21
Thu, Nov
48 New Articles

Data Protection Laws and Regulations in Bulgaria

Data Protection Comparative Guide: 2024
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Contributed by Kinstellar.

What are the main data protection-related pieces of legislation and other regulations in Bulgaria?

The main act regulating the protection of personal data in Bulgaria is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). With effect from 25 May 2018, the GDPR takes precedence over national legislation and sets forth the main concepts and principles of data protection. It governs the rights and obligations of data controllers, data processors, and data subjects, sets out the rules for international data transfers, and regulates the competence of data protection authorities, as well as remedies, liability, and sanctions in the field of data protection.

The most important piece of national legislation complementing the GDPR is the Personal Data Protection Act (PDPA). The PDPA provides the implementing rules of the GDPR, sets forth certain derogations, and transposes Directive (EU) 2016/680 on the protection of individuals with regard to the processing of personal data by competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties (Law Enforcement Directive). The provisions of the PDPA are further detailed in the related secondary legislation governing the procedural rules of the data protection authority – the Regulations for the Activities of the Commission for Personal Data Protection and the Instruction for the Practical Implementation of the Supervisory Powers of the Commission for Personal Data Protection.

The PDPA does not codify all relevant data protection rules in Bulgaria. Therefore, in addition to the PDPA provisions, a number of other rules, regulated by sector-specific legislation, apply. Such rules are set out in the Electronic Communications Act and E-Commerce Act, the Act on the Protection of Persons Who Report or Publicly Disclose Information on Infringements, the Health Act, the Anti-Money Laundering Act, the Public Information Access Act, and a number of other laws. In terms of sanctions and enforcement, the Administrative Procedure Code and the Administrative Penalties and Sanctions Act are also applicable.

What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)?

Following the entry into force of the GDPR, the definitions of key data protection terms under Bulgarian law, such as personal data, data processing, data processor, data controller, and consent, have been superseded by the corresponding definitions under the GDPR. The PDPA does not define “data subject” and “special category of data,” but due to the direct applicability of the GDPR in Bulgaria, the same concepts apply under the GDPR. For businesses operating in Bulgaria, this shift ensures a higher level of consistency and uniformity in data protection practices. The harmonization brought about by the GDPR means that companies can now navigate data protection obligations with greater clarity and predictability.

Which entities fall under the data privacy regulations in Bulgaria?

The key players in the field of data protection are controllers, processors, and joint controllers. Properly identifying and understanding the role of the organization as controller, processor, or joint controller is crucial to ensure compliance with data protection laws, as each role comes with distinct rights and responsibilities. Thus:

  • An organization that determines the purposes and means of data processing is a controller. Controllers bear the most extensive responsibilities under the data protection law. They must adhere to all data protection principles and demonstrate compliance. Controllers are in charge of implementing data protection by design and by default obligation, appointing a data protection officer, keeping records of processing activities, and implementing appropriate technical and organizational measures to ensure data security. They are also subject to a number of other obligations, such as notifying the data protection authority and, in some cases, the data subject in the event of a personal data breach, carrying out a data protection impact assessment, and, in certain circumstances, prior consultation with the supervisory authority. In addition, data controllers are responsible for ensuring that any processors they engage comply with data protection requirements.
  • An organization that processes data on behalf of a controller, without determining the processing purposes, has the role of processor. While processors have fewer responsibilities than controllers, they still have some obligations of their own. The relationship between controllers and processors is governed by a written contract, the mandatory minimum content of which is specified in the GDPR and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller and other details. Processors carry out processing on the basis of documented instructions from the controller and are not permitted to appoint another processor without prior specific or general written authorization from the controller.
  • Apart from acting as a controller or processor, an organization may determine the purposes and means of processing together with another controller. In this case, it is considered a joint controller – a role that did not exist in Bulgarian law prior to the GDPR. Joint controllers must clearly define their respective roles and responsibilities in an arrangement that is transparent to the data subjects.

Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?

Although the GDPR and the PDPA set forth the overreaching principles of the data protection law, these primary pieces of statutory legislation do not codify the data protection rules in Bulgaria. Under Bulgarian data protection law, there are sectors and types of data that are subject to specialized regulations or laws tailored to address their unique characteristics, risks, or requirements. Examples of such sectors are the electronic communications sector and the processing carried out in the context of employment relations. Those rules are specific to the sector and supplement or prevail over the general rules of data protection law.

