Data Privacy in Bulgaria: Key Obligations

Published on and written by Cyril Jarnias

Personal data protection has become a major global issue, and Bulgaria, as a European Union member, must comply with the strict regulations of the GDPR (General Data Protection Regulation). Companies operating in this country must navigate through a complex set of local and European laws to ensure the confidentiality of sensitive information they process. Bulgaria has implemented specific measures to enforce these obligations, with precise requirements regarding user consent, data security, and breach notification. Understanding these obligations is essential for any organization seeking to operate in compliance with European standards and avoid heavy legal penalties.

GDPR Requirements for Data Protection in Bulgaria

GDPR Implementation in Bulgaria

In Bulgaria, the General Data Protection Regulation (GDPR) has been fully applicable since May 2018. The Bulgarian Personal Data Protection Act was updated to align with GDPR requirements. Bulgarian companies must comply with these new rules, which significantly impact how they handle personal data.

Appointment of a Data Protection Officer

Bulgarian companies are required to appoint a Data Protection Officer (DPO) in specific cases. This obligation applies particularly to public authorities, companies whose core activities involve regular and systematic large-scale monitoring of individuals, and companies processing special categories of data on a large scale. For example, a major Bulgarian supermarket chain had to appoint a DPO to manage data from its customer loyalty programs.

International Data Transfers

For data transfers outside the European Union, Bulgarian companies must ensure the recipient country provides an adequate level of protection. In the absence of an adequacy decision, they must implement appropriate safeguards, such as standard contractual clauses or binding corporate rules. A Bulgarian technology company collaborating with American partners had to review its contracts to include standard contractual clauses approved by the European Commission.

Individual Rights

Bulgarian citizens enjoy enhanced rights regarding their personal data. They can specifically request access to their data, its rectification, erasure (right to be forgotten), as well as restriction of processing. A Bulgarian bank had to implement a system allowing its customers to easily view all personal data it holds about them.

Data Breach Notification

In case of personal data breaches, Bulgarian companies must notify the supervisory authority within 72 hours of discovering the incident. If the breach is likely to result in a high risk to the rights and freedoms of affected individuals, these individuals must also be directly informed. A Bulgarian hotel chain that suffered a cyberattack had to promptly notify the Commission for Personal Data Protection and inform its customers whose data had been compromised.

Penalties for Non-Compliance

Non-compliance with GDPR can lead to significant penalties. In Bulgaria, fines can reach up to €20 million or 4% of the company’s annual global turnover, whichever is higher. A Bulgarian telecommunications company was fined several hundred thousand euros for insufficiently protecting its customers’ data.

Responsible Authorities

The Commission for Personal Data Protection is the main authority responsible for GDPR enforcement in Bulgaria. It has the power to conduct investigations, impose penalties, and provide guidance to companies on GDPR compliance. The Inspectorate of the Supreme Judicial Council also plays a role in supervising data processing by courts and prosecutors.

Good to Know:

In Bulgaria, GDPR requires companies to appoint a Data Protection Officer (DPO) to oversee compliance with privacy standards, with entities like Deloitte Bulgaria having established this position to comply. For international transfers, companies must ensure they comply with EU legal frameworks and are supervised by the Commission for Personal Data Protection. Bulgarian citizens have the right to access their personal data and request its deletion, as highlighted in several local awareness campaigns. Companies must notify any data breach to the competent authority within 72 hours, under penalty of heavy fines reaching up to €20 million or 4% of their global turnover, a penalty that has already affected players such as Nova Broadcasting Group. The Bulgarian Data Protection Authority, which ensures enforcement of these rules, provides detailed guidelines to companies to ensure they meet GDPR expectations and avoid potential penalties.

Local Aspects and Bulgarian Specifics in Data Protection

Legal Framework for Data Protection in Bulgaria

Bulgaria has established a robust legal framework for personal data protection, aligned with European standards. The Personal Data Protection Act came into force in January 2002, marking a significant milestone in harmonizing Bulgarian legislation with EU directives. This law was substantially amended in 2019 to fully incorporate the provisions of the General Data Protection Regulation (GDPR).

The main legislative text governing data protection in Bulgaria is now the GDPR, directly applicable since May 2018. The Bulgarian Personal Data Protection Act, in its amended version, complements the GDPR by specifying certain aspects and exercising options left to member states’ discretion.

Role of the Commission for Personal Data Protection

The national supervisory authority for data protection is the Commission for Personal Data Protection (CPDP). Its powers have been strengthened in accordance with GDPR requirements. The CPDP is responsible for overseeing the application of data protection legislation, investigating violations, imposing administrative penalties, and raising public awareness about data protection issues.

The CPDP also plays a crucial role in developing guidelines and recommendations to help organizations comply with GDPR and national legislation. It collaborates with other data protection authorities within the EU to ensure consistent application of data protection rules.

Cultural Specifics and Implementation

The implementation of data protection in Bulgaria reflects certain cultural and contextual particularities. Public awareness about data protection issues remains a challenge, despite CPDP’s efforts. Small and medium-sized enterprises, which constitute a significant portion of the Bulgarian economic fabric, often face difficulties in fully complying with GDPR requirements due to limited resources.

A notable aspect of the Bulgarian approach is the emphasis on protecting children’s data. Bulgarian law sets the age at 13 for a child to consent to the processing of their personal data in the context of information society services, which is lower than the default age of 16 provided by GDPR.

