The text below is kindly provided by
Bulgarian data protection legislation is based on the principles agreed in European legislation, which facilitates the free movement of personal information within the European Union while guaranteeing an equal level of protection. This is a comparatively new element of the Bulgarian legal system, and continuous efforts to ensure its effective application are still under way. The competent national regulatory authority vested with supervisory powers over compliance with data protection rules is the Commission for Personal Data Protection, and one of its priority tasks is ensuring compliance by state authorities, companies and individuals.
Main Legislative Framework
The main legislative act regulating data protection in Bulgaria is the Personal Data Protection Act (“PDPA”) of 2002 (last amended 2009). The PDPA has been harmonized with the relevant European requirements as set out in Directive 95/46/EC and provides for the same level of data protection in Bulgaria as in the European Union. In addition, Bulgaria has ratified Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which has been in force in the country since January 1, 2003.
The competent national regulatory authority is the Personal Data Protection Commission (the "Commission") (www.cpdp.bg). In its official capacity as regulator, the Commission is entitled to monitor compliance with the requirements for the protection of personal data. The Commission is competent to investigate cases, to issue mandatory instructions, and to impose fines and restrictions, including ordering a temporary prohibition of unlawful personal data processing. According to the Commission's 2008 Annual Report, accepted by the 41st Bulgarian National Assembly on September 1, 2009, the Commission is considered to function effectively and in accordance with European data protection standards.
Registration with the Commission is required before a data controller initiates any personal data processing. The registration comprises general registration as a data controller and registration of the personal data registers controlled by that data controller. Any change to the registered data or registers requires prior notification of the Commission. At present, registration is free of charge.
General Principles of Data Protection
There are several main principles which govern the processing of personal data within Bulgaria as a member state of the EU. In general, personal data must be:
Processed fairly and lawfully;
Processed only for specific and legal purposes and used only for the purposes stated at the time it is collected;
Adequate, relevant and not excessive for the purposes for which it is processed;
Accurate, complete and where necessary kept up-to-date;
Not kept in personally identifiable form longer than necessary;
Processed in accordance with the rights of the data subject under applicable law;
Not transferred to countries that do not have adequate data protection laws unless the data exporter takes certain specific steps to ensure that the data is adequately protected.
In addition to the above principles, a data controller may process personal data only if at least one of the following conditions is satisfied:
The processing is pursuant to a statutory obligation of the data controller;
The respective person has provided his/her explicit consent;
The processing is necessary for the performance of a contract to which the data subject is a party;
The processing is necessary for the protection of the life and health of the data subject;
The processing is necessary for the controller to carry out certain duties, in the public interest or by virtue of law;
The processing is necessary for the purpose of legitimate interests pursued by the data controller or data recipients, provided that the interests of the data subject are protected.
Transfer of Personal Data
The transfer of personal data within the EU and the EEA is unrestricted. The transfer of personal data outside the EU and the EEA is permissible only on condition that the recipient state can ensure an adequate level of personal data protection within its territory. The assessment of the adequacy of the level of personal data protection in the recipient state is made by the Commission. The Commission does not undertake its own assessment where a decision of the European Commission has to be implemented in which the European Commission has ruled that (1) the third country to which the personal data are transferred ensures an adequate level of protection; or (2) appropriate contractual clauses are in place ensuring an adequate level of protection (the EU model contractual clauses). The Commission has not issued any statement of approval or recognition regarding the use of binding corporate rules (BCR). Should the Commission consider the level of personal data protection in the recipient state unsatisfactory, it may prohibit the transfer. Even in such a case, the Commission may authorise the transfer if the data controller provides sufficient guarantees with respect to the protection of the individual's fundamental rights. In any case, the data controller must notify the Commission in advance of its intention to transfer personal data to countries outside the EU and the EEA, specifying the destination countries, the purpose of the transfer and the categories of personal data to be transferred.
Administrative sanctions in the form of fines for violations of the PDPA range from BGN 10,000 to BGN 100,000.
Data controllers are liable for any damage caused to an individual as a result of unlawful processing or of a breach of the technical requirements of data protection. The data controller is also liable for any damage caused by a data processor acting on its behalf.