Support Centre

Bulgaria

Summary

Law: The Protection of Personal Data Act 2002 (last amended in 2023) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Commission for Personal Data Protection (CPDP)

Summary: The Protection of Personal Data Act 2002 (last amended in 2023) (the Act) is the main source of local data protection law. Since then, the Act has undergone several amendments and was extensively modified, on February 26, 2019, to harmonize with the provisions of GDPR and to implement the GDPR into national legislation with the Law for amendments and supplement of the Act (only available in Bulgarian here). In addition, the Act was amended in May 2023 with the entry into force of the Act on Protection of Persons Reporting Information, or Publicly Disclosing Information about Breaches (the Whistleblowers Protection Act).

The Act, together with the Rules on the Activity of the Commission for Personal Data Protection and its Administration set forth the legal framework for supervisory and regulatory functions of the Commission for Personal Data Protection (CPDP). Since the entry into force of the GDPR, the CPDP has been very active both in terms of issuing regulatory guidance and in terms of enforcement.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview on the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.