Challenges and Opportunities

Bulgaria faces several challenges in implementing data protection. One of the main ones is the lack of qualified data protection professionals, which can hinder organizations’ ability to fully comply with legal requirements. However, this situation also creates opportunities for the development of specialized training and education programs.

The increasing digitization of Bulgarian public administration also raises important data protection questions. While this transformation offers opportunities to improve the efficiency of public services, it requires particular attention to ensure the security and confidentiality of citizens’ data.

Recent Cases and Examples

A recent case illustrating data protection enforcement in Bulgaria concerns a CPDP decision imposing a fine on a major telecommunications company for violating data security rules. This case highlighted the importance of implementing adequate security measures to protect customers’ personal data.

Another notable example relates to the use of biometric data in Bulgarian schools. The CPDP issued strict guidelines regarding the use of facial recognition and other biometric technologies in educational institutions, emphasizing the need to protect students’ privacy while enabling technological innovation.

These cases demonstrate Bulgaria’s commitment to rigorously applying data protection principles, while adapting to specific challenges posed by new technologies and evolving business practices.

Good to Know:

In Bulgaria, data protection is primarily governed by the Personal Data Protection Act, which incorporated GDPR provisions into national law. The Commission for Personal Data Protection (CPDP) plays a key role in monitoring compliance with rules and taking action in case of violations. Influenced by historical distrust of state surveillance, Bulgarian companies and citizens are particularly vigilant about strict enforcement of these laws. A recent example is the fine imposed on a major national company for failing to secure customer data, highlighting the growing importance of compliance. Challenges include effectively integrating European standards while respecting local sensitivities, thus offering opportunities for companies to develop innovative and compliant solutions.

Company Compliance with Privacy Obligations in Bulgaria

Bulgarian Legal Framework on Data Privacy

Bulgaria has been implementing the European Union’s General Data Protection Regulation (GDPR) since May 2018. Additionally, the country adopted the Personal Data Protection Act, which came into force in February 2019, specifying certain GDPR provisions. This legislation establishes a strict framework for personal data protection, applying to all companies processing information of Bulgarian and European citizens.

Specific Obligations of Companies in Bulgaria

Companies operating in Bulgaria must:

  • Collect data lawfully, fairly, and transparently
  • Limit collection to specific and legitimate purposes
  • Minimize collected data
  • Ensure data accuracy and updates
  • Limit data retention
  • Guarantee data security and confidentiality

Essential Compliance Measures

To comply with regulations, companies must:

  • Establish a clear and accessible privacy policy
  • Appoint a Data Protection Officer (DPO) if necessary
  • Maintain a record of processing activities
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Implement appropriate technical and organizational measures
  • Regularly train staff on data protection best practices

Penalties and Fines for Non-Compliance

Companies failing to meet privacy obligations face severe penalties. The Bulgarian Commission for Personal Data Protection can impose fines of up to €20 million or 4% of annual global turnover, whichever is higher. In 2019, the Bulgarian National Revenue Agency was fined €2.6 million following a massive data leak affecting over 5 million citizens.

Specifics of the Bulgarian Context

Bulgaria has recently strengthened its data breach notification requirements. Companies must now inform the supervisory authority within 72 hours of discovering a breach, even if all details are not yet known. Additionally, the Bulgarian Commission for Personal Data Protection has issued new guidelines on artificial intelligence use, emphasizing the importance of algorithm transparency and explainability.

Recommended Best Practices

To ensure ongoing compliance, companies should:

  • Conduct regular audits of their data protection practices
  • Implement a process for handling data subject access requests
  • Adopt a data protection by design approach for all new projects
  • Establish a security incident response plan
  • Collaborate closely with data protection authorities in case of doubt

By following these recommendations and remaining vigilant about regulatory developments, companies in Bulgaria can significantly reduce non-compliance risks and effectively protect the personal data they process.

Good to Know:

In Bulgaria, company compliance with personal data privacy obligations is governed by the EU GDPR, complemented by specific national legislation, such as the Personal Data Protection Act. Companies must ensure compliant collection, storage, processing, and disclosure of personal data, and establish clear privacy policies. Appointment of a Data Protection Officer may be required, and regular assessment of practices is essential. In case of non-compliance, severe penalties can be applied, as illustrated by recent cases of companies receiving significant fines. Recent developments, including court decisions and guidelines from the Bulgarian Data Protection Agency, may influence compliant practices. To ensure ongoing compliance and avoid violations, it is advisable to adopt best practices from Bulgarian and European guidelines, while keeping an eye on legislative updates.


About the author
Cyril Jarnias

Cyril Jarnias is an independent expert in international wealth management with over 20 years of experience. As an expatriate himself, he is dedicated to helping individuals and business leaders build, protect, and pass on their wealth with complete peace of mind.

On his website, cyriljarnias.com, he shares his expertise on international real estate, offshore company formation, and expatriation.

Thanks to his expertise, he offers sound advice to optimize his clients' wealth management. Cyril Jarnias is also recognized for his appearances in many prestigious media outlets such as BFM Business, les Français de l’étranger, Le Figaro, Les Echos, and Mieux vivre votre argent, where he shares his knowledge and know-how in wealth management.
