en

Legal Digest

31-03-2025
New checks on the proper implementation of GDPR in the EU and in Bulgaria
The correct implementation of the General Data Protection Regulation continues to be a major topic for EU authorities, even though nearly nine years have passed since its adoption

As in previous years, the European Data Protection Board (“EDPB”), responsible for the coherent implementation of the General Data Protection Regulation (“GDPR”) held a plenary session at which it adopted the so-called Coordinated Enforcement Framework for 2025 (the “Framework”).

 

 

It aims to ensure cooperation between the local data protection regulators - the members of the EDPB. In Bulgaria, this is the Commission for Personal Data Protection (“CPDP”).

 

 

The focus of this year's Framework is on a particular aspect of the GDPR, namely the right of erasure of data subjects' personal data, or the so-called “right to be forgotten”. The regulation of this right is in Article 17 of the GDPR and it is also laid down in the local Personal Data Protection Act. The choice of this particular right derives from the fact that it is one of the most frequently exercised rights by data subjects, as well as one of the rights for which data protection authorities receive multitude complaints for alleged violations.

 

 

According to the legal framework, the right to be forgotten is granted to the data subject (the person whose data is being processed), i.e. the subject may request the controller (the person determining the purposes and means of the processing of personal data) to delete the personal data relating to the individual without undue delay, and the controller in turn is obliged to delete the data if:

 

 

· The personal data is not necessary for the purposes for which it was collected or processed;

 

 

· The data subject has withdrawn his consent on the basis of which it is processed and there is no other legal basis on which it is processed (Article 7 GDPR);

 

 

· The data subject objects to the processing and there are no other legal grounds for the processing (Article 21 GDPR);

 

 

· Personal data have been illegally processed (Article 6 GDPR);

 

 

· Personal data must be erased in order to observe with an EU or national legal obligation, if applicable;

 

 

· The personal data was collected in connection with the provision of information society services.

 

 

The purpose of the adopted Framework is to examine whether data controllers actually observe  the above rules and respect the right of subjects to have their personal data erased. The initiative involves a total of 32 local regulatory authorities, including the CPDP, which will connect with a range of controllers from different sectors across Europe - either by launching new formal investigations or conducting fact-finding studies.

 

 

As a first step to participate in the initiative at local level, the CPDP has published an online survey in Bulgarian to controllers and processors of personal data in the public and private sector, which is to be filled in anonymously and voluntarily via the online system “EUSurvey” until 30th June 2025. Its purpose is awareness with the actions and trends in the implementation of Article 17 of the GDPR, related to the exercise of the right to be forgotten.

 

 

The hope is that with targeted coordinated action by authorities across Europe, cases of abuse in relation to the processing of personal data and its retention/erasing will decrease significantly. The final outcome of the initiative will be a dedicated report by the EDPB in which trends will be summarized in the regulatory practice of the European data protection authorities, as well as best practices (recommendations) in relation to compliance with Article 17 of the GDPR.

Practice areas: