Bulgaria - National GDPR Implementation Overview
1.1. National implementing legislation of the GDPR
The Protection of Personal Data Act 2002 ('the Act') is the main source of local data protection law. It was adopted in 2002 and now implements the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Act sets forth the legal framework for the Commission for Personal Data Protection ('CPDP') established in 2002. Since then, the Act has been amended several times and its last revision followed the entry into force of the GDPR.
The Law for amendment and supplement of the Act ('the Law') (only available in Bulgarian here) was first published as a draft in April 2018 and underwent lively public discussions, which resulted in certain revisions of the initial text before it was submitted to Parliament. It introduces legislative changes related to the GDPR and to the transposition of the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680).
After passing the second final reading at Parliament, the Law was vetoed by the President of the Republic of Bulgaria, Rumen Radev, who issued, on 4 February 2019, a motion vetoing a provision of the Law ('the Motion') (only available in Bulgarian here). In particular, the Motion referred to Section 25 of the Law, which included a provision on ten different criteria for the processing of personal data for journalistic purposes and for purposes of academic, artistic, or literary expression, according to Article 85(1) of the GDPR.
Furthermore, the Motion highlighted that the presence of such criteria is an excessive and unbalanced measure which would lead to overregulation and a need for a continuous balancing of the right to protection of data with the right to freedom of expression and information. These considerations were not accepted by the Parliament. The Motion was overturned, and the Law was promulgated in the State Gazette on 26 February 2019.
However, in November 2019 the aforementioned criteria were declared unconstitutional by the Bulgarian Constitutional Court, which means that currently only the general rule under Article 25(h) of the Act applies (only available in Bulgarian here).
Before 25 May 2018, along with the Law, the main regulatory source of personal data protection rules was Ordinance No. 1 on the Minimum Level of Technical and Organisational Measures and the Admissible Type of Personal Data Protection (30 January 2013) ('the Ordinance'). It was repealed on 25 May 2018; however, its provisions may be revised by the CPDP into methodical instructions to controllers, which will be a source of soft law, helping controllers to choose appropriate measures for personal data protection in compliance with the GDPR requirements.
The CPDP has published several guidelines and explanatory materials on its website, which relate to the application of the GDPR, such as:
- Ten practical steps for the implementation of the GDPR (only available in Bulgarian here);
- Practical questions regarding personal data protection after 25 May 2018 (only available in Bulgarian here);
- Obligations of personal data controllers under the GDPR (only available in Bulgarian here);
- Data protection officers (only available in Bulgarian here);
- Rights of data subjects (only available in Bulgarian here);
- Consent under the GDPR (only available in Bulgarian here);
- Practical guidelines of the CPDP regarding cases where consent for personal data processing is not necessary (only available in Bulgarian here);
- Opinion of the CPDP on the qualification of payment service providers as data controllers (only available in Bulgarian here);
- Opinion of the CPDP on the application of the right to be forgotten in the context of personal data processing for journalistic purposes (only available in Bulgarian here);
- Opinion of the CPDP on the Codes of Conduct and monitoring authorities (only available in Bulgarian here); and
- Opinions of the CPDP on other specific queries, for example regarding personal data processing with respect to the provision of sports cards to employees and the general qualification of banks, insurers, and courier firms as data controllers under the GDPR (only available in Bulgarian here).
1.3. Case Law
A data subject filed a complaint with the CPDP against a Bulgarian state agency, claiming that the subject’s personal data had been accessed by an employee of the agency without a proven professional necessity, which constitutes a failure to comply with the purpose limitation principle under the GDPR. The state agency was fined BGN 5,000 (approx. €2,560), by the CPDP, and the decision was subsequently appealed in court. The Sofia Court of Appeal rejected the appeal and confirmed the imposed sanction.
The biggest sanctions imposed by the CPDP so far are the following:
- The National Revenue Agency ('the NRA') was fined BGN 5.1 million (approx. €2.6 million) for leakage of personal data of over 6 million persons due to a hacking attack. The CPDP found that the NRA had not undertaken sufficient technical and organisational measures for data protection.
