Bulgaria Recording Laws: Consent Rules and Penalties (2026)

Bulgaria Recording Laws: What You Need to Know

Bulgaria requires that all parties to a conversation know a recording is taking place. The country's Constitution establishes this rule at the highest legal level, and the Criminal Code backs it with criminal penalties. Unlike the United States -- where many states permit one participant to record without notifying others -- Bulgaria has no equivalent statutory safe harbor.

Jurisdiction scope: This article covers recording law in the Republic of Bulgaria under the Constitution of the Republic of Bulgaria (1991, amended 2015), the Bulgarian Criminal Code (Nakazatelen kodeks), the Electronic Communications Act, the Special Intelligence Means Act, and EU law (GDPR, EU AI Act) as directly applicable in Bulgaria. It does not cover recording laws in other EU member states; for those, see the world recording laws hub.

Anyone recording conversations, phone calls, or video in Bulgaria must navigate several overlapping legal frameworks: the Constitution, the Criminal Code, EU data protection law, and -- for AI-generated content -- the EU AI Act. The result is one of Europe's more comprehensive privacy regimes, enforced by both criminal prosecution and GDPR administrative fines.

Quick Answer: Recording Consent in Bulgaria

Bulgaria does not follow a simple one-party or all-party consent model. Article 32, Paragraph 2 of the Bulgarian Constitution states that no one may be "followed, photographed, filmed, recorded, or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law." The prohibition triggers in two separate scenarios: recording without the person's knowledge, or recording over their explicit objection.

The Supreme Court of Cassation (Varhoven Kasatsionen Sad -- VKS) has held in Decision No. 224 of March 14, 2019 (Criminal Case No. 1033/2018) that private recordings produced in violation of the Criminal Procedure Code and Special Intelligence Means Act are inadmissible as evidence. For recordings made by a private person (not a state authority), courts apply a balancing test: they assess the degree to which the private sphere was violated, whether the violation was committed by a public authority or a private person, and whether the violation affected the credibility of the evidence.

The practical bottom line: obtaining consent before recording is the only reliable safe harbor. Participant recordings made without informing the other party carry both criminal exposure under Art. 171 of the Criminal Code and civil liability under Art. 32 of the Constitution, even if the recording may later be admitted in court under the VKS balancing test.

Scenario	Legal position	Primary authority
Participant records without notifying others	Prohibited -- criminal + civil risk	Constitution Art. 32(2)
All parties notified and do not object	Permitted	Constitution Art. 32(2)
Party notified but objects	Prohibited	Constitution Art. 32(2)
Law enforcement with court warrant	Permitted	Special Intelligence Means Act Art. 3
Business call recording with prior notification	Permitted (with GDPR compliance)	Constitution Art. 32 + GDPR Art. 6

Constitutional Protections: Articles 32 and 34

The foundation of Bulgaria's recording laws sits in the Constitution of the Republic of Bulgaria, adopted in 1991 and last amended in 2015.

Article 32: The Right to Privacy

Article 32, Paragraph 1 establishes that the privacy of citizens is inviolable and that everyone is entitled to protection against illegal interference in their private or family affairs and against encroachments on their honor, dignity, and reputation.

Paragraph 2 contains the provision most directly relevant to recording. It states:

"No one shall be followed, photographed, filmed, recorded, or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law."

This language is unusually broad compared to the recording statutes found in other countries. It does not distinguish between audio recording, video recording, or photography. It covers all forms of surveillance and documentation of individuals. The prohibition triggers in two separate scenarios: when the person being recorded does not know about the recording, or when they have explicitly objected to being recorded.

The exception clause ("except when such actions are permitted by law") means that other Bulgarian statutes can authorize recording in specific circumstances, such as law enforcement surveillance conducted with judicial approval.

Article 34: Confidentiality of Communications

Article 34 provides an additional layer of protection specifically for communications:

"The freedom and confidentiality of correspondence and all other communications is inviolable."

