October 2023

1. Governing Texts

The Bulgarian legislation on data protection does not encompass significant variations of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The data protection landscape is shaped by the Protection of Personal Data Act 2002 ('the Act') and the guidelines issued by the Commission for Personal Data Protection ('CPDP').

1.1. Key acts, regulations, directives, bills

The Act is the main source of local data protection law. It was adopted in 2002 and now implements the provisions of the GDPR. The Act sets forth the legal framework for the CPDP established in 2002. Since then, the Act has been amended several times and its last revision followed the entry into force of the new Act on Protection of Persons Reporting Information, or Publicly Disclosing Information about Breaches (Whistleblowers Protection Act) ('the Whistleblowers Protection Act') in May 2023.

The Law for amendment and supplement of the Act (only available in Bulgarian here) ('the Law') was first published as a draft in April 2018 and underwent lively public discussions, which resulted in certain revisions of the initial text before it was submitted to National Assembly of the Republic of Bulgaria ('Parliament'). It introduces legislative changes related to the GDPR and to the transposition of the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680).

After passing the second final reading at Parliament, the Law was vetoed by the President of the Republic of Bulgaria, Rumen Radev, who issued, on 4 February 2019, a motion vetoing a provision of the Law (only available in Bulgarian here) ('the Motion'). In particular, the Motion referred to Section 25 of the Act, which included a provision on ten different criteria for the processing of personal data for journalistic purposes and for purposes of academic, artistic, or literary expression, according to Article 85(1) of the GDPR.

Furthermore, the Motion highlighted that the presence of such criteria is an excessive and unbalanced measure, which would lead to overregulation and a need for a continuous balancing of the right to protection of data with the right to freedom of expression and information. These considerations were not accepted by the Parliament. The Motion was overturned, and the Law was promulgated in the State Gazette on 26 February 2019.

However, in November 2019 the aforementioned criteria were declared unconstitutional by the Bulgarian Constitutional Court, which means that currently only the general rule under Section 25(h) of the Act applies.

Before 25 May 2018, along with the Act, the main regulatory source of personal data protection rules was Ordinance No. 1 on the Minimum Level of Technical and Organisational measures and the Admissible Type of Personal Data Protection (30 January 2013) ('the Ordinance'). It was repealed on 25 May 2018; however, its provisions may be revised by the CPDP into methodical instructions to controllers, which will be a source of soft law, helping controllers to choose appropriate measures for personal data protection in compliance with the GDPR requirements.

1.2. Guidelines

The CPDP has published several guidelines and explanatory materials on its website, which relate to the application of the GDPR, such as:

• Ten practical steps for the implementation of the GDPR (only available in Bulgarian here);
• Practical questions regarding personal data protection after 25 May 2018 (only available in Bulgarian here);
• Obligations of personal data controllers under the GDPR (only available in Bulgarian here);
• Data protection officers ('DPO') (only available in Bulgarian here);
• Rights of data subjects (only available in Bulgarian here);
• Consent under the GDPR (only available in Bulgarian here);
• Practical guidelines of the CPDP regarding cases where consent for personal data processing is not necessary (only available in Bulgarian here);
• Opinion of the CPDP on the qualification of payment service providers as data controllers (only available in Bulgarian here);
• Opinion of the CPDP on the application of the right to be forgotten in the context of personal data processing for journalistic purposes (only available in Bulgarian here);
• Opinion of the CPDP on the Codes of Conduct and monitoring authorities (only available in Bulgarian here);
• Opinion of the CPDP on the processing of vaccination status data (only available in Bulgarian here);
• Opinions of the CPDP on other specific queries, for example regarding personal data processing with respect to provision of sports cards to employees and the general qualification of banks, insurers, and courier firms as data controllers under the GDPR (only available in Bulgarian here);
• List of personal data processing operations for which prior consultation is mandatory under Section 65(3) of the Act (only available in Bulgarian here); and
• List of processing operations requiring data protection impact assessment (DPIA) pursuant to Art. 35, paragraph 4 of Regulation (EU) 2016/679) ('the List').