- A bank was fined BGN 1 million (approx. €511,000) for leakage of personal data of over 33,000 customers in over 23,000 credit files. Due to insufficient technical and organisational measures, third parties had access to personal data including copies of ID cards, tax and financial documents, health data, etc.
- The NRA was fined BGN 55,000 (approx. €28,100) for insufficient legal basis for personal data processing. Data was unlawfully collected and used by the NRA in relation to an enforcement case against the data subject.
- A telecommunication service provider was fined BGN 53,000 (approx. €27,100) for insufficient legal basis for personal data processing. The provider had repeatedly registered prepaid services without the knowledge and consent of the data subject, as the latter had not signed the application.
2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
2.1. Main regulator for data protection
The CPDP is the national supervisory authority within the meaning of the GDPR. It is an independent public authority responsible for protecting individuals with regard to the processing of their personal data and the provision of access to such data, as well as for supervising compliance with data protection legislation.
The CPDP consists of a chairperson and four members. The members of the CPDP and its chairperson are elected by the Parliament on proposal from the Council of Ministers for a term of five years, and they may be re-elected for another mandate.
The CPDP's activity is regulated by the Act and by the Rules on the Activity of the Commission for Personal Data Protection and its Administration ('the Rules'), which were adopted in 2019 to reflect the legislative changes after the entry into force of the Law.
2.2. Main powers, duties and responsibilities
As the Bulgarian supervisory authority, the CPDP's competence, tasks, and duties are those established in Articles 55 to 58 of the GDPR, for example monitoring and enforcing the application of the GDPR, carrying out data protection audits, and imposing administrative fines.
The Law specifically provides that the CPDP has the powers and duties to, among other things:
- issue by-laws in the field of personal data protection;
- organise, coordinate, and conduct training in the field of personal data protection;
- issue guidelines, recommendations, and best practices, where such have not been issued by the European Data Protection Board ('EDPB');
- bring infringements of the GDPR to the court; and
- impose compulsory administrative measures.
3.1. National requirements
In accordance with the GDPR, Bulgaria has repealed its registration regime. As of 25 May 2018, controllers are no longer obliged to register with the CPDP, which ceased to maintain the public register of data controllers.
In accordance with Article 37(7) of the GDPR, a notification should be filed with the CPDP by controllers/processors who have designated a data protection officer ('DPO'). The CPDP has published a sample notification form in this respect (only available in Bulgarian here).
The CPDP plans to maintain several public registries, namely:
- a register of data controllers and data processors who have designated a DPO;
- a register of accredited certification bodies; and
- a register of codes of conduct.
4. DATA SUBJECT RIGHTS
The Law does not implement variations of the GDPR on the right to be provided with information.
However, the Law contains a derogation from certain rights of the data subjects, including the right to information. It provides that processing of personal data for humanitarian purposes by public authorities and/or humanitarian organisations, as well as processing in the event of disasters within the meaning of the Disaster Protection Act 2011, is lawful, and in this case Articles 12 to 22 and Article 34 of the GDPR do not apply.
On a separate note, following Article 23 of the GDPR, the Law provides that the controller or processor may fully or partially refuse the exercise of data subjects' rights under Articles 12 to 22 of the GDPR, and is allowed not to fulfil their obligation under Article 34 of the GDPR, where their exercise would create a risk to, for example, national security, defence, public order and security, the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties. The terms and conditions for application of this provision should be further regulated by a specific law.
The Law contains derogations also in cases of personal data processing for journalistic purposes, or for the purposes of academic, artistic, or literary expression, as well as for the purpose of creating a photographic or audiovisual work by filming a person in the course of their public activities or in a public place.
The Law does not implement variations of the GDPR on the right to erasure.
The Law does not implement variations of the GDPR on the right to restriction of processing.
The Law does not implement variations of the GDPR on the right to data portability.
The Law does not implement variations of the GDPR on automated individual decision making, including profiling.