Exceptions to this protection require permission from the judicial authorities, and only for the purpose of discovering or preventing a "grave crime." This sets a high threshold. Routine law enforcement investigations do not meet this standard. Only serious criminal matters justify court-authorized interception of communications.

Taken together, Articles 32 and 34 create a constitutional framework that treats recording and surveillance as presumptively unlawful unless specifically authorized by statute.

Criminal Code Framework: Articles 171, 171a, 339a, and 145a

The Bulgarian Criminal Code (Nakazatelen kodeks) translates constitutional protections into enforceable criminal law. Four articles are directly relevant to recording and surveillance.

Article 171: Unlawful Interception of Communications

Article 171 addresses the unauthorized interception of private communications. A person who uses special technical means to unlawfully gain access to or receive a message not addressed to them, communicated by telephone, telegraph, computer network, or any other telecommunications method, faces imprisonment of up to two years.

The penalties increase when aggravating circumstances are present. If the interception was carried out with a financial motive (described in the statute as a "venal goal"), or if it caused considerable damage, the punishment rises to imprisonment of up to three years plus a fine of up to BGN 5,000 (approximately EUR 2,500).

The same penalty applies when the target of the interception is computer data transmitted within or between information systems, including electromagnetic emissions from those systems.

Article 171a: Unlawful Handling of Communications Data

Article 171a targets a broader range of activities. Anyone who unlawfully acquires, stores, discloses, or disseminates data of the type collected, processed, retained, or used under the Electronic Communications Act faces imprisonment of up to three years or probation.

When a financial motive is involved, the punishment jumps to imprisonment of one to six years. This is a significant escalation and reflects Bulgaria's concern about the commercial exploitation of illegally obtained communications data.

Article 339a: Unlawful Use of Special Technical Surveillance Devices

Article 339a takes a device-level approach. It criminalizes the manufacture, use, sale, and retention of special technical means for the secret gathering of information without authorization received in accordance with law. Enacted in 1997, this provision targets the surveillance hardware itself rather than the communications it captures. A person who builds or operates a covert listening device -- even before any interception occurs -- may face criminal liability under this article.

This is distinct from Art. 171, which focuses on the content of intercepted communications. The two provisions operate in parallel: using an unauthorized device to intercept a call could engage both articles simultaneously.

Article 145a: Unlawful Disclosure of Surveillance Data

Article 145a, also enacted in 1997, addresses the misuse of information that was lawfully gathered through special technical surveillance means (razuznavatelni sredstva). It criminalizes the disclosure and use of such information outside its intended purpose of protecting national security or conducting criminal proceedings.

The penalties are calibrated by the offender's status. General offenders face up to three years imprisonment and a fine of up to BGN 500. Public officials who obtained the information through their duties face imprisonment of one to five years, a fine of up to BGN 5,000, and potential deprivation of certain rights. This escalation reflects the heightened responsibility of those with lawful access to surveillance intelligence.

Penalties at a Glance

Violation	Article	Penalty
Intercepting private communications	Criminal Code Art. 171	Up to 2 years imprisonment
Interception with financial motive or considerable damage	Criminal Code Art. 171	Up to 3 years + BGN 5,000 fine
Unlawful acquisition/storage/disclosure of communications data	Criminal Code Art. 171a	Up to 3 years or probation
Communications data handling with financial motive	Criminal Code Art. 171a	1 to 6 years imprisonment
Manufacture/use/sale of unlawful surveillance devices	Criminal Code Art. 339a	Criminal penalties (per statute)
Disclosure of lawfully obtained surveillance data outside authorized purpose	Criminal Code Art. 145a	Up to 3 years + BGN 500 fine
Same by a public official	Criminal Code Art. 145a	1 to 5 years + BGN 5,000 fine + deprivation of rights
GDPR violations (lower tier)	GDPR Art. 83(4)	Up to EUR 10 million or 2% global turnover
GDPR violations (higher tier)	GDPR Art. 83(5)	Up to EUR 20 million or 4% global turnover
Constitutional privacy violation	Constitution Art. 32	Civil liability and damages

The Electronic Communications Act

The Electronic Communications Act (Zakon za elektronnite saobshteniya) regulates telecommunications networks and services in Bulgaria. While its primary focus is on the telecommunications industry, several provisions affect recording.

