Dimitrov, Petrov & Co.,
What law(s) specifically govern personal data / information?
Regulation (EU) 2016/679 (General Data Protection Regulation - “GDPR”)
- GDPR is the principal data protection legislation, applicable on the territory of Bulgaria.
Personal Data Protection Act (“PDPA”)
- PDPA is the local personal data protection act, which supplements the GDPR.
- There are a number of sector-specific acts, containing rules relevant to the protection of personal data. For example:
- Electronic Communications Act;
- Act on the State Agency “National Security”;
- Customs Act;
- Ministry of Interior Act;
- Health Act.
What are the key data protection principles in this jurisdiction?
Bulgaria complies with the fundamental principles of Article 5 of the GDPR, namely:
- Lawfulness, fairness & transparency – personal data shall be processed lawfully and fairly; information and communication relating to the processing of personal data must be transparent, easily accessible and easy to understand;
- Purpose limitation – personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Data minimisation – processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes;
- Accuracy – organisations must ensure that personal data is accurate and, where necessary, kept up to date;
- Storage Limitation – personal data should only be kept for as long as is necessary;
- Integrity & Confidentiality – personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data;
- Accountability – organisations must take responsibility for their processing of personal data and shall be able to demonstrate how they comply with GDPR.
What is the supervisory authority / regulator in charge of data protection?
The Bulgarian supervisory authority/regulator is the Commission for Personal Data Protection.
Is there a requirement to register with a supervisory authority / regulator?
There is no requirement to register with a supervisory authority/regulator as a data controller/processor. Prior to 25 May 2018 data controllers were obliged to register before the Commission for Personal Data Protection and the latter maintained public records of registered data controllers.
Is there a requirement to notify the supervisory authority / regulator?
No, there is no requirement for a notification to the supervisory authority/regulator indicating that a controller processes personal data.
Is it possible to register with / notify the supervisory authority / regulator online?
Not applicable.
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to be informed: individuals have the right to be informed about the direct and indirect collection and use of their personal data;
Right of access: individuals have the right to obtain confirmation as to whether personal data related to them is being processed, as well as to be provided with access to these data and to detailed information regarding the processing and their rights according to GDPR, including to request a copy of the data;
Right to rectification: a right for individuals to require their personal data to be rectified or completed if the data are inaccurate or incomplete;
Right to erasure (right to be forgotten): the right of individuals to require their personal data to be erased if there are grounds for this provided for in GDPR;
Right to restriction of processing: the right of individuals to require the restriction of the processing of their personal data as per GDPR if there are grounds for this set forth therein;
Right to data portability: the right of the individual to receive the personal data in a structured, commonly used and machine-readable format and to transmit these data to another controller without any hindrance if there are grounds for this provided for in GDPR;
Right to object: gives individuals the right to object, on grounds relating to their particular situation, to the processing of their personal data when the processing of their data is based on legitimate interest or when the data is processed for public interest;
Right not to be subject to a decision based solely on automated processing (i.e. without human intervention), including profiling within the meaning of GDPR;
Right to withdraw consent for processing at any time and without negative consequences for the individual where processing is based on consent;
Right to lodge a complaint with a data protection supervisory authority, in particular in the (EU/EEA) Member State of the individual’s habitual residence, place of work or place of the alleged infringement, where the processing infringes the provisions of the GDPR or any other applicable data protection requirements.
Is there a requirement to appoint a data protection officer (or equivalent)?
Article 37 of the GDPR stipulates the conditions for designation of a DPO as follows:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or data relating to criminal convictions and offences.
