Bulgaria Data Privacy Laws: GDPR & PDPA Complete Guide (2026)

Personal data in Bulgaria is governed by the EU GDPR (Regulation (EU) 2016/679), which applies directly, and the national Personal Data Protection Act (ZZLD), last amended by State Gazette No. 70 of 20 August 2024. The independent CPDP supervises compliance and may fine violators up to EUR 20 million or 4% of global annual turnover.
Bulgaria implements EU data protection law through the directly applicable General Data Protection Regulation (GDPR) and the national Personal Data Protection Act (ZZLD), supervised by the Commission for Personal Data Protection (CPDP). The framework covers all personal data processing by controllers and processors operating in Bulgaria, regardless of whether the data subjects are Bulgarian citizens.
Information last verified on 2026-05-19. This article presents general legal information about Bulgarian data protection law. It is not legal advice.
Jurisdiction scope: This article addresses the data protection law of the Republic of Bulgaria, principally the EU GDPR (Regulation (EU) 2016/679) and the Bulgarian Personal Data Protection Act (Zakon za zashtita na lichnite danni, ZZLD), as amended through August 2024. It also addresses the EU AI Act (Regulation (EU) 2024/1689) as it applies in Bulgaria, and the ECHR context from Ekimdzhiev and Others v. Bulgaria. For the broader EU framework, see our EU data privacy laws guide. For Bulgarian recording and wiretapping rules, see our Bulgaria recording laws guide.
Quick Answer: Is Bulgaria GDPR-Compliant?
Bulgaria is an EU member state. The GDPR applies directly and in full throughout Bulgaria without the need for national transposition. The Bulgarian Personal Data Protection Act (ZZLD), promulgated in State Gazette No. 17 of 26 February 2019 and most recently amended in State Gazette No. 70 of 20 August 2024, supplements the GDPR in areas where the regulation expressly permits or requires national legislation. These include the structure and powers of the CPDP as supervisory authority, the age of digital consent (set at 14 years), provisions on video surveillance, rules for processing personal data for journalistic and academic purposes, and the transposition of Directive (EU) 2016/680 (the Law Enforcement Directive). Any natural or legal person, including non-EU organizations, that processes personal data of individuals in Bulgaria must comply with both the GDPR and the ZZLD. Non-compliance can result in administrative fines of up to EUR 20 million or 4% of global annual turnover, as well as criminal sanctions under the Bulgarian Criminal Code for certain categories of breach.

Legal Framework: GDPR, the Bulgarian PDPA, and the CPDP
The legal architecture of Bulgarian data protection rests on three layers. First, the GDPR provides the binding EU-level framework, applicable since 25 May 2018. Second, the ZZLD provides national implementing legislation. Third, the CPDP issues binding decisions, guidance, and opinions that interpret the framework in Bulgarian practice.
The ZZLD has been amended several times since 2019 to reflect legislative developments. The known amendment timeline is:
- State Gazette No. 17/26 February 2019 (principal implementing act, entered into force 2 March 2019)
- State Gazette No. 93/26 November 2019 (technical and procedural amendments)
- State Gazette No. 11/2 February 2023 (Whistleblower Protection Act integration, designating the CPDP as competent controlling body under the new Whistleblower Protection Act, entered into force 4 May 2023)
- State Gazette No. 84/6 October 2023 (Electronic Communications Act amendments affecting ePrivacy and direct marketing)
- State Gazette No. 70/20 August 2024 (most recent amendment as of the date of this article)
The Electronic Communications Act (amended October 2023) separately governs cookies, electronic direct marketing, and retention of traffic and location data, supplementing the GDPR's general framework with sector-specific rules. Under the Electronic Communications Act, e-mail marketing to individual subscribers requires prior express consent. Corporate subscribers are excluded from this requirement following 2021 amendments.
Constitutional Foundation
The Bulgarian Constitution of 1991 provides the fundamental rights basis for data protection. Article 32 guarantees that no one shall be subjected to interference with their personal or family affairs or correspondence. Everyone has the right to protection against unlawful collection, storage, use, and dissemination of information about them. Article 34 protects the freedom and secrecy of correspondence and other communications. These constitutional guarantees underpin the ZZLD and give Bulgarian courts the authority to strike down legislation that fails to provide adequate protection.
The Bulgarian Constitutional Court has also engaged with data protection questions. Provisions of the ZZLD that created a predetermined list of criteria for assessing whether processing for journalistic and expression purposes was proportionate were challenged and struck down as unconstitutional, requiring case-by-case balancing instead.

