By Deyan Terziev

Firm: Boyanov & Co.

This article reviews the first year of GDPR application in Bulgaria, including enforcement activity and campaigns to raise awareness of data protection issues by the Bulgarian Commission on Personal Data Protection Data Protection and the introduction of local legislation.

One year after the entry into application of the GDPR, the Bulgarian Commission on Personal Data Protection (the ‘Commission’) has taken a rather mild approach to enforcement. The Commission’s most common enforcement practices include issuing warnings, official reprimands, and orders for bringing processing activities into compliance with the GDPR. In a few isolated cases, particularly where the personal data controller at fault has been especially non-cooperative, they have issued fines in the range of EUR 500 to EUR 5,000, mostly for processing personal data without a sufficient legal basis under Article 6 of the GDPR. Proceedings before the Commission have usually been initiated on the basis of data subjects’ complaints.

Other than enforcement, the Commission has been preoccupied with issuing various statements on the GDPR’s application, conducting training, participating in conferences, and otherwise raising awareness on the new legal framework.

On the subject of legislation, the Commission took a significant role with respect to the amendments to the Bulgarian Personal Data Protection Act, promulgated in February 2019. Furthermore, in view of the general provisions of Article 32 GDPR on the required level of security, the Commission revoked Ordinance 1/2013 on the minimal level of technical and organisational measures and the permissible type of personal data protection, which used to impose specific obligations at a local level for Bulgarian controllers.

As of May 2019, the Commission has not issued any official statistics or estimates on the level of compliance of businesses and administrative bodies with the GDPR.