The law prohibits the interception of electronic communications without proper authorization. Telecommunications providers are required to retain certain communications metadata (source, destination, date, time, duration, type of communication, and device identifiers) for six months, with the possibility of a court-ordered extension of up to three additional months.

Access to this retained data requires a court order issued by the chairman of the relevant regional court or a judge authorized by them. The court must provide a reasoned decision, meaning rubber-stamp approvals are not supposed to occur.

The Act also governs direct marketing communications. Businesses cannot make calls, send messages, or transmit emails for advertising purposes unless the consumer has given prior consent. This intersects with recording law because many business call recordings involve sales or marketing contexts.

A bill to amend the Electronic Communications Act was introduced in late 2024 to implement the EU's Digital Services Act requirements. The bill was adopted at first reading; as of early 2026, the full amendment process was continuing through the Bulgarian National Assembly.

The Special Intelligence Means Act and ECHR Scrutiny

The Special Intelligence Means Act (Zakon za spetsialnite razuznavatelni sredstva) governs law enforcement and intelligence agency surveillance. It defines "special intelligence means" in Article 2 as technical means and operative methods, including electronic devices used to produce audio recordings, video recordings, photographs, and other surveillance products.

Under Article 3, these tools can only be deployed to prevent or detect "grave intentional criminal offenses" as defined in specific sections of the Criminal Code. This includes crimes such as terrorism, organized crime, espionage, sabotage, and murder.

The authorization process requires a court warrant. The presidents of a limited list of courts have the authority to issue surveillance warrants, and only when the circumstances of the investigation cannot be established through less intrusive means.

Oversight falls to the National Bureau for Control of Special Intelligence Means and a special parliamentary committee. If special intelligence means are used illegally, the National Bureau is required to notify the prosecutor's office.

The Ekimdzhiev Line of Cases

Despite this legal framework, the European Court of Human Rights has repeatedly found serious problems with how Bulgaria's surveillance system operates in practice.

In the January 11, 2022 ruling Ekimdzhiev and Others v. Bulgaria, the Court unanimously held that Bulgaria violated Article 8 of the European Convention on Human Rights (the right to respect for private life and correspondence). The Court identified several deficiencies in Bulgaria's surveillance regime:

• Vague definitions of surveillance targets that allowed overly broad interpretation
• Authorities providing "blanket and generalised reasons" for most warrants rather than substantive justification
• Judges lacking adequate inspection powers and independence to serve as effective oversight
• Evidence of practical abuse, including documented illegal surveillance of anti-government protesters
• Notification requirements that applied only when surveillance was found to be unlawful, not as a standard practice

The Court concluded that "surveillance in Bulgaria, applied in practice, does not yet meet the minimum safeguards against arbitrariness and abuse."

The Ekimdzhiev line continued in Green Alliance v. Bulgaria (Application no. 6580/22), decided on February 17, 2026. The ECHR unanimously found Bulgaria violated Art. 8 again, this time for the infiltration of undercover agents into NGOs and liberal professions. The Court identified five critical deficiencies: broadly defined deployment grounds lacking independent scrutiny; no time limits on agent infiltration; inadequate procedures without judicial authorization; absent effective supervision; and no effective remedies available to targets. The Court held that the surveillance method -- technical versus human -- does not determine the level of protection required; the degree of intrusion into private life does.

Following both judgments, the Council of Europe's Committee of Ministers issued a decision in March 2026 confirming that Bulgaria remains not in full compliance with the Ekimdzhiev judgment, with "key concerns remain[ing] about the screening and processing of data and the independence of external oversight."

GDPR and the Personal Data Protection Act

As an EU member state, Bulgaria is subject to the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). Voice recordings that can identify individuals qualify as personal data under GDPR Art. 4(1), which means any recording of a conversation triggers data protection obligations.