The CPDP: Structure, Powers, and Enforcement
The Commission for Personal Data Protection (CPDP/КЗЛД) is Bulgaria's independent supervisory authority under Article 51 of the GDPR. The CPDP is a collegial body consisting of a chairperson and four members, all appointed by the National Assembly (parliament) for five-year terms. The current chairperson is Borislav Bozhinov. Former chairperson Ventsislav Karadjov also served as a Vice-Chair of the European Data Protection Board during his term.
The CPDP's annual budget for 2024 was BGN 6,403,403 (approximately EUR 3,274,008). The Commission maintains its own staff of approximately 117 people, making it one of the larger data protection authorities among Central and Eastern European EU member states. The CPDP's Rules of Operation were last updated on 28 April 2023.
The CPDP publishes a bimonthly newsletter that provides information on enforcement decisions and regulatory developments. Since 2024, the CPDP has reduced the number of individually published decisions on its website, so the newsletter has become the primary channel for tracking enforcement trends between annual reports.
Since 2023, the CPDP has additionally served as the competent controlling body under Bulgaria's Whistleblower Protection Act (Zakon za zashtita na licata, izvestyavashti za zakononarusheniya ili tekuschata zashtita na licata). Sessions at which the CPDP acts in this capacity are closed.
CPDP Powers and Functions
The CPDP holds the full range of GDPR supervisory and corrective powers under Articles 58 and 83. These include:
- Conducting investigations into complaints filed by individuals or on the CPDP's own initiative
- Carrying out on-site inspections of controllers and processors
- Issuing warnings, reprimands, and orders to comply
- Imposing temporary or permanent bans on processing
- Ordering suspension of data flows to third-country recipients
- Levying administrative fines in accordance with GDPR Articles 83(4) and 83(5)
The CPDP also fulfils advisory functions: issuing opinions on proposed legislation, providing guidance to controllers, and conducting public awareness campaigns. It maintains a public register of controllers and processors who have appointed Data Protection Officers, and a register of accredited certification bodies.
The CPDP does not itself enforce its fines through collection proceedings. Enforcement of financial sanctions follows a separate administrative procedure under the Bulgarian Administrative Violations and Penalties Act (ZANN). This distinction is relevant for businesses assessing the timeline from fine imposition to actual collection.
Enforcement Statistics
CPDP enforcement activity by year:
| Year | On-Site Inspections | Complaints/Notifications | Total Fines Imposed |
|---|---|---|---|
| 2022 | 324 (predominantly video surveillance) | Not specified | BGN 1,000,000+ (Bulgarian Post alone) |
| 2023 | 237 | Not specified | BGN 25,000 (political party); BGN 2,000 (Interior Ministry) |
| 2024 | Not specified | 637 | BGN 74,700 (~EUR 38,194) |
The CPDP's 2024 Activity Report confirms that complaints and notifications predominantly concern electronic communications, postal operators, online betting, fast credit services, private enforcement agents, and direct marketing. The reduction in on-site inspections from 324 in 2022 to 237 in 2023 reflects a shift toward complaint-driven rather than proactive inspection activity.
The typical range for GDPR/ZZLD penalty proceedings is BGN 1,000 to BGN 10,000 (approximately EUR 500 to EUR 5,000). The CPDP usually imposes either a fine or mandatory corrective instructions, rarely both simultaneously. The landmark fines against the NRA and DSK Bank in 2019 remain exceptional rather than representative of everyday enforcement.
Notable Enforcement Actions
National Revenue Agency (BGN 5,100,000 / EUR 2,550,000, 2019): The largest GDPR fine in Bulgarian history was imposed on the National Revenue Agency (NRA) after a cyberattack in which a hacker gained remote unauthorized access to NRA servers and exfiltrated personal data of approximately 6,074,140 individuals, representing nearly the entire adult population of Bulgaria. The data included names, personal identification numbers (EGN), addresses, income information, and tax and social security details. The CPDP found that the NRA had failed to implement adequate technical and organizational security measures as required by Article 32 of the GDPR, and imposed a fine of BGN 5,100,000 (approximately EUR 2,550,000). The NRA breach prompted a national reckoning with public-sector cybersecurity and elevated data protection to a political priority.
DSK Bank (BGN 1,000,000 / EUR 500,000, 2019): DSK Bank was fined BGN 1,000,000 (approximately EUR 500,000) after unauthorized parties accessed personal and financial data of more than 33,000 customers. The CPDP found that the bank had failed to comply with the formal requirements of Article 32 of the GDPR by not implementing appropriate technical and organizational measures to protect customer data.