5.1. National regulation of the processing of children's data and age of consent
The Law lowers the age for valid consent given by children from 16 to 14 years old in relation to processing their data based on consent within the meaning of Article 4(11) of the GDPR, including in cases of the offer of information society services directly to a child. Where the data subject is under 14, processing is lawful only if consent is given by the parent who is exercising the parental rights, or by the guardian of the data subject.
6.1. National regulation concerning the processing of special categories of data and criminal conviction data
The Law does not contain provisions regarding processing of special categories of data and criminal conviction data.
Generally, under Bulgarian employment law (more specifically, pursuant to Ordinance No. 4 of May 11, 1993 on the documents required for the conclusion of an employment contract (only available to download in Bulgarian here)), a certificate of conviction should be presented only when the law requires certification of criminal record. Therefore, these provisions should be considered when controllers undertake processing of personal data related to criminal convictions.
7.1. Additional/varied requirements on DPO appointment, role and tasks
The Law does not implement variations of the GDPR regarding the requirements on DPO appointment, role, and tasks.
The Law provides that the CPDP should be notified of the appointment of the DPO, their name, identification number and contact details, as well as of any subsequent changes. The notification form, which can be accessed here, should be completed following the instructions in it and could be submitted on paper or electronically.
8.1. Variation/exemptions on breach notification obligation
The Law does not implement exemptions or variations from the GDPR on breach notification to the supervisory authority.
Regarding communication of a personal data breach to the data subject, the Law contains exemptions for cases where there is:
- personal data processing for journalistic purposes, or for the purposes of academic, artistic, or literary expression, as well as for the purpose of creating a photographic or audiovisual work by filming a person in the course of his/her public activities or in a public place (Article 25(d) of the Law);
- processing of personal data for humanitarian purposes by public authorities and/or humanitarian organisations, as well as processing in the event of disasters within the meaning of the Disaster Protection Act (Article 25(h) of the Law);
- a risk to national security, defence, public order and security, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, etc., where the terms and conditions should be governed by a specific law (Article 37(a) of the Law).
8.2. Sectoral obligations
The Law does not establish specific sectoral obligations with respect to data breach notification (besides processing activities performed by courts and prosecution authorities where notifications should be filed with the Inspectorate to the Supreme Judicial Council instead of the CPDP).
9.1. National activities subject to prior consultation/authorisation
On 13 February 2019, the CPDP adopted a list ('the List') of the processing activities where a data protection impact assessment ('DPIA') is mandatory.
Pursuant to the List, data controllers whose main or only place of establishment is in the territory of Bulgaria will be required to conduct a DPIA when carrying out the following types of processing operations:
- Large scale processing of biometric data for the unique identification of the individual which is not sporadic.
- Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them.
- Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them.
- Processing operations for which the provision of information to the data subject pursuant to Article 14 of the GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when they are linked to large scale processing.
- Personal data processing by a controller with its main place of establishment outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria.
- Regular and systematic processing for which the provision of information pursuant to Article 19 of the GDPR by the controller to the data subject is impossible or requires disproportionate efforts.
- Processing of personal data of children in relation to the offer of information society services directly to a child.
- Migration of data from existing to new technologies when this is linked to large scale data processing.
9.2. National activities not subject to prior consultation/authorisation
So far, such a national list has not been published.
10.1. National implementation of Article 89 of the GDPR
The Law provides the following derogations, pursuant to Article 89 of the GDPR:
- Personal data processing for the purpose of the National Archives Fund of Bulgaria is processing in the public interest. In this case, the rights under Articles 15, 16, 18, 19, 20 and 21 of the GDPR are derogated.
- When processing personal data for statistical purposes, the rights under Articles 15, 16, 18 and 21 of the GDPR are derogated.
The Law provides that further processing for the purposes of archiving in the public interest, for purposes of scientific or historical research, or for statistical purposes, is compatible and lawful personal data processing. In such cases, the controller shall apply appropriate technical and organisational measures to guarantee the rights and freedoms of the data subject in accordance with Article 89(1) of the GDPR.
