The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last reviewed April 2020
- The Constitution of Republic of Bulgaria (Promulgated, SG No. 56/13.07.1991, as amended) (Art. 32 and Art. 34);
- Regulation (EU) 2016/679 (General Data Protection Regulation) (the GDPR) (OJ L 119, 4.5.2016, p. 1–88);
- The Personal Data Protection Act (Promulgated, SG No. 1/4.01.2002, as amended) (the PDPA);
- Special provisions in various legal acts e.g. Ministry of Interior Act, Health Act, Credit Institutions Act, Telecommunications Act, Measures against Money Laundering Act.
- Secondary legislation, including the Rules on the activity of the Commission for Personal Data Protection and its administration (Promulgated, SG No. 60/30.07.2019, as amended), etc.
Personal Data Protection Commission (hereinafter the Commission),
2, Prof. Tsvetan Lazarov Blvd.
Inspectorate with the Supreme Judicial Council (hereinafter the Inspectorate) – the supervisory authority in respect of personal data processing by the courts, the prosecutor’s office and the investigating authorities when exercising their duties.
17, Georg Washington
If applicable: stage of legislative implementation of GDPR
On 26 February 2019 the Bulgarian Parliament adopted amendments to the PDPA implementing the requirements under the GDPR.
The latest amendment of the PDPA follows Judgment No. 8/15.11.2019 of the Constitutional Court of the Republic of Bulgaria (promulgated in SG No. 93/26.11.2019). The Constitutional Court repealed Article 25 "h", paragraph 2 of the PDPA, which used to set out the criteria for balancing, on the one hand, the principles of freedom of expression and the right to information and, on the other, the right to protection of personal data processed for journalistic purposes and for the purposes of academic, artistic or literary expression, where such processing is carried out to exercise the freedom of expression and the right to information while respecting privacy.
If applicable: local derogations as permitted by GDPR
- The PDPA establishes 14 years as the minimum age for consent when using information society services. Otherwise, the consent of a parent/legal guardian is required.
- Data controllers/processors are not allowed to copy ID cards, driving licences or residence permits, except if otherwise provided by law.
- Public access to information containing a personal identification number (PIN) or the personal number of a foreign citizen is not allowed unless explicitly provided for by a legislative act. The personal identification number/personal number of a foreign citizen should not be the only identifier of a data subject using electronic public services.
- Employers, in their capacity as data controllers, may determine on their own the retention period for the personal data of job applicants; however, this period should not exceed 6 months after completion of the selection process unless the data subjects give explicit consent to further processing of their personal data.
- Employers, in their capacity as data controllers, adopt rules and procedures regarding: whistle-blowing; restrictions on the use of the company’s internal resources; and systems for control of access, working time and labour discipline.
- When data processing is performed without legal grounds, the controller/processor shall return the personal data to the data subject or delete/destroy the data within 1 (one) month of becoming aware of the unlawful processing.
In addition, the Commission has approved:
- a list of data protection operations that do not require consent of data subjects, e.g. when data is transferred from one controller to another based on an assignment agreement, data is collected while photographing or video-recording a public area, etc.; and
- a list of data processing operations that require performance of a data protection impact assessment, such as data processing in relation to an offer of information society services directly to a child, large scale processing of biometric data for the purpose of identification of individuals, data migration with respect to large scale data processing, etc.
Generally, the PDPA applies along with the GDPR with the purpose of providing additional protection in cases where the GDPR does not contain a specific provision.
The PDPA governs:
- processing of personal data, to the extent that it is not regulated by the GDPR;
- the rules regarding the protection of personal data when processed by administrative bodies for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against, and preventing, threats to public order and security;
- the status of the Commission and the Inspectorate;
- the available means for protection;
- accreditation and certification in the field of personal data protection; and
- derogations from the GDPR and other special provisions.
The PDPA does not apply to the processing of personal data for the purposes of national defence and national security except as otherwise provided for in specific legislative acts.
The PDPA does not apply to the processing of personal data of deceased persons, except in limited cases.
