Whistleblower protection and reporting channels in Bulgaria

Yes, the Bulgarian parliament adopted the Protection of Persons Reporting or Publicly Disclosing Information on Breaches Act on 2 February 2023. This Whistleblowing Act entered into force on 4 May 2023, but a prolonged implementation period extending to 17 December 2023 is envisaged for some private sector employers having between 50 and 249 employees.

The purpose of the Whistleblowing Act is to ensure protection of persons in the public and private sectors who report or publicly disclose information on breaches of Bulgarian or European Union legislation, which has become known to them during the performance of their employment or official duties or in any other work-related context.

Yes, the Whistleblowing Act requires certain private entities to establish a whistleblowing system. The Whistleblowing Act provides that, among others, employers in the private sector with 50 or more employees would fall under its provisions. Additionally, the obligations introduced by the Whistleblowing Act would also apply to private sectors employers, irrespective of the number of employees, if their activities fall within the scope of certain EU legal acts, such as financial services, money laundering and terrorism financing prevention, environment protection, etc.

The Whistleblowing Act envisages administrative fines for entities that fail to establish a reporting channel. The amount of the fine would range from BGN 5,000 to BGN 20,000 (approximately EUR 2,500 to EUR 10,000) for a first violation, and BGN 10,000 to BGN 30,000 (EUR 5,000 to EUR 15,000) for a repeated violation. The Whistleblowing Act envisages additional fines in cases when the obliged entity hinders or attempts to hinder the submission of a report, does not take the necessary follow-up actions within the statutory limits after the submission of a report, fails to comply with the confidentiality provisions provided for in the Whistleblowing Act, etc.

Under the Whistleblowing Act, entities ,must comply with certain requirements prior to the establishment of a reporting channel. These include:

• maintenance to ensure completeness, integrity and confidentiality of the information and to prevent unauthorised persons from accessing such information;
• storage of recorded information in a durable medium for verifying reporting and further investigation.

Entities bound by the Whistleblowing Act are obliged to carry outa review of their internal reporting rules and their follow-up at least every three years, and each entity must carry out an analysis of the practice of implementing the Whistleblowing Act and if necessary, update its internal rules.

Furthermore, under the Whistleblowing Act, obliged entities must:

• designate one or more employees who would be responsible for handling reports;
• establish clear and easy-to-understand information regarding reporting procedures;
• store records in compliance with data protection laws;
• submit statistical information to the national external whistleblowing body in accordance with relevant reporting procedures.

No, the implementation of a whistleblowing channel does not impose any obligation to provide information or engage in consultations with employees or their representatives. Nevertheless, the Whistleblowing Act does not affect the right of workers and employers to consult their representatives (e.g. trade unions) regarding whistleblowing issues.

No, there is no such a prohibition. In fact, the Whistleblowing Act explicitly provides whistleblowers with the opportunity to report via external channels or make public statements. External reporting could be made to the Commission for Personal Data Protection. In its capacity as a central external whistleblowing body, this Commission has a dedicated whistleblowing unit, which is responsible for handling the received reports. To verify the receipt of the report on publicly disclosed information about violations, as well as to take appropriate actions, the Commission, within seven days upon receipt, will forward the report to the competent authority (i.e. Commission for Consumer Protection, Commission for Protection of Competition, General Labour Inspectorate, National Revenue Agency, etc.)

Yes, the Whistleblowing Act safeguards whistleblowers against a non-exhaustive compilation of retaliatory actions and grants them protection. These retaliatory actions include, but are not limited to, termination of employment, delay in promotion, negative performance evaluations, disciplinary sanctions, direct or indirect discrimination, unequal treatment, and the decision not to prolong a temporary contract. If any form of retaliation is pursued, the whistleblower will be entitled to compensation for pecuniary and non-pecuniary damages.

Generally, entities that fall within the provisions of the Whistleblowing Act must take appropriate measures to protect the information related to the reported breaches and to protect the identity of the whistleblowers. They will do this by ensuring that only employees with authorised access to the pertinent information for the completion of their official duties will have access to this sensitive data. In addition, these entities may not directly or indirectly disclose the identity of whistleblowers or create a presumption of a whistleblower's identity. In that sense, any processing of personal data carried out pursuant to the Whistleblowing Act must be carried out in accordance with the EU's General Data Protection Regulation (GDPR). This means that obliged entities must ensure data related to whistleblowing reports are processed lawfully. Additionally, entities must ensure that sufficient technical and organisational measures are taken in data processing to prevent personal data leakages. Furthermore, as stated in the Whistleblowing Act, personal data that is not relevant to a specific report must not be collected or, if accidentally collected, this data must be deleted without delay.

Typically, there are no specific barriers for utilising a shared whistleblowing system involving multiple organisations in different jurisdictions. However, it is important to note that the joint whistleblowing system can only be used within the legal boundaries established by the Whistleblowing Act in Bulgaria. This means that if Bulgarian entities opt to participate in a collective reporting whistleblowing system, this system will be assessed to ensure that it complies with the Whistleblowing Act.

If a company established in Bulgaria has the status of "employer" (as most companies do), it is considered an independent subject under the law and should designate its own employee/unit for handling reports. A company may assign the functions of receiving and registering reports of violations to an external natural or legal entity abroad, but an appointed employee or employees of the local Bulgarian company must assess the procedures for investigating and assessing a whistleblowing report.