Bulgarian Post EAD (BGN 1,000,000 / EUR 500,000, 2022): Bulgarian Post was fined BGN 1,000,000 (approximately EUR 500,000) for inappropriate technical and operational security measures that resulted in unauthorized access to and disclosure of personal data, including identity documents, addresses, phone numbers, financial data, and health information.
Political Party (BGN 25,000 / EUR 12,786, 2023): The CPDP fined a political party BGN 25,000 for unlawful processing of personal data of supporters in connection with national parliamentary elections, demonstrating that enforcement extends beyond the private sector.
Interior Ministry (BGN 2,000 / EUR 1,022, 2023): The CPDP fined the Interior Ministry BGN 2,000 for retaining personal data beyond the statutory retention period, illustrating that even modest violations by public authorities attract formal sanctions.

Constitutional Basis and ECHR Context
Bulgaria's commitment to privacy protection extends beyond the ZZLD and GDPR. Article 8 of the European Convention on Human Rights (ECHR), which Bulgaria has ratified, guarantees the right to respect for private and family life, home, and correspondence. The European Court of Human Rights (ECtHR) has adjudicated directly on Bulgarian surveillance practices.
In Ekimdzhiev and Others v. Bulgaria (App. No. 70078/12, judgment of 11 January 2022), the Court held unanimously that Bulgaria had violated Article 8 of the Convention in two respects. First, Bulgarian legislation governing secret surveillance (special intelligence means) lacked effective legal safeguards against arbitrariness and abuse, failing the quality-of-law requirement of the Convention. Second, Bulgarian rules governing the retention of and law enforcement access to telecommunications traffic data were also deficient, leaving surveillance data without adequate protection against nefarious use. The case concerned both the general legal framework and the practices of Bulgaria's State Agency for National Security (DANS).
The Ekimdzhiev judgment has direct significance for data protection in Bulgaria. It reinforces that surveillance activities must be grounded in clear, accessible, and foreseeable law. Any processing of personal data by Bulgarian intelligence or law enforcement agencies that falls outside the ZZLD's Law Enforcement Directive transposition provisions must independently comply with ECHR Article 8 standards.
A subsequent related case, Kanev and Bulgarian Helsinki Committee v. Bulgaria, found that the State Agency for National Security's refusal to confirm or deny holding data on a human rights activist and an NGO violated Article 8 due to the lack of effective safeguards against arbitrary processing.
Lawful Bases and Consent
The GDPR's six lawful bases under Article 6 apply directly in Bulgaria without national modification. A controller processing personal data must identify and document at least one applicable basis before processing begins:
| Lawful Basis | Article 6 Ref | Bulgarian Note |
|---|---|---|
| Consent | Art. 6(1)(a) | Must be freely given, specific, informed, unambiguous. Age threshold: 14 years for information society services. |
| Contract performance | Art. 6(1)(b) | No national derogation. |
| Legal obligation | Art. 6(1)(c) | Many Bulgarian statutory obligations qualify. |
| Vital interests | Art. 6(1)(d) | Narrow; emergency use only. |
| Public task | Art. 6(1)(e) | Applies to public authorities and bodies exercising official authority. |
| Legitimate interests | Art. 6(1)(f) | Not available to public authorities acting in their official capacity. Balancing test required. |
The ZZLD adds a specific rule: where a controller discovers it has breached Article 5 (principles) or Article 6 (lawful basis), it must return or delete the unlawfully processed data within one month of discovering the violation.
Special Categories of Personal Data
Special categories (Article 9 GDPR) receive heightened protection in Bulgaria. Processing requires both a lawful basis under Article 6 and an additional condition under Article 9(2). The ZZLD does not impose additional restrictions beyond the GDPR for most special categories. However, the ZZLD specifies that in the employment context, processing of criminal records and offence data requires an explicit legal authorization; consent and legitimate interest are insufficient bases for such processing.
The CPDP has also issued guidance on biometric technologies in educational settings, emphasizing that the use of facial recognition in schools requires a compelling justification given the special category nature of biometric data and the vulnerability of child data subjects.
Age of Digital Consent
Bulgaria set the age of digital consent at 14 years, lower than the GDPR's default of 16 years but within the permissible range of Article 8(1) of the GDPR (which allows member states to lower the threshold to 13 years). The CPDP published an information booklet in March 2022 setting out detailed requirements: consent for children's online services must be collected per processing activity, using active positive selection interfaces (no pre-ticked boxes), and with data minimization principles strictly applied. Children under 14 require parental or guardian consent for consent-based processing in information society services.
Data Subject Rights
Under the GDPR and ZZLD, individuals in Bulgaria have the following rights:
- Right of access (Article 15): Individuals may request confirmation of whether their data is processed and obtain a copy. The first request is free of charge. The CPDP may charge a reasonable fee for subsequent requests that are manifestly unfounded or excessive.