The GDPR applies.
In case of other violations of the PDPA that are not provided for under the GDPR, the Commission/Inspectorate can impose a sanction of up to BGN 5,000 (ca. EUR 2,500); in case of a repeated violation the sanction is doubled.
According to the PDPA, the Commission can impose fines and administrative measures, but it does not have enforcement powers. Enforcement of the sanctions is done by way of a separate administrative procedure under the Bulgarian Administrative Infringement and Penalties Act.
The requirement for registration of data controllers is abolished in compliance with the GDPR and such registration is no longer required.
The Commission maintains the following registers:
- public register of the controllers and processors that have appointed DPOs;
- public register of the accredited certifying bodies;
- public register of codes of conduct under Art. 40 of the GDPR;
- internal register of breaches of the GDPR and the PDPA and the measures implemented under Art. 58(2) of the GDPR;
- internal register for the notifications of a personal data breach under Art. 33 and Art. 67 of the GDPR.
The Inspectorate maintains the last two types of registers above.
Main obligations and processing requirements
The GDPR applies, i.e. data controllers must:
- Demonstrate compliance;
- Establish transparent data protection policies;
- Respect the data subject rights and comply with information requirements;
- Use a valid legal declaration for consent in accordance with the GDPR rules;
- Implement proper data protection provisions in the respective commercial and employment contracts, as well as conclude a data processing agreement according to Art. 28 GDPR when processing is carried out by a processor on behalf of the controller;
- Have lawful legal ground for data processing and valid legal ground for data transfers;
- Establish a procedure for notification in case of breach; and
- Keep records of the data processing operations, etc.
Data subject rights
The GDPR applies, i.e.:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with the supervisory authority (Art. 13(2)(d) GDPR).
The data subject shall exercise the rights under Articles 15 to 22 of the GDPR by means of a written application to the data controller or by another method determined by the controller. The application may alternatively be submitted by electronic means under the conditions of the Electronic Document and Electronic Trust Services Act, the Electronic Signature Act, the Electronic Governance Act and the Electronic Commerce Act.
The application may alternatively be submitted by accessing the user interface of the data-processing information system after the person has identified themselves by the relevant means of identification.
Under the PDPA, in case of a violation of the data subject’s rights under the GDPR or the PDPA, the data subject is entitled to file an appeal within 6 months of becoming aware of the violation, but no later than two years from the date of the violation.
The appeal may be filed either with the Commission (or, respectively, the Inspectorate) or with the court.
The data subject cannot file an appeal with the court if proceedings concerning the same infringement are pending before the Commission, or if a decision of the Commission on the same infringement has been appealed and there is no enforceable court judgment yet. At the request of the data subject, the Commission shall certify that no proceedings on the same dispute are pending before it.
Processing by third parties
The relationship between the data controller and the data processor must be governed by a legal act that is binding on the controller, or by a data processing agreement provided for under Art. 28 of the GDPR, defining the scope of duties assigned by the controller to the data processor.
The processor shall take appropriate technical and organisational security measures to protect the personal data.
Transfers out of country
The GDPR applies.
The transfer of data outside the EEA to a third country is allowed only after providing the necessary safeguards and in the presence of a lawful transfer mechanism (Binding Corporate Rules, EU Model Clauses, Privacy Shield recipient, code of conduct or certification mechanism, ad hoc data transfer agreement, etc.).
The controllers are no longer required to notify the Commission for the conclusion of EU Model Clauses.