Bulgaria's domestic data protection framework traces back to the Personal Data Protection Act (Zakon za zashtita na lichnite danni), originally enacted in 2002 (State Gazette No. 1/2002) and substantially amended in 2019 to transpose the GDPR into Bulgarian national law. The Act complements the GDPR by addressing areas where the regulation allows member states to exercise legislative discretion.

Lawful Bases for Recording

Under GDPR Art. 6, any processing of personal data (including recording) requires one of six lawful bases:

• Consent of the data subject
• Contractual necessity for performing a contract with the data subject
• Legal obligation imposed on the data controller
• Vital interests of the data subject or another person
• Public interest or exercise of official authority
• Legitimate interests of the controller or a third party, unless overridden by the data subject's fundamental rights and freedoms

For most private recordings, consent is the most straightforward lawful basis. Businesses sometimes rely on legitimate interests, but this requires a documented balancing test demonstrating that the business need outweighs the individual's privacy rights.

The Commission for Personal Data Protection (CPDP)

The Commission for Personal Data Protection (Komisiya za zashtita na lichnite danni -- CPDP) is Bulgaria's independent supervisory authority under GDPR Art. 51. It has the power to investigate complaints, conduct audits, and impose administrative fines.

Under the GDPR, fines for violations can reach EUR 20 million or 4% of global annual turnover, whichever is higher. The CPDP has actively enforced data protection rules: the highest fine imposed to date reached approximately EUR 2.55 million (against the National Revenue Agency in 2019 for a data breach affecting over six million individuals). Video surveillance is the sector generating the highest and still-increasing volume of CPDP complaints. Most fines have involved violations of GDPR Art. 5 (processing principles), Art. 6 (insufficient legal basis), or Art. 32 (inadequate security).

Phone Recording and In-Person Conversations

Bulgaria's approach to recording phone calls and in-person conversations flows directly from Article 32 of the Constitution. The prohibition on recording someone "without his knowledge or despite his express disapproval" applies equally to telephone calls and face-to-face discussions.

Phone Calls

Recording a phone call in Bulgaria without the other party's knowledge is prohibited under the Constitution and can constitute a criminal offense under Article 171 of the Criminal Code if special technical means are used. The Electronic Communications Act adds another layer by prohibiting the interception of electronic communications without authorization.

Businesses that record customer calls must comply with both the Constitutional requirement of knowledge and the GDPR's data processing rules. This means providing clear notification at the start of the call that the conversation is being recorded, identifying the purpose of the recording, and offering the caller the option to decline.

In-Person Conversations

The Constitutional prohibition covers in-person recording as well. Secretly recording a private conversation with a hidden microphone or phone violates Article 32, Paragraph 2. The same applies to filming someone without their knowledge.

The key distinction is between private and public settings. While recording someone in a clearly public space (such as a public event or protest) may benefit from the PDPA's exemption for filming persons during public activities, recording a private conversation without the participants' knowledge remains constitutionally prohibited regardless of location.

Participant Recording and the VKS Balancing Test

Bulgaria has no statutory one-party consent rule equivalent to those found in US federal law or many US states. The Constitutional text prohibits recording someone "without his knowledge," which the VKS has interpreted through a case-by-case balancing analysis.

In Decision No. 224 of March 14, 2019 (Criminal Case No. 1033/2018), the Supreme Court of Cassation (VKS) held that private recordings produced in violation of the Criminal Procedure Code and Special Intelligence Means Act are inadmissible as evidence. For recordings made by a private person, courts apply a multi-factor test: the degree to which the other person's private sphere was violated; whether the violation was committed by a public authority (higher threshold) or a private person; and whether the violation affected the credibility of the evidence itself.

This means that a participant's recording made to protect their own legitimate interests -- such as documenting threats or proving the terms of an agreement -- has a better chance of admission than one made for commercial or prurient purposes. However, neither scenario provides immunity from criminal prosecution under Arts. 171 or 339a, nor from civil liability under Art. 32. The recording may be admitted in evidence while the person who made it simultaneously faces prosecution for making it.