1.3. Case law

The CPDP's case-law expanded during the 2020 COVID-19 pandemic as it issued opinions on what measures the employers can and cannot take in order to ensure safety at the workplace (only available in Bulgarian here). Notably, the CPDP considered that measuring the body temperature of employees is lawful only when the measurements are not stored and are used only to determine whether a person can enter the company premises. Furthermore, the CPDP noted that requiring the employees to fill-in questionnaires regarding their health status constitutes an excessive interference in the personal sphere of data subjects and thus is not justified under the data protection legislation.

2. Scope of Application

2.1. Personal scope

The Act applies to organizations that process the data of identifiable natural persons. Personal data of deceased persons may be processed only based on legal grounds.

2.2. Territorial scope

The Act applies in the territory of the Republic of Bulgaria and imposes obligations on controllers and processors who process the data of natural persons in Bulgaria.

2.3. Material scope

The Act covers the rules for the processing of personal data by private organizations and public authorities, specific categories of personal data, and personal data by automated means.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The CPDP is the national supervisory authority within the meaning of the GDPR. It is an independent public authority, carrying out protection of individuals in processing their personal data and in providing access to this data, as well as control over the observance of data protection legislation.

The CPDP consists of a chairperson and four members. The members of the CPDP and its chairperson are elected by the Parliament on proposal from the Council of Ministers for a term of five years, and they may be re-elected for another mandate.

The CPDP's activity is regulated by the Act and by the Rules on the Activity of the Commission for Personal Data Protection and its Administration ('the Rules') which were adopted in 2019 to reflect the legislative changes after entry into force of the amended Act. Тhe Rules were amended in April 2023 to reflect the new functions of the CPDP under the new Whistleblowers Protection Act and related increase in the CPDP staff.

3.2. Main powers, duties and responsibilities

As the Bulgarian supervisory authority, the CPDP's competence, tasks, and duties are those established in Articles 55 to 58 of the GDPR, for example monitoring and enforcing the application of the GDPR, carrying out data protection audits, and imposing administrative fines.

The Act specifically provides that the CPDP has the powers and duties to, among other things:

• issue by-laws in the field of personal data protection;
• organise, coordinate, and conduct training in the field of personal data protection;
• issue guidelines, recommendations, and best practices, where such have not been issued by the EDPB;
• bring infringements of the GDPR to the court; and
• impose compulsory administrative measures.

4. Key Definitions

Data controller: No national variations, GDPR applies with the exception of the controller under Chapter 8 of the Act. Also found in Section 1(2) of Supplementary Provisions of the Act.

Data processor: There are no variations from the GDPR. Also found in Section 1(3) of the Supplementary Provisions of the Act.

Personal data: There are no variations from the GDPR. Also found in Section 1(1) of the Supplementary Provisions of the Act.

Sensitive data: There are no variations from the GDPR.

Health data: There are no variations from the GDPR. Also found in Section 1(13) of the Supplementary Provisions of the Act.

Biometric data: There are no variations from the GDPR. Also found in Section 1(12) of the Supplementary Provisions of the Act.

Pseudonymisation: There are no variations from the GDPR. Also found in Section 1(7) of the Supplementary Provisions of the Act.

5. Legal Bases

5.1. Consent

There are no variations from the GDPR.

5.2. Contract with the data subject

There are no variations from the GDPR.

5.3. Legal obligations

There are no variations from the GDPR.

5.4. Interests of the data subject

There are no variations from the GDPR.

5.5. Public interest

There are no variations from the GDPR.

5.6. Legitimate interests of the data controller

There are no variations from the GDPR.

