Bulgaria Recording Laws: Consent Rules and Penalties (2026)

Overview of Recording Laws in Bulgaria

Bulgaria sits at the intersection of strong constitutional privacy protections and European Union data protection standards. Anyone who records conversations, phone calls, or video in the country must navigate multiple overlapping legal frameworks: the Bulgarian Constitution, the Criminal Code, the Electronic Communications Act, the Special Intelligence Means Act, and the EU's General Data Protection Regulation (GDPR) as implemented through Bulgaria's Personal Data Protection Act.

The result is a legal environment that broadly prohibits recording people without their knowledge. Bulgaria does not follow a simple one-party or all-party consent model like many common law countries. Instead, its Constitution creates a blanket prohibition on recording someone without their knowledge or over their explicit objection, and then carves out exceptions through specific statutes. In practice, this means you should obtain consent before recording anyone in Bulgaria.

Violations carry real consequences. Depending on the circumstances, illegal recording can result in criminal prosecution under the Penal Code, civil liability for privacy violations, and administrative fines under the GDPR.

Constitutional Protections: Articles 32 and 34

The foundation of Bulgaria's recording laws sits in the Constitution of the Republic of Bulgaria, adopted in 1991 and last amended in 2015.

Article 32: The Right to Privacy

Article 32, Paragraph 1 establishes that the privacy of citizens is inviolable and that everyone is entitled to protection against illegal interference in their private or family affairs and against encroachments on their honor, dignity, and reputation.

Paragraph 2 contains the provision most directly relevant to recording. It states:

"No one shall be followed, photographed, filmed, recorded, or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law."

This language is unusually broad compared to the recording statutes found in other countries. It does not distinguish between audio recording, video recording, or photography. It covers all forms of surveillance and documentation of individuals. The prohibition triggers in two separate scenarios: when the person being recorded does not know about the recording, or when they have explicitly objected to being recorded.

The exception clause ("except when such actions are permitted by law") means that other Bulgarian statutes can authorize recording in specific circumstances, such as law enforcement surveillance conducted with judicial approval.

Article 34: Confidentiality of Communications

Article 34 provides an additional layer of protection specifically for communications:

"The freedom and confidentiality of correspondence and all other communications is inviolable."

Exceptions to this protection require permission from the judicial authorities, and only for the purpose of discovering or preventing a "grave crime." This sets a high threshold. Routine law enforcement investigations do not meet this standard. Only serious criminal matters justify court-authorized interception of communications.

Taken together, Articles 32 and 34 create a constitutional framework that treats recording and surveillance as presumptively unlawful unless specifically authorized by statute.

Criminal Code Penalties for Illegal Recording

The Bulgarian Criminal Code (Nakazatelen kodeks) translates constitutional protections into enforceable criminal law. Two articles are particularly relevant.

Article 171: Unlawful Interception of Communications

Article 171 addresses the unauthorized interception of private communications. A person who uses special technical means to unlawfully gain access to or receive a message not addressed to them, communicated by telephone, telegraph, computer network, or any other telecommunications method, faces imprisonment of up to two years.

The penalties increase when aggravating circumstances are present. If the interception was carried out with a financial motive (described in the statute as a "venal goal"), or if it caused considerable damage, the punishment rises to imprisonment of up to three years plus a fine of up to BGN 5,000 (approximately EUR 2,500).

The same penalty applies when the target of the interception is computer data transmitted within or between information systems, including electromagnetic emissions from those systems.

Article 171a: Unlawful Handling of Communications Data

Article 171a targets a broader range of activities. Anyone who unlawfully acquires, stores, discloses, or disseminates data of the type collected, processed, retained, or used under the Electronic Communications Act faces imprisonment of up to three years or probation.

When a financial motive is involved, the punishment jumps to imprisonment of one to six years. This is a significant escalation and reflects Bulgaria's concern about the commercial exploitation of illegally obtained communications data.

These provisions apply regardless of whether the person doing the recording is a private citizen, a business, or a government official acting outside their authority.

The Electronic Communications Act

The Electronic Communications Act (Zakon za elektronnite saobshteniya) regulates telecommunications networks and services in Bulgaria. While its primary focus is on the telecommunications industry, several provisions affect recording.

