by the Horizon 2020
                   Framework Programme of the
                                                                         EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                   European Union under Grant                            Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                   Agreement nº 644906.                                  PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

the exchange of information are limited to data on health insured persons. All forms of paid and private healthcare
services remain out of reach of available systems. Currently there are also no national technology standards for the
exchange of structured information, information security and protection of personal data and sensitive information
for patients. In order to address the gaps, a priority project was said to be launched for the implementation of the
first stages of the construction of a National Health Information System (NHSH). The NHSH would include all
stakeholders and key information flows in the healthcare sector in order to implement a minimum viable product
with regard to e-Health by establishing, among others, electronic health record (patient file) and electronic
prescriptions (e-prescriptions). However, to date, no legislative change was introduced in this direction.

Despite the ongoing lack of a legal framework on electronic patient record, a platform for electronic Health Patient
Record, supported by the NHIF, currently exists. The Health Patient Record contains information on the health status
of mandatorily health-insured citizens (immunizations, hospitalizations, medical and laboratory examinations, etc.)
as well as information on the general medical practitioner chosen by them. It is accessible through the website of
the NHIF with an electronic signature or a personal code issued by the NHIF. The system, however, needs further
improvement as it was denounced by stakeholders to lacks information or contain errors.

    b. Revision of the current legal framework under the GDPR

How are the necessary changes to the national data protection framework, introduced by the
GDPR, addressed in your country? What is the adopted legislative approach?

In Bulgaria the legislative process following the entry into force of GDPR is currently ongoing. In order to ensure the
compliance of the Bulgarian framework with the EU data protection package, a Bill for Amendment and Supplement
to the Personal Data Protection Act (Bill for Amendment) was drafted and announced by The Ministry of Interior for
public consultations for a period of two weeks (30 April 2018 – 15 May 2018). As dozens of opinions and statements,
criticizing the Bill for Amendment, were submitted, the public consultations were prolonged until 30 May 2018. The
Bill for Amendment was approved and entered into Parliament by the Council of Ministers on 18 July 2018.

Additionally, Ordinance No 1 of 30 January 2013 on the minimum level of technical and organizational measures and
the admissible type of personal data protection (Ordinance No 1) was repealed as of 25 May 2018. According to an
official release of the PDPC, the provisions of the repealed Ordinance No 1 will be updated, transformed and recast
into Methodical Guidelines. To date this report was submitted, there is no draft or official publication of the PDPC
Methodical Guidelines.

Is the GDPR implemented in your country by an entirely new legislative text or via
amendments to the current data protection law? Please explain.

In Bulgaria, GDPR provisions and requirements will be developed and implemented via amendments to the currently
applicable data protection law, namely the Personal Data Protection Act (PDPA).

Regarding the sub-legislative legal framework, some sub-legislative acts such as Ordinance No 1, are repealed
altogether, and they will not be replaced by new legislative acts of the same nature. As explained earlier in this
report, the repealed Ordinance No 1 will be recast and it provisions will be amended and transformed into a
Methodical Guidelines issued by the PDPC.

AEGLE in your country                                                                                         Page 6 of 26

                                                             Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                             EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                   Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                         PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

On the other hand, the Bill for Amendment provide for the legislative delegation for the adoption of new sub-
legislative legal acts such as an ordinance on the certification and of some non-legislative documents regarding, for
instance, the minimal requirements for large-scale video surveillance activities in the public domain as well as the
automated decision-taking of individual decisions, incl. profiling.4

What are the main characteristics of the legislative implementation of the GDPR in your
country?

Given that the Regulation is directly applicable, the Amendment Bill deals with the provisions giving some leeway to
the Member States. For example, regarding the consent of children, Art. 8, para. 1 GDPR allows Member State to
provide by law for a lower age and thus the Bulgarian government has chosen to down the age of consent to 14.

The Bill for Amendment also regulates the issues that require the explicit introduction of legislative measures at
national level to ensure the implementation of the new legislative package in the field of personal data protection.

Some of the national legislative measures introduced with the Bill for Amendment include:

        •    Updated definitions list: GDPR significantly extends the existing definitions apparatus in the field of personal
             data protection. The Bill for Amendment contains an updated list of terminology in accordance with
             Regulation 2016/679 and Directive 2016/680.

