Varadinov & Co.
Legal Bulletin


State Gazette, issue 12 / February 8th, 2019
Changes in the Social Insurance Code introduce enhanced supervision of the activities of pension insurance companies. They introduce the principle that oversight activity should be based on a forward-looking, risk-based approach. In exercising a supervisory review and determining its minimum frequency and scope, the Commission and the Deputy Chairperson of the Commission in charge of the Insurance Supervision Division shall take into account the circumstances in which the supplementary social insurance company and the funds managed by it operate and the amount, nature, scale and complexity of their activities. The supervisory review also covers the activities of external contractors to whom the company has outsourced certain activities. The requirements for professional experience in management positions are increasing. The custodian bank shall verify that the supplementary pension fund is the owner of the assets other than the financial instruments that are held in an account with the custodian bank or available to it. The audit shall be carried out on the basis of the documents submitted by the pension insurance company and on the basis of external evidence, where available.
The risk management system shall cover, in a manner commensurate with the size and internal organization of the pension insurance company and the funds managed by it and in accordance with the size, nature, scale and complexity of their activities, the risks that may arise in them or in the external contractors, at least in the following areas: 1. formation of reserves; 2. asset and liability management; 3. investment activity; 4. liquidity risk management; 5. concentration risk management; 6. operational risk management; 7. application of risk mitigation techniques; 8. the environmental, social and management risks related to the investment portfolio of a supplementary voluntary pension fund under occupational schemes and its management, provided that they are provided for in the investment policy of the fund. The risk management system addresses the biometric and investment risks from the point of view of insured persons and pensioners in the funds managed by the company. The pension insurance company is obliged to carry out and document, in accordance with the size, nature, scale and complexity of its activity, its own risk assessment of the company and to provide it with a trust fund, at least once annually and immediately after any material change in the risk profile of the company or the funds. The valuation is presented to the general meeting of shareholders as part of the annual report and is taken into account by the pension insurance company when making strategic decisions.
The information provided by the pension insurance company to the insured persons, pensioners and their heirs according to the requirements of this Code and the instruments of its application, and to the persons to be insured in a supplementary pension insurance fund, should: be updated regularly; be clearly written in unambiguous, precise and comprehensible language, avoiding the use of professional jargon and professional terminology if they can be replaced by commonly understood terms; not be misleading and be consistent in terms and content; be presented in a way that is easy to read; be provided in the Bulgarian language and, in the case of insurance under a professional scheme to which the labor and social legislation of another Member State is applicable, in the official language of that Member State, unless otherwise agreed with the person concerned; be provided free of charge. The information shall be made available to the persons, at their choice, by electronic means, including by e-mail, on a durable medium or via the website of the pension insurance company, or in paper form. Where the person concerned has not made a choice as to how the information is to be provided, it shall be provided on paper. Where information is provided electronically, the information is also provided on paper at the request of the person concerned.
Before entering into an insurance contract, the pension insurance company must provide the counterparty to the contract with up-to-date information about the Fund's main characteristics and participation. The pension insurance company is obliged, upon request, to issue to every insured person or pensioner a unique identifier that provides him/her with electronic access to the data in his/her individual account and allows him/her to consult and track his/her insurance history. The pension insurance company is obligated to provide a copy of an electronic document in its electronic file, in paper or electronic form, within 7 days to the insured person, the pensioner, or the heir of the insured person or the pensioner respectively.

State Gazette, issue 13 / February 13th, 2019
Changes in the Financial Management and Control Act in the public sector aim at discipline, transparency and accountability in the spending of public funds. The circle of regulated persons is expanding: managers of commercial companies with more than 50 percent municipal shareholding in the capital are responsible for the state of financial management and control in the companies and report to the municipal council. Control activities are implemented at all levels of the organization and at all stages in achieving the goals. They may be preventive, detective or corrective, and must include at least: 1. a double signature system that does not allow for a financial commitment or payment without the signatures of the head of the organization under Art. 2 and the person responsible for the accounting entries; 2. rules on access to assets and information; 3. policies and procedures for ex-ante control of legality; 4. policies and procedures for ongoing monitoring of the implementation of financial commitments and contracts; 5. policies and procedures for ex-post performance appraisals; 6. policies and procedures for the objective, accurate, complete, reliable and timely accounting of all business transactions; 7. policies and procedures for human resource management; 8. policies and procedures for respecting personal integrity and professional ethics. The order and the way of carrying out the ex-ante control of legality shall be determined by the managers of the organizations on the basis of a risk assessment and a cost-benefit analysis and in accordance with the instructions of the Minister of Finance. Organization leaders provide for monitoring of the financial management and control system in order to assess its functioning, to provide timely information on identified weaknesses and omissions to those responsible for taking corrective action, and to ensure its timely updating when conditions change.
Preliminary control of legality and ex-post performance assessment, including all documentary inquiries, facts and circumstances relating to assurance of compliance with applicable law, are in place before a decision is taken or an action is carried out by the managers of the organizations, as well as any checks aimed at detecting possible errors or irregularities of a completed process, contract, or business operation. The checks shall establish whether the resources have been acquired or are spent legally and in relation to the objectives and level of achievement.

