Data protection & privacy laws in Bulgaria (2026)
Bulgaria operates under the EU GDPR as the primary binding framework, complemented by the national Personal Data Protection Act (PDPA), which exercises permitted national discretions covering employment data, children's consent for digital services, personal identification numbers, and data of deceased persons. The Commission for Personal Data Protection (CPDP) is the independent supervisory authority, while the Inspectorate to the Supreme Judicial Council holds concurrent competence for judicial-body processing. NIS2 transposition via Cybersecurity Act amendments entered into force in February 2026, integrating incident-reporting pathways with GDPR breach notification.
Key points
The GDPR applies directly as EU law. The national PDPA (State Gazette No. 17/26.02.2019) supplements it without repeating GDPR provisions, exercising national discretions permitted by Articles 6(2), 9(4), and 88, replacing the prior 2002 Data Protection Act.
The Commission for Personal Data Protection (CPDP), an independent body comprising a chairman and four members, is the lead supervisory authority for both GDPR and PDPA compliance. The Inspectorate to the Supreme Judicial Council holds concurrent competence exclusively for data processing by courts, prosecution offices, and criminal investigative bodies acting as judicial authorities.
The PDPA addresses areas where GDPR grants member-state discretion: employment-related data processing, a 14-year age threshold for children's consent to information-society services, use of personal identification numbers, freedom of expression and journalism exemptions, and processing of data belonging to deceased individuals.
The largest GDPR enforcement action in Bulgaria was a BGN 5.1 million (~€2.61 million) fine against the National Revenue Agency following unlawful access and online distribution of personal data of more than 6 million individuals. Routine CPDP sanctions have generally been modest (BGN 1,000–10,000), partly due to resource constraints and governance issues within the commission.
Since May 2023, the CPDP has been additionally designated as the competent controlling body under the Bulgarian Whistleblower Protection Act, expanding its regulatory remit beyond personal data supervision.
Bulgaria's Cybersecurity Act amendments transposing the NIS2 Directive entered into force on 17 February 2026 following significant delay (the EU Commission issued a reasoned opinion for non-transposition in May 2025). The framework establishes a single-entry notification point harmonising breach-reporting obligations across NIS2, GDPR, DORA, and eIDAS.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.