Electronic communications sector

The data protection rules applicable to the sector of electronic communications are set forth primarily in the Electronic Communications Act. Some of the sector-specific rules are those concerning traffic data retention and disclosure, data breach notification, and the exceptions concerning communications confidentiality.

In Bulgaria, electronic communications providers are subject to the obligation to retain certain traffic data for a period of six months. This data includes the information necessary to trace and identify the source and type of connection, its direction, date, time, and duration, and to identify the end user's terminal device and the identifiers of the cells used. Access and disclosure of such data are strictly limited to specific law enforcement and disaster control authorities as detailed in the law. Electronic communications providers may retain and disclose this data for the purposes of, among others, facilitating the investigation of serious crimes, national security purposes, locating people at risk or in emergency situations, and in the cases of searching for persons declared wanted by the state. At the end of the six-month period, the service providers must delete the retained traffic data. Moreover, the traffic data retention obligation gives rise to specific reporting obligations: electronic communications providers must report certain data retention and disclosure activities to the Bulgarian Commission for Personal Data Protection. This includes monthly reports on the data deleted during the preceding month and an annual statistical report on data disclosures requested by competent authorities.

In the event of a personal data breach, electronic communications providers must notify the Bulgarian Personal Data Protection Commission within 24 hours of becoming aware of the breach – a notably shorter timeframe compared to the 72 hours stipulated by the GDPR. Moreover, under certain circumstances, the affected individual must also be notified. Specific notification rules and procedures deviating from the GDPR and provided by Regulation (EU) 611/2013 apply in respect of personal data breach notifications in the sector.

To protect the confidentiality of communications and related traffic data, Bulgarian law prohibits listening to, recording, storing, or otherwise intercepting or tracking communications by parties other than the sender and recipient, unless express consent has been obtained. However, there are specific exceptions for the regulated activities of electronic communications providers. For instance, these prohibitions do not apply when storage is necessary for technical reasons or is an integral part of providing the service, and when the technical parameters of the service are verified by authorized persons. In such cases, providers must delete the stored communications data immediately after the reason for storage ceases to exist.

Processing in the context of employment relations

The PDPA establishes specific national rules for processing employee personal data, in some cases including data on criminal convictions and offenses. As data controllers, employers must adopt the following internal rules and procedures if the relevant activities are in place: (i) for use of whistleblowing systems (currently subject to additional rules under whistleblowing legislation); (ii) for restrictions in internal resource usage; and (iii) when introducing systems for access control, working time and working discipline. These rules and procedures must include detailed information about their scope of application, the obligations they impose, and the methods for practical application. They should be tailored to the specific business activities of the employer and the specific nature of the work, ensuring that they do not infringe upon employees' rights. Employees must be informed about these rules and procedures.

Pursuant to the PDPA, employers must set a storage period for personal data collected during recruitment and selection processes. This period cannot exceed six months unless the applicant consents to a longer retention period. After the expiration of the retention period, employers are required to delete or destroy the stored personal data and return any original documents provided by the data subject.

Under the data protection law, personal data relating to criminal convictions and offenses is not a special category of data, but its processing is limited to the cases where it is carried out under the control of an official authority or where the processing is authorized by the EU or Bulgarian law. In the employment context, Bulgarian law provides for such exceptions in certain cases, for example: (i) under the Private Security Activities Act with respect to employees carrying out functions as heads of private security activities and as security guards; (ii) under the Discrimination Protection Act with respect to the members of the Commission for Protection of Discrimination; (iii) under the Insurance Code with respect to members of the management and controlling bodies of insurance and re-insurance companies; (iv) under the Currency Law with respect to organizations carrying out transactions with currency in cash; (v) under the Road Transportation Act with respect to heads of the transportation activities of passenger and cargo transport services providers; (vi) under the Anti-Money Laundering Act with respect to the managing director, member of a management or supervisory body, or partner in a company carrying out intermediation activities in sales of real estate. Given the GDPR's prohibition on processing data relating to criminal convictions and offenses, the number of exemptions for processing such data in the context of employment law has increased significantly in recent years in order to facilitate employers.

What rights do data subjects have under the data protection regulations in Bulgaria?

