The protection of personal data in Bulgaria is governed by the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). At the national level, the Personal Data Protection Act (“PDPA”) is the main source of local data protection law. The right to privacy is also a constitutional right, recognized and protected by the Constitution of the Republic of Bulgaria.
According to the GDPR, there are six grounds that permit the processing of personal data: i) the consent of the data subject, ii) a contract, iii) the controller’s legal obligation, iv) the protection of vital interests, v) a task carried out in the public interest or in the exercise of public authority, and vi) the legitimate interests of the controller or a third party.
According to the applicable law, controllers and processors who have designated a data protection officer (“DPO”) must file a notification with the Commission for Personal Data Protection (“CPDP”). The notification form must contain the name of the appointed DPO, an identification number and contact details.
Supervisory authority and sanctions
The national supervisory authority in Bulgaria within the meaning of the GDPR is the Commission for Personal Data Protection (“the Commission”). The Commission is an independent public authority that protects individuals with respect to the processing of their personal data and their access to that data, and that supervises compliance with data protection legislation. The Commission has the duty and the power to monitor and enforce the application of the GDPR, to carry out data protection audits, and to impose sanctions (fines) as well as compulsory administrative measures. The Commission also has the power to issue by-laws in the field of personal data protection.
As regards fines, the PDPA refers to the respective GDPR provisions and does not introduce minimum amounts. The fines provided for in the GDPR are determined in accordance with the criteria set out therein and are imposed in their BGN equivalent.
For other violations under the PDPA, a fine of up to BGN 5,000 (approx. €2,500) may be imposed on the respective personal data controller or processor.
Where a violation under the GDPR or the PDPA is repeated, a fine is imposed at double the amount of the initially imposed fine. A repeated violation is one committed within one year from the entry into force of the act imposing a sanction for the same type of violation.