Privacy Laws

Bulgaria's data protection in comparison to the GDPR

The flag of Slovakia with a stone monument in the background — © Emil / stock.adobe.com | #140849922

General overview

Bulgaria's data protection framework is primarily governed by the Protection of Personal Data Act 2002 ('the Act'), which has been amended multiple times to align with the General Data Protection Regulation (GDPR). The Commission for Personal Data Protection (CPDP) further provides guidelines and opinions to assist in the application of the Act and the GDPR.

GDPR opening clauses

The Act serves as Bulgaria's main legislative instrument for data protection and has been in place since 2002. It has undergone several amendments, the most recent of which followed the enactment of the Whistleblowers Protection Act in May 2023. The Act aims to implement the provisions of the GDPR and sets the legal framework for the CPDP.

Key differences and national specifics

Whistleblowers Protection Act: The Act was recently revised to incorporate the new Whistleblowers Protection Act, which came into effect in May 2023.
Presidential veto and constitutional court ruling: A significant development was the veto by the President of Bulgaria, Rumen Radev, on a provision related to the processing of personal data for journalistic purposes. Although the veto was overturned by the Parliament, the Bulgarian Constitutional Court later declared the criteria unconstitutional.
Repeal of the ordinance: Prior to the GDPR, Ordinance No. 1 on the Minimum Level of Technical and Organizational Measures was a key regulatory source. It was repealed on 25 May 2018 but may be revised into methodical instructions by the CPDP.
CPDP guidelines: The CPDP has issued a plethora of guidelines and opinions on various aspects of data protection, ranging from the implementation of the GDPR to the rights of data subjects and the obligations of data controllers.

Conclusion

Bulgaria has a well-established data protection framework that closely aligns with the GDPR. The Act serves as the cornerstone of data protection in the country and has been amended to address specific national concerns, such as whistleblower protection. The CPDP plays a crucial role in providing guidelines and opinions to ensure compliance with data protection laws. Despite some legal challenges, such as the Presidential veto and the Constitutional Court ruling, Bulgaria continues to strive for a balanced and comprehensive approach to data protection.

Write email

Group	external media
Name	Calendly
Technical name	_cf_bm,__cfruid,OptanonConsent
Provider	Calendly LLC
Expire in days	365
Privacy policy	https://calendly.com/privacy
Use	To arrange appointments via the provider Calendly.
Allowed
Group	essential
Name	Contao CSRF Token
Technical name	csrf_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Serves to protect the website from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	Contao HTTPS CSRF Token
Technical name	csrf_https_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Used to protect the encrypted website (HTTPS) from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	PHP SESSION ID
Technical name	PHPSESSID
Provider	Contao
Expire in days	0
Privacy policy
Use	Cookie from PHP (programming language), PHP data identifier. Contains only a reference to the current session. No information is stored in the user's browser and this cookie can only be used by the current website. This cookie is mainly used in forms to increase user-friendliness. Data entered in forms is stored for a short time, for example, if the user makes an input error and receives an error message. Otherwise, all data would have to be entered again.
Allowed
Name	FE USER AUTH
Technical name	FE_USER_AUTH
Provider	Contao
Expire in days	0
Privacy policy
Use	Saves a visitor's information as soon as they log in to the frontend.
Allowed