Legal Framework for Personal Data Protection in Bulgaria
Personal data protection in Bulgaria is based on several interconnected legislative acts that form a comprehensive regulatory system:
- Regulation (EU) 2016/679 (GDPR) — directly applicable from 25 May 2018, without the need for transposition. The Regulation establishes uniform rules for the processing of personal data throughout the EU and is binding on all controllers and processors established in the Union, as well as on those established outside it where they offer goods or services to, or monitor the behaviour of, data subjects in the Union (Art. 3).
- Personal Data Protection Act (PDPA) — amended in 2019 to align with GDPR. The PDPA governs specific national aspects, including additional grounds for processing, the age of consent for children (14 years in Bulgaria), processing for journalistic purposes and sanctions under national law.
- Electronic Communications Act — transposes Directive 2002/58/EC (ePrivacy) and regulates the confidentiality of electronic communications, including cookie rules, direct email marketing and data breach notification in the telecommunications sector.
This three-pronged regulatory framework means that Bulgarian companies must ensure their operations comply not only with GDPR but also with the national provisions that supplement it.
Commission for Personal Data Protection (CPDP)
The Commission for Personal Data Protection (CPDP) is the independent national supervisory authority within the meaning of Art. 51 of GDPR. Established in 2002, the CPDP has broad powers to ensure compliance with the Regulation and national legislation:
- Handling complaints — the CPDP receives and examines complaints from individuals (data subjects) who consider that their GDPR rights have been violated. The Commission issues a decision within a reasonable period.
- Conducting inspections — the authority has the right to carry out planned and ad hoc inspections of controllers and processors, including access to premises and documentation.
- Imposing sanctions — upon finding violations, the CPDP may impose corrective measures and administrative penalties, including fines under GDPR and national legislation.
- Advisory activities — the Commission provides opinions and guidance on data protection matters, including prior consultations under Art. 36 of GDPR.
It should be noted that the CPDP has faced institutional challenges, including periods with expired mandates of its members. Nevertheless, the authority continues to function and exercise its supervisory powers.
Data Protection Officer (DPO)
The GDPR introduces the obligation to designate a Data Protection Officer (DPO) in certain circumstances. Not every organisation is required to appoint a DPO, but the obligation arises in the following cases:
- Public authorities and bodies — all state and municipal authorities that process personal data (with the exception of courts acting in their judicial capacity) are required to designate a DPO.
- Large-scale monitoring — where the core activities of the controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic large-scale monitoring of data subjects (e.g. video surveillance of public areas, online behavioural tracking).
- Special categories of data — where the core activities consist of large-scale processing of special categories of data under Art. 9 of GDPR (health data, biometric data, data on racial or ethnic origin, etc.) or personal data relating to criminal convictions and offences under Art. 10.
Internal or External DPO
GDPR provides flexibility regarding the status of the DPO. The officer may be:
- Internal employee — a member of the organisation's staff who combines this role with other duties, provided no conflict of interest arises (e.g. the DPO cannot also be the managing director or head of the IT department).
- External contractor — the function may be outsourced to an external person or organisation under a service contract. This is particularly suitable for small and medium-sized enterprises.
- Legal entity — the DPO function may also be performed by a legal entity (law firm, consultancy), provided that a specific natural person is designated as the point of contact.
Even where the appointment of a DPO is not mandatory, many organisations voluntarily designate one as a matter of good practice and to facilitate communication with the supervisory authority.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a mandatory tool under Art. 35 of GDPR that applies when a particular type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
When is a DPIA mandatory?
A DPIA is mandatory in the following cases:
- Systematic and extensive evaluation of personal aspects of natural persons, based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the data subjects or similarly significantly affect them.
- Large-scale processing of special categories of data under Art. 9 or data relating to criminal convictions and offences under Art. 10.
- Systematic large-scale monitoring of a publicly accessible area.
Pursuant to Art. 35(4) of GDPR, the CPDP has published a list of the types of processing operations for which a DPIA is required. This list includes additional scenarios specific to the Bulgarian context and is binding on all controllers operating within the country.
A DPIA must be carried out before the start of processing and must include: a systematic description of the operations and purposes, an assessment of necessity and proportionality, an assessment of the risks to rights and freedoms, and the measures to address those risks. Where a high residual risk remains, the controller must consult the CPDP before processing (prior consultation under Art. 36).
