Data Protection in Bulgaria

From GDPRhub
Data Protection Authority: CPDP (Bulgaria)
National Implementation Law (Original): Data Protection Act (2019)
English Translation of National Implementation Law: English Translation
Official Language(s): Bulgarian
National Legislation Database(s): Link
English Legislation Database(s): n/a
National Decision Database(s): n/a


Legislation

History

No separate data protection law. Directive 95/46/EC was implemented by the Personal Data Protection Act (Закон за защита на личните данни), promulgated in State Gazette No. 1/4.01.2002, which entered into force on 1.01.2002. Bulgarian law does not define legal entities as data subjects (only natural persons). The term ‘data protection’ (or ‘право на защита на личните данни’) appeared for the first time.

National constitutional protections

The constitutional right to data protection is established by Article 32 para. 1. The ECHR was ratified in 1992, whereby the right to privacy in Article 8 was established in Bulgaria.

National GDPR implementation law

In Bulgaria the GDPR is implemented by the Personal Data Protection Act or PDPA, promulgated with State Gazette No. 17/26.02.2019 and entered into force on 2nd March 2019.

The Bulgarian government has also passed numerous laws to update data protection rules and terminology in many other national provisions.

Age of consent

According to Art. 25c PDPA, the age of consent is 14 years old, in line with Bulgarian civil law provisions. Processing of the personal data of children below 14 years old (which includes but is not limited to processing in relation to online services) may only take place if valid consent is given by the parents or legal guardians.

There are no specific provisions regarding the processing of personal data of children aged 14 to 18 years. Under the general rules of Bulgarian law they have limited legal capacity, i.e. prior consent of their parents or legal guardians is necessary, except for minor transactions relating to children’s ongoing and customary needs and for transactions where children receive the benefit in consideration of their labor.

Freedom of Speech

Under the PDPA, the processing of personal data for journalistic purposes is lawful when carried out on the grounds of freedom of expression and the right to information, while simultaneously respecting privacy (Article 25h PDPA).

Where personal data is processed for journalistic purposes, certain provisions of the GDPR do not apply: Article 6 GDPR, Article 9 GDPR, Article 10 GDPR, Article 30 GDPR and Article 34 GDPR, as well as the provision of the PDPA governing the processing of personal data of a child (Article 25c). Moreover, the controller or processor may deny the data subjects, fully or partially, the exercise of their rights pursuant to Articles 12-21 GDPR.

The Draft Law for the implementation of the GDPR had introduced certain criteria for evaluating the balance between the freedom of expression and the right to information, and the right to personal data protection. However, the Bulgarian Constitutional Court ruled them unconstitutional in Decision No 9/15.11.2019. The court found that the criteria were too vague and could lead to different interpretations, opening the way for the Commission for Personal Data Protection “to have unpredictable power to interpret it not necessarily in the public interest regarding pluralistic information about the policies and activities of the government”.

Employment context

Personal data can be processed for recruitment, employment and tax purposes. Data protection matters in the employment context are regulated in Articles 25i and 25j of the PDPA.

According to Article 25i, any employer or appointing authority, in the capacity of data controller, shall adopt rules and procedures for: (1) use of an infringement reporting system; (2) restrictions on the use of internal company resources; (3) implementation of a control system for access, working time and discipline. The rules and procedures shall contain information relating to the scope, obligations and methods for their practical application, and shall take into consideration the activity of the employer or appointing authority and the related nature of work. They may not restrict the rights of data subjects pursuant to the GDPR and the PDPA. Employees shall be informed about these rules and procedures.

The employer or appointing authority, in the capacity of data controller, shall determine a storage period for the personal data of candidates in staff selection procedures, which may not be longer than 6 months, unless the applicant has given consent for a longer period of storage. When the period expires, the employer or appointing authority shall erase or destroy the documents containing personal data unless otherwise provided for by a special law.