Workplace Recording and Employee Monitoring

Workplace recording in Bulgaria is subject to both Constitutional privacy protections and specific GDPR guidance as interpreted by the CPDP.

Video Surveillance in the Workplace

The CPDP has issued detailed guidance on workplace video surveillance. Employers can install cameras in certain circumstances, but the rules are strict:

• Video surveillance for the sole purpose of monitoring employee performance is generally not permitted
• Surveillance is acceptable when required by legislation or in genuinely high-risk production environments (pharmaceutical, chemical, or nuclear facilities)
• Employers must adopt written internal rules covering the legal basis for surveillance, the areas under monitoring, data retention periods, employee access rights, and restrictions on sharing footage with third parties
• Employees must be notified about the surveillance system, including its scope and operation
• Information boards must be placed at visible locations to alert people entering monitored areas

The CPDP has specifically ruled that using video surveillance recordings with audio to assess employee performance and determine bonuses does not comply with GDPR Art. 6(4) and is inadmissible for that purpose.

Audio Recording at Work

Audio recording in the workplace faces even stricter scrutiny than video surveillance. Because voice recordings inherently capture personal data and the content of private communications, they trigger protections under both Article 32 of the Constitution and the GDPR.

Employers who wish to record audio (such as in call centers) must:

• Establish a documented lawful basis under the GDPR
• Provide clear advance notice to employees
• Limit recording to what is strictly necessary for the stated purpose
• Implement appropriate data security measures
• Define and enforce retention periods

Email and Digital Monitoring

If an employer plans to monitor official email correspondence of employees, it must first issue a written prohibition on using official email for personal purposes. Without this written policy, monitoring employee email risks violating the employee's constitutionally guaranteed privacy rights. Even with a policy in place, monitoring must comply with GDPR principles of proportionality and data minimization.

Recording Police and Public Officials

Recording police officers and other public officials during the exercise of their duties occupies a specific legal space in Bulgaria. The Constitution's Art. 32 prohibition applies to individuals, not to roles -- but Bulgaria's Personal Data Protection Act carves out a relevant exemption.

The PDPA provides that certain data subject rights do not apply when a controller processes personal data to create a photographic or audiovisual work by filming a person in the course of their public activity or in a public place. This exemption provides a partial legal basis for recording public officials during official acts, including police interactions in public spaces.

At the same time, this exemption does not override Art. 32 entirely. Recording a police officer who has explicitly objected to being filmed remains legally contested, and Bulgarian courts have not established a clear bright-line rule. The GDPR's legitimate interests basis (Art. 6(1)(f)) can also support recording for accountability purposes, where the public interest in transparency outweighs the official's reduced expectation of privacy while performing public duties.

From a practical standpoint, filming police during public protests or public enforcement actions is more defensible than secretly recording private police conversations. The 2024 US State Department Human Rights Report on Bulgaria noted ongoing concerns about accountability mechanisms for police conduct, which underscores the public interest dimension of police recording.

Watch out: Even if you film police in a public space without legal risk, storing and sharing the footage online triggers GDPR obligations (the footage contains identifiable individuals who are personal data). You need a lawful basis for sharing -- typically legitimate interest with a documented proportionality assessment.

Recording in Public Spaces

Public space recording in Bulgaria requires careful attention to context. The Constitutional protection in Article 32 applies to individuals, not to locations. Even in a public place, recording a specific person without their knowledge or against their objection can violate the law.

For CCTV and other systematic video surveillance of public areas, the Personal Data Protection Act requires controllers to:

• Establish a documented legal basis
• Define the territorial scope of surveillance
• Post visible notification signs (without revealing the precise camera locations)
• Set clear data retention and deletion schedules
• Establish procedures for data subjects to exercise their access rights
• Restrict third-party access to footage

Entities authorized to conduct public space video surveillance include merchants or legal persons licensed for providing private security services and state institutions performing statutory surveillance functions. All other entities need either a regulatory basis or explicit consent.

