After extensive public consultations and discussions in parliament, Bulgarian lawmakers passed amendments to the Personal Data Protection Act, which implements the EU's General Data Protection Regulation (GDPR) with a few local exemptions. The Act was promulgated into the Bulgarian State Gazette on February 26 and enters into force on March 2.

Employment relationships

New requirements contained in the Act include regulations concerning employment relationships, such as:

  • Employers are allowed to determine on their own the retention period for the personal data of job applicants. This period, however, may not exceed six months.
  • Employers, in their capacity as controllers, adopt rules and procedures regarding whistleblowing, limitations on the use of a firm’s internal resources, access controls, working time and labour discipline.

The Bulgarian Personal Data Protection Commission (PDPC)

The PDPC, as a leading supervisory authority, will monitor and facilitate the processing and movement of personal data. Responsible for the accreditation of bodies monitoring codes of conduct, the PDPC will in compliance with the GDPR certify bodies, which issue, review and withdraw data protection certification, seals and marks.

The PDPC will also approve codes of conduct in specific sectors. Requirements and procedures for accreditation and certification will be regulated in secondary legislation to be adopted within two months after the enforcement of the Act.

Other responsibilities of the PDPC include conducting seminars and trainings of data protection officers (DPOs). Additionally, all data controllers or processors who have appointed a DPO must notify the PDPC of the DPO’s identity and contact details.

Instead of a data controller's register, the PDPC will maintain separate registers for:

  • controllers and processors who have appointed DPOs;
  • accredited certifying bodies;
  • codes of conduct;
  • breaches of the GDPR and the Act with the measures implemented (internal register);
  • notifications of a personal data breach (internal register).

The Inspectorate to the Supreme Judicial Council

As the new supervisory authority within the judiciary, the Inspectorate will receive all complaints, requests and signals related to processing of personal data within the courts, investigation and prosecutor's office. Data processing complaints within the judiciary will no longer be filed to the PDPC, and the Inspectorate, like the PDPC, is entitled to impose sanctions for GDPR infringements of up to EUR 20 million.

Other important practical issues include:

  • Data controllers and processors are not allowed to copy ID cards, driving licenses or residence permits, except if otherwise provided for by law. One exception is included in the Anti-Money Laundering Measures Act, which obliges entities collecting information for anti-money laundering prevention to make copies of the ID cards of legal representatives of clients which are legal entities.
  • The minimum age for valid consent is 14 years when using information society services. Otherwise, parental consent is required.
  • When data processing is performed without legal grounds, the controller or processor must return the personal data to the data subject or destroy the data within one month of learning of the illegal processing.
  • The personal identification number or personal number of a foreigner cannot be publicly accessible unless otherwise provided by law. The personal identification number or personal number of a foreigner cannot be the only identifier for a data subject using electronic public services.
  • In a data subject`s rights are violated under the GDPR or the Act, the data subject is entitled to file an appeal within six months of becoming aware of the violation, but no later than two years from the date of the violation. The appeal can be filed with the PDPC, Inspectorate or the courts.