The law prohibits the interception of electronic communications without proper authorization. Telecommunications providers are required to retain certain communications metadata (source, destination, date, time, duration, type of communication, and device identifiers) for six months, with the possibility of a court-ordered extension of up to three additional months.

Access to this retained data requires a court order issued by the chairman of the relevant regional court or a judge authorized by them. The court must provide a reasoned decision, meaning rubber-stamp approvals are not supposed to occur.

The Act also governs direct marketing communications. Businesses cannot make calls, send messages, or transmit emails for advertising purposes unless the consumer has given prior consent. This intersects with recording law because many business call recordings involve sales or marketing contexts.

A bill to amend the Electronic Communications Act was submitted to Parliament in late 2024 to implement the EU's Digital Services Act, and was adopted at first reading. The amendment process was still ongoing as of early 2026.

The Special Intelligence Means Act

The Special Intelligence Means Act (Zakon za spetsialnite razuznavatelni sredstva) governs law enforcement and intelligence agency surveillance. It defines "special intelligence means" in Article 2 as technical means and operative methods, including electronic devices used to produce audio recordings, video recordings, photographs, and other surveillance products.

Under Article 3, these tools can only be deployed to prevent or detect "grave intentional criminal offenses" as defined in specific sections of the Criminal Code. This includes crimes such as terrorism, organized crime, espionage, sabotage, and murder.

The authorization process requires a court warrant. The presidents of a limited list of courts have the authority to issue surveillance warrants, and only when the circumstances of the investigation cannot be established through less intrusive means.

Oversight falls to the National Bureau for Control of Special Intelligence Means and a special parliamentary committee. If special intelligence means are used illegally, the National Bureau is required to notify the prosecutor's office.

The Ekimdzhiev ECHR Ruling

Despite this legal framework, the European Court of Human Rights found serious problems with how Bulgaria's surveillance system operates in practice. In the January 2022 ruling Ekimdzhiev and Others v. Bulgaria, the Court unanimously held that Bulgaria violated Article 8 of the European Convention on Human Rights (the right to respect for private life and correspondence).

The Court identified several deficiencies in Bulgaria's surveillance regime:

• Vague definitions of surveillance targets that allowed overly broad interpretation
• Authorities providing "blanket and generalised reasons" for most warrants rather than substantive justification
• Judges lacking adequate inspection powers and independence to serve as effective oversight
• Evidence of practical abuse, including documented illegal surveillance of anti-government protesters
• Notification requirements that applied only when surveillance was found to be unlawful, not as a standard practice

The Court concluded that "surveillance in Bulgaria, applied in practice, does not yet meet the minimum safeguards against arbitrariness and abuse."

This ruling carries legal weight in Bulgaria as a Council of Europe member state and has put pressure on the Bulgarian government to reform its surveillance legislation.

GDPR and the Personal Data Protection Act

As an EU member state, Bulgaria is subject to the General Data Protection Regulation (GDPR). Voice recordings that can identify individuals qualify as personal data under the GDPR, which means any recording of a conversation triggers data protection obligations.

Bulgaria implemented the GDPR through its Personal Data Protection Act (Zakon za zashtita na lichnite danni), promulgated in the State Gazette on February 26, 2019. The Act complements the GDPR by addressing areas where the regulation allows member states to exercise legislative discretion.

Lawful Bases for Recording

Under Article 6 of the GDPR, any processing of personal data (including recording) requires one of six lawful bases:

• Consent of the data subject
• Contractual necessity for performing a contract with the data subject
• Legal obligation imposed on the data controller
• Vital interests of the data subject or another person
• Public interest or exercise of official authority
• Legitimate interests of the controller or a third party, unless overridden by the data subject's fundamental rights and freedoms

For most private recordings, consent is the most straightforward lawful basis. Businesses sometimes rely on legitimate interests, but this requires a documented balancing test demonstrating that the business need outweighs the individual's privacy rights.

The Commission for Personal Data Protection (CPDP)

The Commission for Personal Data Protection (Komisiya za zashtita na lichnite danni) is Bulgaria's independent supervisory authority for data protection. It has the power to investigate complaints, conduct audits, and impose administrative fines.