5.7. Legal bases in other instances

The Act provides the following derogations, pursuant to Article 89 of the GDPR:

• Personal data processing for the purpose of the National Archives Fund of Bulgaria is processing in the public interest. In this case, the rights under Articles 15, 16, 18, 19, 20, and 21 of the GDPR are derogated; and 
• When processing personal data for statistical purposes, the rights under Articles 15, 16, 18, and 21 of the GDPR are derogated.

The Act provides that further processing for the purposes of archiving in the public interest, for purposes of scientific or historical research, or for statistical purposes, is compatible and lawful personal data processing. In such cases, the controller must apply appropriate technical and organisational measures to guarantee the rights and freedoms of the data subject in accordance with Article 89(1) of the GDPR.

6. Principles

The Act makes reference to the data protection principles under Article 5 of the GDPR. No additional principles are listed.

7. Controller and Processor Obligations

7.1. Data processing notification

In accordance with the GDPR, Bulgaria has repealed its registration regime. As of 25 May 2018, controllers are no longer obliged to register with the CPDP, which ceased to maintain the public register of data controllers.

In accordance with Article 37(7) of the GDPR, a notification should be filed with the CPDP by controllers/processors who have designated a DPO. The CPDP has published a sample notification form in this respect (only available in Bulgarian here). Please also see the section on data protection officer ('DPO') appointment below.

The CPDP plans to maintain several public registries, namely:

• a register of data controllers and data processors who have designated a DPO;
• a register of accredited certification bodies pursuant to Section 14 of the Act (currently there are no accredited certification bodies pursuant to Section 14 of the Act); and
• a register of codes of conduct pursuant to Article 40 of the GDPR (currently there are no approved codes of conduct pursuant to Article 40 of the GDPR).

7.2. Data transfers

The Act does not stipulate any national restrictions on the transfer of data, in addition to the ones regulated by the GDPR.

7.3. Data processing records

The Act does not stipulate any national specifics of the data processing records, in addition to the ones regulated by the GDPR.

7.4. Data protection impact assessment

On 13 February 2019, the CPDP adopted а the List (see the section on 'Guidelines' above) of the processing activities where Data Protection Impact Assessment ('DPIA') is mandatory.

Pursuant to the List, data controllers whose main or only place of establishment is in the territory of Bulgaria will be required to conduct a DPIA when carrying out the following types of processing operations:

• large scale processing of biometric data for the unique identification of the individual which is not sporadic;
• processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• processing operations for which the provision of information to the data subject pursuant to Article 14 of the GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when they are linked to large scale processing;
• personal data processing by controller with main place of establishment outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria;
• regular and systematic processing for which the provision of information pursuant to Article 19 of GDPR by the controller to the data subject is impossible or requires disproportionate efforts;
• processing of personal data of children in relation to the offer of information society services directly to a child; and
• migration of data from existing to new technologies when this is linked to large scale data processing.

7.5. Data protection officer appointment

The Act does not implement variations of the GDPR regarding the requirements on DPO appointment, role, and tasks.

The Act provides that the CPDP should be notified of the appointment of the DPO, their name, identification number, and contact details, as well as of any subsequent changes. The notification form should be completed following its instructions and may be submitted to the CPDP in any of the following ways (the Notification Guidance):

• through the automated system provided by the CPDP (only available in Bulgarian here);
• hand delivered in person at the CPDP;
• by letter to the CPDP;
• through the system for secure electronic service offered by the State e-Government Agency (only available in Bulgarian here); or
• via email to [email protected].

In addition, the CPDP has updated, on 12 December 2019, its DPO appointment notification form (only available to download in Bulgarian here). The CPDP highlighted that the update is not a prerequisite for re-notification under the new form and that such an obligation arises only if changes have occurred in the circumstances that have already been declared to the CPDP (press release only available in Bulgarian here).

7.6. Data breach notification

The Act does not implement exemptions or variations from the GDPR on breach notification to the supervisory authority.

