Bulgaria's data protection in comparison to the GDPR
Bulgaria's data protection framework is primarily governed by the Protection of Personal Data Act 2002 ('the Act'), which has been amended multiple times to align with the General Data Protection Regulation (GDPR). The Commission for Personal Data Protection (CPDP) further provides guidelines and opinions to assist in the application of the Act and the GDPR.
GDPR opening clauses
The Act serves as Bulgaria's main legislative instrument for data protection and has been in place since 2002. It has undergone several amendments, the most recent of which followed the enactment of the Whistleblowers Protection Act in May 2023. The Act aims to implement the provisions of the GDPR and sets the legal framework for the CPDP.
Key differences and national specifics
- Whistleblowers Protection Act: The Act was recently revised to incorporate the new Whistleblowers Protection Act, which came into effect in May 2023.
- Presidential veto and constitutional court ruling: A significant development was the veto by the President of Bulgaria, Rumen Radev, on a provision related to the processing of personal data for journalistic purposes. Although the veto was overturned by the Parliament, the Bulgarian Constitutional Court later declared the criteria unconstitutional.
- Repeal of the ordinance: Prior to the GDPR, Ordinance No. 1 on the Minimum Level of Technical and Organizational Measures was a key regulatory source. It was repealed on 25 May 2018 but may be revised into methodical instructions by the CPDP.
- CPDP guidelines: The CPDP has issued a plethora of guidelines and opinions on various aspects of data protection, ranging from the implementation of the GDPR to the rights of data subjects and the obligations of data controllers.
Bulgaria has a well-established data protection framework that closely aligns with the GDPR. The Act serves as the cornerstone of data protection in the country and has been amended to address specific national concerns, such as whistleblower protection. The CPDP plays a crucial role in providing guidelines and opinions to ensure compliance with data protection laws. Despite some legal challenges, such as the Presidential veto and the Constitutional Court ruling, Bulgaria continues to strive for a balanced and comprehensive approach to data protection.