Under the GDPR, fines for violations can reach EUR 20 million or 4% of global annual turnover, whichever is higher. The CPDP has actively enforced data protection rules, with most proceedings involving violations of data processing principles (Article 5 GDPR), insufficient legal basis for processing (Article 6 GDPR), or inadequate security measures (Article 32 GDPR).

Phone Recording and In-Person Conversations

Bulgaria's approach to recording phone calls and in-person conversations flows directly from Article 32 of the Constitution. The prohibition on recording someone "without his knowledge or despite his express disapproval" applies equally to telephone calls and face-to-face discussions.

Phone Calls

Recording a phone call in Bulgaria without the other party's knowledge is prohibited under the Constitution and can constitute a criminal offense under Article 171 of the Criminal Code if special technical means are used. The Electronic Communications Act adds another layer by prohibiting the interception of electronic communications without authorization.

Businesses that record customer calls must comply with both the Constitutional requirement of knowledge/consent and the GDPR's data processing rules. This means providing clear notification at the start of the call that the conversation is being recorded, identifying the purpose of the recording, and offering the caller the option to decline.

In-Person Conversations

The Constitutional prohibition covers in-person recording as well. Secretly recording a private conversation with a hidden microphone or phone violates Article 32, Paragraph 2. The same applies to filming someone without their knowledge.

The key distinction is between private and public settings. While recording someone in a clearly public space (such as a public event or protest) may fall under different considerations, recording a private conversation without the participants' knowledge remains constitutionally prohibited.

Participant Recording

Bulgaria's law does not contain a clear statutory exemption equivalent to the "one-party consent" rule found in countries like the United States. The Constitutional text prohibits recording someone "without his knowledge," which some legal scholars interpret as requiring that all parties be aware a recording is taking place. In practice, if you are a participant in a conversation and you record it without informing the other party, you may face legal exposure under both the Constitution and the Criminal Code.

Court decisions have sometimes allowed recordings made by participants to serve as evidence in certain circumstances, particularly when the recording was made to protect legitimate rights. However, this is evaluated on a case-by-case basis and does not provide a reliable safe harbor for routine participant recording.

Workplace Recording and Employee Monitoring

Workplace recording in Bulgaria is subject to both Constitutional privacy protections and specific GDPR guidelines as interpreted by the CPDP.

Video Surveillance in the Workplace

The CPDP has issued detailed guidance on workplace video surveillance. Employers can install cameras in certain circumstances, but the rules are strict:

• Video surveillance for the sole purpose of monitoring employee performance is generally not permitted
• Surveillance is acceptable when required by legislation or in genuinely high-risk production environments (pharmaceutical, chemical, or nuclear facilities)
• Employers must adopt written internal rules covering the legal basis for surveillance, the areas under monitoring, data retention periods, employee access rights, and restrictions on sharing footage with third parties
• Employees must be notified about the surveillance system, including its scope and operation
• Information boards must be placed at visible locations to alert people entering monitored areas

The CPDP has specifically ruled that using video surveillance recordings with audio to assess employee performance and determine bonuses does not comply with Article 6, Paragraph 4 of the GDPR and is inadmissible.

Audio Recording at Work

Audio recording in the workplace faces even stricter scrutiny than video surveillance. Because voice recordings inherently capture personal data and the content of private communications, they trigger protections under both Article 32 of the Constitution and the GDPR.

Employers who wish to record audio (such as in call centers) must:

• Establish a documented lawful basis under the GDPR
• Provide clear advance notice to employees
• Limit recording to what is strictly necessary for the stated purpose
• Implement appropriate data security measures
• Define and enforce retention periods

Email and Digital Monitoring

If an employer plans to monitor official email correspondence of employees, it must first issue a written prohibition on using official email for personal purposes. Without this written policy, monitoring employee email risks violating the employee's constitutionally guaranteed privacy rights. Even with a policy in place, monitoring must comply with GDPR principles of proportionality and data minimization.

Recording in Public Spaces

Public space recording in Bulgaria requires careful attention to context. The Constitutional protection in Article 32 applies to individuals, not to locations. Even in a public place, recording a specific person without their knowledge or against their objection can violate the law.