- Right to rectification (Article 16): Individuals may request correction of inaccurate data and completion of incomplete data.
- Right to erasure (Article 17): Also known as the right to be forgotten. Applies where the data is no longer necessary, consent is withdrawn (and no other basis exists), or processing is unlawful. Exemptions apply for legal claims, public interest, and archiving purposes.
- Right to restriction of processing (Article 18): Applies during accuracy disputes, when processing is contested, or when the data subject requires data for legal claims.
- Right to data portability (Article 20): Applies where processing is based on consent or contract performance, and is carried out by automated means.
- Right to object (Article 21): Applies to processing based on public task or legitimate interests. Also provides an absolute right to object to direct marketing at any time.
Requests must be submitted in writing, dated, and signed. The ZZLD preserves standard GDPR exceptions for journalistic, academic, artistic, and literary expression purposes. Controllers must respond to data subject requests without undue delay and within one month, extendable by two further months for complex requests.
Individuals whose rights are denied or ignored may lodge a complaint with the CPDP, which is free of charge, or pursue judicial remedies in Bulgarian courts under Article 79 of the GDPR.
Data Protection Officer Requirements
DPO appointments in Bulgaria follow GDPR Article 37 without additional national requirements. A DPO must be appointed when:
- The controller or processor is a public authority or body (except courts acting in their judicial capacity)
- Core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
- Core activities consist of large-scale processing of special categories of data (Article 9) or criminal convictions and offences data (Article 10)
The CPDP maintains a public register of controllers and processors that have appointed DPOs. Controllers must notify the CPDP of DPO details using approved registration forms. Bulgaria-based organizations may appoint DPOs located abroad, but those DPOs must be registered with the CPDP.
DPOs cannot be dismissed or penalized for performing their functions and must report directly to the highest management level of the organization. They may be employed by the organization (internal DPO) or act under a service contract (external DPO). Shared DPOs across a group of undertakings are permissible where the DPO is easily accessible from each establishment.
Breach Notification
Standard GDPR breach notification requirements apply in Bulgaria. Controllers must notify the CPDP of a personal data breach without undue delay and no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where notification cannot be provided within 72 hours, the notification must be accompanied by reasons for the delay.
Where a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify the affected individuals without undue delay. The CPDP provides template notification forms. The Commission maintains a non-public register of personal data breaches.
The NRA breach underscored the CPDP's serious approach to breach investigations. The Commission examined not only whether notification was timely, but also whether the underlying security architecture was adequate under Article 32 of the GDPR.
NIS2 Incident Reporting (From February 2026)
Separately, Bulgaria's Cybersecurity Act was amended to transpose the NIS2 Directive (Directive (EU) 2022/2555), with the amendments entering into force on 17 February 2026. Essential and important entities must notify CERT.bg of significant cybersecurity incidents within the following windows:
- 24 hours: Early warning upon identifying a significant incident
- 72 hours: Detailed notification with initial impact assessment
- 30 days: Final report with full analysis of causes and remediation measures
Where a cybersecurity incident also constitutes a personal data breach, both CERT.bg and the CPDP must be notified. However, if the CPDP has already imposed a fine for the same infringement under data protection law, the cybersecurity authority should not impose an additional fine for the identical violation. Bulgaria's NIS2 transposition expanded covered sectors from 8 to 18 and brought an estimated 10,000 to 12,000 entities into scope. Bulgaria received a formal reasoned opinion from the European Commission on 7 May 2025 for failing to notify full transposition before the October 2024 deadline, reflecting the delays in the legislative process.
Cross-Border Data Transfers
Bulgaria follows the standard GDPR framework for international data transfers under Articles 44 to 49. Transfers of personal data to third countries outside the European Economic Area (EEA) require one of the following:
- An adequacy decision by the European Commission (e.g., the EU-US Data Privacy Framework, the UK adequacy decisions, Switzerland)
- Appropriate safeguards such as Standard Contractual Clauses (SCCs) adopted by the Commission
- Binding Corporate Rules (BCRs) approved by a competent supervisory authority
- An approved code of conduct or certification mechanism
- Derogations for specific situations under Article 49 (limited scope; not for systematic transfers)
Following the Court of Justice of the European Union's Schrems II judgment (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, 16 July 2020), Bulgarian controllers and processors must conduct transfer impact assessments (TIAs) when relying on SCCs or BCRs to assess whether the law and practices of the destination country provide equivalent protection to EU standards. The CPDP has not issued Bulgaria-specific supplementary guidance on TIAs beyond the general EDPB recommendations.