        •    Waiver of the registration requirement for data controllers: As of 25 May 2018, the obligation for data
             controllers to register with the Personal Data Protection Commission (PDPC) is waived. This circumstance
             is taken into account in the Bill for Amendment which repeals the current PDPA texts governing the
             mandatory registration of data controllers.

        •    Regulation of specific cases of personal data processing: The Bill for Amendment offers detailed regulation
             of certain specific social relations, such as the exercise of the right to freedom of expression and
             information, incl. for journalistic purposes and for the purposes of academic, artistic or literary expression;
             processing of personal data in the context of employment and employment relationships; legal regulation,
             in special laws, on public access to the national Personal Identification Number of individuals; excluding of
             the data of deceased individuals from the scope of personal data.

        •    Administrative sanctions of public authorities: No distinction is made between public and private data
             controllers in terms of the sanction regime in case of a breach the personal data protection rules.

Additionally, the Amendment Bill transposes into national law EU Directive 2016/680 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal
data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal penalties, and on the free movement of such data. Despite the different legal
nature of Regulation 2016/679 and Directive 2016/680, the preliminary analysis of their norms prescribed that the
national legislation synchronizing and transposing their provisions should be settled in one national legal act, namely
the Bill for Amendment of the PDPA. This approach was found to be best suited both in principle and in legal and
technical terms.

4   Bill for Amendment of the Personal Data Protection Act, Motives, p. 3

AEGLE in your country                                                                                                        Page 7 of 26

                                                                            Partners
                      Co-funded by the Horizon 2020
                      Framework Programme of the
                                                                            EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                      European Union under Grant                            Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                      Agreement nº 644906.                                  PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

What is your own assessment of the legislative approach adopted in your country for
implementing the GDPR?

Besides the obvious fact that the necessary amendments in the legislation are quite delayed and thus, create serious
uncertainty at the present moment, our understanding is that the Bill for Amendment is quite balanced and does
not reveal any substantial contradictions to the GDPR. It is expected to ensure and increase the legal certainty for
data controllers, processors and data subjects and to provide for a lean enforcement due to the simplification of the
regulatory framework.

    c. The national data processing authority

Can you provide a short description of the role of the data protection supervisory authority in
your country in the domain of processing health data for research purposes under the current
legal framework?

In Bulgaria the Personal Data Protection Commission (PDPC) is an independent state institution governed by the
provisions of Art. 6 and following of the PDPA.

According to Art. 17 PDPA, the data controller is required to file an application for registration with the PDPC prior
to commencing any data processing. Within 14 days of the application submission, the Commission registers the
data controller.

In case the processing will involve health or genetic data, the PDPC carries out a mandatory preliminary check prior
to registering the controller and the respective processing (Art. 17b, para. 1 PDPA). The check is performed within 2
months of the application submission (Art. 17b, para. 2 PDPA). Following the check, the PDPC either (1) registers the
controller; (2) issues binding prescriptions regarding the conditions of the data processing; or (3) denies registering
the controller (Art. 17b, para. 3 PDPA). The controller is not permitted to commence processing data before being
registered with the PDPC or before fulfilling its binding prescriptions (Art. 17b, para. 4 PDPA). According to Art. 17b,
para. 6 PDPA, the disposition of the PDPC decision is promulgated in the State Gazette.

Additionally, in case where, after achieving the purpose of the processing, the controller wishes to store the
processed data as anonymous data for scientific purposes, the PDPC should be informed accordingly (Art. 25, para.
3 PDPA). By issuing a decision, the PDPC may prohibit such storage of data in case it establishes that the controller
has failed to provide sufficient safeguards to the storage of the anonymous data (Art. 25, para. 4 PDPA). The PDPC
decision may be appealed before the competent administrative court. The court decisions could not be appealed; in
case of dismissal of the appeal against the Commission’s decision, the controller is obliged to destroy the data (Art.
25, para. 5 PDPA).