Regarding communication of a personal data breach to the data subject, the Act contains exemptions for cases where there is:

• personal data processing for journalistic purposes, or for the purposes of academic, artistic, or literary expression, as well as for the purpose of creating a photographic or audio-visual work by filming a person in the course of their public activities or in a public place (Section 25(h) of the Act);
• processing of personal data for humanitarian purposes by public authorities and/or humanitarian organizations, as well as processing in the event of disasters within the meaning of the Disaster Protection Act 102/19 of December 2006, as amended ('Disaster Protection Act') (Section 25(n) of the Act);
• a risk for the national security, defense, public order and security, the prevention, investigation, detection, or prosecution of criminal offenses, or the execution of criminal penalties, etc., where the terms and conditions should be governed by a specific law (Section 37(a) of the Act).

The Act does not establish specific sectoral obligations with respect to data breach notification (besides processing activities performed by courts and prosecution authorities where notifications should be filed with the Inspectorate to the Supreme Judicial Council instead of the CPDP).

The Commission for Personal Data Protection approved a sample data breach notification form (available in Bulgarian here), and launched an institutional site for notification filling to help the data processor in the fulfillment of their obligations under Article 33 of the GDPR.

The sample contains sections with the following information:

• type of notification (initial or subsequent);
• general and chronological data - when the violation occurred, when it was established, how it is determined whether it continues, if there is a delay in submitting the notification;
• description of the data breach;
• categories of personal data affected by the violation;
• number of data subjects and number of records affected by the violation;
• categories of data subjects;
• potential consequences for the rights and freedoms of data subjects according to the controller;
• measures taken or proposed to be taken in response to the violation;
• steps to be taken to prevent a recurrence of the violation and the time limit in which they are expected to be implemented;
• are the data subjects notified and in what way;
• have other bodies or organisations been notified of the violation; and
• controller's coordinates and data.

7.7. Data retention

Under the Act, if a controller or processor becomes aware that he or she is retaining data contrary to the GDPR principles or without a legal basis, the controller or processor must return such data within one month after having become aware of it or, if this is impossible or would involve disproportionate efforts, must erase or destroy said data.

Further, any employer or appointing authority, in the capacity of data controller, must determine a storage period for personal data for job applicants, which may not be longer than six months, unless the job applicant has given consent to storage for a longer period.

7.8. Children's data

The Act lowers the age for valid consent given by children from 16 to 14 years old in relation to processing their data based on consent in the meaning of Article 4(11) of the GDPR, including in cases which offer information society services directly to a child. Where the data subject is under 14, processing is lawful only if consent is given by the parent who is exercising the parental rights, or by the guardian of the data subject.

7.9. Special categories of personal data

The Act does not contain provisions regarding processing of special categories of data and criminal conviction data.

Generally, under Bulgarian employment law (more specifically, pursuant to Ordinance No. 4 of 11 May 1993 on the documents required for the conclusion of an employment contract (only available to download in Bulgarian here)), a certificate of conviction should be presented only when the law requires certification of criminal record. Therefore, these provisions should be considered when controllers undertake processing of personal data related to criminal convictions.

7.10. Controller and processor contracts

The Act does not stipulate any specific requirements, in addition to the ones regulated by the GDPR.

8. Data Subject Rights

8.1. Right to be informed

The Act does not implement variations of the GDPR on the right of information to be provided.

However, the Act contains a derogation from certain rights of the data subjects including the right of information. It provides that processing of personal data for humanitarian purposes by public authorities and/or humanitarian organisations, as well as processing in the event of disasters within the meaning of the Disaster Protection Act is lawful, and in this case, Articles 12 to 22 and Article 34 of the GDPR do not apply.

On a separate note, following Article 23 of the GDPR, the Act provides that the controller or processor may refuse fully or partially the exercise of data subjects' rights under Articles 12 to 22 of the GDPR, and is allowed not to fulfil their obligation under Article 34 of the GDPR, where their exercise would create a risk for example towards the national security, defence, public order, and security, the prevention, investigation, detection, or prosecution of criminal offences, or the execution of criminal penalties. The terms and conditions for application of this provision should be further regulated by a specific law.