Schengen Accession and SIS Data Sharing
Bulgaria joined the Schengen Area by stages. Air and sea border controls were lifted in March 2024. Full Schengen membership, including lifting of land border controls, took effect on 1 January 2025 following a Council decision of 12 December 2024. Full Schengen membership gives Bulgarian law enforcement access to the Schengen Information System (SIS), the EU's database for border management, law enforcement cooperation, and immigration control. All data processing through SIS must comply with Regulation (EU) 2018/1861 (SIS for border checks), Regulation (EU) 2018/1862 (SIS for police cooperation), and the Law Enforcement Directive (EU) 2016/680 as transposed by the ZZLD. The Schengen accession does not alter the standard GDPR rules for commercial cross-border data transfers, which remain governed by the framework described above.
EU AI Act Overlay
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies directly in Bulgaria as an EU member state. The phased implementation timeline is:
| Date | What Applies |
|---|---|
| 2 February 2025 | Prohibited AI practices (Article 5) and AI literacy obligations (Article 4) |
| 2 August 2025 | General-purpose AI model obligations (Title VIII); governance provisions |
| 2 August 2026 | Core obligations for most high-risk AI systems (Annexes III and IV) |
| 2 August 2027 | Transparency obligations for certain AI systems (Article 50) |
| 2 August 2028 | Extended transition for high-risk AI embedded in regulated products |
The AI Act supplements rather than replaces the GDPR. Data protection obligations for AI systems that process personal data remain governed by the GDPR. The AI Act adds a risk-based overlay: high-risk AI systems must implement quality management systems, maintain technical documentation, enable human oversight, and achieve conformity assessment before deployment.
As of May 2026, Bulgaria has not yet completed its national implementation framework for the AI Act. A Bulgarian Ministry of Electronic Governance report confirmed that no decisions had been taken on the national coordination model, competent market surveillance authorities, or sanctioning regime. An interdepartmental working group was formally established but the regulatory framework is not expected to be complete before late 2026.
The CPDP has been designated as one of seven competent bodies for the protection of fundamental rights under the AI Act pursuant to Council of Ministers Decision No. 398 of 18 June 2025. The other six designated bodies are the National Ombudsman, the Central Election Commission, the Commission for Protection against Discrimination, the Commission for Consumer Protection, the State Agency for Child Protection, and the General Labour Inspectorate Executive Agency.
For AI systems that process personal data, businesses operating in Bulgaria should expect dual-authority scrutiny: the CPDP reviewing GDPR compliance, and (once the national AI Act framework is in place) the relevant market surveillance authority reviewing AI Act compliance. The GDPR's requirements for data protection impact assessments (DPIAs) under Article 35 are directly relevant to high-risk AI systems. Controllers should conduct DPIAs proactively for any AI system that profiles individuals, uses biometric data, or makes automated decisions with significant effects.
EGN Personal Identification Number
Bulgaria's Edinen Grazhdanski Nomer (EGN), or unified civil number, is a unique ten-digit personal identification number assigned to Bulgarian citizens at birth. The EGN encodes the holder's date of birth and sex. It is used pervasively across government administration, healthcare, social services, banking, and private sector transactions.
The CPDP has established guidelines limiting unnecessary EGN disclosure. When imposing administrative sanctions such as public reprimands, the CPDP's guidance confirms that the decision should not disclose the subject's EGN, date and place of birth, ID number, exact address, personal data of third parties, or unrelated personal information.
Under the GDPR's framework, the EGN qualifies as personal data and may constitute a unique identifier that warrants protection analogous to special categories depending on context. Article 87 of the GDPR expressly permits member states to specify the conditions under which national identification numbers may be processed. Bulgaria has implemented this through ZZLD provisions that require a specific legal justification for EGN processing beyond general data minimization obligations.
The NRA breach illustrated the catastrophic risks of EGN exposure. Because the EGN encodes birth information and is used as a primary identification key across multiple government databases, exposure enables coordinated identity theft, fraud, and targeted phishing on a national scale. The breach prompted public calls for redesigning EGN-dependent systems to reduce the number of entities that require and store the full EGN.
Video Surveillance
The ZZLD includes specific provisions on video surveillance that supplement the GDPR's general framework. The CPDP has been active in this area: 324 of its 2022 on-site inspections focused predominantly on video surveillance compliance. Controllers deploying CCTV systems in Bulgaria must:
- Establish and document a legitimate basis for surveillance
- Provide clear and conspicuous information to individuals entering surveilled areas (layered notices are acceptable for small signs)
- Conduct a DPIA where surveillance is likely to result in high risk, including large-scale monitoring of public spaces
- Establish proportionate retention periods and delete footage that is no longer necessary
- Apply access controls limiting who can review footage
The CPDP has investigated complaints about video surveillance in workplaces, residential buildings, and commercial premises, and has issued orders requiring removal of cameras that lacked legal justification or that monitored areas where individuals had a reasonable expectation of privacy.
