Data protection and cybersecurity laws in Bulgaria

Data protection

1. Local data protection laws and scope

2. Data protection authority

3. Anticipated changes to local laws

There are no anticipated changes to local laws.

4. Sanctions & non-compliance

Administrative sanctions:

The GDPR applies. For other violations of the PDPA that are not covered by the GDPR, the Commission/Inspectorate can impose a sanction of up to BGN 5,000 (EUR 2,500). In case of a repeated violation, the sanction is doubled.

According to the PDPA, the Commission can impose fines and administrative measures, but it does not have enforcement powers. Enforcement of the sanctions is done by way of a separate administrative procedure under the Bulgarian Administrative Infringement and Penalties Act.

Criminal sanctions:

A person who creates, obtains for himself/herself or for someone else, imports or otherwise distributes computer programmes, passwords, codes, or other similar data for access to an information system or part thereof in order to commit certain crimes under the Bulgarian Criminal Code (Art. 171 (3), Art. 319a, Art. 319b, Art. 319c or Art. 319d), faces a punishment of imprisonment of up to two years. When personal data, classified information or another secret protected by law is disclosed, and the breach does not constitute a graver offence, the punishment is imprisonment of up to three years.

Others:

Third parties that suffer damage as a result of an infringement of the relevant legislation may bring compensation claims.  

5. Registration / notification / authorisation

In line with the GDPR, the requirement for data controllers to register has been abolished; such registration is no longer required.

The Commission maintains the following registers:

  • public register of the controllers and processors that have appointed DPOs;
  • public register of the accredited certifying bodies;
  • public register of codes of conduct under Art. 40 of the GDPR;
  • internal register for breaches of the GDPR and the Act and the measures implemented under Art. 58(2) of the GDPR;
  • internal register for the notifications of a personal data breach under Art. 33 and Art. 67 of the GDPR.

The Inspectorate also maintains the last two types of registers.

6. Main obligations and processing requirements

There are no derogations from the GDPR.

7. Data subject rights

There are no derogations from the GDPR.

8. Processing by third parties

There are no derogations from the GDPR.

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

There are no derogations from the GDPR.

11. Security

There are no derogations from the GDPR.

12. Breach notification

There are no derogations from the GDPR.

13. Direct marketing

While the GDPR allows direct marketing to be based on the legitimate interest of the controller, Bulgarian law contains provisions that require the consent of the data subject. How this will develop under the ePrivacy Regulation remains to be seen.

Under the Electronic Communications Act, making calls or sending messages or electronic mail for the purposes of direct marketing and advertising is allowed only in respect of consumers who have given their prior consent. The consent may be withdrawn at any time.

The same principle applies under the Electronic Commerce Act in respect of unsolicited commercial communication sent by providers of information services to consumers. The Commission for Consumer Protection keeps an electronic register of the email addresses of legal persons that do not wish to receive unwanted commercial communication, following a procedure established in a regulation adopted by the Council of Ministers. Sending unwanted commercial communication to consumers without their prior consent is not allowed.

However, any person who, in the context of a commercial transaction for the provision of products or services, has obtained data through which electronic contact can be established with the consumer may use that data to send marketing messages and advertising for its own similar products or services, provided that the person gives each consumer the opportunity, free of charge and in an easy manner:

  • to object at the time of conclusion of the transaction;
  • to refuse to receive such communications in future, if the consumer has not done so at the time of conclusion of the transaction.

14. Cookies and adtech

Data subjects must be informed about the use of cookies. Bulgarian legislation provides for an opt-out model: prior consent is not required, but the consumer has the opportunity to opt out.

In the future, the rules on cookies may change under the ePrivacy Regulation referred to above.

15. Risk scale

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

The Cybersecurity Act is the main piece of legislation dealing with cybersecurity and transposing the NIS Directive in Bulgaria. 

Other relevant provisions are distributed across various legal acts, including:

  • The Act on the Management and Functioning of the System for National Security Protection – The National Security Protection Act;
  • The Classified Information Protection Act – The Classified Information Act;
  • The Electronic Government Act – The E-Government Act;
  • The Criminal Code – The Criminal Code;
  • The Ordinance on the minimum requirements for network and information security – The NIS Ordinance;
  • The Regulations on the organisation and the activity of the Cybersecurity Council – The Cybersecurity Council Regulations;
  • The Regulations on the activity, structure and organisation of the State Agency “Electronic Government” – The E-Government Agency Regulations.

2. Anticipated changes to local laws

There are no anticipated changes to local laws in the short term.

