Data Privacy Law and GDPR Implementation in Bulgaria

Bulgaria’s Protection of Personal Data Act 2002 or the Act for short is a data privacy law that was originally passed in 2002. Prior to the passing of the General Data Protection Regulation or GDPR in 2016, data protection within the country of Bulgaria was governed by the Protection of Personal Data Act 2002. However, as Bulgaria is one of the many nations that make up the European Union, the Personal Data Act 2002 was amended to implement the applicable provisions of the EU’s GDPR law into Bulgarian law, effectively laying the legal framework from which personal data may be collected and processed within Bulgaria, as well as the punishments that can be imposed against individuals and organizations who are found to be in violation of said framework.

What is the scope and application of Bulgaria’s Protection of Personal Data Act 2002?

In terms of the scope and application of Bulgaria’s Protection of Personal Data Act 2002, the personal scope of the law “applies to organizations that process the data of identifiable natural persons. Personal data of deceased persons may be processed only based on legal grounds.” Alternatively, the territorial scope of the “law applies in the territory of the Republic of Bulgaria and imposes obligations on controllers and processors who process the data of natural persons in Bulgaria.” Moreover, the material scope of the law “covers the rules for the processing of personal data by private organizations and public authorities, specific categories of personal data, and personal data by automated means.”

What are the requirements of data controllers and processors under Bulgaria’s Protection of Personal Data Act 2002?

The requirements of data controllers and processors under Bulgaria’s Protection of Personal Data Act 2002 are largely the same as those that are set forth by the EU’s GDPR law. Under the EU’s GDPR law, data controllers and processors are responsible for adhering to a number of data protection principles when collecting or processing personal data. These principles include but are not limited to lawfulness, fairness and transparency, and data minimization. Additionally, the two laws vary as it pertains to the age of consent concerning data collection and processing. Under the EU’s GDPR law, the age of consent is 16, while Bulgaria’s Protection of Personal Data Act 2002 lowers this legal age to 14.

Furthermore, Bulgaria’s Protection of Personal Data Act 2002 also varies from the EU’s GDPR law as it relates to Data Protection Impact Assessments, or DPIAs for short. Under Bulgaria’s Protection of Personal Data Act 2002, data controllers and processors within the country must conduct DPIA’s if they carry out any of the following types of data processing operations:

• Large scale processing of biometric data for the unique identification of the individual which is not sporadic;
• Processing of genetic data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing of location data for profiling purposes which produces legal effects for the data subject or similarly significantly affects them;
• Processing operations for which the provision of information to the data subject pursuant to Article 14 of the GDPR is impossible or would involve disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing, when they are linked to large scale processing;
• Personal data processing by the controller with the main place of establishment outside the EU when its designated representative for the EU is located on the territory of the Republic of Bulgaria;

What are the penalties for violating Bulgaria’s Protection of Personal Data Act 2002?

Bulgaria’s Protection of Personal Data Act 2002 is enforced by the Commission for Personal Data Protection or the CPDP for short. To this end, the CPDP has the authority to “impose sanctions (fines), as well as compulsory administrative measures (such as the issuance of warnings, orders to comply with certain requirements, etc.).” Such sanctions include a monetary fine ranging from BGN 5,000 ($2,901) to €2.6 million ($2,947,776), as well as a fine that can amount to “double the amount of the initially imposed fine, but not more than the maximum envisaged in Article 83 of the GDPR.” What’s more, data controllers and processors also face fines ranging from 2% of a company’s global turnover; or €10,000,000.00 ($11,291,250), whichever is higher, and fines ranging from 4% of a company’s global turnover, or €20,000,000.00 ($22,583,400), whichever is higher.

Through the amendment of Bulgaria’s Protection of Personal Data Act, 2002 is in accordance with the provisions of the EU’s GDPR law, the data protection and privacy rights of Bulgarian citizens were legally guaranteed. As Bulgaria has a strong history of providing such legal protections to its citizens, the implementation of the General Data Protection Regulation is fitting advancement in terms of the protection of personal data and privacy in the 21st century. Through the passing of such legislation, the European Union continues to set an international standard with respect to personal data protection that will continue to influence other nations for years to come.