National Data Protection Act


    On 18 July 2018, the Council of Ministers submitted, to the Bulgarian National Assembly, a bill for amendments and supplements to the Personal Data Protection Act. The bill was adopted by the National Assembly during its second and final reading on 24 January 2019. The adopted Act is yet to be published in the Official Journal.

    Last Updated: July 30, 2019

  • General

    The provisions in this new Act are structured in two major groups. On one hand, the Act introduces the necessary data protection provisions implementing the GDPR; on the other, it includes a section with the transposition of the provisions contained in Directive (EU) (the Law Enforcement Directive). This entry is concerned with the former.

    There is little information about this Act at the moment, but three main characteristics of the law have been made public. First, this is an omnibus Act that introduces transitional provisions amending or supplementing Bulgarian sectoral legislation. A second characteristic is that this Act does not replicate the provisions contained in the GDPR, but complements the latter with derogations and opening clauses that reflect the national circumstances and practice of data protection aspects that are specific to the Bulgarian context. In light of this:

    1. This implementing Act has to be interpreted in conjunction with the GDPR; and,
    2. It adds several derogations.

    Derogations and opening clauses

    • a lower threshold for minors consenting to Information Society Services, set at 14 years of age;
    • obligations to communicate the details of DPOs to the CPDP;
    • a requirement that personal data ought to be destroyed or returned to data subjects when processing is not based on legal grounds;
    • restrictions on photocopying official identity documents;
    • restrictions on accessing information containing the personal identification of a foreigner;
    • new enforcement competencies for the Bulgarian Commission for Personal Data Protection (CPDP);
    • limited powers of the CPDP to supervise national courts acting in their judicial capacity;
    • the Inspectorate to the Supreme Judicial Council (ISJC) is the public body responsible for monitoring the processing operations carried out by (a) courts acting in their judicial capacity, and (b) prosecutors;
    • it lays down provisions concerning all specific processing situations mentioned in the GDPR (freedom of expression, employment, processing for archiving purposes carried out in the public interest, processing for scientific or historical research, and processing for statistical purposes); and,
    • it lays down provisions regulating the processing of personal data carried out by public and private organisations for humanitarian purposes in response to natural or man-made disasters.



  • DatabreachPedia


    In Bulgaria, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and, in cases of likely high risk to the rights and freedoms of natural persons, also to those persons.

    Is it Mandatory to Notify Individuals?

    Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

    Is it Mandatory to Notify Regulator?

    Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

    Notification Deadline

    72 hours

    Responsible Regulator

    Commission for Protection of Personal Data
    Komisiya za zashtita na lichnite danni
    Prof. 2 Tsvetan Lazarov Str.
    1592 Sofia

    Tel. 02 / 9153518
    Fax 02 / 9153525
    E-mail: [email protected]

    Breach Notification Format

    Minimum requirements: nature of the breach, categories and approx. number of data subjects concerned, name and contact details of the DPO, likely consequences, measures taken/proposed to be taken. The Bulgarian regulator allows the breach notification to be made in person, by post, by e-mail or by fax.