Data Breach Notification
Personal data breaches are subject to a strict notification regime, which is among the most significant innovations of GDPR:
Notification to the Supervisory Authority (CPDP)
- The controller must notify the CPDP of a security breach without undue delay and no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- For electronic communications service providers (telecoms), a shorter deadline of 24 hours applies under the Electronic Communications Act.
- The notification must describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences and the measures taken.
Notification to Data Subjects
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also notify the data subjects themselves without undue delay. The notification must be in clear and plain language and must include recommendations for mitigating the potential adverse effects.
Regardless of the notification obligation, every security breach (including those for which notification is not required) must be documented in an internal register.
Fines and Sanctions
The sanctions regime for violations of personal data protection rules is multi-layered and includes both GDPR fines and sanctions under national legislation:
GDPR Fines
| Tier | Maximum Amount (whichever is higher) | Typical Violations |
|---|---|---|
| Lower tier (Art. 83(4)) | EUR 10,000,000 or 2 % of total worldwide annual turnover of the preceding financial year | Obligations of controllers and processors (e.g. Art. 25–39: data protection by design, records, security, breach notification, DPIA, DPO), obligations of certification and monitoring bodies |
| Upper tier (Art. 83(5)) | EUR 20,000,000 or 4 % of total worldwide annual turnover of the preceding financial year | Basic principles of processing including conditions for consent, lawfulness of processing, data subject rights, international transfers, non-compliance with a supervisory authority's order |
Fines Under the PDPA
The Personal Data Protection Act provides for additional sanctions for specific violations, including fines of up to BGN 5,000 for natural persons for certain violations of national provisions.
Enforcement Practice in Bulgaria
A notable case is the fine of BGN 5,100,000 (approximately EUR 2.6 million at the fixed BGN/EUR exchange rate) imposed by the CPDP on the National Revenue Agency (NRA) following a large-scale data breach in 2019 affecting the data of over 5 million citizens. This remains one of the most significant sanctions in the region.
In more typical cases, however, fines are considerably lower. Average sanctions for Bulgarian companies usually range between BGN 1,000 and BGN 10,000. According to 2023 data, the CPDP imposed 37 penalties and concluded 12 settlement agreements totalling BGN 90,900.
It should be noted that the level of fines in Bulgaria has been trending upward with each passing year and that the CPDP is increasingly active in exercising its supervisory powers.
9 Practical Steps to GDPR Compliance
To achieve full compliance with GDPR and national legislation, we recommend the following methodology:
1. Designate a Data Protection Officer (DPO)
Assess whether your organisation falls within the scenarios requiring mandatory appointment of a DPO. Even where not required, consider voluntarily designating an internal or external DPO to coordinate data protection processes.
2. Conduct a personal data mapping exercise
Compile a complete record of processing activities (Art. 30 of GDPR). Identify what personal data you process, from whom you collect it, for what purposes, on what legal basis, with whom you share it and what the retention periods are.
3. Update your privacy notices
Ensure that the privacy policies of your website, mobile applications and internal processes meet the requirements of Art. 13 and Art. 14 of GDPR, including information on data subject rights, the legal basis for processing and retention periods.
4. Conduct a Data Protection Impact Assessment (DPIA)
Identify high-risk processing operations and conduct a DPIA for them. Consult the CPDP's list under Art. 35(4) for Bulgaria-specific requirements.
5. Implement technical and organisational security measures
Apply appropriate measures to protect personal data: encryption, pseudonymisation, access control, backup, regular security testing (Art. 32). The measures must comply with the principle of data protection by design and by default (Art. 25).
6. Develop a breach response procedure
Create a clear internal procedure for identifying, documenting and notifying personal data breaches. Define the responsible persons, communication channels and deadlines (72 hours for the CPDP, 24 hours for telecoms).
7. Enter into Data Processing Agreements (DPAs)
If you use the services of third parties for data processing (cloud services, accounting firms, marketing agencies), enter into written Data Processing Agreements under Art. 28 of GDPR. These agreements must contain the mandatory clauses on the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.
8. Conduct staff training
Organise regular training sessions for your employees on data protection rules, internal policies and incident response procedures. Document all training conducted.
9. Maintain records and documentation
Maintain a record of processing activities (Art. 30), a register of personal data breaches, the DPIAs conducted, and document all decisions related to personal data processing. This documentation is essential during CPDP inspections.
Need assistance?
The Innovires team can help you with a full GDPR compliance audit, preparation of the necessary documentation, appointment of an external DPO and staff training.