Finally, the PDPC is competent for imposing pecuniary sanctions in case of infringements to the provisions of the
PDPA. In case of violation to the general prohibition to process health or genetic data (Art. 5, para. 1, pt. 3 PDPA) or
of violations to the exceptions to this prohibition (Art. 5, para. 2 PDPA) the PDPC is competent to impose fines or
pecuniary sanctions of BGN 10,000 to BGN 100,000 (approx. EUR 5,000 to EUR 50,000).

AEGLE in your country                                                                                         Page 8 of 26

                                                             Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                             EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                   Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                         PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

Can you describe the adopted or proposed changes to this role of the national data
protection authority to ensure compliance with the GDPR?

The Amendment Bill introduces several novelties reinforcing the role of the Personal Data Protection Commission
(PDPC).

In addition to the powers which the PDPC shall exercise on the territory of the Republic of Bulgaria under Art. 58
GDPR, its role shall also include, amongst others:

•      analyzing and carrying out comprehensive supervision and ensures compliance with Regulation (EU)
2016/679, national law and other legal acts in the field of personal data protection;

•        issuing sub-legislative legal acts;

•       ensuring implementation of the European Commission’s decisions on the protection of personal data and
the implementation of binding decisions of the European Data Protection Supervisor;

•        organizing, coordinating and conducting trainings in the field of personal data protection;

•        adopting criteria for the accreditation of certification bodies;

•       issuing guidelines, recommendations and best practices in cases where such are not issued by the European
Data Protection Supervisor;

•        approving draft codes of conduct per sector or activity area, as per the meaning of Art. 40 GDPR;

•        referring breaches of Regulation (EU) 2016/679 to court;

•       issuing mandatory prescriptions and gives instructions and recommendations regarding the protection of
personal data;

•        applying coercive administrative measures.

•        being assigned other tasks and powers only by law;

•        participating in the Cohesion Mechanism and cooperating with the lead and/ or affected supervisory
authorities, by exchanging information, providing or seeking mutual assistance and/ or participating in joint
operations.

The PDPC shall exercise control through prior consultations, audits and joint operations for compliance with the
GDPR and the national legislation. Prior consultation as per the meaning of Art. 36 GDPR are carried out by the PDPC
when data are processed in the performance of a task in the public interest, incl. processing in relation to social
protection and public health. The PDPC issues an opinion within 8 weeks from the submission of the request. When
the processing is carried out in relation to social protection and public health the PDPC may allow for it before the
expiry of the statutory time period of 8 weeks.

AEGLE in your country                                                                                          Page 9 of 26

                                                              Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                              EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                    Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                          PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

      Transposition of Article 8.4 of Directive 95/46
Article 8 of Directive 95/46 prohibits, in principle, the processing of special categories of
personal data concerning health. Article 8.2 lists a series of exceptions to this general
prohibition. Article 8.4 states “Subject to the provision of suitable safeguards, Member States
may, for reasons of substantial public interest, lay down exemptions in addition to those laid
down in paragraph 2 either by national law or by decision of the supervisory authority”.

When transposing Directive 95/46 did your national legislator or supervisory authority make
use of the power granted to Member States in Article 8.4 of the Directive? Did the legislator
use this provision to insert any additional (i.e. additional to the exceptions listed in the
Directive) exemption (to the prohibition to process health data) for the processing of health
data for research purposes?

If yes, how is such an exemption formulated? Please explain.

     a. Transposition of Article 8.4 of the Directive 95/46

What are the exceptions to the prohibition of processing sensitive data? Do any of these
exceptions address scientific research in the field of health? How is such an exception
formulated, and does it set out specific conditions?

In Bulgaria data regarding health and human genome are considered sensitive data and as such their processing is
prohibited (Art. 5, para. 1, pt. 3 PDPA). However, the prohibition does not apply (1) if the individual to whom such
data relate has given his/her consent to the processing, unless a special law provides otherwise 5 (Art. 5, para. 2, pt.
2 PDPA) or (2) if the processing is necessary for the exercising of or for the compliance with specific rights or
obligations of the data controller, established in the employment law (Art. 5, para. 2, pt. 1 PDPA) or (3) if the
processing is required for the purposes of preventive medicine, medical diagnostics, the provision or management
of healthcare services provided that data are processed by a medical professional who is bound by law to
professional secrecy or by another person subject to such obligation of secrecy (Art. 5, para. 2, pt. 6 PDPA).

