This article was originally published in the schoenherr roadmap`10 - if you would like to receive a complimentary copy of this publication, please visit: http://www.schoenherr.eu/roadmap.

A new Bulgarian Trade Registry Act1 (the Act) was enacted on 1 January 2008. The Act was drafted to meet the needs for a more transparent and flexible system for the registration of new companies in Bulgaria, as well as the registration of all existing companies in the new on-line Trade Registry. But does it violate data protection principles?

Introduction

The Trade Registry is organised and controlled by the Registry Agency. It was planned and (after elimination of all initial organisational difficulties) works as a unified data base, storing data of all companies in Bulgaria and their commercial details, which are publicly accessible and centralised.

This necessary and positive change in the administration is now used (almost two years after its launch) in the everyday life of businessmen, lawyers, bankers, journalists and more. However, one complication concerning the disclosure of personal data on the internet remains unresolved and worries many of the people engaged in business in Bulgaria.

Free access to public information

The registration of a company in the Trade Registry, or the submission of any kind of changes in the file of a registered company, requires the filing of certain documents and applications in compliance with the Bulgarian Commerce Act. These include resolutions of the general meetings of limited liability companies, declarations of the lack of any criminal proceedings, applications, powers of attorney and state fees.

As in most of the other EU member states, the hard copies of all required documents contain public information and can be reviewed by anyone in the office of the Registry Agency. Under the Bulgarian Trade Registry Act, "Any person shall have the right of free access to the Trade Registry and to the scanned form of the documents on the basis of which entries, deletions and disclosures have been made [...].The Agency shall ensure free access to the applications contained in the Trade Registry database system, the electronic form of the documents attached thereto and the refusals decreed."

Online availability of personal data

This means that the on-line version of the company's file is as comprehensive as its hard copy version. As a matter of transparency, the Bulgarian legislator has made a major step. Indeed, the participants in the "Trade Registry Project"2 declare the Bulgarian data base to be "the most transparent in the whole of Europe"3.

However, from a data protection perspective, the unfettered release of the personal data of managers, applicants and traders over the (unsecured) web is considered by many as a violation of fundamental data protection principles.

Even more, the launch of the Trade Registry database was accompanied by loud protests since scanned copies of the identity cards of the managers of the Bulgarian companies were provided on the official site of the Trade Registry. This, together with other information about the respective person (e.g. other companies in which he is active; shares held in another company, etc.), has created a risk of fraud and other abuses.

Currently the position of the Registry Agency (as a registered personal data administrator) is that the presentation of identity cards and other detailed personal data of all applicants is not obligatory. Scanned copies of identity cards have now been removed from the on-line version of company files.

A violation of data protection principles?

Notwithstanding the above, the question remains: Does the release of personal data on the internet through the official (and public) site of the Bulgarian Trade Registry (http://www.brra.bg) (www.brra.bg) infringe the Personal Data Protection Act4?

This question was reviewed by the Registry Agency in light of Art. 4, Para 1, item 2 of the Personal Data Protection Act, which states that "Personal data may be processed only if [...] the individual to whom such data relate has given his or her explicit consent".

The Registry Agency5 maintains that by signing (manually or through an electronic signature) the application for registration, applicants express their tacit consent for their personal data to be disclosed to the public. However, such signature is in fact required for the submission of documents to the Trade Registry. Thus, without signing, applicants will not be allowed to change their company's status. In such a case, one has to wonder if "consent" has been given at all.

Further, the legitimacy of releasing personal data based on a power of attorney or a resolution of a general meeting is also questionable. In other words, does the signature of the grantor/proxy or the participants in a general meeting form a valid consent for the release of their personal data or is it rather just a legal expression of their will? The answer is far from clear.

At the moment, the Registry Agency and the Personal Data Protection Commission are jointly considering how to meet the competing needs for a transparent and open database of companies and protection of personal data in the business environment.

The unfettered release of the personal data of managers, applicants and traders over the (unsecured) web is considered by many a violation of fundamental data protection principles.

This article was originally published in the schoenherr roadmap`10 - if you would like to receive a complimentary copy of this publication, please visit: http://www.schoenherr.eu/roadmap.

Footnotes

1 Promulgated, SG. No. 34/25.04.2006.

2 Mr. Ivailo Fillipov, head of the Bulgarian Trade Registry Project" (in front of the Bulgarian media).

3 The registers kept in the companies' department of the Bulgarian Courts, as well as all information kept in one company's file (as it was under the now-repealed legislation) was also publicly available. The point is that the internet data base is much easier to review and thus much more transparent.

4 Promulgated State Gazette No. 1/04.01.2002.

5 Instruction for internal document usage and organisation of the work with electronically signed documents in the Registry Agency.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.