Bulgaria Data Privacy Laws: GDPR Implementation Guide (2026)

Bulgaria's data protection story is defined by a single event that transformed the country's approach to privacy compliance. In 2019, a massive data breach at the National Revenue Agency exposed personal information of over 6 million individuals, affecting nearly the entire adult population. The resulting enforcement action and public outcry elevated data protection from a bureaucratic obligation to a national priority.
This guide covers Bulgaria's complete data protection framework, from the legal foundations through enforcement practices and the lessons that the NRA breach taught about the cost of inadequate security.
Legal Framework and GDPR Implementation
Bulgaria's data protection system operates under the GDPR as supplemented by the Personal Data Protection Act (Zakon za zashtita na lichnite danni, or LPPD). The LPPD has been substantially amended to incorporate GDPR requirements and to address the areas where the regulation permits or requires national legislation.

The GDPR became directly applicable in Bulgaria on 25 May 2018. The amendments to the LPPD that aligned it with the GDPR were adopted by the Bulgarian parliament and established the national framework for implementation.
The LPPD addresses several specific areas including the structure and powers of the CPDP, rules for processing certain categories of personal data, provisions on video surveillance, rules for the processing of personal data for journalistic, academic, artistic, or literary purposes, and the transposition of the Law Enforcement Directive.
Constitutional Foundation
The Bulgarian Constitution provides the foundation for data protection rights. Article 32 guarantees that no one shall be subjected to interference with their privacy, family life, or correspondence, and that everyone has the right to protection against unlawful interference. Article 34 protects the freedom and secrecy of correspondence and other communications.
The CPDP: Bulgaria's Data Protection Authority
The Commission for Personal Data Protection (CPDP) is Bulgaria's independent supervisory authority responsible for overseeing compliance with data protection legislation. The CPDP is a collegial body consisting of a chairperson and four members, all appointed by the National Assembly (parliament) for five-year terms.
The CPDP operates with its own budget and a total staff of 117 people. This staffing level makes it one of the larger data protection authorities among the newer EU member states in Central and Eastern Europe.
Powers and Functions
The CPDP holds the full range of GDPR supervisory and enforcement powers. It can investigate complaints and conduct inspections on its own initiative, issue corrective measures including warnings, reprimands, and compliance orders, impose temporary or permanent processing bans, and levy administrative fines.
The CPDP also maintains advisory and awareness-raising functions. It provides guidance on data protection compliance, issues opinions on proposed legislation, and conducts public education campaigns about data protection rights and obligations.
Enforcement Focus Areas
According to the CPDP's activity reports, the complaints and notifications it receives predominantly concern electronic communications, postal operators, online betting, fast credit services, private enforcement agents, and direct marketing. These sectors have generated the most compliance issues and enforcement attention.
Fines and Penalties
Bulgaria follows the GDPR's standard two-tier penalty framework. Fines of up to EUR 10 million or 2% of worldwide annual turnover apply to certain violations, while more serious infringements can attract fines of up to EUR 20 million or 4% of worldwide annual turnover.
Most enforcement actions in Bulgaria have been based on violations of data processing principles (Article 5 GDPR), insufficient legal basis for processing (Article 6 GDPR), or inappropriate security measures (Article 32 GDPR).
Notable Enforcement Actions
National Revenue Agency (EUR 2.55 Million, 2019): The largest GDPR fine in Bulgarian history was imposed on the National Revenue Agency (NRA) after a catastrophic data breach. Hackers gained unauthorized access to NRA systems and obtained personal data of approximately 6,074,140 individuals, representing nearly the entire adult population of Bulgaria. The stolen data included names, personal identification numbers (EGN), addresses, income information, and tax data. The CPDP found that the NRA had failed to implement adequate technical and organizational security measures as required by the GDPR, and imposed a fine of approximately BGN 5.1 million (EUR 2.55 million).
DSK Bank (EUR 500,000): DSK Bank was fined approximately BGN 1 million (EUR 500,000) after unauthorized parties accessed personal and financial data of more than 33,000 customers. The CPDP determined that the bank had not implemented appropriate technical and organizational security measures to protect customer data.