5 The clarification “unless a special law provides otherwise“ may be understood in two different ways: (1) a special law provides that sensitive
data may be processed even in the absence of the data subject’s consent; or (2) a special law provides that sensitive data cannot be processed
even with the data subject’s consent. According to the wording of Directive 95/46/ЕC the understanding should be as per the second suggestion,
insofar as Art. 8 para. 2, lit. a of the Directive provides that data subject’s consent may justify the processing of sensitive data “except where the
laws of the Member State provide that the prohibition [for processing of such data] may not be lifted by the data subject's giving his consent”.
However, in its Opinion No П-3991/2013 of 26.06.2013 the PDPC understands it otherwise and reiterates that “the processing is admissible in the
absence of consent if a special law provides otherwise” (emphasis added). The instance at hand involved the provisions of Art. 106, para. 1 and
Art. 243, para. 2 of the Insurance Code which provide for the possibility of insurance companies to obtain certain health information of insured
persons, including by receiving it directly from medical specialists without the consent of the data subject. Notwithstanding, in the context of
health information the above differences in interpretation are virtually irrelevant as in Bulgarian special legislation in this field does not diverge
from the general data protection regime of sensitive data, provided for by the PDPA.

AEGLE in your country                                                                                                          Page 10 of 26

                                                                             Partners
                    Co-funded by the Horizon 2020
                    Framework Programme of the
                                                                             EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                    European Union under Grant                               Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                    Agreement nº 644906.                                     PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

With regard to the powers granted to Member States with Article 8.4 of Directive 95/46, Bulgarian legislator has
made use of them by inserting only one additional exception to the general prohibition for processing of sensitive
data, under pt. 7 of Art. 5, para. 2 PDPA. According to this exception the processing of sensitive data is permitted if
it is performed exclusively for the purposes of journalism, literary or artistic expression provided that it does not
violate the right to privacy of the person to whom such data relate.

     b. The regime applying to the processing of personal data for health
        research purposes

Is there a specific regime applying to data processing for research in the field of health
purposes?

What is the scope? Which are the steps, and who are the key actors?

In Bulgaria specific regime applying to processing of health data is provided through special legislation in the field of
health.

              •    THE HEALTH ACT (HA)

Pursuant to Art. 27, para. 1 of the Health Act (HA) “health information” is personal data related to the health
condition, physical and phycological development of individuals as well as any other information contained in the
medical prescriptions, instructions, protocols, certificates and other medical documentation. According to the
wording of this provision the definition of health information is twofold and involves (1) personal data related to the
health condition, physical and phycological development of individuals; and (2) any other information contained in
medical documentation. The HA does not provide a clear definition of “medical documentation”. It obviously covers
medical prescriptions, instructions, protocols and certificates (examples of medical documentation listed in Art. 27,
para. 1 HA). It may also cover “health documentation” defined in para. 1, pt. 1 of the Additional provisions of the HA
as “all forms for registering and storage of health information”. Despite the lack of clear definition of “medical
documentation”, such documentation would practically always contain information making a natural person to
whom it relates identified or identifiable. With view to that, health information falls, altogether, under the scope of
PDPA. General data protection regime is therefore applicable to health information together with the specific rules
of the HA, which further develop and complement it.

According to Art. 27, para 2 HA health information is collected, processed, used and stored by healthcare and medical
establishments, Regional Health Inspections, physicians, dentists, pharmacists and other medical specialists, as well
as by non-medical specialists with higher non-medical education working in the national healthcare system. 6 The
persons under Art. 27, para. 2 HA who process health information are required to ensure safeguards by protecting
this information from unauthorized access (Art. 28, para. 3 HA). In addition, they are prohibited from disclosing
patient information received in the course of their official duties (Art. 28B HA).

6 This provision should not be understood as providing a limitative list of the categories of persons allowed to process health information but
rather as establishing the processing of such information as an activity which is inherent to the duties of listed persons.

