Data & Privacy ยท Bulgaria
Data protection & GDPR compliance in Bulgaria (2026)
Bulgaria shaded by its data & privacy status
Data protection in Bulgaria: comprehensive law, under EU GDPR (Regulation (EU) 2016/679) directly applicable, supplemented by Bulgaria's Personal Data Protection Act (PDPA, State Gazette No. 17/26.02.2019, in force 2 March 2019); supervised by the Commission for Personal Data Protection (CPDP).
Bulgaria operates under the EU GDPR as the primary binding framework, complemented by the national PDPA which exercises permitted national discretions covering employment data, children's consent for digital services, personal identification numbers, and data of deceased persons. The Commission for Personal Data Protection (CPDP) is the independent supervisory authority, while the Inspectorate to the Supreme Judicial Council holds concurrent competence for judicial-body processing. NIS2 transposition via Cybersecurity Act amendments entered into force in February 2026, integrating incident-reporting pathways with GDPR breach notification.
GDPR & data protection in Bulgaria
In Bulgaria, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Commission for Personal Data Protection (CPDP).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Commission for Personal Data Protection (CPDP)
- Applies to
- any organisation processing the personal data of people in Bulgaria, wherever the organisation is based
- Maximum fine
- โฌ20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Bulgaria supplements it with a national data-protection act and its own supervisory authority.
GDPR in Bulgaria: FAQ
Yes. As an EU/EEA member, Bulgaria applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Commission for Personal Data Protection (CPDP).
The Commission for Personal Data Protection (CPDP).
Up to โฌ20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The GDPR applies directly as EU law. The national PDPA (State Gazette No. 17/26.02.2019) supplements it without repeating GDPR provisions, exercising national discretions permitted by Articles 6(2), 9(4), and 88, replacing the prior 2002 Data Protection Act.
The Commission for Personal Data Protection (CPDP), an independent body comprising a chairman and four members, is the lead supervisory authority for both GDPR and PDPA compliance. The Inspectorate to the Supreme Judicial Council holds concurrent competence exclusively for data processing by courts, prosecution offices, and criminal investigative bodies acting as judicial authorities.
The PDPA addresses areas where GDPR grants member-state discretion: employment-related data processing, a 14-year age threshold for children's consent to information-society services, use of personal identification numbers, freedom of expression and journalism exemptions, and processing of data belonging to deceased individuals.
The largest GDPR enforcement action in Bulgaria was a BGN 5.1 million (~โฌ2.61 million) fine against the National Revenue Agency following unlawful access and online distribution of personal data of more than 6 million individuals. Routine CPDP sanctions have generally been modest (BGN 1,000-10,000), partly due to resource constraints and governance issues within the commission.
Since May 2023, the CPDP has been additionally designated as the competent controlling body under the Bulgarian Whistleblower Protection Act, expanding its regulatory remit beyond personal data supervision.
Bulgaria's Cybersecurity Act amendments transposing the NIS2 Directive entered into force on 17 February 2026 following significant delay (the EU Commission issued a reasoned opinion for non-transposition in May 2025). The framework establishes a single-entry notification point harmonising breach-reporting obligations across NIS2, GDPR, DORA, and eIDAS.
Timeline - major decisions & events
The CPDP's 2024 activity report (budget BGN 6.4 M / ~EUR 3.27 M) recorded no individually published decisions, with enforcement concentrated in telecom, postal operators, online betting, fast crediting, private enforcement agents, and direct marketing. Bulgaria's average sanction continues to rank among the lowest in the EU, reflecting the regulator's conservative posture.
CMS GDPR Enforcement Tracker 2024 โA PDPA amendment effective May 2023 formally added a second supervisory mandate to the CPDP, making it the competent controlling body under Bulgaria's new Whistleblower Protection Act. This expanded the Commission's jurisdiction beyond pure data protection for the first time since its founding.
CEE Legal Matters 2024 (citing CPDP annual report) โDecision No. 8/2019 (Constitutional Case 4/2019) declared Article 25ะท(2) of the PDPA unconstitutional, finding its open-ended balancing criteria impermissibly elevated privacy rights over freedom of expression. The ruling created a legislative vacuum: Bulgaria lost its GDPR Article 85 implementing provision, leaving the scope of the journalistic exemption unresolved.
AmCham Bulgaria (reporting on Constitutional Court Decision 8/2019) โThe CPDP imposed a BGN 5,100,000 (~EUR 2.6 million) fine on the National Revenue Agency under GDPR Article 32 for failing to maintain adequate security over databases holding fiscal and personal data of millions of citizens. This remains the largest privacy fine in Bulgarian history and triggered lasting debate about state-sector cyber-governance.
Wolf Theiss (citing CPDP decision, August 2019) โA hacker breached the NRA's online tax-return infrastructure and exfiltrated ~11 GB of records encompassing the personal and fiscal data of over five million citizens, effectively Bulgaria's entire adult population, leaking the dataset to national media. It was, and remains, the country's largest data breach on record.
BankInfoSecurity โThe comprehensively amended Personal Data Protection Act (promulgated State Gazette No. 17, 26 February 2019) took effect on 1 March 2019, formally designating the CPDP as Bulgaria's GDPR supervisory authority, transposing the EU Law Enforcement Directive (2016/680), and adding sectoral rules for employment data, recruitment records, and children's data. The law closed a nine-month gap during which GDPR applied but Bulgaria lacked a designated DPA.
CMS Law (citing State Gazette No. 17/2019) โBy parliamentary decision of 23 May 2002, Bulgaria elected the founding members of the CPDP, a Chair and four Members, operationalising the supervisory framework mandated by the January 2002 PDPA. The Commission has since served as Bulgaria's sole independent data-protection regulator for both the public and private sectors.
CPDP โ Official History โPromulgated in State Gazette No. 1 of 4 January 2002 and entering into force on 1 January 2002, the PDPA transposed EU Directive 95/46/EC. It established data-subject rights, controller obligations, a registration regime, and the legal basis for an independent supervisory authority, marking Bulgaria's integration into the EU privacy framework ahead of its 2007 accession.
CPDP โ Personal Data Protection Act (official text) โBulgaria - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