The Act contains derogations also in cases of personal data processing for journalistic purposes, or for the purposes of academic, artistic, or literary expression, as well as for the purpose of creating a photographic or audio-visual work by filming a person in the course of their public activities or in a public place.

8.2. Right to access

The Act does not implement variations of the GDPR on the right to access.

8.3. Right to rectification

The Act does not implement variations of the GDPR on the right to rectification.

8.4. Right to erasure

The Act does not implement variations of the GDPR on the right to erasure.

8.5. Right to object/opt-out

The Act does not implement variations of the GDPR on the right to restriction of processing.

8.6. Right to data portability

The Act does not implement variations of the GDPR on the right to data portability.

8.7. Right not to be subject to automated decision-making

The Act does not implement variations of the GDPR on automated individual decision making, including profiling.

8.8. Other rights

No further information. 

9. Penalties

The Act provides that for infringements of the GDPR, the CPDP may impose sanctions (fines), as well as compulsory administrative measures (such as the issuance of warnings, orders to comply with certain requirements, etc.).

Regarding the fines, the Act refers to the respective GDPR provisions and does not introduce minimum amounts (the first draft of the Law contained such, which provoked lively discussions that led to the removal of the proposed minimums). The fines provided for in the GDPR shall be determined in accordance with the criteria set out therein and shall be imposed in their BGN equivalence.

Additionally, for other violations under the Act, a fine of up to BGN 5,000 (approx. €2,550) may be imposed on the respective personal data controller or processor.

Where the violations under the GDPR and the Act are repeated, a fine shall be imposed of double the amount of the initially imposed fine, but not more than the maximum envisaged in Article 83 of the GDPR. A repeated violation is one committed within one year from the entry into force of the decision for imposing a sanction for the same type of violation

Historically, under the previous regime, the maximum amount of the fine established in the Act was BGN 100,000 (approx. €50,990), which could be doubled in case of repeated violations.

So far, the biggest fine imposed by the CPDP amounts to €2.6 million (see section on enforcement decisions below).

9.1 Enforcement decisions

A data subject filed a complaint with the CPDP against a Bulgarian state agency, claiming that the subject's personal data had been accessed by an employee of the agency without a proven professional necessity, which constitutes a failure to comply with the purpose limitation principle under the GDPR. The state agency was fined BGN 5,000 (approx. €2,550), by the CPDP, and the decision was subsequently appealed in court. The Sofia Court of Appeal rejected the appeal and confirmed the imposed sanction.

The biggest sanctions imposed by the CPDP so far are the following:

• The National Revenue Agency ('the NRA') was fined BGN 5.1 million (approx. €2.6 million) for the leakage of personal data of over 6 million persons due to a hacking attack. The CPDP found that the NRA had not undertaken sufficient technical and organizational measures for data protection.
• A bank was fined BGN 1 million (approx. €511,010) for leakage of personal data of over 33,000 customers in over 23,000 credit files. Due to insufficient technical and organisational measures, third parties had access to personal data including copies of ID cards, tax, and financial documents, health data, etc.
• The NRA was fined BGN 55,000 (approx. €28,120) for insufficient legal basis for personal data processing. Data was unlawfully collected and used by the NRA in relation to an enforcement case against the data subject.
• A telecommunication service provider was fined BGN 53,000 (approx. €27,090) for insufficient legal basis for personal data processing. The provider had repeatedly made registration of prepaid services without the knowledge and consent of the data subject, as the latter had not signed the application.
• Bulgarian Posts PLC was fined BGN 1 million (approx. €511,010) because the company did not implement appropriate technical and organizational measures before and during the cyber attack of 16 April 2022 and thus allowed malware to encrypt sensitive databases.