I am currently acting as an internal DPO for a large media company offering services such as streaming, email, a video platform, various websites, etc. My position gave me a good opportunity to work actively with data privacy laws in Bulgaria, and, because of that, I was invited to share an overview for privacy professionals not familiar with the privacy landscape in Bulgaria.
DATA PROTECTION IN BULGARIA
Data protection in Bulgaria has gone through different stages of development since the adoption of the GDPR and the Bulgarian Personal Data Protection Act. One of the main challenges was the establishment of the local DPA and the familiarization of the general public with its functions and jurisdictions.
As of today, the concept of personal data is no longer unfamiliar; on the contrary, there has been increasing public engagement and interest.
However, language is still an obstacle to exercising your rights under the GDPR in Bulgaria. The lead DPA accepts only complaints written in Bulgarian, which notably limits foreign citizens.
Personal Data Protection Act
The local data protection law is represented by the Personal Data Protection Act (the Act) or “Закон за защита на личните данни” in Bulgarian. You can find the latest version of the Act on the official website of the Bulgarian DPA - Commission for Personal Data Protection (CPDP).
It largely repeats the provisions of the GDPR, with some variations, presented below.
The Act was adopted in 2002 and has been amended several times. Its last significant revision followed the entry into force of the new Act on Protection of Persons Reporting Information, or Publicly Disclosing Information about Breaches (Whistleblowers Protection Act) in May 2023.
Variations from the GDPR
The provisions of the Act, like those of the GDPR, do not apply to the personal data of deceased persons. Article 25f provides an exception: personal data of deceased persons may be processed only on a legal basis and if appropriate measures are taken to avoid adversely affecting the rights and freedoms of others or the public interest.
The minimum age for valid consent introduced in the Act is 14 years. The consent of people under that age is valid only when given by the data subject's parent (who is exercising the parent’s rights) or guardian.
Under the Act, an employer or appointing authority acting as a controller cannot store the personal data of job applicants for more than 6 months unless the data subject has given consent for longer storage.
The Act contains provisions regarding the journalistic exemption in accordance with Article 85 of the GDPR. The general rule under Section 25(h) of the Act states that when personal data is processed for journalistic purposes, as well as for academic, artistic or literary expression, Articles 6, 9, 10, 30 and 34 of the GDPR do not apply.
There are no national variations of the key definitions presented by the GDPR.
Bulgarian DPA
The Lead Data Protection Authority in the meaning of the GDPR in Bulgaria is the Commission for Personal Data Protection (CPDP).
At the moment, there are no accredited certification bodies in accordance with Article 14 of the Act and no approved Codes of conduct in accordance with Art. 40 of the GDPR.
Regarding the processing of personal data by the courts, prosecutors and investigating authorities in the exercise of their functions as judicial authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of penalties, the lead supervisory authority in Bulgaria is the Inspectorate of the Supreme Judicial Council.
Data Protection Officer
The Act does not implement any variations from the GDPR regarding the role of DPOs, their tasks or their appointment. The CPDP, however, has to be notified of any DPO appointment, including the DPO's name, ID and contact details, and of any additional changes that were made.
The principles and provisions of the ePrivacy Directive, as opposed to the GDPR, do not have direct effect but have to be implemented in the national laws of the EU member states. Some countries in the EU have chosen to implement the Directive in their data protection laws, whereas others have chosen to implement it in their telecommunications laws. Bulgaria chose the second approach: the provisions of the ePrivacy Directive are implemented in the Electronic Communications Act. The lead authority regarding these provisions is the Communications Regulation Commission.