Data Protection & Privacy in Bulgaria

Bulgaria applies the General Data Protection Regulation (GDPR) directly and enforces it through a dedicated national authority. For international businesses operating in Bulgaria - whether through a local subsidiary, a branch, or digital services targeting Bulgarian residents - compliance is not optional. The Commission for Personal Data Protection (Комисия за защита на личните данни, CPDP) has the power to impose fines, order processing bans, and refer matters for criminal prosecution. This article explains the legal framework, the key compliance obligations, the mechanics of breach response, the rules for cross-border data transfers, and the practical risks that foreign-owned entities most commonly underestimate.

The legal framework: GDPR, the PDPA, and the role of the CPDP

The primary instrument governing data protection in Bulgaria is Regulation (EU) 2016/679 - the GDPR - which applies directly as EU law. Bulgaria supplemented the GDPR through the Personal Data Protection Act (Закон за защита на личните данни, PDPA), substantially amended in 2019 to align with the GDPR. The PDPA addresses matters the GDPR leaves to member state discretion: the minimum age for a child's consent to information society services (set at 14 years under Article 25a of the PDPA, against the GDPR's default of 16), specific rules for processing in employment contexts, and the legal basis for processing by public authorities.

The CPDP is the supervisory authority under Article 51 of the GDPR. It operates independently, issues binding decisions, and conducts both reactive and proactive inspections. The pre-GDPR obligation to register as a data controller with the CPDP no longer exists; what the CPDP does maintain is a register of the data protection officers notified to it under Article 37(7) of the GDPR. The CPDP also issues guidelines and opinions that, while not legally binding in the same sense as regulations, carry significant weight in enforcement proceedings. Ignoring CPDP guidance is a recognised aggravating factor when fines are calculated.

A non-obvious risk for foreign businesses is the interaction between the GDPR's 'one-stop-shop' mechanism and the CPDP's jurisdiction. If a company's EU main establishment is in another member state, the lead supervisory authority for cross-border processing is that other state's regulator - not the CPDP. Even then, the CPDP remains a 'concerned' supervisory authority for Bulgarian data subjects and can handle complaints whose effects are confined to Bulgaria (Article 56(2) of the GDPR). If the company has no EU establishment at all and processes data of Bulgarian residents, the CPDP has direct jurisdiction. Many international operators incorrectly assume that registering a holding in another EU state removes them from CPDP oversight entirely. It does not, where the Bulgarian entity makes independent processing decisions, because that entity is then a controller in its own right with its own main establishment in Bulgaria.

The PDPA also transposes Directive (EU) 2016/680 on law enforcement data processing. Separately, Directive (EU) 2022/2555 (NIS2) imposes cyber-security and incident-reporting obligations on essential and important entities active in Bulgaria; a single incident can therefore trigger both a GDPR breach notification to the CPDP and a NIS2 incident report to the competent cyber-security authority, on different clocks and to different recipients.

Core compliance obligations for businesses operating in Bulgaria

Every data controller or processor with a presence in Bulgaria, or targeting Bulgarian data subjects, must satisfy a set of baseline obligations derived from the GDPR and the PDPA.

Lawful basis for processing. Article 6 of the GDPR requires that every processing activity rest on one of six legal bases. In a Bulgarian business context, the most commonly used bases are: legitimate interest (Article 6(1)(f)), contractual necessity (Article 6(1)(b)), and consent (Article 6(1)(a)). A common mistake made by international clients is treating consent as the default basis for all processing. Consent is the most fragile basis - it can be withdrawn at any time, and withdrawal must be as easy as giving it. Where processing is genuinely necessary for a contract or a legitimate interest, relying on consent creates unnecessary operational risk.

Records of processing activities (ROPA). Article 30 of the GDPR requires controllers and processors to maintain a written record of their processing activities. The exemption for enterprises with fewer than 250 employees (Article 30(5)) does not apply where the processing is likely to result in a risk to individuals, is not occasional, or involves special category or criminal conviction data - and since almost any business processes customer or employee data on a non-occasional basis, the exemption rarely applies in practice. Consistent with this, the CPDP expects all commercial entities to maintain a ROPA regardless of size, and the absence of one is treated as an indicator of systemic non-compliance during inspections.

