Bulgaria implemented the EU Data Protection Directive 95/46/EC with the Personal Data Protection Act (in Bulgarian: Закон за защита на личните данни), promulgated in the State Gazette No. 1 of 4 January 2002, as amended periodically (the “Act”). The Act came into force on 1 January 2002.
The Act was last amended by the State Gazette, Issue No. 81 of 29 December 2011.
Definition of Personal Data
Personal data means “any information relating to an individual who is identified or can be identified, directly or indirectly, by an identification number or by one or more specific features”.
Definition of Sensitive Personal Data
Sensitive personal data means personal data:
- revealing racial or ethnic origin;
- revealing political, religious or philosophical beliefs, or membership in political parties or organisations or in associations with religious, philosophical, political or trade union purposes; or
- concerning health, sexual life or the human genome.
National Data Protection Authority
The Bulgarian data protection authority (“DPA”) is the Personal Data Protection Commission (in Bulgarian: Комисия за защита на личните данни):
15 Acad. Ivan Evstratiev Geshov Blvd., Sofia 1431
Registration
Unless an exemption applies, data controllers must apply for registration with the DPA before initiating any personal data processing. The registration covers the data controller and the personal data registers controlled by it. Changes to the initial registration require notification of the DPA before such changes are implemented. Registration is free of charge. The DPA maintains the following public registers:
- register of registered data controllers;
- register of data controllers exempt from registration; and
- register of data controllers with refused registration.
The prior notification must, inter alia, specify the following information (as set out in the DPA’s standard notification forms):
- Application Form covering data controllers’ details, such as:
- the controller’s identification details;
- the controller’s location;
- whether the controller processes data for the purposes of defence, national security, public
order or criminal proceedings;
- the controller’s main activity;
- whether the purpose and the means of processing are determined by the controller or by
- whether the data is processed by the controller itself or by a data processor; or
- the number of data registers.
- Registry Description Form covering each separate register:
- name and full address of the register;
- the purpose(s) of the processing;
- legal ground of the processing;
- whether automatic or non-automatic means are used;
- the categories of data subjects;
- the categories of personal data processed, including sensitive data (if processed);
- the recipients or categories of recipients of the personal data;
- whether a data transfer to foreign countries is required and the specific countries;
- sources for collection of the data;
- whether the explicit consent of the data subjects has been obtained; and
- a description of the technical and organisational measures for data protection, in accordance with the DPA regulation.
Exemptions from registration apply in the following situations:
- data controllers that maintain a public register established by law, where the register is publicly accessible or accessible to persons with a legitimate interest;
- non-profit organisations carrying out the processing activities enumerated in the Act; and
- data controllers explicitly exempted from registration by the DPA on the basis that the processing does not endanger the rights and legitimate interests of data subjects. The rules and conditions for this exemption are specified in a special DPA regulation. In such cases the data controller must apply for and obtain the DPA’s decision on the exemption from registration. However, such a decision does not relieve the data controller from the DPA’s supervision under the Act.
Data Protection Officers
There is no legal requirement in Bulgaria for organisations to appoint a data protection officer (“DPO”). Appointing a DPO is nevertheless recommended, since it provides a focal point for building and developing data protection compliance efforts, and it signals to the DPA, which may investigate the company, that the company takes data protection compliance seriously.
At the beginning of 2009 the DPA proposed a Draft Amendment of the Act and opened it for public discussion. One of the proposed amendments would oblige data controllers to appoint a specially trained DPO. The Draft Amendment is still under discussion and internal preparation by the DPA, but it shows that the DPA recognises the need for a DPO.
Collection and Processing
Any personal data must be processed in a way that is consistent with the following general principles:
- processed fairly and lawfully;
- processed only for specific and lawful purposes and used only for the purposes stated at the time it is collected;
- adequate, relevant and not excessive for the purposes for which it is processed;
- accurate, complete and where necessary kept up to date;
- not kept in a personally identifiable form longer than necessary;
- processed in accordance with the rights of the data subject under applicable law;
- kept securely; and
- not transferred to countries that do not have adequate data protection laws unless the data exporter takes certain specific steps to ensure that the data is adequately protected.
In addition to the general principles above, data controllers may only process personal data if one of the following conditions is satisfied:
- the processing is pursuant to a statutory obligation of the data controller;
- the respective person has provided his/her explicit consent;
- the processing is necessary for the performance of a contract to which the data subject is a party;
- the processing is necessary for the protection of the life and health of the data subject;
- the processing is necessary for the controller to carry out certain duties, in the public interest or by virtue of law; or
- the processing is necessary for the purpose of legitimate interests pursued by the data controller or data recipients, provided that the interests of the data subject are protected.
Where the personal data is “sensitive”, specific additional processing conditions must be satisfied.
Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies, namely:
- identification data of the controller and its representative;
- the purposes for which the data will be processed;
- the recipients or categories of recipients to whom the personal data may be disclosed;
- whether the provision of personal data is obligatory or voluntary and the consequences if the data is not provided (applicable if the data is gathered directly from the person to whom it relates);
- the categories of personal data relating to the respective individual (applicable if the data is not gathered directly from the data subject); and
- information about the right of access to the data and the right to rectify the collected data.
This prior information obligation does not apply where the data controller does not collect the data directly from the data subject and one of the following conditions is present:
- processing is made for statistical purposes or for the purposes of historical or scientific research and the provision of the data is impossible or would involve a disproportionate effort;
- recording or disclosure of data is explicitly laid down by law; or
- the individual to whom such data relates already has the required information.
Transfer
The transfer of personal data within the European Union (“EU”) and the European Economic Area (“EEA”) is not restricted, provided it complies with the applicable Bulgarian data protection law.
The transfer of personal data outside of the EU and the EEA is permissible only on the condition that the recipient state can ensure an adequate level of personal data protection within its territory. The assessment concerning the adequacy of the level of personal data protection in the recipient state should be made by the DPA.
The DPA does not carry out its own assessment where a decision of the European Commission applies, i.e. where the European Commission has ruled that (1) the country to which the personal data is transferred ensures an adequate level of protection; or (2) appropriate contractual clauses ensuring an adequate level of protection (the EU model contractual clauses) are in place.
The DPA has not yet issued any statement of approval or recognition regarding the use of binding corporate rules (“BCR”). Should the DPA consider that the level of personal data protection in the recipient state is unsatisfactory, it may prohibit the transfer. Even in such a case, the DPA may authorise the transfer if the data controller provides sufficient guarantees with respect to the protection of the individual’s fundamental rights. In any case, the data controller must notify the DPA in advance of its intention to transfer personal data to countries outside the EU and EEA, specifying the countries of transfer, the purpose of the transfer and the categories of personal data to be transferred.
Security
Data controllers must implement appropriate technical and organisational measures to protect personal data against accidental or intentional destruction or loss, unauthorised disclosure or access, alteration or dissemination, and against all other unlawful forms of processing. Data controllers must implement special protection measures in the case of electronic data transfer.
The minimum level of technical and organisational measures, and the admissible types of protection, are specified in a DPA regulation. The Act requires the data protection measures to be laid down in an internal instruction issued by the data controller and to be declared in the registration application submitted to the DPA.
Breach Notification
The Act does not provide for a data security breach notification duty.
Enforcement
The DPA is responsible for the enforcement of the Act. Acting either ex officio or upon a complaint from a data subject, the DPA is entitled to: (i) initiate an investigation; (ii) issue mandatory instructions, including but not limited to ordering the erasure of a database that does not comply with the data protection regulations; (iii) set a mandatory term for rectification of the breach; (iv) temporarily prohibit any unlawful data processing, after prior notification (a temporary prohibition of data processing may also be imposed where the data controller fails to comply with the Commission’s mandatory instructions); and (v) impose administrative sanctions.
Administrative sanctions in the form of fines for violations of the Act range from BGN 10,000 to BGN 100,000 (approximately EUR 5,000 to EUR 50,000).
Data controllers are liable for any damage caused to an individual as a result of unlawful processing or by breaching the technical requirements of data protection. The data controller is also liable for any damage caused by a data processor acting on behalf of the data controller.
The DPA decisions are subject to appeal before the Bulgarian Supreme Administrative Court within 14 days of receipt and the data subject may, in the case of an infringement of his/her rights under the Act, appeal against actions and acts of the data controllers before the relevant administrative court or the Supreme Administrative Court, as the case may be, in accordance with the general rules governing jurisdiction.
The transfer or distribution of computer or system passwords which results in the illegitimate disclosure of personal data constitutes a crime under the Bulgarian Criminal Code (promulgated in the State Gazette No. 26 of 2 April 1968, as amended periodically) and the penalty for such a crime includes imprisonment for up to three years.
Electronic Marketing
Data protection in electronic marketing falls under the general rules of the Personal Data Protection Act, which currently requires the explicit consent of the data subject for the processing of his/her personal data.
Although other grounds for lawful processing of personal data exist (as mentioned above), given their limited and specific scope, the explicit consent of the data subject is likely to be necessary for e-marketing purposes. The absence of a special legal framework governing data protection in e-marketing makes the opt-in regime the only legitimate method of pursuing e-marketing. This is further supported by the current rules on direct marketing activities.
The Bulgarian E-commerce Act explicitly requires that an opt-in mechanism be applied to direct marketing to natural persons. Moreover, after the natural person has given consent, he or she must always be given the opportunity to opt out of direct marketing and to refuse further processing of his/her personal data for such purposes.
Online Privacy (Including Cookies and Location Data)
Again, neither the current Personal Data Protection Act nor any other legislative act in force provides a specific framework or protection for the processing of personal data in the course of online activities, including cookies and traffic and location data. In the absence of specific rules, the general regime for the processing of personal data applies, and the data controller must ensure that one of the grounds for lawful processing mentioned above is satisfied.