For CCTV and other systematic video surveillance of public areas, the Personal Data Protection Act requires controllers to:

• Establish a documented legal basis
• Define the territorial scope of surveillance
• Post visible notification signs (without revealing the precise camera locations)
• Set clear data retention and deletion schedules
• Establish procedures for data subjects to exercise their access rights
• Restrict third-party access to footage

Entities authorized to conduct public space video surveillance include merchants or legal persons licensed for providing private security services and state institutions performing statutory surveillance functions. All other entities need either a regulatory basis or explicit consent.

Recent Legal Developments

The 2025 Privacy Bill Controversy

In October 2025, Bulgaria's parliamentary Legal Affairs Committee approved draft amendments to the Criminal Code that would have imposed prison sentences of one to six years and fines of EUR 1,000 to 4,000 for disseminating information about a person's "personal life" without their consent.

The bill drew fierce criticism from journalists, media organizations, and the European Federation of Journalists. Critics warned the amendments could criminalize investigative journalism into corruption, shield public figures from accountability, and allow the use of wiretapping against reporters. The bill was ultimately dropped after sustained public pressure, but the debate highlighted the ongoing tension between privacy protections and press freedom in Bulgaria.

Ongoing ECHR Compliance

Following the Ekimdzhiev ruling in January 2022, Bulgaria faces continued pressure to reform its surveillance legislation. The Council of Europe's Committee of Ministers monitors compliance with ECHR judgments, and Bulgaria must demonstrate meaningful improvements to its surveillance oversight mechanisms, notification procedures, and judicial authorization processes.

Business Compliance Checklist

Organizations operating in Bulgaria that record calls, conduct video surveillance, or engage in any form of monitoring should take the following steps:

1. Identify your lawful basis under both Bulgarian law and the GDPR before implementing any recording system
2. Provide clear, advance notification to all individuals who will be recorded, whether they are customers, employees, or visitors
3. Document your data protection impact assessment for any systematic or large-scale recording activity
4. Adopt written internal policies covering the purpose, scope, retention period, and access controls for all recordings
5. Post visible signage in any area under video surveillance
6. Train staff on recording policies and ensure they understand the legal requirements
7. Appoint a Data Protection Officer if your recording activities involve large-scale processing of personal data
8. Establish procedures for responding to data subject access requests, deletion requests, and complaints
9. Review and update your policies regularly to reflect changes in Bulgarian law and CPDP guidance
10. Maintain records of processing activities as required by Article 30 of the GDPR

Non-compliance risks both criminal penalties under the Penal Code and substantial administrative fines under the GDPR.

Penalties Summary

Bulgaria imposes penalties for illegal recording through multiple legal channels:

Violation	Legal Basis	Penalty
Intercepting private communications	Criminal Code Art. 171	Up to 2 years imprisonment
Interception with financial motive	Criminal Code Art. 171	Up to 3 years + BGN 5,000 fine
Unlawful handling of communications data	Criminal Code Art. 171a	Up to 3 years or probation
Data handling with financial motive	Criminal Code Art. 171a	1 to 6 years imprisonment
GDPR violations (standard)	GDPR Art. 83(4)	Up to EUR 10 million or 2% turnover
GDPR violations (serious)	GDPR Art. 83(5)	Up to EUR 20 million or 4% turnover
Constitutional privacy violation	Constitution Art. 32	Civil liability and damages

Practical Guidance

For individuals and businesses navigating Bulgaria's recording laws, these practical guidelines can help reduce legal risk:

• Always inform people before recording. This applies to phone calls, in-person conversations, and video recording. Bulgaria's Constitution requires knowledge, not just consent.
• Get explicit consent when possible. While knowledge may be sufficient under Article 32, explicit consent provides the strongest legal protection, particularly under the GDPR.
• Never record someone who has objected. Article 32 specifically prohibits recording over a person's "express disapproval," even if they previously consented.
• Treat all recordings as personal data. Any recording that could identify an individual triggers GDPR obligations for storage, security, access rights, and deletion.
• Be especially careful with workplace recording. The CPDP takes a strict approach to employee monitoring. Performance-based recording is generally off limits.
• Keep recordings only as long as necessary. Both the GDPR and the Electronic Communications Act impose retention limits. Define your retention period and stick to it.
• Consult a Bulgarian lawyer before implementing recording systems. The intersection of Constitutional law, criminal law, and GDPR creates complexity that general guidance cannot fully resolve.