According to the PDPA, a competent authority may transfer personal data which are undergoing processing or are intended for processing after transfer to a third country or an international organisation, including for subsequent transfers to another third country or international organisation, provided that the transfer takes place in compliance with all of the following conditions:
- the transfer is necessary for the purposes referred to in Article 42, paragraph 1 of the PDPA;
- the personal data are transferred to a controller in a third country or international organisation that is a competent authority for the purposes referred to in Article 42, paragraph 1 of the PDPA;
- where personal data received from another Member State of the European Union are transmitted, that Member State has given its prior authorisation to the transfer in accordance with its national law;
- the European Commission has adopted a decision to the effect that the third country, territory or one or more specified sectors in the third country concerned, or the international organisation concerned, ensure an adequate level of protection, or
- in the absence of a decision under point (a), appropriate safeguards have been provided or exist pursuant to Article 74 of the PDPA, or
- in the absence of a decision under point (a) and of appropriate safeguards under point (b), the transfer of personal data is necessary in the cases referred to in Article 75 of the PDPA;
- in the case of a subsequent transfer to another third country or international organisation, the competent authority that carried out the original transfer or another competent authority in the Republic of Bulgaria authorises the subsequent transfer, after taking due account of all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data were originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred.
Transfers of personal data without the prior authorisation by another Member State of the European Union in accordance with point 3 shall be permitted only if the transfer of the personal data is necessary for the prevention of an immediate and serious threat to public order and security of a Member State of the European Union or a third country or to essential interests of a Member State of the European Union and the prior authorisation cannot be obtained in good time. In such cases, the authority of the Member State of the European Union that provided the personal data which is competent to give prior authorisation under point 3 shall be informed.
Data Protection Officer
The GDPR applies. The PDPA provides for an obligation to appoint a data protection officer in the following cases:
- processing by a public authority or body;
- the core activity consists of extensive regular and systematic monitoring; or
- the core activity is the extensive processing of special categories of data or criminal data.
The controller shall assign to the data protection officer at least the following tasks:
- to inform and advise the controller and the staff who carry out processing of their obligations under the PDPA and in accordance with other statutory requirements for personal data protection;
- to monitor compliance with the PDPA and with other statutory requirements for personal data protection and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested regarding the data protection impact assessment under article 64 of the PDPA and to monitor the performance of said assessment;
- to cooperate with the Commission or, respectively, with the Inspectorate;
- to act as the contact point for the Commission, including for the purposes of the prior consultation referred to in article 65 of the PDPA, and to consult, where appropriate, the Commission or, respectively, the Inspectorate with regard to matters concerning personal data processing.
The GDPR applies.
The Commission is expected to issue detailed guidelines on the technical and organisational measures, replacing the repealed Ordinance № 1 dated 30 January 2013, which used to regulate such measures. The Commission has not issued such guidelines so far.
The GDPR applies. In case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after becoming aware of it, notify the supervisory authority competent in accordance with Art. 55 GDPR of the personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall also communicate the data breach to the data subject without undue delay.
The controller shall document any personal data breaches, including the facts relating to the breach, its effects and the actions taken.
Where the personal data breach involves personal data that have been transmitted by or to the controller of another Member State of the European Union, the notification shall be communicated to said controller without undue delay but not later than seven days after the breach has been ascertained.
While under the GDPR direct marketing can be provided on the basis of the legitimate interest of the controller, there are provisions under Bulgarian law which require the consent of the data subject. The development based on the ePrivacy Regulation is yet to be implemented in Bulgaria.
Under the Telecommunications Act, calls, messages or electronic mail for the purposes of direct marketing and advertising are allowed only in respect of consumers who have given their prior consent. The consent may be withdrawn at any time. The same principle applies under the Electronic Commerce Act in respect of unsolicited commercial communication sent by providers of information services to consumers. The Commission for Consumer Protection shall keep an electronic register of the e-mail addresses of legal persons that do not wish to receive unsolicited commercial communication, following a procedure established in a regulation adopted by the Council of Ministers. Sending unsolicited commercial communication to consumers without their prior consent is not allowed.
However, any person who, in the context of a commercial transaction for the provision of products or services, has obtained data through which electronic contact can be established with the consumer, may use the data for the dispatch of marketing messages and advertising for its own similar products or services provided that the person gives each consumer the opportunity, free of charge and in an easy manner:
- to object at the time of conclusion of the transaction;
- to refuse to receive such communications in future in case the consumer has not done so at the time of conclusion of the transaction.
The above rules are subject to certain legal exceptions.