AEGLE in your country                                                                                                    Page 11 of 26

                                                                         Partners
                   Co-funded by the Horizon 2020
                   Framework Programme of the
                                                                         EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                   European Union under Grant                            Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                   Agreement nº 644906.                                  PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

The patient has the right to obtain from a healthcare establishment the health information relating to him/her, incl.
copies of his/her medical documents. (Art. 28Б, para. 1 HA). The patient has also the right to authorize in writing a
third person to consult and copy his/her medical documents (Art. 28Б, para. 2 HA).

Pursuant to Art. 28, para. 1 HA health information may be shared with third persons when:

    1.   the medical treatment continuous in another healthcare establishment;

    2.   there is a threat to the life and health of other persons;

    3.   the information is necessary for the identification of human corps or for establishing the cause for the
         death;

    4.   the information is necessary for state health control for prevention of epidemics and spread of
         communicable diseases;

    5.   the information is necessary for the purposes of medical expertise and social security;

    6.   the information is necessary for the purposes of medical statistics or medical science research provided
         that data which identify the data subject are removed;

    7.   the information is necessary for the needs of the Ministry of Healthcare, National Centre of health
         information, National Health Insurance Fund and the National Statistics Institute;

    8.   the information is needed by a licensed insurer.

Pt. 6 expressly provides for the possibility to share health information with third persons in case the information is
necessary for the purposes medical science research and provided that data which identify the data subject are
removed.

In addition, according to Art. 86, para. 1, pt. 5 HA every patient has the right to protection of the data referring to
his/her health.

The HA contains some further special provisions regarding medical research upon humans and upon the human
genome.

Medical research upon humans is governed by the provisions of Art. 197 and following HA. The person undergoing
the research has all the rights of a patient (Art. 197, para. 3 HA), including with regard to his/her health information.
Medical research is carried out while ensuring maximum safety for the health of the patient and preserving the
secret of his/her personal data (Art. 197, para. 4 HA). According to Art. 199 HA medical research upon humans may
be conducted solely after the head of the research has informed, in writing, the participating individuals on the
nature, significance, scope and possible risks of the study, and the participating individuals have provided their
written informed consent (Art. 199, para. 1 HA). The said consent may be given solely by a legally capable person
who understands the nature, significance, scope and possible risks of the study (Art. 199, para. 2 HA). The provided
written consent may be withdrawn at any time (Art. 199, para. 3 HA).

According to Art. 141, para. 1 HA genetic research for medical and scientific purposes is conducted only provided
that the persons undergoing the research examinations have provided their written informed consent. The results
of such research examinations and screening shall not give rise to discrimination of the persons undergoing the

AEGLE in your country                                                                                         Page 12 of 26

                                                              Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                              EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                    Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                          PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

research (Art. 141, para. 3 HA). Article 141, para. 4 HA establishes that data regarding the human genome is personal
data and they cannot be provided to employers, health insurance organizations and insurance companies.

Genetic research for medical and scientific purposes is conducted by accredited genetic laboratories adjacent to
inpatient and outpatient medical care establishments as well as by independent accredited laboratories. The
National Genetic Laboratory, which supervises and controls the activity of genetic laboratories, administrates and
manages a national genetic register.

            •   THE PHARMACEUTICAL PRODUCTS IN HUMAN MEDICINE ACT (PPHMA)

According the Art. 85, para. 2 PPHMA all the information of the clinical trial is saved, processed and stored in a way
which allows for its correct reporting, interpretation and confirmation by protecting the personal data of
participants. Clinical trial may commence and is conducted when the participant’s physical and phycological
inviolability, the privacy of his/her personal life and the protection of his/her personal data pursuant to the
provisions of the PDPA is guaranteed (Art. 90, pt. 2 PPHMA). In case the person undergoing the trial has a general
practitioner and has consented to the latter to be informed, the researcher informs the general practitioner on the
participation of the patient to the trial (pt. 4.3.3. of Annex 1 to Art. 1, para. 1 of Ordinance No 31). Before undergoing
the clinical trial, the participant is informed on various aspects of the trial, including on the fact that the persons
monitoring and reviewing the trial, the ethics commission and the regulatory bodies are given access to his/her
original medical documents for the purposes of checking the trial procedures and data, by guaranteeing protection
of personal data of the participant according to applicable laws and ordinances (pt. 4.8.10.14. of Annex 1 to Art. 1,
para. 1 of Ordinance No 31). The participant is also informed on the fact that documents establishing his/her identity
will be kept confidential and data contained therein will not be disclosed according to applicable laws and
ordinances; in case of publishing the results of the clinical trial, the identity of participants will be kept confidential
(pt. 4.8.10.15. of Annex 1 to Art. 1, para. 1 of Ordinance No 31).