Bulgarian Post EAD (EUR 500,000, 2022): Bulgarian Post was fined BGN 1 million (approximately EUR 500,000) for inappropriate technical and operational measures that resulted in unauthorized access and disclosure of personal data.
Political Party (EUR 12,786, 2023): The CPDP fined a political party BGN 25,000 for unlawful processing of personal data of supporters in connection with national parliamentary elections, demonstrating that enforcement extends beyond the private sector.
The NRA Breach: A National Wake-Up Call
The 2019 National Revenue Agency breach deserves special attention because of its scale and impact on Bulgarian data protection awareness.
A hacker gained access to NRA servers and exfiltrated personal data of over 6 million people. The stolen information was initially shared via email with Bulgarian journalists, and portions subsequently appeared online. The breach exposed names, addresses, EGN (personal identification numbers), income data, tax information, and social security details.
The incident had profound consequences for Bulgarian data protection policy. It prompted a national discussion about cybersecurity in government institutions, led to increased CPDP scrutiny of public sector data handling practices, and raised public awareness of data protection rights to a level not seen before in Bulgaria.
EGN Personal Identification Number
Bulgaria's Edinen Grazhdanski Nomer (EGN), or unified civil number, is a unique personal identification number assigned to Bulgarian citizens. The EGN is widely used across government administration, healthcare, social services, and private sector interactions.
The CPDP has established guidelines on EGN processing that limit unnecessary disclosure. When administrative sanctions such as public reprimands are published, the EGN, date and place of birth, ID number, exact address, personal data of third parties, and other unrelated personal data should not be disclosed.
The NRA breach highlighted the catastrophic risks of EGN exposure, as the stolen database included EGN numbers for millions of citizens, potentially enabling identity theft and fraud on a national scale.
Video Surveillance
The LPPD includes specific provisions on video surveillance that supplement the GDPR's general framework. Organizations deploying CCTV systems must have a legitimate basis for surveillance, provide clear information to individuals entering surveilled areas, conduct data protection impact assessments where required, and establish proportionate retention periods.
The CPDP has issued guidance on video surveillance compliance and has investigated complaints about inappropriate camera use in workplaces, residential buildings, and commercial premises.
Data Breach Notification
Standard GDPR breach notification requirements apply in Bulgaria. Controllers must notify the CPDP within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. The NRA case demonstrated that the CPDP takes breach reporting seriously and will investigate both the breach itself and the adequacy of the security measures that were in place.
International Data Transfers
Bulgaria follows the standard GDPR framework for international data transfers. Transfers outside the EEA require an adequacy decision, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, or applicable derogations.
Age of Digital Consent
Bulgaria has set the age of digital consent at 14. Children aged 14 and older may consent independently to information society services, while younger children require parental authorization.
Journalism and Expression Exemptions
The LPPD includes provisions addressing the balance between data protection and freedom of expression. Processing of personal data for journalistic, academic, artistic, or literary purposes benefits from certain exemptions from GDPR requirements, reflecting the need to protect freedom of expression alongside data protection rights.
Practical Compliance Tips
Organizations operating in Bulgaria should prioritize cybersecurity measures. The NRA and DSK Bank fines demonstrate that the CPDP treats security failures as serious violations deserving substantial penalties. Conduct regular security assessments and ensure that technical measures are actually implemented, not just documented.
EGN handling requires careful attention. Minimize the collection and storage of EGN numbers, and ensure they are not included in communications, published documents, or data exports where they are not strictly necessary.
Organizations in high-complaint sectors such as electronic communications, online betting, fast credit services, and direct marketing should expect heightened CPDP scrutiny. Review compliance practices proactively rather than waiting for a complaint to trigger an investigation.
Ensure breach response procedures are tested and ready. The scale of the NRA breach was compounded by delayed detection and response. Organizations should have incident response plans that enable rapid identification, containment, and notification of data breaches.
Disclaimer: This article provides general information about Bulgaria's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Bulgaria for guidance on your specific situation.
Sources and References
- CPDP Official (cpdp.bg)
- Personal Data Protection Act (cpdp.bg)
- Pinsent Masons NRA Fine (pinsentmasons.com)
- Wolf Theiss Bulgaria Fines (wolftheiss.com)
- CMS Enforcement Tracker (cms.law)
- GDPRhub Bulgaria (gdprhub.eu)