Privacy notices. Articles 13 and 14 of the GDPR require that data subjects receive clear, layered information at the point of collection. Bulgarian courts and the CPDP have found that generic English-language privacy policies, without a Bulgarian-language version, do not satisfy the transparency requirement when the primary audience is Bulgarian residents.

Data subject rights. The GDPR grants individuals rights of access, rectification, erasure, restriction, portability, and objection. Article 12(3) of the GDPR sets a one-month response deadline, extendable by two further months for complex or numerous requests - but the data subject must be told of the extension, and the reasons for it, within the first month. Failure to respond within the deadline is itself a violation, independent of whether the underlying processing was lawful.

Data Protection Impact Assessments (DPIA). Article 35 of the GDPR requires a DPIA before commencing processing that is likely to result in a high risk to individuals. The CPDP has published a list of processing types that always require a DPIA in Bulgaria, including large-scale processing of health data, systematic monitoring of publicly accessible areas, and processing involving automated decision-making with legal effects.

To receive a checklist of core GDPR compliance obligations for businesses operating in Bulgaria, send a request to info@vlolawfirm.com.

Consent requirements and special categories of data in Bulgaria

Consent under the GDPR is defined in Article 4(11) as a freely given, specific, informed, and unambiguous indication of agreement. In Bulgaria, the CPDP has taken a strict position on what 'freely given' means in employment relationships: because of the inherent power imbalance, employee consent is rarely a valid legal basis for processing in the workplace. The PDPA, in its employment-specific provisions, requires that processing of employee data rest on legal obligation or legitimate interest rather than consent wherever possible.

For special categories of data - defined in Article 9 of the GDPR to include health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, and data concerning sex life or sexual orientation - the standard for processing is significantly higher. One of the explicit exceptions in Article 9(2) must apply. In Bulgaria, the most frequently used exceptions are: explicit consent (Article 9(2)(a)), employment and social security obligations (Article 9(2)(b)), and vital interests (Article 9(2)(c)).

The 14-year age threshold for children's consent in Bulgaria (Article 25a of the PDPA) is lower than in some other EU member states. For online services directed at children, this means that a child aged 14 or over can validly consent to processing without parental authorisation. However, verifying age in practice remains a significant operational challenge, and the CPDP has indicated that reliance on self-declared age without any verification mechanism is insufficient.

A practical scenario: a Bulgarian e-commerce platform collects health-related data (for example, dietary preferences linked to medical conditions) as part of a personalisation feature. If the platform relies on consent, it must obtain explicit consent specifically for health data processing, maintain records of that consent, and have a mechanism for withdrawal that immediately halts the relevant processing. If the platform instead argues legitimate interest, that argument fails: legitimate interest is an Article 6(1)(f) basis, not one of the Article 9(2) exceptions, and special category data requires both an Article 6 basis and an Article 9(2) exception. Relying on Article 6 alone is a mistake that leads to unlawful processing findings.

Processing of criminal conviction data (Article 10 of the GDPR) is subject to additional restrictions under the PDPA. Only public authorities and entities with a specific legal mandate may process such data as a general rule. Private employers conducting background checks must rely on explicit statutory authorisation, which is narrow.

Data breach notification: obligations, timelines, and practical mechanics

A personal data breach is defined in Article 4(12) of the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Note that the definition covers loss of availability (for example, data encrypted by ransomware with no usable backup) as well as confidentiality breaches. The GDPR imposes a two-tier notification obligation.

Notification to the CPDP. Under Article 33 of the GDPR, a controller must notify the CPDP without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. A notification made after 72 hours must be accompanied by reasons for the delay. The 72-hour clock starts from the moment the controller has a reasonable degree of certainty that a breach has occurred - not from the moment of initial suspicion, but also not from the completion of a full internal investigation. The CPDP expects an initial notification within 72 hours, with the option to supplement it in phases as more information becomes available (Article 33(4)). Breaches that are not notified must still be documented internally (Article 33(5)), including the reasoning for the 'unlikely to result in a risk' conclusion, because the CPDP can ask to see that record.

Notification to affected individuals. Under Article 34 of the GDPR, where a breach is likely to result in a high risk to individuals, the controller must also notify those individuals without undue delay. The notification must describe in clear and plain language the nature of the breach, the likely consequences, the measures taken or proposed, and a contact point. Article 34(3) removes this obligation where the affected data was rendered unintelligible to unauthorised persons (for example, properly encrypted with the key not compromised) or where subsequent measures mean the high risk is no longer likely to materialise - which is why the breach record should capture exactly what protection the data had at the time of the incident. The CPDP can order notification even where the controller has assessed the risk as low, if the CPDP disagrees with that assessment.

