Support Centre



Law: The Protection of Personal Data Act 2002 (last amended in 2023) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Commission for Personal Data Protection ('CPDP')

Summary: The Act is the main source of local data protection law, having been adopted in 2002. Since then, it has undergone several amendments and was extensively modified, on 26 February 2019, to harmonise with the provisions of GDPR and to implement the GDPR into national legislation. The Act, together with the Rules on the Activity of the Commission for Personal Data Protection and its Administration set forth the legal framework for supervisory and regulatory functions of the CDPD. Since the entry into force of the GDPR, the CPDP has been very active both in terms of issuing regulatory guidance and in terms of enforcemen.


In this Insight article, Violetta Kunze and Lilia Kisseva, from Djingov, Gouginski, Kyutchukov & Velichkov, explore whistleblowing and the need for protection. They discuss key points of the Bulgarian Law on the Protection of Persons who Report or Publicly Disclose Information about Breaches (the Whistleblowing Law), confidentiality, data protection challenges, and striking a balance between public interest and privacy.

On February 2, 2023, Bulgaria passed its first Whistleblowing Act as part of the process of transposing the EU Whistleblowing Directive into national legislation. Hristina Dzhevlekova and Zhulieta Markova, from Wolf Theiss, discuss the main provisions of the Whistleblowing Act for whistleblowers and what this law requires of companies.

In recent years, the issue of creating a working environment complete with diversity and inclusion has been increasingly raised. Nikolay Zisov and Deyan Terziev, from BOYANOV & Co., provide an overview of how the implementation of a diversity and inclusion program relates to provisions within data protection law, such as the data minimisation principles and purpose limitation.