All the above specific provisions regarding health information, medical research and clinical trial are to be read in
conjunction with the PDPA framework. Special legislation, namely the HA and the PPHMA and sublegislative legal
framework, further develop the general personal data protection regime and complement it with some additional
specific rules with regard to health data.

From which generally applicable data protection provisions are researchers exempted and
under what conditions?

For what reasons? From which provisions? What are the consequences?

The processing of personal data for scientific purposes is exempted from the information obligation of Art. 20 PDPA,
according to which the data controller is required, when processing data which was not obtained directly from the
data subject, to provide the latter with a set of information, namely: data identifying the controller; the purposes of
the processing; the categories of data which are processed; the (categories of) recipients to whom the data may be
revealed; information regarding the right of access and the right of rectification of the collected data. Pursuant to
Art. 20, para. 3 PDPA the controller is not obliged to provide data subjects with such information insofar as the
processing is carried out for scientific purposes and the provision of the said information is impossible or requires
disproportionate efforts.

AEGLE in your country                                                                                          Page 13 of 26

                                                               Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                               EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                     Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                           PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

    c. Are there additional specific conditions governing the processing of data
       for scientific research purposes?

What are the suitable safeguards applying to the exemption foreseen by Article 8.4 of the
Directive in your country? Are there any specific provisions concerning: (i) professional
secrecy, (ii) express consent for specific data, or specific provisions for (iii) deceased data
subjects, or (iv) specific provisions for minors or persons subject to guardianship?

    (i)      Professional secrecy

According to Art. 5, para. 2, pt. 6 PDPA, health and genetic data may be processed in case the processing is required
for the purposes of preventive medicine, medical diagnostics, the provision or management of healthcare services
provided that data are processed by a medical professional who is bound by law to professional secrecy or by
another person subject to such obligation of secrecy. Similarly, Art. 28B HA establishes that medical specialists and
the personnel in the healthcare establishments are prohibited from disclosing patient information received in the
course of their official duties.

    (ii)     Express consent for specific data

According to the provisions of Art. 199 HA medical research upon humans may be conducted solely after the head
of the research has informed, in writing, the participating individuals on the nature, significance, scope and possible
risks of the study, and the participating individuals have provided their written informed consent. Similarly, clinical
trial may only be conducted in case the participant has provided his/her written informed consent. By analogy,
although the PDPA does not contain an express requirement for consent to be written, our understanding is that in
terms of processing health information, incl. for research purposes, such consent shall be provided in writing.

    (iii)    Specific provisions for deceased data subjects

The PDPA does not contain specific provisions regarding deceased data subjects’ data, with the exception of the
special rules for exercising the deceased data subject’s right to access, which could be exercised by their heirs.

The specific provisions of HA establish that a diseased person’s heirs and relatives of straight and collateral line of
up to the fourth-degree incl. have the right to obtain the health information of the diseased as well as to make copies
of his/her medical documents (Art. 28Б, para. 3 HA).

    (iv)     Specific provisions for minors or persons subject to guardianship

Bulgarian legal system distinguishes minors from underage persons. According to Art. 3 of the Persons and Family
Act (PFA) persons under the age of 14 are considered minors and are not legally capable of performing valid legal
actions. Such actions are performed in their name and on their behalf by their legal representatives - parents or
guardians. Pursuant to Art. 4 PFA, persons between the age of 14 and 18 are considered underage and have limited
legal capacity. They undertake legal actions with the approval of their parents or guardians. They can conclude small
ordinary deals to meet their current needs and also have the right to be in dispose of what they have acquired
through their own labor.