In practice, the 72-hour deadline is extremely tight. Many organisations in Bulgaria - particularly SMEs and foreign-owned entities without a local legal team - discover breaches through third parties (IT vendors, customers, or journalists) rather than through internal monitoring. By the time the breach is confirmed internally, the 72-hour window may already be partially or fully elapsed. A common mistake is waiting for a complete forensic report before notifying the CPDP. The GDPR explicitly permits phased notification, and the CPDP has confirmed this approach in its published guidance.

A practical scenario: a Bulgarian subsidiary of an international group suffers a ransomware attack. The parent company's IT security team in another country takes the lead on incident response. The Bulgarian entity's management is not informed until 48 hours after the attack is detected. Because the group security team is acting on the Bulgarian controller's behalf, the CPDP is likely to treat the controller as 'aware' from the moment that team had reasonable certainty of the breach, not from the moment local management was told. The Bulgarian controller then has only 24 hours to notify the CPDP. If the parent company's response protocol does not include immediate escalation to the Bulgarian legal team, the notification deadline will be missed - triggering a separate violation independent of the underlying breach.

Processors operating in Bulgaria have an obligation under Article 33(2) of the GDPR to notify the controller without undue delay after becoming aware of a breach. Data processing agreements (DPAs) governed by Bulgarian or EU law should specify a processor notification deadline of no more than 24 hours to give the controller sufficient time to meet its own 72-hour obligation.

The cost of breach response - including forensic investigation, legal advice, regulatory liaison, and individual notification - typically starts from the low thousands of EUR for a contained incident and can reach six figures for a large-scale breach affecting many individuals.

To receive a checklist for data breach response procedures applicable in Bulgaria, send a request to info@vlolawfirm.com.

Cross-border data transfers from Bulgaria

Bulgaria, as an EU member state, applies Chapter V of the GDPR to transfers of personal data to third countries (countries outside the European Economic Area). A transfer is any disclosure or making available of personal data to a recipient in a third country, including remote access by a parent company's IT team located outside the EEA.

Adequacy decisions. The European Commission has adopted adequacy decisions for a number of third countries, including the United Kingdom (subject to periodic review), Japan, South Korea, and others, and, since July 2023, for transfers to organisations in the United States certified under the EU-US Data Privacy Framework (DPF). Transfers to these destinations do not require additional safeguards - but the US decision covers only DPF-certified recipients, so the recipient's certification status must be checked and monitored, and a transfer to a non-certified US company still needs another mechanism. Adequacy decisions can be invalidated or suspended, and controllers must monitor the status of any adequacy decision they rely on.

Standard Contractual Clauses (SCCs). For transfers to countries without an adequacy decision, the most commonly used mechanism is the Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) of the GDPR. The 2021 SCCs replaced the earlier versions and introduced a modular structure covering controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfers. Bulgarian controllers using the 2021 SCCs must also conduct a Transfer Impact Assessment (TIA) to verify that the legal framework of the destination country does not undermine the protections offered by the SCCs.

Binding Corporate Rules (BCRs). For multinational groups with significant intra-group data flows, BCRs approved by a lead supervisory authority offer a more durable transfer mechanism. The approval process is lengthy - typically one to two years - and requires substantial internal governance infrastructure. BCRs are most viable for large groups with a dedicated privacy function.

Derogations. Article 49 of the GDPR provides limited derogations for specific situations: explicit consent of the data subject, necessity for contract performance, important reasons of public interest, and others. The CPDP, consistent with the European Data Protection Board's guidance, treats Article 49 derogations as exceptional and not suitable for systematic or repetitive transfers. A non-obvious risk is that many Bulgarian entities use 'consent' under Article 49 for routine transfers to US-based cloud providers, without appreciating that this approach is unlikely to survive regulatory scrutiny.

A practical scenario: a Bulgarian HR software company stores employee data on servers operated by a US-based cloud provider that is not certified under the EU-US Data Privacy Framework. The company signs the provider's standard DPA, which incorporates the 2021 SCCs. However, the company has not conducted a TIA and has not assessed whether US surveillance laws (such as FISA Section 702) undermine the SCC protections, nor documented any supplementary measures (for example, customer-held encryption keys). The CPDP, following the logic of the Schrems II judgment of the Court of Justice of the EU (C-311/18), could find the transfer unlawful even though SCCs are in place. Had the provider been DPF-certified, the transfer could have rested on the adequacy decision instead, which is why the certification status of each US recipient should be recorded in the transfer inventory.

