Law: The Protection of Personal Data Act 2002 (last amended in 2023) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Commission for Personal Data Protection (CPDP)

Summary: The Protection of Personal Data Act 2002 (last amended in 2023) (the Act) is the main source of local data protection law. Since then, the Act has undergone several amendments and was extensively modified, on February 26, 2019, to harmonize with the provisions of GDPR and to implement the GDPR into national legislation with the Law for amendments and supplement of the Act (only available in Bulgarian here). In addition, the Act was amended in May 2023 with the entry into force of the Act on Protection of Persons Reporting Information, or Publicly Disclosing Information about Breaches (the Whistleblowers Protection Act).

The Act, together with the Rules on the Activity of the Commission for Personal Data Protection and its Administration set forth the legal framework for supervisory and regulatory functions of the Commission for Personal Data Protection (CPDP). Since the entry into force of the GDPR, the CPDP has been very active both in terms of issuing regulatory guidance and in terms of enforcement.