AEGLE in your country                                                                                        Page 14 of 26

                                                             Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                             EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                   Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                         PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

The current PDPA framework does not contain specific provisions on minors and underage persons. With regard to
obtaining consent for the processing of personal data of minors and underage persons (health data incl.), the PDPC’s
established practice reiterates that such consent for the processing of personal data of minors (under age of 14)
must be given by their parents or guardians, and the consent obtained from underage persons (between 14 and 18)
must be approved by their parents or guardians.

Some further clarification may be found in the provisions of Art. 199, para. 2 HA which establishes that the consent
for participation to a medical research upon humans may be given solely by a legally capable person who
understands the nature, significance, scope and possible risks of the study. In addition, according to Art. 97, para. 1
PPHMA medical trial upon a minor is carried out solely after obtaining the written informed consent of both parents
or guardians. Clinical trial upon an underage person is carried out after an informed written consent is obtained from
the person and from both parents or guardians. In case one of the parents is missing, diseased or deprived of parental
rights the consent should be obtained from the underage person and the other parent (Art. 97, para. 4 PPHMA).
Minors and underage persons are provided information on the clinical trial, the related risks and benefits, in a
manner which is understandable and from a physician who has experience working with minors and underage
persons (Art. 97, para. 7 PPHMA).

Are there specific requirements about the data subject’s information? Or the person from
whom the data was collected?

The PDPA does not provide for specific obligations about data subject’s information in the context of processing of
health data.

In the framework of the general PDPA regime, when the data is obtained directly from the data subject, controllers
are bound by the requirement to provide data subjects with a set of information including: data which identifies the
controller; the purpose of the processing; the (categories of) recipients to whom the data may be disclosed;
information on the mandatory or voluntary provision of data and the consequences of a refusal to provide them;
information on the right of access and the right of correction of data (Art. 19 PDPA).

Similar information is to be provided to data subjects in case their data was not obtained directly from them (Art. 20
PDPA). Nonetheless, in case the data was not obtained directly from the data subject and are used for scientific
purposes, controllers are exempted from the information obligation if the provision of the required information is
not possible or requires disproportionate efforts (Art. 20, para. 3, pt. 1 PDPA).

With regard to the special requirements of the HA, health information may be shared with third parties in a number
of instances, namely when:

    1.   the medical treatment continuous in another healthcare establishment;

    2.   there is a threat to the life and health of other persons;

    3.   the information is necessary for the identification of human corps or for establishing the cause for the
         death;

    4.   the information is necessary for state health control for prevention of epidemics and spread of
         communicable diseases;

AEGLE in your country                                                                                        Page 15 of 26

                                                             Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                             EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                   Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                         PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

       5.    the information is necessary for the purposes of medical expertise and social security;

       6.    the information is necessary for the purposes of medical statistics or medical science research provided
             that data which identify the data subject are removed;

       7.    the information is necessary for the needs of the Ministry of Healthcare, National Centre of health
             information, National Health Insurance Fund (NHIF) and the National Statistics Institute;

       8.    the information is needed by a licensed insurer.

In the above instances under pt. 1 and 3-8 health information may be provided to a third party without informing
the data subject on the provision. According to Art. 28, para. 2 HA data subjects need to be informed when the
provision is performed on the grounds that there is a threat to the life and health of other persons (pt. 2 above).

Are there specific penalties if the conditions for processing for scientific research in the field
of health purposes are not respected? What do those penalties entail?

According to Art. 228 HA a medical specialist who violates the requirements established with the HA and the sub-
legislative acts with regard to the form, the content, the conditions and order for use, processing, analysis, storage
and provision of medical documentation is punishable with a fine of BGN 500 to BG 1,500 (approx. EUR 250 to EUR
750), and in case of a repeated violation – of BGN 1,500 to BGN 3,000 (approx. EUR 750 to EUR 1,500). For other
infringements of the HA, the fine is of BGN 100 to BGN 600 (approx. EUR 50 to EUR 300), and of BGN 500 to BGN
3,000 (approx. EUR 250 to EUR 1,500) in case of a repeated violation, for natural persons, and of BGN 500 to BGN
2,000 (approx. EUR 250 to EUR 1,000), and BGN 2,000 to BGN 5,000 (approx. EUR 1,000 to EUR 2,500) in case of a
repeated violation, for legal persons.

