
GDPR Enforcement in Bulgaria

Deep dive into relevant data protection enforcement cases and insights from Bulgaria

21 May 2026 North Macedonia 9 min read

Main takeaways

The number of complaints addressed to the Bulgarian Commission for Personal Data Protection is increasing – the complaints in 2025 exceed the complaints in 2024 by more than 60 %.
Video surveillance, banking and state authorities remain the leading sectors for data protection complaints.
Fines can be imposed on authorities and public entities – the highest fine to date (BGN 5.1 million) was imposed against the National Revenue Agency.
Data breach notifications reached 112 in 2025, with about 2.5 million data subjects affected; 87 % of breaches were caused by external hacking attacks.

Fining practice

Trend: Have the national data protection authorities in Bulgaria focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

In its Annual Report for 2025 the Bulgarian Commission for Personal Data Protection (“CPDP”) has declared its focus on protecting minors’ personal data online.

Apart from that, the proceedings before the CPDP are most commonly initiated on the basis of complaints and reports, rather than as part of targeted campaigns by the supervisory authority. Most of the punitive proceedings have been brought for violations of Article 6 (1) GDPR (processing without a legal basis) and Article 5 (1) GDPR (principles of lawfulness, fairness, data minimisation, integrity, confidentiality and accuracy). Video surveillance was the leading area of complaints (425 complaints in 2025). Banks and credit institutions ranked second (131 complaints), with allegations typically involving unlawful disclosure of personal data to debt collection firms and unauthorised use of personal data for credit products, including electronic lending. Complaints against state authorities also increased – from 61 in 2024 to 105 in 2025. The media sector also saw a rise (from 22 in 2024 to 48 in 2025), while the telecommunications count was 56 complaints and the healthcare count was 23 complaints.

Overall, what was the most significant fine in Bulgaria to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The highest GDPR fine in Bulgaria to date was imposed on the Bulgarian National Revenue Agency ("NRA"). The main government revenue authority was fined approx. EUR 2,550,000 by the CPDP in August 2019 for failing to implement appropriate technical and organisational measures for the protection of personal data. This resulted in the unauthorised access to and dissemination of 6,074,140 individuals' personal data. The NRA appealed the decision before the Sofia City Administrative Court, which finally dismissed the case due to expiration of the absolute statute of limitations.

A number of the affected data subjects brought claims against the state of Bulgaria for damages resulting from the data leakage. Most of the proceedings on these claims are now delayed as the Bulgarian Supreme Administrative Court referred the matter to the Court of Justice of the European Union (“CJEU”) with a request for a preliminary ruling on questions related to liability for violation of the GDPR in case of a data breach resulting from criminal activity (Case C-340/21). On 14 December 2023, the CJEU issued its judgment on the case, ruling, among other things, that Articles 24 and 32 GDPR must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a “third party”, within the meaning of Article 4 (10) of that regulation, is not sufficient in itself for it to be held that the technical and organisational measures implemented by the controller in question were not “appropriate” within the meaning of Articles 24 and 32. The appropriateness of the technical and organisational measures implemented by the controller must be assessed by the national courts concretely by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.

Organisation of authorities and course of fine proceedings in Bulgaria

How is the data protection authority organised in Bulgaria? Budget, staff, assignment to a ministry?

The CPDP is the supervisory authority responsible for the application of the GDPR and compliance with the Bulgarian Personal Data Protection Act.

The CPDP consists of a chairman and four members. The CPDP is supported by a special staff with 117 approved staff positions and 88 in post.

The chairman and members of the CPDP are elected by the National Assembly, following a nomination by the Council of Ministers, for a term of five years.

The CPDP is organised into five directorates. These include the general administration directorate: Resource Management and Administrative Legal Services Directorate, and four specialised directorates: Legal Affairs and International Affairs Directorate, Legal Proceedings and Supervision Directorate, Legal Analysis, Information and Control Activities Directorate and the Channel for Internal Whistleblowing Directorate.

The approved budget for 2025 was approx. EUR 3.5 million, of which 95.92 % was spent.

The CPDP is not subordinate to any ministry; it reports directly to the National Assembly.

How does a fine procedure work in Bulgaria? Can the authority impose fines itself? Procedural steps? Legal remedies?

Administrative proceedings are governed by general national law, in particular the Bulgarian Administrative Violations and Penalties Act and the Bulgarian Administrative Procedure Code, as well as some specific provisions of the Bulgarian Personal Data Protection Act.

The authority will initiate proceedings at the request of a data subject or may initiate proceedings on its own initiative. Complaints may be filed within 6 months of the data subject becoming aware of the violation, but no later than 2 years after it occurred. Complaints must be in writing (by post, fax, or electronically with a qualified electronic signature) and in Cyrillic script; anonymous complaints are not considered.