As of 2019, the section of the PDPA governing the rights of natural persons has been repealed, and currently, the rights of data subjects are regulated by the GDPR. Therefore, data subjects in Bulgaria enjoy the same rights as other individuals protected by the EU data protection laws. These rights include:

  • the right to be informed (the right to know how personal data is being used);
  • the right of access (the right to access personal data held about data subject);
  • the right to rectification (the right to have inaccurate data corrected);
  • the right to erasure (the right to have personal data deleted);
  • the right to restrict processing (the right to limit the processing of subjects’ data);
  • the right to data portability (the right to transfer data to another service provider);
  • the right to object to data processing;
  • the right not to be subject to automated decision-making, including profiling; and
  • the right to judicial or administrative remedy, including to seek compensation for violations of data protection rights.

In addition to the GDPR provisions, Bulgarian law details how data subjects can make requests regarding their data. Such requests must be in writing (irrespective of in hard copy or in the form of an electronic document) unless the controller has established an alternative method. As a minimum, the request must include:

  • the name, address, unique nationality number, or other identification data of the natural person;
  • a description of the request;
  • the preferred form for obtaining the information;
  • an address for correspondence;
  • the date and the data subject’s signature; and
  • if submitted by a proxy, relevant authorization documents must be attached.

To balance individual rights with other critical interests, Bulgarian law provides specific derogations that may limit data subject rights in certain circumstances. Organizations acting in Bulgaria must consider those derogations to better navigate the balance between data protection compliance and other essential legal and societal obligations. Among such critical interests are national security; public policy; the prevention, investigation, and prosecution of crimes and violations of codes of ethics of regulated professions important economic or financial interests, such as the state budget and fiscal matters, public health, and social security; independence of the judiciary system; and enforcement of civil claims. In cases where exercising data subject rights poses a risk to these interests, controllers, and processors may refuse to fully or partially honor data protection requests and are not required to notify the data subject of a data breach. In addition, under the PDPA, the controller or processor may refuse to honor, in whole or in part:

  • all of the abovementioned data subjects' rights, except for the right not to be subject to a decision based solely on automated processing, including profiling, when processing concerns (i) personal data for journalistic purposes, for academic, artistic, or literary expression and if carried out for the exercise of freedom of expression and the right to information; or (ii) personal data for the purpose of creating a photographic or audio-visual work by filming a person in the course of their public activity or in a public place;
  • the rights of access, rectification, restriction of processing, and the right to object if the processing of personal data is for the purposes of the National Archive Fund of the Republic of Bulgaria or for statistical purposes.

What is the territorial application of the data privacy regime in your jurisdiction?

The territorial application of data protection laws is governed by the GDPR rather than local Bulgarian legislation. This depends, on the one hand, on the establishment of the data controller or data processor and, on the other hand, on the nature of the processing activities. The GDPR applies regardless of whether the processing occurs within or outside the EU, under the following circumstances:

  • The processor or controller is established in an EU Member State.
  • The processor or controller is established in a non-EU Member State, but where the EU Member State law applies by virtue of public international law (such as in Bulgarian diplomatic and consular missions abroad).

The location of the establishment is crucial, as it typically determines where the controller or processor conducts its business and the local laws that must be observed. However, the GDPR also extends its reach to data controllers and processors that are not established in the EU, but that process the personal data of EU citizens. This is applicable when the processing activities are related to:

  • offering of goods or services to data subjects in the EU; or
  • monitoring of data subject’s behavior as far as their behavior takes place within the EU;

In addition to the GDPR, the PDPA includes specific derogations, rules implementing the GDPR, and provisions transposing the Law Enforcement Directive. In the absence of extra-territorial provisions, these national data protection rules apply solely within Bulgaria or in areas where Bulgarian laws are enforced by international law (e.g., Bulgarian diplomatic and consular missions abroad, Bulgarian-flagged ships sailing in international waters, and similar situations governed by international law).

What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?