Recent Developments 2024-2026
PDPA Amendment (August 2024): The ZZLD was amended by State Gazette No. 70 of 20 August 2024. As of this article's verification date, the CPDP has not published an English-language summary of the specific changes introduced by this amendment. Practitioners should consult the ZZLD in its current Bulgarian-language version at cpdp.bg or lex.bg for the current text.
Whistleblower Protection Act (2023, ongoing): The CPDP became the competent controlling body under Bulgaria's Whistleblower Protection Act (entered into force 4 May 2023). Organizations with 50 or more employees must establish internal reporting channels under the Act. The CPDP oversees the confidentiality and data protection obligations attached to whistleblower reports, which are a distinct processing activity requiring its own GDPR compliance analysis.
NIS2 Transposition (February 2026): Bulgaria's amendments to the Cybersecurity Act transposing NIS2 entered into force on 17 February 2026. The law expanded the list of covered sectors, introduced new incident notification timelines, and brought an estimated 10,000 to 12,000 entities into mandatory cybersecurity compliance. Entities in essential sectors such as energy, transport, banking, health, digital infrastructure, and water supply now have mandatory security obligations that intersect with GDPR security requirements.
Full Schengen Accession (January 2025): Bulgaria became a full Schengen member on 1 January 2025 when land border controls were lifted. This activated Bulgarian participation in SIS data exchanges and increased the volume of cross-border law enforcement data flows subject to the Law Enforcement Directive transposition provisions of the ZZLD.
EU AI Act Application (February 2025 onwards): Prohibited AI practices, including the use of real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions), have been unlawful in Bulgaria since 2 February 2025. Bulgarian law enforcement and public authorities using AI systems must assess whether their systems fall within prohibited categories. The CPDP's designation as a fundamental rights body under the AI Act (Council of Ministers Decision No. 398, 18 June 2025) gives it formal standing to assess the fundamental rights impact of AI deployments.
Enforcement Trend (2024): The CPDP received 637 complaints and notifications in 2024 and imposed a total of BGN 74,700 (approximately EUR 38,194) in fines. No individual decisions were published on the CPDP website during 2024; enforcement developments were communicated through the bimonthly newsletter. The reduction in total fines compared to the landmark 2019 sanctions reflects both the absence of a comparable mass-breach event and the CPDP's tendency to resolve many cases through corrective orders rather than financial penalties.
Business Compliance Guide
Organizations operating in Bulgaria or processing data of Bulgarian residents should address the following areas:
1. Legal basis mapping. Document the lawful basis for each processing activity. Where processing relies on consent, ensure consent collection meets GDPR Article 7 standards. For children's services, implement age-verification or parental consent mechanisms calibrated to the 14-year threshold.
2. DPO appointment. Assess whether your organization's core activities meet the Article 37 criteria. If a DPO is required, register the appointment with the CPDP using the approved form. If the DPO is based outside Bulgaria, the registration requirement still applies.
3. Cybersecurity and the NRA lesson. The NRA and DSK Bank fines demonstrate that the CPDP treats Article 32 security failures as serious violations warranting substantial penalties. Conduct regular security assessments. Ensure technical measures (encryption, access controls, penetration testing, patch management) are actually implemented and documented. Do not rely on policy documentation alone.
4. EGN handling. Minimize collection and storage of EGN numbers. Exclude EGNs from published documents, API responses, and data exports where they are not strictly necessary for the processing purpose. Assess whether your use of EGN falls within the ZZLD's specific authorization requirements.
5. Breach response readiness. Test incident response plans. Ensure you can identify, contain, and assess a breach rapidly enough to meet the 72-hour CPDP notification requirement and (from February 2026) the 24-hour CERT.bg early warning for NIS2-covered entities. Maintain a documented internal breach log even for low-risk breaches that do not require regulatory notification.
6. Video surveillance. Review CCTV deployments for legal basis, information notices, and proportionality. The CPDP's 2022 inspection wave focused heavily on surveillance. New deployments should include a preliminary privacy assessment.
7. Direct marketing. Confirm that e-mail marketing to Bulgarian individual subscribers has prior express consent as required by the Electronic Communications Act. Maintain withdrawal records and honor opt-outs without delay.