According to the Electronic Commerce Act, the independent use of the following does not constitute commercial communication:
- information providing direct access to the person's activities, such as its domain name or e-mail address;
- messages concerning the goods, services or reputation of the person, where the underlying information has been collected independently and without payment.
The commercial communication that is part of or constitutes a service shall meet the following requirements:
- to be easily identifiable as commercial;
- to enable clear identification of the natural or legal persons on whose behalf it has been made;
- to define clearly and unambiguously the conditions for participation in promotional offers such as discounts, premiums and gifts, if such are included;
- to assure easy access to clear and unambiguous conditions for participation in competitions and games with declared prizes, if they contain such information;
- to contain any other information, stipulated in other statutory instruments.
The rules on cookies will be changing – again under the ePrivacy Regulation referred to above which is still not finalised.
Last reviewed April 2020
Laws and regulations
The Cyber Security Act (Promulgated, SG No. 94/13.11.2018) is the main piece of legislation dealing with cyber security and transposing the NIS Directive in Bulgaria. Other relevant provisions are distributed in various legal acts, such as:
- National Strategy on Cybersecurity “Cyber Resilient Bulgaria 2020” adopted in July 2016 and valid until the end of 2020 – National Strategy;
- Act on the Management and Functioning of the System for National Security Protection (Promulgated, SG No. 61/11.08.2015, effective 1.11.2015, as amended) – National Security Protection Act;
- Classified Information Protection Act (Promulgated, SG No. 45/30.04.2002, corrected, SG No. 5/17.01.2003, as amended) – Classified Information Act;
- Electronic Government Act (Promulgated, SG No. 46/12.06.2007, as amended) – E-Government Act;
- The Criminal Code (Promulgated, SG No. 26/02.04.1968, effective on 01.05.1968, as amended) – Criminal Code;
- Ordinance on the minimum requirements for network and information security (Promulgated, SG No. 59/26.07.2019) – NIS Ordinance;
- Regulations on the organization and the activity of the Cybersecurity Council (Promulgated, SG No. 102/31.12.2019) – Cybersecurity Council Regulations; and
- Regulations on the activity, structure and organization of the State Agency “Electronic Government” (Promulgated, SG No. 74/20.09.2019) – E-Government Agency Regulations.
Anticipated changes to law
- Cyber Security Act – regulates (i) the organization, management and control activities regarding cyber security, including any cyber defence and cybercrime combatting activities; (ii) the designation of national and specialized responsible authorities in the field of cyber security, as well as their powers and functions; (iii) the security and notification requirements for operators of essential services, digital service providers and competent administrative bodies; and (iv) the appropriate actions to achieve a high common network and information security level;
- National Strategy – the main objectives are to provide a modern framework and a stable environment for developing the national cyber-security system and to achieve an open, safe and secure cyberspace;
- National Security Protection Act – regulates the government authorities and structures comprising the system of national security protection and their basic functions;
- Classified Information Act – regulates the public relations arising in connection with the generation, processing and storage of classified information and lays down the conditions and procedure for its release and for access to it. Classified information is any information which is a state secret or an official secret, and any foreign classified information. Access to classified information is allowed only to persons holding an appropriate clearance, in keeping with the "need-to-know" principle, i.e. access to particular classified information is restricted to those persons whose official duties, or a special assignment, require such access;
- E-Government Act – (i) regulates the public relations between administrative authorities in relation to working with electronic documents and provision of administrative services by electronic means, as well as the interchange of electronic documents among the administrative authorities; (ii) applies also in relation to the activities of the persons performing public functions (such as notaries public) and organisations providing public services (such as schools, utility companies etc.);
- Criminal Code – determines which acts dangerous to society constitute crimes and what punishments shall be imposed for them. There are Chapters in the Criminal Code specifically for Computer Crimes (Chapter 9A) and Crimes against information classified as state secret and international classified information (Chapter 12);
- NIS Ordinance – regulates (i) the requirements for minimum network and information security measures; (ii) the recommended measures for network and information security; (iii) the rules for carrying out checks on compliance with the requirements of the Ordinance; and (iv) the procedure for keeping, storing and accessing the register of essential services in compliance with the Cybersecurity Act;
- Cybersecurity Council Regulations – regulates the organization and the activity of the Cybersecurity Council;
- E-Government Agency Regulations – regulates the activity, functions, structure, number of employees and organization of work of the E-Government Agency and its administrative units.