The key factor is the proper identification and consideration of the organization's role as a controller, processor, or joint controller. Correctly determining this role is crucial, as it defines the organization's specific data protection rights and responsibilities. Below are key obligations for controllers that must be considered:

  • adhering to data processing principles (such as lawfulness, transparency, purpose limitation, data minimization, and storage limitation as set forth in the GDPR) when processing personal data;
  • appointing a data protection officer, if required;
  • managing the data protection risk by ensuring data protection by design and by default, conducting data protection impact assessment, undertaking prior consultation with the data protection authority, and implementing suitable technical and organizational measures;
  • ensuring accountability through measures demonstrating compliance with data protection laws, including keeping records of processing activities, adhering to the approved code of conduct or data protection certification mechanism, as well as employing other means for ensuring accountability;
  • managing relations with the data protection authority by cooperating when the authority exercises its powers and complying with the statutory obligations for data breach notification;
  • regulating the relations among joint controllers by defining in an arrangement the respective responsibilities for GDPR compliance of each joint controller and making those arrangements accessible to data subjects;
  • appointing an EU representative, if the organization lacks an EU establishment and processes the data of EU residents;
  • taking responsibility for controller-processors relations by using processors providing sufficient guarantees for GDPR compliance and formalizing the relationship in a contract;
  • ensuring compliant data processing in an international context by taking measures to ensure that transfers of personal data outside the EU provide adequate protection, through adequacy decisions, appropriate safeguards, binding corporate rules, or other means.

All these obligations are governed by the GDPR, not by local Bulgarian legislation. Although certain processing operations concerning these obligations may call for the application of local derogations or national Bulgarian law rules, businesses can rely on the uniform set of key data protection obligations established by the GDPR throughout the EU.

What are the regulations and best practices concerning the retention and deletion of personal data in Bulgaria?

The PDPA provides а few rules on data retention that are specific to the GDPR. If a controller or processor becomes aware that it is retaining data contrary to the principles of the GDPR or without a legal basis, it must either return the data to the data subject within one month of becoming aware of the retention or, if this is impossible or involves a disproportionate effort, erase or destroy the data. In addition, any employer acting as a data controller must determine a retention period for personal data relating to job applicants, which may not exceed six months, unless the job applicant has consented to the retention for a longer period. Sector-specific legislation provides for some sector-specific statutory retention periods (e.g., 50 years for payroll records, ten years for accounting records and financial statements, including tax control, and five years for reports on occupational accidents) and for some specific retention rules (see for example the traffic data retention obligations of electronic communications providers discussed above). Apart from this, Bulgarian data protection law does not provide for general rules on data retention and therefore data controllers need to develop retention policies based on the general principle of the GDPR on storage limitation and the specific sectoral legislation, if any.

At the end of the retention period, retained data would generally be erased (if in electronic form) or destroyed (if on a physical medium). The PDPA defines “erasure” as the irreversible deletion of information from the relevant medium and “destruction” as the irreversible physical destruction of the tangible information medium. Otherwise, there are no specific local rules for erasure or destruction. Therefore, similarly to retention activities, when deleting or destroying personal data, the organization acts in accordance with the GDPR rules.

Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?

Top of Form Bottom of Form

The Commission for Personal Data Protection (CPDP) is the statutory authority that supervises the protection of personal data in Bulgaria. The CPDP is an independent supervisory authority consisting of a chairman and four members. The authority performs the tasks set out in Art. 57 (e.g., handling complaints from a data subject, raising awareness among the public, data controllers, data processors, and data subjects, cooperating with other supervisory authorities, advising national institutions on data protection issues) and has the powers set out in Art. 58 of the GDPR (e.g., to conduct investigations, request information, issue orders, warnings, and reprimands, impose fines, accredit certification bodies, advise controllers during the prior consultation process, and others). In addition, it exercises general supervision and ensures compliance with the GDPR and the PDPA, issues regulations and administrative acts in the field of personal data protection, ensures the implementation of binding decisions of the European Data Protection Board, and carries out other activities, unless the law entrusts supervision to the Inspectorate of the Supreme Judicial Council.

The Inspectorate of the Supreme Judicial Council supervises the protection of personal data when the data processor is the court, the public prosecutor, and the investigating authorities when they act in their judicial capacity for the purpose of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties.

Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in Bulgaria, and under what conditions?

With respect to the appointment of a data protection officer (DPO), Bulgarian data protection law does not provide for any rules that differ from the GDPR. Therefore, the obligation to appoint a DPO arises for the controller where:

  • the processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity; or
  • its activities, by their nature, scope, and purposes, require regular and systematic monitoring of data subjects on a large-scale; or
  • its core activities consist of the large-scale processing of special categories of data and personal data relating to criminal convictions and offenses.