State Gazette, issue 17 / February 26th, 2019
Amendments to the Personal Data Protection Act introduce the rules of Regulation (EU) 2016/679. Under its powers, the Personal Data Protection Commission seises the court for breaches of the law and provides guidance, issues guidelines, recommendations and best practices in relation to the protection of personal data. The Commission may be assigned other tasks and powers only by law. The Commission shall participate in the Cohesion Mechanism and shall cooperate with the lead or with the supervisory authorities of the Member States of the European Union, including by exchanging information, providing or seeking mutual assistance or participating in joint operations. Upon request, the controller and the personal data processor shall, unless the obligation of the controller or the processor of personal data to protect professional secrecy or any other obligation of secrecy ensuing from law may be breached. In these cases, the administrator or the personal data processor refuses to provide, or give access to, only the information protected as a secret. Where the information contains data that constitutes classified information, the access procedure under the Classified Information Protection Act shall apply. The conditions and procedure for training of data protection officers shall be laid down in a Regulation, and the Commission shall issue a certificate to persons who have completed a training course and passed an examination. The certificate shall be issued for a period of three years and shall be renewed after a successful examination, but holding it may not be a mandatory condition for the appointment or performance of the duties of a Data Protection Officer.
Where personal data is provided by the data subject to an administrator or processor of personal data without a legal basis or contrary to the principles of Art. 5 of Regulation (EU) 2016/679, within one month of becoming aware, the controller or the personal data processor returns them, and if this is impossible or requires disproportionate effort, erases or destroys them. Deletion and destruction shall be documented. The administrator and the personal data processor shall notify the Commission of the names, the unique civilian number or the personal identification number of an alien or other similar identifier, and the contact details of the Data Protection Officer, as well as any subsequent changes thereto. An administrator or personal data processor may copy an identity document, a driving license or a residence document only if this is provided for by law. The administrator or the processor of personal data shall adopt and apply rules on the large-scale processing of personal data or systematic large-scale surveillance of publicly accessible areas, including through CCTV, which shall introduce appropriate technical and organizational measures to protect the rights and freedoms of data subjects. Personal data of deceased individuals can only be processed if there is a legal basis for this. In such cases, the controller or the personal data processor shall take appropriate measures to prevent adverse effects on the rights and freedoms of others or the public interest. The Administrator shall provide upon request access to the personal data of a deceased person, including a copy thereof, to his heirs or other persons of legal interest. Free public access to information containing a single citizen number or personal number of an alien is not allowed unless the law provides otherwise.
The processing of personal data for journalistic purposes, as well as for academic, artistic or literary expression, is lawful when done for the realization of freedom of expression and the right to information, respecting privacy. In the case of disclosure by transmission, dissemination or other means by which personal data collected for the above purposes become available, the balance between freedom of expression and the right to information and the right to protection of personal data shall be assessed on the basis of the following criteria, to the extent relevant: the nature of personal data; the impact that disclosure of personal data or public disclosure would have on the privacy of the data subject and his reputation; the circumstances in which the personal data have become known to the controller; the nature of the statement by which the rights are exercised; the importance of disclosing personal data or public disclosure thereof to clarify a matter of public interest; taking into account whether the data subject is a person who holds a post under Art. 6 of the Law on Counteracting Corruption and Forfeiture of the Illicitly Acquired Property, or is a person who, due to the nature of his or her role in public life, has lesser protection of his or her privacy or whose actions have an impact on society; taking into account whether the data subject has contributed to the disclosure of his or her personal data and/or information about his or her personal and family life; the purpose, content, form and consequences of the statement by which the rights under par. 1 are exercised; the compliance of the statement by which rights are exercised with the fundamental rights of citizens; other circumstances relevant to the particular case.