Voyeurism and Non-Consensual Intimate Images

Bulgaria's Constitution and GDPR provide the primary legal framework for non-consensual intimate images (NCII) in the absence of a standalone NCII criminal statute.

Article 32, Paragraph 2 of the Constitution prohibits filming or recording anyone without their knowledge or over their explicit objection, which covers covert recording in private spaces. GDPR Art. 9 provides heightened protection for sensitive categories of personal data, and nude or intimate images of identifiable individuals engage the GDPR's general personal data protections under Art. 4(1) at minimum.

At the EU level, the Violence Against Women Directive (Directive 2024/1385/EU) requires member states to criminalize the non-consensual sharing of intimate images, including AI-generated intimate images of identifiable persons. Bulgaria must transpose this directive by June 14, 2027. Until transposition, Bulgarian prosecutors rely on the Constitution, general criminal law provisions, and GDPR enforcement to address NCII cases.

Victims of non-consensual intimate image sharing in Bulgaria can file complaints with the CPDP (for GDPR violations in distribution of intimate images online) or pursue civil claims under Art. 32 of the Constitution. Criminal complaints may engage Art. 145a (disclosure of lawfully obtained surveillance material) in cases where the intimate image was initially collected through lawful means and then redistributed outside that purpose.

AI-Generated Content and Deepfakes

Bulgaria applies EU law directly in this area. The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024 and introduces a phased schedule of obligations:

• February 2, 2025: Prohibited AI practices became enforceable. These include AI systems that deploy subliminal manipulation, exploit vulnerabilities, or engage in social scoring. AI-based identity manipulation that undermines fundamental rights falls under prohibited practices.
• August 2, 2025: Governance rules and obligations for general-purpose AI (GPAI) models became applicable.
• August 2, 2026: Article 50 transparency obligations for synthetic media become enforceable. Deployers of AI systems that generate synthetic audio, video, or images of identifiable persons must disclose that the content has been artificially generated or manipulated. The content must be marked in a machine-readable format detectable as AI-generated.

For recording law purposes, the AI Act's deepfake provisions interact with Art. 32 of the Bulgarian Constitution. A deepfake that places an identifiable person in a fabricated recording scenario "without their knowledge" engages both the Constitutional prohibition on recording-equivalent activity and the AI Act's transparency requirements. Persons who create and distribute deepfakes of private individuals without consent face potential liability under the Constitutional privacy framework, the GDPR (for processing identifying biometric data), and -- from August 2, 2026 -- the AI Act's transparency regime.

Violations of AI Act obligations can result in fines up to EUR 15 million or 3% of global annual turnover for providers of general-purpose AI models (under Art. 101).

Cross-Border Recording

Recording law in Bulgaria has cross-border dimensions that travelers and businesses need to understand.

Recording in Bulgaria from abroad: If you are outside Bulgaria and record a phone call with someone in Bulgaria, Bulgarian law applies to the portion of the communication occurring within Bulgaria. Art. 171 of the Criminal Code is not limited to recordings made on Bulgarian soil -- it criminalizes unlawful interception of communications regardless of where the intercepting party is located, provided the communication originated or was received in Bulgaria.

Bulgarian residents recording abroad: A Bulgarian resident recording conversations in another country is generally subject to the law of the country where the recording takes place, not Bulgarian law. However, if the recording is later processed, stored, or shared in Bulgaria, the GDPR applies to that processing activity.

Cloud storage and data transfers: Any recording stored on servers outside the EU triggers GDPR Chapter V requirements on international data transfers. Standard contractual clauses or other appropriate safeguards are required for transfers to countries without EU adequacy decisions.

EU visitors and tourists: The GDPR applies to all processing of personal data in Bulgaria, regardless of the nationality of the person doing the recording. A US tourist recording conversations in Bulgaria is not exempt from the Constitutional prohibition or GDPR obligations simply because they are not Bulgarian.