Neither the PDPA through its provisions nor the CPDP in its practice has clarified concepts such as “systematic,” “core activities,” or “significant number.” Therefore, in assessing the requirement to appoint a data protection officer, controllers and processors in Bulgaria closely follow the Guidelines on Data Protection Officers issued by Working Party 29 and endorsed at the first plenary meeting of the European Data Protection Board. However, an issue specific to Bulgaria arose before the CPDP in relation to the obligation to keep a register of designated DPOs. Due to the different understanding of whether the DPO must be a natural person or whether such obligations can be fulfilled by legal persons, the CPDP had to unify the practice of controllers and processors and issue a specific publication on the matter. In its position, the data protection authority (DPA) did not explicitly exclude the possibility of a legal entity or other organization providing services related to the functions of the DPO, but considered that the functions of the DPO can only be performed by an individual. Therefore, the DPA has expressed the opinion that controllers and processors who have delegated the functions of the DPO to legal entities under a service contract must designate a specific individual responsible for performing the functions of the DPO for a particular controller or processor.

How should data breaches be handled in your jurisdiction?

The activities of processors and controllers with respect to data breaches are regulated by the GDPR, and the PDPA does not provide for further implementing or deviating from local rules. With respect to data breaches, the CPDP generally advises controllers and processors to comply with the requirements of Article 33 of the GDPR and Guidelines 9/2022 on personal data breach notification issued by the European Data Protection Board. However, in order to raise awareness among both the public and obligated entities, the CPDP has published an information brief summarizing the main obligations relevant in the event of a data breach. The briefing covers issues such as what a data breach is, types of data breaches, what actions should be taken when notification to the supervisory authority or data subjects is required, what technical and organizational measures should be taken to minimize the likelihood of a breach occurring, and others. In addition, the CPDP has developed a personal data breach notification form which, while not mandatory, is designed to help controllers better navigate the information they need to provide in relation to the breach and to facilitate the fulfillment of this obligation.

What are the potential penalties and fines for non-compliance with data protection regulations in Bulgaria?

Due to the direct application of the GDPR, the grounds for the imposition of administrative sanctions and the constituent elements of the offenses are laid down in the GDPR, not in local legislation. GDPR allows for two tiers of administrative fines based on the severity and nature of the infringement:

  • The lower tier of sanctions envisages administrative fines of up to EUR 10 million or, in the case of legal entities, 2% of their total worldwide annual turnover for the preceding financial year, whichever is higher. This tier of sanctions extends to violations such as failure to comply with the obligations related to the processing of children’s personal data, the tasks of a DPO, implementation of data protection by design and by default, and others.
  • A higher tier, of administrative fines of up to EUR 20 million or, in the case of legal entities, 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher, applies to more serious violations, including breaches of the basic principles for processing, including conditions for consent, infringements of data subjects' rights, infringements related to international transfers of personal data, and others.

In addition to the GDPR measures, the PDPA provides for a local rule pursuant to which, for violations that are not amongst the ones explicitly listed in the PDPA, a controller or processor of personal data shall be subject to an administrative sanction of up to BGN 5,000 (approximately EUR 2,500). For repeated violation i.e., committed within one year from the date of a final CPDP decision by virtue of which the authority has imposed a sanction for the same type of breach, the administrative sanction is doubled.

Some breaches of data protection rules may qualify as crimes under Bulgarian law. As an example, the use of data from a payment instrument without the consent of the owner qualifies as a crime and it is punishable with imprisonment of two to eight years. The unlawful acquiring, storage, or disclosure of traffic data is a crime punishable with imprisonment of up to three years or probation.

Are there any noticeable patterns or trends in how enforcement is carried out in Bulgaria?

Despite operating in an environment with relatively low data protection awareness, the CPDP has not been among the more active data protection regulators. This inactivity is largely due to insufficient financial and human resources and the unique situation of the chairman and some commission members who hold long-expired mandates (nearly five years). Typically, when a data protection violation is identified, the CPDP imposes administrative sanctions ranging from BGN 1,000 (approximately EUR 500) to BGN 10,000 (approximately EUR 5,000). Larger sanctions are rare (with isolated instances in 2019, 2021, and 2022) and usually involve breaches affecting a large number of data subjects.