3. Application

  • The Cybersecurity Act – regulates (i) the organisation, management and control activities regarding cybersecurity, including any cyber defence and cybercrime combatting activities; (ii) the designation of national and specialised responsible authorities in the field of cybersecurity, as well as their powers and functions; (iii) the security and notification requirements for operators of essential services, digital service providers and competent administrative bodies; and (iv) the appropriate actions to achieve a high common level of network and information security;
  • The National Security Protection Act – regulates the government authorities and structures comprising the system of national security protection and their basic functions;
  • The Classified Information Act – regulates the public relations arising in connection with the generation, processing and storage of classified information, and lays down the conditions and procedure for its release and for access to it. Classified information is any information which is a state secret or an official secret, and any foreign classified information. Access to classified information is allowed only to those holding an appropriate clearance, in keeping with the "need-to-know" principle: access to particular classified information is restricted to persons whose official duties, or a special assignment, require such access;
  • The E-Government Act – (i) regulates the public relations between administrative authorities in relation to working with electronic documents and the provision of administrative services by electronic means, as well as the interchange of electronic documents among the administrative authorities; (ii) also applies to the activities of persons performing public functions (such as notaries public) and organisations providing public services (such as schools, utility companies etc.);
  • The Criminal Code – determines which acts dangerous to society constitute crimes and what punishments shall be imposed for them. There are chapters in the Criminal Code specifically dealing with computer crimes (Chapter 9A) and crimes against information classified as a state secret and international classified information (Chapter 12);
  • The NIS Ordinance – regulates (i) the requirements for minimum network and information security measures; (ii) the recommended measures for network and information security; (iii) the rules for carrying out checks of compliance with the requirements of the Ordinance; and (iv) the procedure for keeping, storing and accessing the register of essential services in compliance with the Cybersecurity Act;
  • The Cybersecurity Council Regulations – regulate the organisation and the activity of the Cybersecurity Council;
  • The E-Government Agency Regulations – regulate the activity, functions, structure, number of employees and organisation of work of the E-Government Agency and its administrative units.

5. Key obligations

  • Under the Bulgarian Cybersecurity Act, operators of essential services (OESs), digital service providers (DSPs), competent administrative bodies, persons responsible for performing public functions and organisations providing online administrative services are obliged to:
    • ensure that adequate technical and organisational measures are in place to respond to any risks or threats to the security of network and information systems;
    • notify the respective sector-level CSIRT (SCSIRT) within two hours of becoming aware of a cybersecurity incident, with full information about the incident to be provided within five working days; and
    • provide any and all information requested by the competent authorities.

Where there is a justified assumption that the reported incident can be classified as a computer-related crime, the sector team shall notify the General Directorate for Combatting Organised Crime at the Ministry of Interior.

  • The Cybersecurity Act imposes an obligation on all organisations affected by security incidents to cooperate, particularly by notifying incidents and providing relevant information to the sector-specific teams.
  • The NIS Ordinance obliges each employee or the network and information security unit of the respective administration to notify the respective SCSIRT in the event of an incident.

6. Sanctions & non-compliance

Administrative sanctions:

  • The Cybersecurity Act provides for administrative fines for violations by any of the responsible bodies, agencies or natural persons/officials relating to incident reporting obligations, failure to provide certain information and evidence, or failure to comply with mandatory instructions. For individuals, fines ranging from EUR 500 to EUR 5,000 can be imposed; for legal entities and administrative bodies, a pecuniary sanction ranging from EUR 750 to EUR 7,500. In the case of repeated violations, the amounts increase to between EUR 1,000 and EUR 10,000 for fines and between EUR 2,500 and EUR 12,500 for the pecuniary sanction;
  • The Cybersecurity Act also provides for a fine where an official commits a violation or allows a violation to be committed. The fine varies between EUR 500 and EUR 5,000, unless the act constitutes a crime. In case of repeated violations, the fine ranges between EUR 700 and EUR 7,500;
  • The Classified Information Act provides for fines or pecuniary sanctions in the range of EUR 25 to EUR 10,000, depending on the type of violation and whether the perpetrator is an official, a natural person or a legal entity;
  • The E-Government Act also provides for fines or pecuniary sanctions in the range of EUR 250 to EUR 12,500, depending on the type of violation and whether the perpetrator is an official, a natural person or a legal entity;
  • See the “Data Protection” section above.

Criminal sanctions:

  • Cybercrimes: imprisonment of up to eight years and/or a fine of up to EUR 5,000, depending on the type of crime committed;
  • Crimes against information classified as a state secret or international classified information: imprisonment of up to 15 years, depending on the type of crime committed.

Others:

Third parties that suffer damage as a result of an infringement of the relevant legislation may bring compensation claims.  

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. CERT.bg (https://www.govcert.bg/) is the National Computer Security Incidents Response Team.

The Centre helps its users to:

  1. reduce the risks of information security incidents;
  2. resolve incidents that have already occurred.

The Centre maintains a centralised database of information related to ensuring a secure information environment.

There is also a national Computer Security Incident Response Team (NCSIRT), and sector-level Computer Security Incident Response Teams (SCSIRTs) established by the E-Government Agency. The SCSIRTs are set up within the competent local authorities in the various sectors (i.e. energy, transport, banking, financial market infrastructure, health, and digital) in compliance with the instructions of the European Union Agency for Cybersecurity (ENISA). They coordinate their activities with the national CERT.

8. National cybersecurity incident management structure

The Cybersecurity Act establishes this structure. The core structure comprises a National Single Point of Contact, a National Cybersecurity Coordinator, and computer security incident response teams at national and sector level.

9. Other cybersecurity initiatives

There will soon be a Monitoring and Response Centre, within the National Security State Agency, for incidents that have a significant damaging impact on the communication and information systems at strategic locations and activities of significance for national security. Effective 1 January 2022, this centre will:

  1. monitor and gather information on events and incidents related to the security of communication and information systems at strategic locations and activities of significance for national security;
  2. issue alerts on cyberthreats and information on cyberincidents at strategic locations and activities of significance for national security;
  3. provide methodological assistance in the cyberincident management process;
  4. provide a comprehensive analysis of incoming information and an assessment of information protection at strategic locations and activities of significance for national security;
  5. perform tasks related to some of the functions of the National Security State Agency.
Authors: Gentscho Pavlov, Partner, Sofia; Nevena Radlova, Partner, Sofia.