8. AI systems. Conduct a preliminary AI Act risk classification for any AI system used in Bulgaria. Prohibited practices (including certain biometric identification and social scoring systems) have been unlawful since 2 February 2025. High-risk systems require DPIAs under the GDPR and, from August 2026, conformity assessment under the AI Act. Monitor the CPDP's guidance as its role as a fundamental rights body under the AI Act develops.
9. NIS2 compliance. If your organization is an essential or important entity under Bulgaria's Cybersecurity Act (as amended in February 2026), register with the relevant competent authority, implement required security measures, and establish incident reporting procedures.
10. Cross-border transfers. Where transferring data outside the EEA, document the transfer mechanism. For SCCs or BCRs, conduct a transfer impact assessment. Monitor the European Commission's adequacy decision register for updates.
Disclaimer: This article provides general information about Bulgaria's data protection laws and does not constitute legal advice. Data protection law is subject to frequent change. Consult a qualified lawyer licensed to practice in Bulgaria for guidance on your specific situation. Statutes cited in this article reflect their in-force version as of 2026-05-19.
Frequently Asked Questions
What is Bulgaria's main data protection law?
Bulgaria's primary national data protection legislation is the Personal Data Protection Act (Zakon za zashtita na lichnite danni, ZZLD), promulgated in State Gazette No. 17 of 26 February 2019 and most recently amended in State Gazette No. 70 of 20 August 2024. The ZZLD supplements the directly applicable EU GDPR by covering areas where EU law permits national discretion, including the CPDP's structure and powers, the age of digital consent (14 years), video surveillance provisions, journalistic expression exemptions, and transposition of the Law Enforcement Directive.
What is the CPDP and what powers does it have?
The Commission for Personal Data Protection (CPDP/КЗЛД) is Bulgaria's independent data protection supervisory authority under GDPR Article 51. It consists of a chairperson and four members appointed by parliament for five-year terms. The CPDP can investigate complaints, conduct on-site inspections, issue warnings and compliance orders, impose processing bans, and levy administrative fines of up to EUR 20 million or 4% of global annual turnover. The CPDP's chairperson participates in the European Data Protection Board as Bulgaria's representative.
What was the NRA data breach and what was the fine?
In 2019, the Bulgarian National Revenue Agency (NRA) suffered a cyberattack in which a hacker gained remote unauthorized access to NRA servers and exfiltrated personal data of approximately 6,074,140 individuals, representing nearly the entire adult population of Bulgaria. The stolen data included names, EGN (unified civil numbers), addresses, income, and tax and social security details. The CPDP found that the NRA had failed to implement adequate technical and organizational security measures under GDPR Article 32, and imposed a fine of BGN 5,100,000 (approximately EUR 2.6 million at the fixed rate of BGN 1.95583 per euro).
What is the EGN and how is it protected under Bulgarian law?
The EGN (Edinen Grazhdanski Nomer) is Bulgaria's unique ten-digit unified civil number assigned to citizens at birth, encoding the holder's date of birth and sex. It is used widely across government, healthcare, banking, and private sector systems. Under the ZZLD and GDPR Article 87 (which permits national rules on identification numbers), processing of EGNs requires a specific legal justification. The CPDP has issued guidance limiting unnecessary EGN disclosure in official sanctions and other public documents. The NRA breach demonstrated the severe identity fraud risks of EGN exposure.
What is the age of digital consent in Bulgaria?
Bulgaria set the age of digital consent at 14 years for information society services, lower than the GDPR's default of 16 years but within the permissible range of GDPR Article 8(1) (which allows member states to lower the threshold to a minimum of 13 years). Children under 14 require parental or guardian consent for consent-based processing. The CPDP's March 2022 guidance requires separate consent per processing activity, active opt-in interfaces, and strict data minimization for children's services.
Does a business operating in Bulgaria need a Data Protection Officer?
A DPO is mandatory when: (1) the organization is a public authority or body (except courts acting in their judicial capacity); (2) core activities require regular and systematic large-scale monitoring of data subjects; or (3) core activities involve large-scale processing of special categories of data or criminal records data. Bulgaria does not impose additional DPO requirements beyond GDPR Article 37. If a DPO is required, their appointment must be registered with the CPDP using the approved registration form, even if the DPO is based outside Bulgaria.
How does the EU AI Act affect businesses in Bulgaria?
The EU AI Act (Regulation (EU) 2024/1689) applies directly in Bulgaria. Prohibited AI practices, including certain uses of real-time remote biometric identification in public spaces and AI systems that exploit vulnerabilities or assign social scores, have been unlawful since 2 February 2025. Core obligations for high-risk AI systems apply from 2 August 2026. The CPDP has been designated as one of seven competent fundamental-rights bodies under the AI Act. Businesses should classify their AI systems for risk, conduct DPIAs for high-risk systems, and monitor the CPDP's developing guidance.