Recent Legal Developments (2024-2026)

Green Alliance v. Bulgaria (February 2026)

The most recent ECHR surveillance ruling against Bulgaria came on February 17, 2026, in Green Alliance v. Bulgaria (Application no. 6580/22). The Court found Bulgaria violated Art. 8 ECHR through the deployment of undercover agents into NGOs and liberal professions without adequate legal safeguards. The ruling extended the Ekimdzhiev principle: regardless of whether surveillance is technical or human, the same minimum safeguards apply. Bulgaria must now reform its agents-on-cover framework to include judicial authorization, defined time limits, independent oversight, and effective notification and remedy mechanisms.

Committee of Ministers Compliance Decision (March 2026)

The Council of Europe's Committee of Ministers, responsible for overseeing execution of ECHR judgments, issued a decision in March 2026 confirming that Bulgaria remains out of full compliance with the Ekimdzhiev judgment of January 2022. Key concerns identified: the screening and processing of surveillance data, and the independence of external oversight mechanisms.

The 2025 Privacy Bill Controversy

In October 2025, Bulgaria's parliamentary Legal Affairs Committee approved draft Criminal Code amendments that would have imposed prison sentences of one to six years and fines of EUR 1,000 to 4,000 for disseminating information about a person's "personal life" without their consent. The bill drew fierce criticism from journalists, media organizations, and the European Federation of Journalists, who warned it would criminalize investigative journalism into corruption and shield public figures from accountability. The bill was withdrawn after sustained public pressure.

EU AI Act Enforcement Timeline

The EU AI Act's prohibition on manipulative AI practices became enforceable in Bulgaria on February 2, 2025. The next major milestone -- Art. 50 transparency obligations requiring disclosure of deepfake and synthetic media -- takes effect on August 2, 2026.

Business Compliance Checklist

Organizations operating in Bulgaria that record calls, conduct video surveillance, or engage in any form of monitoring should take the following steps:

1. Identify your lawful basis under both Bulgarian law and the GDPR before implementing any recording system
2. Provide clear, advance notification to all individuals who will be recorded, whether they are customers, employees, or visitors
3. Document your data protection impact assessment for any systematic or large-scale recording activity
4. Adopt written internal policies covering the purpose, scope, retention period, and access controls for all recordings
5. Post visible signage in any area under video surveillance
6. Train staff on recording policies and ensure they understand the legal requirements
7. Appoint a Data Protection Officer if your recording activities involve large-scale processing of personal data
8. Establish procedures for responding to data subject access requests, deletion requests, and complaints
9. Review and update your policies regularly to reflect changes in Bulgarian law and CPDP guidance
10. Maintain records of processing activities as required by GDPR Art. 30
11. Assess AI Act compliance if your organization uses AI tools that generate synthetic audio or video of identifiable persons -- Art. 50 transparency obligations apply from August 2, 2026

Non-compliance risks both criminal penalties under the Criminal Code and substantial administrative fines under the GDPR.

Practical Guidance

For individuals and businesses navigating Bulgaria's recording laws, these practical guidelines can help reduce legal risk:

• Always inform people before recording. This applies to phone calls, in-person conversations, and video recording. Bulgaria's Constitution requires knowledge -- silence is not consent.
• Get explicit consent when possible. While notification may satisfy Art. 32 in some circumstances, explicit affirmative consent provides the strongest protection under both the Constitution and the GDPR.
• Never record someone who has objected. Article 32 specifically prohibits recording over a person's "express disapproval," even if they previously agreed to the recording.
• Treat all recordings as personal data. Any recording that could identify an individual triggers GDPR obligations for storage, security, access rights, and deletion.
• Be especially careful with workplace recording. The CPDP takes a strict approach to employee monitoring. Performance-based recording is not permitted.
• Keep recordings only as long as necessary. Both the GDPR and the Electronic Communications Act impose retention limits. Define your retention period and adhere to it.
• For AI-generated content: Label all synthetic audio and video as AI-generated from August 2, 2026. Do not distribute AI-generated intimate images of identifiable persons without consent.
• Consult a Bulgarian lawyer before implementing recording systems. The intersection of Constitutional law, criminal law, and GDPR creates complexity that general guidance cannot fully resolve.