Bulgarian Data Protection Authority’s guidance on whether banks and other regulated entities act as ‘controllers’ or ‘processors’
In September 2018 the Bulgarian Personal Data Protection Commission (“PDPC”) produced a number of formal opinions, in which the authority examined the concepts of ‘controller’ and ‘processor’ in the context of the activity of banks and providers of postal and courier services. The PDPC has taken the position, without outlining it as an absolute rule, that in principle companies that act under licenses or governmental permits and are subject to strict regulations, are controllers in their relationships with clients. This is because a client cannot instruct the service provider how exactly to process his data, since both parties are bound to comply with the laws and regulations, including data processing provisions, applicable to banking, insurance, postal or other regulated services. The PDPC’s guidance is of a general nature and leaves open the possibility that there are situations a regulated entity would, however, act as processor and not a controller