If the facts of the case require more clarification, the CPDP may request that the parties involved provide additional proof/information. The respective data controller or data processor may provide its views on both factual and legal aspects of the case. The authority must carefully consider these before reaching its decision.

Administrative sanctions (including fines) are imposed directly by the CPDP as part of its administrative proceedings. The CPDP may also apply other corrective powers under Article 58 (2) GDPR, such as warnings, reprimands, orders to comply and administrative fines.

Companies may appeal against the decisions of the CPDP with the competent administrative courts within 14 days of being notified. Two-instance judicial review applies. No fees are charged for complaint proceedings.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

The proceeds from fines imposed by the CPDP are credited to the budget of the CPDP.

Is there an official calculation methodology for fines in Bulgaria?

There is no separately published official calculation methodology or fine calculator. However, the CPDP follows the criteria set out in Article 83 (2) GDPR. The leading factors considered when determining the type of corrective measures and the amount of the fines are: the nature, gravity and duration of the infringement; the purpose of the processing; the number of affected data subjects; categories of personal data involved; actions taken by the controller to mitigate damage; prior infringements; whether the offender is a natural or legal person (or a micro, small or medium enterprise); and the degree of cooperation with the authority. Sanctions must be “effective, proportionate and dissuasive”. The CPDP also refers to the Art. 29 Working Party’s WP 253 Guidelines on the application and setting of administrative fines.

Can public authorities be fined in Bulgaria? If yes: Where does this money go?

Yes, public authorities can be subject to corrective measures in Bulgaria. The money is credited to the budget of the CPDP. The CPDP has imposed orders and sanctions on state bodies, including municipalities, the Ministry of the Interior, the State Agency for Refugees and other government entities.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

There is a section on the CPDP’s website where selected decisions are made publicly available. However, there is a tendency towards decreasing transparency and in 2024 and 2025 no decisions were published. Information on some decisions of the CPDP is published in the CPDP’s bimonthly newsletter, which is available online.

A summary of the CPDP’s decisions, as well as more detailed information on some more notable cases, is included in its annual report. The parties involved are generally not identifiable, unless the case is of public interest.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

The CPDP provides aggregated information on the total number of cases reviewed in its annual reports. 
In 2025, over 1,700 complaints were received by the CPDP, while in 2024 the number was 1,080, in 2023 – 925, in 2022 – 770. Thus, over the last four years the number of complaints has increased by more than 100 %.
The total amount of the fines imposed each year equals: in 2025 – BGN 226,000 (approx. EUR 115,552); in 2024 – BGN 74,700 (approx. EUR 38,194); in 2023 – BGN 90,900 (approx. EUR 46,500); in 2022 – BGN 247,500 (approx. EUR 126,545); in 2021 – BGN 112,150 (approx. EUR 57,340); in 2020 – BGN 87,063 (approx. EUR 44,515).

Other legal consequences of non-compliance in Bulgaria

Does Bulgaria have model declaratory proceedings/class actions in data protection law?

Class actions have been possible under the Bulgarian Civil Procedure Code since March 2008. Within class action proceedings, it is possible to obtain a decision establishing the fact of an infringement. Such a judgment makes it much easier for claimants to pursue their individual claims for compensation, as they do not need to prove the fact of the infringement and the fact that the controller is at fault. Nevertheless, class actions are not common in Bulgaria. There is a tendency towards seeking compensation through individual claims rather than filing a class action.

There are a few rulings of Bulgarian courts related to the leakage of personal data from the databases of the NRA, in which the courts have declined to review the class actions brought, on the view that class actions can only be brought in relationships of equality (i.e. in civil proceedings) and not in relationships of subordination (i.e. relations with public bodies such as the NRA).

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

Fines imposed by the CPDP are more common, mostly due to the gravity of the fines and their general preventive effect. Court proceedings related to claims for damages are less popular. This is most likely due to litigation costs, lengthy proceedings and a lack of established common/uniform judicial practice in this area.

Based on how actively the CPDP pursues data protection infringements, it can be assumed that its role in enforcing the GDPR will continue to be crucial in the foreseeable future.

Looking ahead, based on the Strategy of the CPDP for Development in the Areas of Personal Data Protection and Whistleblower Protection – Horizon 2030, the CPDP is expected to further strengthen GDPR enforcement through a more structured, risk-based and sector-focused supervisory approach. Increased emphasis is expected on consistency with EU-level practice, digitalisation-related risks and the use of guidance, awareness-raising and corrective powers alongside sanctions.