- The Cybersecurity Council is a consultative and coordinating body to the Council of Ministers on cybersecurity issues. The council is primarily responsible for proposing to the Council of Ministers a National Cybersecurity Strategy and a roadmap to it, as well as preparing periodic updates. Additional functions include the analysis of cyber trends, risks, methods of counteraction and developing the necessary capacity for counteraction as well as setting the priorities for the construction and development of human, technological, infrastructure, financial and organisational components and, if necessary, proposing solutions and actions in relation to them;
- The National Cybersecurity Coordinator assists with the preparation of the National Cybersecurity Strategy and its updates. Importantly, the coordinator also participates in the establishment and development of the National Cybersecurity Coordination and Organisational Network and ensures its reliability, security and sustainability. Furthermore, the coordinator participates in the establishment and development of the National Cybersituation Centre, coordinates the response to the threat of cyber-crisis and threats of a hybrid nature;
- The National Security State Agency implements the policy of protection against cyber incidents within the communication and information systems of the strategic locations and activities of significance for the national security and shall establish a Monitoring and Response Centre for incidents having significant damaging impact on the communication and information systems of the strategic locations and activities of significance for the national security;
- The General Directorate for Combating Organised Crime establishes a Cybercrime Unit that organizes an investigation in relation to computer crimes or crimes committed in or through computer networks and systems on a national level;
- The E-Government Agency, as a national competent authority under the NIS Directive, is empowered to monitor, coordinate and facilitate the compliance of all administrative bodies to network and information security requirements. It also has to maintain a register of essential services operators, digital service providers and competent authorities on network and information security and oversee a register of essential services.
- The National Single Point of Contact is established by the E-Government Agency and is responsible for the coordination of network and information security issues and cross-border cooperation issues with the relevant authorities of other EU Member States;
- The National Computer Security Incident Response Team (NCSIRT) and the Sector Computer Security Incident Response Teams (SCSIRTs) are established by the E-Government Agency. The SCSIRTs are set up within the competent local authorities in the various sectors (i.e. energy, transport, banking, financial market infrastructures, health, and digital) in compliance with the instructions of the European Union Cybersecurity Agency (ENISA). Once every 3 months, the SCSIRTs send to the NCSIRT summary statistics of all network and information security incidents registered by them, and they shall immediately notify the NCSIRT of any notifications of incidents having significant damaging impact, incidents having substantial impact and cross-border incidents. They coordinate their activities with the national CERT. The Bulgarian CERT (www.govcert.bg) assists in reducing the risks of information security incidents and in resolving such incidents where they have already occurred;
- The Chairperson of the E-Government Agency is generally responsible for implementing the government network and information security policy;
- The Minister of Defence implements the government policy in the area of protection and active combat against cyberattacks and hybrid action particularly on the defence and military management systems. The Minister of Defence is empowered to organise the cyber defence preparation of the country’s management systems in a state of war, martial law or national emergency;
- The Minister of Interior is generally responsible for implementing the government policy in the area of combatting cybercrime;
- National competent authorities that decide which entities meet the criteria to be designated as Operators of Essential Services (OESs) in the respective sectors are as follows:
  - The Minister of Energy, who is responsible for the Energy sector;
  - The Minister of Transport, Information Technology and Communications, who is responsible for the Transport, Digital infrastructure and Digital services sectors;
  - The Minister of Health, who is responsible for the Health sector; and
  - The Minister of Regional Development and Public Works, who is responsible for the Drinking water supply and distribution sector.