According to the CPDP's 2023 annual report, during 2023 the data protection authority imposed administrative fines at the amount of BGN 90,900 (approximately EUR 45,450) based on 37 penal deeds and 12 settlement agreements with the controller. Given the figures in the annual report of the European Data Protection Board for the same year, the CPDP appears to be a conservative regulator, imposing administrative fines frequently – only Germany, Spain, Italy, and Hungary issued fines more often. However, the average amount of the fine remains very low, compared to other jurisdictions. In addition, corrective measures together with administrative sanctions were imposed only in five of the cases.

How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in Bulgaria?

Emerging technologies like the IoT, AI, and blockchain are revolutionizing our ability to collect, process, and derive new and even predictive information from vast and diverse datasets. While these technologies offer numerous benefits, they also introduce significant privacy and data protection challenges as vast amounts of personal information are collected and processed in increasingly sophisticated and opaque ways.

AI, in particular, presents several potential risks, including opaque decision-making processes, privacy invasions, and the potential for these technologies to be used unlawfully. Additionally, AI can perpetuate biases and lead to discrimination based on gender, race, ethnic or social origin, religion, political beliefs, property status, disability, age, or sexual orientation. To counterbalance these risks, effective application of data protection and privacy principles is a must.

Bulgarian data protection law aligns with the GDPR and does not provide additional rules specifically for data processing involving AI, IoT, or blockchain. However, all stakeholders – data controllers, data subjects, and regulators – are aware of the risks of these technological advancements.

To support the practical implementation of data protection requirements in the context of AI and big data trends, the Bulgarian regulator has developed several informational materials for both data subjects and controllers. These resources address the challenges of facial recognition, big data profiling, and best practices for using cloud services. They highlight key GDPR obligations and the associated risks and challenges of emerging technologies. While these publications are not legally binding, they provide insight into the CPDP's stance on these issues.

In its 2023 annual report, the Bulgarian data protection authority presented as a focus area for 2024 the conduct of data protection impact assessments when planning data processing activities involving AI. Additionally, there will be efforts to raise awareness among data subjects about the implications of increased data integration and faster exchanges between economic operators within the EU, driven by the Digital Services Act and the Digital Markets Act.

Are there any expected changes in data protection on the horizon in the next 12 months in Bulgaria?

Based on the recent draft laws submitted to the Bulgarian Parliament, amendments to personal data processing regulations in the Bulgarian electronic communications sector are on the horizon. The Court of Justice of the European Union in judgment C-350/21 ruled that general and non-selective retention of traffic and location data for law enforcement purposes, even if limited to six months and even if providing some safeguards, is incompatible with EU law. This judgment necessitates changes in Bulgarian laws, to ensure that data retention is strictly necessary and proportionate. In response to this judgment, on February 28, 2024, several Members of Bulgaria’s parliament proposed amendments to the Electronic Communications Act to align it with EU law. Key proposals include:

  • limiting traffic data retention by electronic communications providers for a period of ten days in un-encrypted form and for an additional 160 days in encrypted form, using asymmetric encryption;
  • obligation of the competent law enforcement authorities to keep a non-public centralized registry, detailing the legal basis of access requests, court order identifications, documents used in proceedings, authorized officials, and other relevant information;
  • obligation of the competent law enforcement authorities to notify, under certain conditions, the individuals whose traffic data has been retained, such as when criminal proceedings are terminated or when data has been used for preventing serious crime.

In addition to legislative updates, there is a long-overdue need to change the composition of the data protection authority in Bulgaria. The current CPDP chairman was elected in 2014 and should have been re-elected or replaced in 2019. Two members re-elected in 2014, are now ineligible for a third term. One new member needs to be elected to complete the commission, and another member was due for replacement or re-election in 2019. However, none of these changes have occurred. Instead, the law has been amended to allow elected members to remain in office until new appointments are made. This extension beyond the statutory mandate, even if legally provided for an unspecified term, makes the commission politically vulnerable and potentially undermines its independence.

At the time of writing, it is uncertain whether the proposed draft legislation will be enacted, having in mind the general elections in June 2024. It is anticipated that a new chairman and new members of the CPDP will only be elected after the elections, following a political agreement.

Download Guide PDF

 

Guide Contributors For Bulgaria

Milka Nikolova, Of Counsel, Head of Telecommunications in Sofia
milka.nikolova@kinstellar.com
+359 876 210 097

Vilislava Kolarova, Junior Associate
vilislava.kolarova@kinstellar.com
+359 878 763 060