What is the significance of Ekimdzhiev and Others v. Bulgaria for data protection?
Ekimdzhiev and Others v. Bulgaria (App. No. 70078/12, ECHR, 11 January 2022) found that Bulgarian secret surveillance legislation violated ECHR Article 8 because it lacked effective safeguards against arbitrariness and abuse. The Court also found violations in the rules governing telecommunications traffic data retention and law enforcement access. The judgment requires that any processing of personal data by Bulgarian intelligence or law enforcement agencies outside the ZZLD's Law Enforcement Directive provisions must independently satisfy the ECHR's quality-of-law standard.
What are Bulgaria's rules on cross-border data transfers?
Bulgaria imposes no restrictions on cross-border transfers beyond the GDPR framework of Articles 44 to 49. Transfers outside the EEA require an adequacy decision, appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, approved code/certification), or an applicable Article 49 derogation. Following the Schrems II judgment, controllers relying on SCCs or BCRs must conduct transfer impact assessments evaluating the law and practice of the destination country. Bulgaria's full Schengen accession in January 2025 activated participation in SIS data exchanges, governed by dedicated EU SIS regulations.
What sectors face the most CPDP enforcement scrutiny in Bulgaria?
According to the CPDP's activity reports, complaints and notifications predominantly concern electronic communications, postal operators, online betting, fast credit services, private enforcement agents, and direct marketing. The 2022 inspection programme focused heavily on video surveillance. The 2024 report shows 637 complaints and notifications with total fines of BGN 74,700 (approximately EUR 38,194). Organizations in high-complaint sectors should conduct proactive compliance reviews rather than waiting for a complaint to trigger CPDP scrutiny.
What are the criminal penalties for data protection violations in Bulgaria?
Beyond administrative fines under the GDPR and ZZLD, Bulgaria's Criminal Code provides criminal sanctions for certain data protection breaches. Disclosing personal data obtained through unlawful access to a computer system, or transferring passwords in ways that enable unauthorized data disclosure, can result in imprisonment of up to three years. Unauthorized access to a computer system containing personal data can attract imprisonment of up to two years. These criminal sanctions sit alongside, not instead of, administrative CPDP proceedings.
How did Bulgaria's full Schengen accession affect data protection?
Bulgaria became a full member of the Schengen Area on 1 January 2025 when land border controls were lifted pursuant to a Council decision of 12 December 2024. Full membership activated Bulgarian access to the Schengen Information System (SIS). All personal data processing through SIS must comply with Regulation (EU) 2018/1861 (SIS for border checks), Regulation (EU) 2018/1862 (SIS for police cooperation), and the Law Enforcement Directive as transposed by the ZZLD. Schengen accession does not change the standard GDPR rules governing commercial cross-border data transfers.
Sources and References
- CPDP - Commission for Personal Data Protection (official site) (cpdp.bg)
- CPDP - Personal Data Protection Act (ZZLD) (cpdp.bg)
- GDPR - Regulation (EU) 2016/679 (EUR-Lex) (eur-lex.europa.eu)
- EU AI Act - Regulation (EU) 2024/1689 (EUR-Lex) (eur-lex.europa.eu)
- Ekimdzhiev and Others v. Bulgaria, App. No. 70078/12 (ECHR, 11 January 2022) (hudoc.echr.coe.int)
- Linklaters - Data Protected: Bulgaria (linklaters.com)
- CMS - Data Protection and Cybersecurity Laws in Bulgaria (cms.law)
- CMS - GDPR Enforcement Tracker: Bulgaria (cms.law)
- Pinsent Masons - GDPR Fines for Data Breaches in Bulgaria (pinsentmasons.com)
- Wolf Theiss - Bulgaria Fines in Millions for Personal Data Breaches (wolftheiss.com)
- INPLP - Significant Fines Imposed by the Bulgarian CPDP (inplp.com)
- Kinstellar - Bulgaria Introduces Derogations from GDPR (kinstellar.com)
- Kinstellar - Bulgaria Long Road to NIS2 is Over (kinstellar.com)
- European Commission - Bulgaria and Romania Join the Schengen Area (home-affairs.ec.europa.eu)
- Council of the EU - Schengen Land Border Decision (December 2024) (consilium.europa.eu)
- BTA - Bulgaria Still Lacks Oversight of High-Risk AI Systems (bta.bg)
- GDPRhub - Data Protection in Bulgaria (gdprhub.eu)
- EDPB - European Data Protection Board (edpb.europa.eu)