Organisations that are not required to appoint a DPO may do so voluntarily.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes, as per Article 35 GDPR the controller is obliged – prior to the processing – to carry out a data protection impact assessment ("DPIA"), where the type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
A DPIA is always required in the following circumstances:
- a systematic and extensive evaluation of personal aspects is based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
In accordance with Article 35, para. 4 of GDPR, the Commission for Personal Data Protection has also adopted a list of use cases where personal data processing operations require a data protection impact assessment. The list is not exhaustive and can be updated when necessary:
- Large-scale processing of biometric data for the purposes of unique identification of a natural person, which is not sporadic;
- Processing of genetic data for the purpose of profiling which gives rise to legal consequences for the data subject or similarly affects him to a significant extent;
- Processing of location data for the purpose of profiling, which gives rise to legal consequences for the data subject or similarly affects him to a significant extent;
- If it is impossible to provide information to the data subject under Article 14 of GDPR or if the provision of this information requires a disproportionately large effort, or is likely to make impossible or seriously hinder the achievement of the purposes of the processing, when it is related to large-scale data processing;
- Processing of personal data carried out by a controller whose main seat is outside the EU, when the designated representative in the EU is located on the territory of the Republic of Bulgaria;
- Regular and systematic processing, in which the provision of the information under Article 19 of GDPR by the controller to the data subject is impossible or requires disproportionately large efforts;
- Processing of personal data of children when directly offering information society services;
- Carrying out data migration from existing to new technologies when it is related to large-scale data processing.
Does this jurisdiction have any specific data breach notification requirements?
In accordance with Article 33 of GDPR, the data controller should submit to the Commission for Personal Data Protection a notification of a personal data breach without undue delay and no later than 72 hours after becoming aware of the breach. The data controller is also obliged to inform the Commission of any change in the circumstances or data stated in the notification.
Based on the received data breach notification, the Commission for Personal Data Protection initiates an administrative procedure following its locally adopted instructions for the practical implementation of the Commission’s supervisory activities and its methodology for determining the level of risk in relation to data breaches. These documents are specific to Bulgaria.
What restrictions apply to the international transfer of personal data / information?
A transfer of personal data from Bulgaria (or another EU Member State) to third countries and/or international organisations may be performed only if the data controller or processor fulfils the conditions of, and complies with, the personal data transfer rules defined in Chapter V of the GDPR, namely:
- The transfer is subject to an adequacy decision of the European Commission;
- In the absence of an adequacy decision, a transfer tool containing appropriate safeguards is implemented. The main transfer tools are standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, ad hoc contractual clauses;
- In the absence of an adequacy decision or of appropriate safeguards, GDPR allows for derogations in certain situations as listed in Article 49 of GDPR.
The transfer of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties within the scope of Directive (EU) 2016/680 is performed under the conditions, set in Chapter VIII of the PDPA.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
As per Article 3 of GDPR, the act also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union (e.g. Bulgaria); or
- the monitoring of their behaviour as far as their behaviour takes place within the Union (e.g. on the territory of Bulgaria).
What is more, the GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law (i.e. Bulgarian law) applies by virtue of public international law.
What rules specifically deal with marketing?
GDPR, Article 6 of the Bulgarian E-Commerce Act and Article 261 of the Electronic Communications Act regulate marketing rules.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes, in general the applicable regime for B2C direct marketing is opt-in (with one exception mentioned below), while the one applicable to B2B is opt-out.
E-Commerce Act (Article 6)
The E-Commerce Act introduces the general rule that a service provider who sends unsolicited commercial messages by e-mail without the prior consent of the recipient shall ensure that the commercial message is clearly and unambiguously identifiable as unsolicited as soon as it reaches the recipient.
Unsolicited commercial messages can be sent B2B without prior consent. However, it is prohibited if the business recipient's email address is listed in the Bulgarian Commission for Consumer Protection's register of legal entities that have explicitly opted out of receiving unsolicited commercial communications.
Unsolicited commercial messages to consumers (B2C) are prohibited without their prior consent.
Electronic Communications Act (Article 261 – applicable to B2C)
Under this Act, conducting calls, sending messages or emails for the purposes of direct marketing and advertisement is allowed only upon prior consent of the consumer. This applies to both automated and manual communications. The consumer must provide explicit consent, which they have the right to withdraw at any time.
