Skip to content
World Watch/Bulgaria/Data & Privacy

Data & Privacy ยท Bulgaria

Data protection & GDPR compliance in Bulgaria (2026)

Comprehensive lawEU GDPR (Regulation (EU) 2016/679) directly applicable, supplemented by Bulgaria's Personal Data Protection Act (PDPA, State Gazette No. 17/26.02.2019, in force 2 March 2019); supervised by the Commission for Personal Data Protection (CPDP)Country index 96 ยท A+

Bulgaria shaded by its data & privacy status

Data protection in Bulgaria: comprehensive law, under EU GDPR (Regulation (EU) 2016/679) directly applicable, supplemented by Bulgaria's Personal Data Protection Act (PDPA, State Gazette No. 17/26.02.2019, in force 2 March 2019); supervised by the Commission for Personal Data Protection (CPDP).

Bulgaria operates under the EU GDPR as the primary binding framework, complemented by the national PDPA which exercises permitted national discretions covering employment data, children's consent for digital services, personal identification numbers, and data of deceased persons. The Commission for Personal Data Protection (CPDP) is the independent supervisory authority, while the Inspectorate to the Supreme Judicial Council holds concurrent competence for judicial-body processing. NIS2 transposition via Cybersecurity Act amendments entered into force in February 2026, integrating incident-reporting pathways with GDPR breach notification.

GDPR & data protection in Bulgaria

In Bulgaria, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Commission for Personal Data Protection (CPDP).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Commission for Personal Data Protection (CPDP)
Applies to
any organisation processing the personal data of people in Bulgaria, wherever the organisation is based
Maximum fine
โ‚ฌ20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Bulgaria supplements it with a national data-protection act and its own supervisory authority.

GDPR in Bulgaria: FAQ

Does the GDPR apply in Bulgaria?

Yes. As an EU/EEA member, Bulgaria applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Commission for Personal Data Protection (CPDP).

Who enforces data protection law in Bulgaria?

The Commission for Personal Data Protection (CPDP).

What are the GDPR fines in Bulgaria?

Up to โ‚ฌ20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Bulgaria?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Bulgaria?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary Legal Basis

The GDPR applies directly as EU law. The national PDPA (State Gazette No. 17/26.02.2019) supplements it without repeating GDPR provisions, exercising national discretions permitted by Articles 6(2), 9(4), and 88, replacing the prior 2002 Data Protection Act.

Supervisory Authority

The Commission for Personal Data Protection (CPDP), an independent body comprising a chairman and four members, is the lead supervisory authority for both GDPR and PDPA compliance. The Inspectorate to the Supreme Judicial Council holds concurrent competence exclusively for data processing by courts, prosecution offices, and criminal investigative bodies acting as judicial authorities.

National PDPA Specifics

The PDPA addresses areas where GDPR grants member-state discretion: employment-related data processing, a 14-year age threshold for children's consent to information-society services, use of personal identification numbers, freedom of expression and journalism exemptions, and processing of data belonging to deceased individuals.

Enforcement Record

The largest GDPR enforcement action in Bulgaria was a BGN 5.1 million (~โ‚ฌ2.61 million) fine against the National Revenue Agency following unlawful access and online distribution of personal data of more than 6 million individuals. Routine CPDP sanctions have generally been modest (BGN 1,000-10,000), partly due to resource constraints and governance issues within the commission.

Whistleblower Protection Integration

Since May 2023, the CPDP has been additionally designated as the competent controlling body under the Bulgarian Whistleblower Protection Act, expanding its regulatory remit beyond personal data supervision.

NIS2 & Harmonised Incident Reporting

Bulgaria's Cybersecurity Act amendments transposing the NIS2 Directive entered into force on 17 February 2026 following significant delay (the EU Commission issued a reasoned opinion for non-transposition in May 2025). The framework establishes a single-entry notification point harmonising breach-reporting obligations across NIS2, GDPR, DORA, and eIDAS.