In case of violations to Art. 5 PDPA (establishing the prohibition for processing of health and genetic data and the
regime of the exceptions to this prohibition), the controller is punishable with a fine of BGN 10,000 to BGN 100,000
(approx. EUR 5,000 to EUR 50,000). The pecuniary sanction for violation of the prohibition to process health data
before being registered with the PDPC (Art. 17B PDPA) is of BGN 2,000 to BGN 20,000 (approx. EUR 1,000 to EUR
10,000).

According to Art. 38 of the Professional Organizations of Doctors and of Doctor of Dental Medicine Act (PODDDMA),
doctors and doctors of dental medicine are liable for infringements to the professional ethics codes and to the rules
for good medical practice, such as violations of doctor - patient privilege (including provision of health data) and
storing of health information contrary to the legal requirements. The penalties are as follows:

       1.        Reprimand;

       2.        Fines in the amount of 1 (one) up to 10 (ten) minimum working wages depending on the violation (the
                 minimum wage in Bulgaria is BGN 5107, approx. EUR 255);

       3.        Deregistration of doctors and dentists from the respective professional register for a period of 3 (three)
                 months up to 2 (two) years (i.e. they cannot carry out activity).

7   As of 2018

AEGLE in your country                                                                                           Page 16 of 26

                                                                Partners
                   Co-funded by the Horizon 2020
                   Framework Programme of the
                                                                EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                   European Union under Grant                   Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                   Agreement nº 644906.                         PAGNI, GNUBILA FRANCE, NTU
www.aegle.uhealth.eu

According to Art. 145, para. 1 of the Criminal Code, criminal liability is also established in cases of revelation of
another one’s secret confided in connection to the performance of duties.

    d. Formalities prior to processing: the general regime under the current
       framework

This section is relevant if the regime applying to processing for research in the field of health
is a specific regime. But it may not always apply, and in such an instance the processing is
ruled by the general regime.

Is there a regime requiring the fulfilment of certain conditions prior to any processing
activities different from that applicable to research in the field of health? If yes, what does
that regime entail?

Where in the applicable legislation can it be found? What are this regime’s main steps and
conditions?

According to Art. 17, para. 1 PDPA data controllers are required to apply for a registration with the PDPC prior to
commencing the processing. In case they fall within the general regime (i.e. no sensitive data will be processed) they
may commence processing after submitting the registration (Art. 17, para. 3 PDPA). With the GDPR taking effect in
May 2018 this requirement will no longer be applicable.

     Further processing of health data (for research purposes): the
     current regime
How is the notion of further processing regulated in your national framework?

Are there specific conditions for further processing for scientific research in the field of health
purposes?

Article 2, para. 2, pt. 2 PDPA introduces the general principle according to which personal data are collected for
specific, precisely defined and lawful purposes and shall not be further processed in a manner which is incompatible
with those purposes. Nonetheless, the same provision allows for personal data to be further processed insofar as
such further processing is performed for scientific research purposes and provided that the controller ensures proper
protection to these data namely by guaranteeing that they are not processed for other purposes. The further
processing shall be compatible with the initial purpose of processing. Additionally, personal data which are stored
for scientific research purposes for periods longer than those necessary to the fulfilment of the initial purposes for
which they were collected, shall be maintained in such format so as to preclude the identification of data subjects
(Art. 2, para. 2, pt. 6 PDPA).

AEGLE in your country                                                                                       Page 17 of 26

                                                            Partners
                Co-funded by the Horizon 2020
                Framework Programme of the
                                                            EXUS AE (Coordinator), ICCS, KINGSTON, CERTH, Maxeler Tecnologies
                European Union under Grant                  Limited, UPPSALA UNIVERSITET, UNISR, Time.Lex, EUR, CHS, LOBA,
                Agreement nº 644906.                        PAGNI, GNUBILA FRANCE, NTU
You can also read
NEXT SLIDES ... Cancel