In addition, under the Bulgarian Labour Code, any employer is required to keep a record for each employee, containing documents related to the occurrence, existence, modification and termination of the employment relationship. There are specific provisions defining what kind of documents are necessary (e.g. originals or copies certified by a notary, ascertaining the physical and mental fitness of the applicant, the required qualification degree and experience for the position held), and the deadlines for the storage of the personal data, depending on the type of document and the information it contains.

Research

According to Article 25h of the PDPA, the processing of personal data for the purposes of academic, artistic or literary expression shall be lawful when carried out on the ground of freedom of expression and the right to information, while simultaneously respecting privacy.

Where personal data is processed for the purposes of creating a photographic or audio-visual work by means of capturing the image of a person in the course of public activity or in a public place, Article 6, Articles 12 to 21, and Articles 30 to 34 of the GDPR shall not apply (Article 25 para. 5).

Other relevant national provisions and laws

Spam. For the sending of unsolicited commercial communication to e-mail addresses, the relevant specific provisions include Articles 4 to 7 of the E-Commerce Act (‘Закон за електронната търговия’). Spam e-mails are regulated in Article 261 of the Electronic Communications Act (‘Закон за електронните съобщения’) and Articles 5 and 6 of the E-Commerce Act.

Regarding direct marketing, the E-Commerce Act requires the consent of the subscriber (legal and natural person) as a condition for lawfully carrying out direct marketing and advertising by e-mail, with or without human intervention (Article 261). Such consent may be withdrawn at any time.

No prior consent is required for cases where the similar products and services exemption applies. The ECA prohibits direct marketing and advertising e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) the provided opt-out address is not valid.

Additionally, pursuant to the E-Commerce Act, the Bulgarian Commission on Consumer Protection keeps a register of the e-mail addresses of legal entities which have expressly opposed receiving unsolicited commercial communication for direct marketing purposes; sending unsolicited commercial communication to those e-mail addresses is prohibited.

Many other GDPR provisions were introduced in sector-specific laws, throughout the relevant acts.

National ePrivacy Law

The main part of the ePrivacy Directive is implemented in the Electronic Communications Act.

Some amendments to the ePrivacy Directive have not been implemented into Bulgarian national law. For instance, the E-Commerce Act has not yet been amended to implement the consent requirements regarding cookies. The E-Commerce Act allows the use of cookies provided that the user has been informed of the use of cookies and has been given the opportunity to refuse the storage of or access to such cookies, i.e. ‘opt-out’ (Article 4, para. 1, p. 2).

Data Protection Authority

The Bulgarian Data Protection Authority (Комисия за защита на личните данни) is the national data protection authority for Bulgaria.

→ Details see CPDP (Bulgaria)

Judicial protection

Civil Courts


Administrative Courts

In Bulgaria, administrative courts are in charge of data protection claims. According to Article 39 para. 1 of the PDPA, upon any infringement of the rights pursuant to the GDPR and pursuant to this Act, the data subject may appeal against any actions or acts of the data controller and processor before the court pursuant to the Administrative Procedure Code (‘Административно-процесуален кодекс’).

Claims shall be brought before the administrative court of the data subject’s address (Article 133 of the APC). This requires representation by a lawyer. The claim can be further brought before the Bulgarian Supreme Administrative Court (‘Върховен административен съд’).

Data subjects may also submit complaints before the CPDP. The data subject may not bring a violation to the attention of the court if proceedings on the same infringement are pending before the CPDP or a decision of the CPDP regarding the same infringement has been appealed and there is no enforceable judgment of the court. At the request of the data subject, the CPDP shall certify the lack of proceedings pending before it on the same dispute (Article 39, para. 4 of the PDPA).

Constitutional Court

Regarding data protection matters, the role of the Bulgarian Constitutional Court (‘Конституционен съд’) is mainly related to providing binding interpretations of the Constitution and declaring unconstitutional acts adopted by the Parliament.