The practical cost of establishing a compliant transfer framework - including legal review of SCCs, TIA preparation, and DPA negotiation - typically starts from a few thousand EUR for a straightforward arrangement and increases with the complexity of the transfer relationships.

The Data Protection Officer: appointment, role, and liability exposure

The Data Protection Officer (DPO) is a role created by Articles 37-39 of the GDPR. Appointment of a DPO is mandatory for: public authorities and bodies; controllers or processors whose core activities require large-scale, regular, and systematic monitoring of individuals; and controllers or processors whose core activities involve large-scale processing of special category data or criminal conviction data.

In Bulgaria, the CPDP has taken the position that 'large-scale' should be assessed in context, and that entities processing the personal data of a significant proportion of the Bulgarian population - even if the absolute numbers are modest by EU standards - may meet the threshold. Bulgaria's population is approximately 6.5 million, and the CPDP has indicated that processing affecting tens of thousands of individuals may qualify as large-scale in the Bulgarian context.

The DPO must have expert knowledge of data protection law and practice (Article 37(5) of the GDPR). The DPO can be an employee or an external service provider. Many Bulgarian SMEs and foreign-owned subsidiaries use an external DPO service, which reduces cost and provides access to specialist expertise. However, a common mistake is treating the external DPO as a compliance rubber stamp rather than as a genuine advisory function. The DPO must be involved in all matters relating to personal data protection (Article 38(1) of the GDPR), and the CPDP checks whether this involvement is real or nominal.

The DPO must be independent - the controller cannot instruct the DPO on how to perform their tasks (Article 38(3) of the GDPR). The DPO cannot hold a position that creates a conflict of interest. In practice, this means that a CFO, Head of IT, or General Counsel cannot simultaneously serve as DPO, because their other responsibilities may conflict with the DPO's oversight function.

The DPO is not personally liable for the controller's GDPR violations. Liability rests with the controller or processor. However, a DPO who fails to perform their duties adequately may face employment or contractual consequences, and the CPDP may take the DPO's performance into account when assessing the controller's overall compliance posture.

A practical scenario: a Bulgarian insurance company appoints its Head of IT as DPO to save costs. The Head of IT is responsible for implementing the very systems whose data processing the DPO should oversee. The CPDP, during an inspection triggered by a customer complaint, identifies the conflict of interest and orders the company to appoint a qualified, independent DPO within 30 days. The company's failure to have a valid DPO appointment is treated as an aggravating factor in the fine calculation.

We can help build a strategy for DPO appointment and compliance governance in Bulgaria. Contact info@vlolawfirm.com.

Enforcement by the CPDP: fines, orders, and litigation

The CPDP has the full range of corrective powers set out in Article 58(2) of the GDPR. These include: warnings, reprimands, orders to bring processing into compliance, temporary or permanent bans on processing, and administrative fines. The GDPR's two-tier fine structure applies: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for violations of controller and processor obligations (such as failure to maintain a ROPA, to notify a breach, or to appoint a DPO), and up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for violations of the basic principles, data subject rights, and transfer rules (such as unlawful processing or unlawful transfers).

The CPDP calculates fines using the criteria in Article 83(2) of the GDPR: the nature, gravity, and duration of the violation; the number of data subjects affected; the categories of data involved; the degree of responsibility; any previous violations; cooperation with the supervisory authority; the manner in which the violation became known to the authority; and any other aggravating or mitigating factor, with the undertaking's turnover setting the ceiling. In practice, the CPDP has shown willingness to impose significant fines on both large and small entities, and the absence of a compliance programme is consistently treated as an aggravating factor.

Beyond administrative fines, Article 82 of the GDPR gives individuals the right to claim compensation for material or non-material damage caused by a GDPR violation. Bulgarian courts have jurisdiction over such claims. Non-material damage - including distress, anxiety, and loss of control over personal data - is compensable, though Bulgarian courts have generally awarded modest amounts for non-material harm in the absence of demonstrable psychological impact. The risk of class-action-style coordinated claims by multiple data subjects is lower in Bulgaria than in some Western European jurisdictions, but it is not absent.