If the contact information was obtained during a commercial transaction for products or services, the data of the customer can be used to send marketing messages about the business’ own similar products or services. However, the customer must be provided with a clear and free-of-charge option to:
- Opt-out at the time of the transaction;
- Opt-out from receiving future marketing communications if they did not do so during the transaction.
Even if the above requirements are met, sending marketing communications is prohibited in the following cases:
- The sender cannot be identified;
- The communication does not include a valid address or mechanism through which the recipient can easily opt-out;
- The message does not comply with the specific requirements outlined in Article 5 of the E-Commerce Act;
- The communication directs recipients to websites that do not comply with Article 5 of the E-Commerce Act.
Besides the above, under GDPR (which would apply whenever the marketing activity involves processing of personal data) the data subject shall have the right to object at any time to processing of personal data concerning him or her for the purposes of direct marketing and such processing should be suspended immediately.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
The rules above deal with any type of electronic marketing, including but not limited to, emails, text messages, messages sent through applications such as Viber or WhatsApp etc.
What rules specifically deal with cookies?
The E-Commerce Act is the national legislation which transposes the rules of the e-Privacy Directive regarding cookies. These rules should be analysed and applied in combination with GDPR.
Article 4a of the E-Commerce Act regulates the conditions under which providers of information society services can store or access information on a user’s device. The regulation foresees an opt-in regime for all cookies except for the strictly necessary cookies under the following conditions:
- Providers must inform users clearly and comprehensively about the data processing as per Article 13 of GDPR;
- Users are provided with an option to refuse such data storage or access;
- Users should be able to access information about the data stored on their devices at any time.
The requirements above do not apply if the storage or access to information is necessary for transmission of messages over an electronic communications network or for the provision of information society services explicitly requested by the recipient of the information society service.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
In the event of non-compliance with data protection laws (including marketing laws) the following administrative measures apply:
- Infringement of Article 6 of the E-Commerce Act regarding unsolicited commercial communications or Article 4a of the E-Commerce Act regarding cookies – an administrative fine of BGN 250 to BGN 1,500 (in case of a service provider – physical person) or BGN 500 to BGN 2,000 (in case of a service provider – legal entity);
- Infringement of Article 261 of the Electronic Communications Act where the person has not complied with the customer's refusal to receive messages for marketing purposes – a fine of BGN 5,000 to BGN 10,000;
- If a specific marketing communication infringes GDPR (for example, data is processed without a proper legal basis under Article 6 of GDPR), the GDPR sanctions apply (i.e. up to EUR 20,000,000 or 4% of annual worldwide turnover, depending on the type of infringement).
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Firstly, the cross-border territorial scope of GDPR under Article 3 should be taken into consideration.
Secondly, Article 27 of GDPR should be taken into consideration: where controllers and processors not established in the EEA fall within the territorial scope of the EEA data protection regime under Article 3, para. 2 of GDPR, they are required (with a few exceptions) to designate a representative in the EEA.
What upcoming data protection developments should multinational organisations be aware of?
Multinational organisations should proactively monitor the developments occurring in Europe as the regulations and technologies are advancing rapidly. Staying ahead of these changes will assist with mitigating risks and maintaining trust with customers.
A significant development is the Artificial Intelligence Act (AI Act), which governs artificial intelligence and its purpose is to promote technologies while ensuring a high level of protection. Companies using AI have to ensure compliance with data governance, transparency, risk management requirements and protection of the end user rights depending on the level of risk associated.
Further upcoming or already in force regulations which might have an impact on data protection are the Digital Services Act (DSA), the Digital Markets Act (DMA), Data Governance Act (DGA), European Health Data Space (EHDS), Data Act, NIS2 Directive, including national supplementary legislation in this regard.
Companies must also remain updated with:
- The guidelines and practice by competent authorities on EU level; and
- National GDPR enforcement trends – for example, Bulgaria has specific local trends when it comes to data breaches.