The Law provides that for infringements of the GDPR, the CPDP may impose sanctions (fines), as well as compulsory administrative measures (such as issuance of warnings, orders to comply with certain requirements, etc.).
Regarding the fines, the Law refers to the respective GDPR provisions and does not introduce minimum amounts (the first draft of the Law contained such, which provoked lively discussions that led to the removal of the proposed minimums). The fines provided for in the GDPR shall be determined in accordance with the criteria set out therein and shall be imposed in their BGN equivalence.
Additionally, for other violations under the Law, a fine of up to BGN 5,000 (approx. €2,560) may be imposed on the respective personal data controller or processor.
Where the violations under the GDPR and the Law are repeated, a fine shall be imposed in double the amount of the initially imposed fine, but not more than the maximum envisaged in Article 83 of the GDPR. A repeated violation is one committed within one year from the entry into force of the act imposing a sanction for the same type of violation.
Historically, under the previous regime, the maximum amount of the fine established in the Act was BGN 100,000 (approx. €51,130), which could be doubled in case of repeated violations.
So far, the biggest fine imposed by the CPDP amounts to €2,600,000 (see Section 1.3. above).
12. OTHER SPECIFIC JURISDICTIONAL ISSUES
The Law contains some additional rules regulating specific situations of personal data processing:
- Where personal data are provided by the data subject to a controller/processor without a legal ground under Article 6(1) or contrary to the principles under Article 5 of the GDPR, within one month of being notified, the controller/processor returns them and, if this is impossible or requires disproportionate effort, erases or destroys them. Erasure and destruction must be documented. A data controller can copy an ID document, a driving licence, or a foreigner's residence permit only if a specific law provides for this.
- Free public access to information containing personal identification number ('PIN') is not allowed unless a specific law provides for this. Controllers providing public electronic services shall take appropriate technical and organisational measures to prevent PIN from being the only means of identifying the user when providing remote access to the respective service.
- Employers have to adopt (and bring to the knowledge of employees) rules and procedures when:
  - using systems for reporting of violations (e.g. the so-called 'whistleblowing systems');
  - restricting the use of internal resources; and
  - introducing access control systems, or systems for control of working time and labour discipline.
- Employers shall determine a retention period for processing personal data of job applicants, which should be no longer than six months, unless the applicant has given consent for a longer storage period. Upon expiry of the period, the employer deletes/destroys the stored documents containing personal data, unless a special law provides otherwise. The Law further provides that where the employer has requested certain originals or notarised copies of documents certifying the abilities, qualifications and experience of the applicant and the applicant is not hired, the controller shall return the documents within six months from the end of the application procedure.
- Controllers/processors have to adopt special rules for the processing of personal data by monitoring publicly accessible areas on a large scale, including through video surveillance. The rules regulate the legal basis and purposes of building the monitoring system; the location, scope and means of monitoring; the storage period of the information records and their deletion; the right of access by the monitored persons; informing the public about the monitoring, as well as restrictions on the provision of access to information to third parties. Under the Law, the CPDP shall provide guidance in this respect, which should be published on its website.
- When processing personal data of deceased persons, the controller takes appropriate measures to prevent impairment of the rights and freedoms of other persons and/or the public interest. In such cases, the controller may store the data only if there is a legal ground for that. Upon request, the controller provides access to the personal data of a deceased person, including a copy thereof, to their heirs or other persons having a legal interest.
On a separate note, the Law contains specific provisions related to exercise of data subjects' rights in terms of:
- Content of the request filed with the data controller: the name, address and identifier of the data subject; description of the request; preferred way of communication and actions under Articles 15 to 22 of the GDPR; signature, date of filing and address for correspondence; power of attorney (if filed by a proxy);
- Introducing a deadline for exercising the rights: in case of violation of their rights, the data subject has the right to bring the matter to the CPDP within six months from discovering the violation, but no later than two years from its occurrence;
- The data subject may address the matter to the CPDP or the court, at their discretion. However, the data subject cannot bring a case before the court where proceedings are pending before the CPDP (or a decision of the CPDP is currently under appeal) for the same violation.