The CPDP also has the power to refer matters to the Bulgarian prosecution authorities where criminal liability may arise. The PDPA contains criminal provisions for certain serious violations, including unlawful disclosure of personal data for commercial gain.

A practical scenario: a foreign-owned retail chain operating in Bulgaria runs a loyalty programme that tracks purchasing behaviour and shares aggregated profiles with a parent company outside the EEA, without SCCs or any other transfer mechanism. A customer complaint triggers a CPDP investigation. The CPDP finds: (a) no lawful basis for the profiling; (b) no valid transfer mechanism; (c) no DPIA despite the high-risk nature of the processing; and (d) no DPO despite the large-scale monitoring of customers. The cumulative fine exposure is substantial, and the CPDP also orders the processing to stop pending remediation.

The risk of inaction is concrete: the CPDP can impose a processing ban that effectively halts a business operation while compliance is remediated. For a company whose revenue depends on data-driven marketing or customer analytics, a processing ban can cause losses that far exceed the fine itself.

A non-obvious risk is the interaction between GDPR enforcement and Bulgarian consumer protection law. The Consumer Protection Act (Закон за защита на потребителите) gives the Commission for Consumer Protection (Комисия за защита на потребителите) concurrent jurisdiction over certain unfair commercial practices that involve misuse of personal data. A single incident can trigger parallel investigations by two regulators.

We can assist with structuring the next steps for CPDP enforcement response and remediation in Bulgaria. Contact info@vlolawfirm.com.

FAQ

What is the most significant practical risk for a foreign company processing data of Bulgarian residents without a local establishment?

Without an EU establishment, a foreign company targeting Bulgarian residents must designate a representative in the EU under Article 27 of the GDPR. Failure to do so is itself a violation subject to fines. More importantly, the CPDP has direct jurisdiction over the company and can impose fines calculated on global turnover - not just Bulgarian revenue. The absence of a local legal presence also means that CPDP correspondence may go unanswered, which the CPDP treats as non-cooperation and an aggravating factor. Appointing a local representative and establishing a compliance baseline before the CPDP initiates contact is significantly less costly than responding to an enforcement action.

How long does a CPDP investigation typically take, and what are the financial consequences of a finding of violation?

A CPDP investigation triggered by a complaint typically takes between six months and two years from the initial complaint to a final decision, depending on complexity. During this period, the CPDP may request extensive documentation, conduct on-site inspections, and issue interim orders. Financial consequences include the administrative fine itself - which can reach EUR 20 million or 4% of global turnover for serious violations - plus the cost of legal representation, remediation, and any compensation claims by affected individuals. The total cost of a contested enforcement action, including legal fees, typically starts from the low tens of thousands of EUR and can reach six figures for complex cases.

When should a business choose to appoint an external DPO rather than an internal one, and what are the key selection criteria?

An external DPO is generally preferable for SMEs, foreign-owned subsidiaries, and entities where no existing employee has the required expertise without a conflict of interest. The key selection criteria are: demonstrated expertise in EU and Bulgarian data protection law; genuine independence from the controller's management; availability to respond to data subject requests and CPDP inquiries within statutory deadlines; and the ability to advise on sector-specific issues relevant to the business. A common mistake is selecting an external DPO based solely on cost, without verifying their practical experience with CPDP enforcement. An external DPO who cannot engage substantively with the CPDP during an investigation provides limited protection.

Conclusion

Data protection compliance in Bulgaria requires a structured approach that combines GDPR obligations with the specific requirements of the PDPA and the enforcement priorities of the CPDP. The risks of non-compliance - fines, processing bans, litigation, and reputational damage - are concrete and increasing. International businesses operating in Bulgaria benefit from early investment in compliance infrastructure: a valid legal basis for each processing activity, a functioning DPO, a tested breach response procedure, and compliant transfer mechanisms for cross-border data flows.

To receive a checklist for building a GDPR-compliant data protection programme in Bulgaria, send a request to info@vlolawfirm.com.

Our law firm VLO Law Firm has experience supporting clients in Bulgaria on data protection and privacy matters. We can assist with CPDP compliance audits, DPO services, data breach response, cross-border transfer structuring, and representation in CPDP enforcement proceedings. To receive a consultation, contact: info@vlolawfirm.com.