Timeline - major decisions & events

Jan 1, 2024decision
CPDP 2024 Activity Report: Minimal Published Decisions, Sector Focus Identified

The CPDP's 2024 activity report (budget BGN 6.4 M / ~EUR 3.27 M) recorded no individually published decisions, with enforcement concentrated in telecom, postal operators, online betting, fast crediting, private enforcement agents, and direct marketing. Bulgaria's average sanction continues to rank among the lowest in the EU, reflecting the regulator's conservative posture.

CMS GDPR Enforcement Tracker 2024 โ†—
May 1, 2023law
PDPA Amendment Designates CPDP as Whistleblower Protection Authority

A PDPA amendment effective May 2023 formally added a second supervisory mandate to the CPDP, making it the competent controlling body under Bulgaria's new Whistleblower Protection Act. This expanded the Commission's jurisdiction beyond pure data protection for the first time since its founding.

CEE Legal Matters 2024 (citing CPDP annual report) โ†—
Nov 15, 2019decision
Constitutional Court Strikes Down PDPA's Journalistic-Exception Balancing Test

Decision No. 8/2019 (Constitutional Case 4/2019) declared Article 25ะท(2) of the PDPA unconstitutional, finding its open-ended balancing criteria impermissibly elevated privacy rights over freedom of expression. The ruling created a legislative vacuum: Bulgaria lost its GDPR Article 85 implementing provision, leaving the scope of the journalistic exemption unresolved.

AmCham Bulgaria (reporting on Constitutional Court Decision 8/2019) โ†—
Aug 29, 2019enforcement
NRA Fined BGN 5.1 Million, Bulgaria's Record GDPR Sanction

The CPDP imposed a BGN 5,100,000 (~EUR 2.6 million) fine on the National Revenue Agency under GDPR Article 32 for failing to maintain adequate security over databases holding fiscal and personal data of millions of citizens. This remains the largest privacy fine in Bulgarian history and triggered lasting debate about state-sector cyber-governance.

Wolf Theiss (citing CPDP decision, August 2019) โ†—
Jul 15, 2019incident
National Revenue Agency Mega-Breach Exposes Data of 5 Million+ Bulgarians

A hacker breached the NRA's online tax-return infrastructure and exfiltrated ~11 GB of records encompassing the personal and fiscal data of over five million citizens, effectively Bulgaria's entire adult population, leaking the dataset to national media. It was, and remains, the country's largest data breach on record.

BankInfoSecurity โ†—
Mar 1, 2019law
Revised PDPA Enters into Force: GDPR and Law Enforcement Directive Implemented

The comprehensively amended Personal Data Protection Act (promulgated State Gazette No. 17, 26 February 2019) took effect on 1 March 2019, formally designating the CPDP as Bulgaria's GDPR supervisory authority, transposing the EU Law Enforcement Directive (2016/680), and adding sectoral rules for employment data, recruitment records, and children's data. The law closed a nine-month gap during which GDPR applied but Bulgaria lacked a designated DPA.

CMS Law (citing State Gazette No. 17/2019) โ†—
May 23, 2002decisionofficial
Parliament Establishes the Commission for Personal Data Protection (CPDP)

By parliamentary decision of 23 May 2002, Bulgaria elected the founding members of the CPDP, a Chair and four Members, operationalising the supervisory framework mandated by the January 2002 PDPA. The Commission has since served as Bulgaria's sole independent data-protection regulator for both the public and private sectors.

CPDP โ€” Official History โ†—
Jan 4, 2002lawofficial
Personal Data Protection Act Enacted, Bulgaria's Foundational Privacy Law

Promulgated in State Gazette No. 1 of 4 January 2002 and entering into force on 1 January 2002, the PDPA transposed EU Directive 95/46/EC. It established data-subject rights, controller obligations, a registration regime, and the legal basis for an independent supervisory authority, marking Bulgaria's integration into the EU privacy framework ahead of its 2007 accession.

CPDP โ€” Personal Data Protection Act (official text) โ†—

Bulgaria - other topics

Data & Privacy in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’