- Under the Bulgarian Cybersecurity Act, OESs, Digital Service Providers (DSPs), competent administrative bodies, persons responsible for performing public functions and organisations providing online administrative services are obliged to:
  - ensure that adequate technical and organisational measures are in place to respond to any risks or threats to the security of network and information systems;
  - notify the respective SCSIRT within two hours of becoming aware of a cybersecurity incident, and provide full information about the incident within five working days; and
  - provide any and all information requested by the competent authorities.
- Where there is a justified assumption that the reported incident can be classified as a computer-related crime, the sector team shall notify the General Directorate for Combatting Organised Crime;
- The Cyber Security Act provides an obligation for all organisations affected by security incidents to cooperate, particularly in terms of notifying incidents and providing relevant information to the sector specific teams;
The NIS Ordinance provides an obligation for each employee or the unit for network and information security of the respective administration to notify the respective SCSIRT in case of incident.
Cyber Security Act:
- The Act provides for administrative fines for violations by any of the responsible bodies, agencies or natural persons/officials relating to incident reporting obligations, failure to provide certain information and evidence, or failure to comply with mandatory instructions. For individuals, fines ranging from approx. EUR 500 to EUR 5,000 can be imposed, and for legal entities and administrative bodies, pecuniary sanctions ranging from approx. EUR 750 to EUR 7,500. In the case of repeated violations, the amounts increase and range from approx. EUR 1,000 to EUR 10,000 for the fines and from approx. EUR 2,500 to EUR 12,500 for the pecuniary sanctions;
- The Act also provides for a fine if an official commits a violation or allows a violation to be committed. The fine varies between approx. EUR 500 and EUR 5,000, unless the act constitutes a crime. In case of repeated violations, the fine ranges between approx. EUR 700 and EUR 7,500.
Classified Information Act:
- The Act provides for fines or pecuniary sanctions in the range of approx. EUR 25 to EUR 10,000, depending on the type of violation and whether the perpetrator is an official, natural person or legal entity.
- This Act also provides for fines or pecuniary sanctions in the range of approx. EUR 250 to EUR 12,500, depending on the type of violation and whether the perpetrator is an official, natural person or legal entity.
Criminal Code:
- Chapter 9A, Cybercrimes:
  - Imprisonment of up to 8 years, depending on the type of crime committed.
  - Fine of up to approx. EUR 5,000, depending on the type of crime committed.
- Chapter 12, Crimes against information classified as state secret and international classified information:
  - Imprisonment of up to 15 years, depending on the type of crime committed.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. CERT.bg is the National Centre for Incident Response in Information Security. The Centre assists its users to:
- reduce the risks of information security incidents; and
- resolve already occurred incidents.
The Centre maintains a centralized database of information related to ensuring secure information environment.
Yes. There is a Computer Security Incident Response Team at national level (NCSIRT) and Computer Security Incident Response Teams at sector level (SCSIRTs), established by the E-Government Agency. The SCSIRTs are set up within the competent local authorities in the various sectors (i.e. energy, transport, banking, financial market infrastructures, health, and digital) in compliance with the instructions of the European Union Cybersecurity Agency (ENISA). They coordinate their activities with the national CERT.
Is there a national incident management structure for responding to cybersecurity incidents?
The Cybersecurity Act establishes such a structure. The core structure comprises the National Single Point of Contact, the National Cybersecurity Coordinator, and computer security incident response teams at national and sector level.
Other cybersecurity initiatives
A Monitoring and Response Centre for incidents having significant damaging impact on the communication and information systems of the strategic locations and activities of significance for national security is to be established within the National Security State Agency. With effect from 01.01.2022, this centre will:
- monitor and gather information on events and incidents related to the security of the communication and information systems of the strategic locations and activities of significance for the national security;
- submit alerts on cyberthreats and information on cyberincidents to the strategic locations and activities of significance for the national security;
- provide methodological assistance in the cyberincident management process;
- provide a comprehensive analysis of the incoming information and an assessment of the information protection of the strategic locations and activities of significance for national security; and
- perform tasks related to some of the functions of the National Security State Agency.