PRIVACY LAWS
The Complete Guide to GDPR in Bulgaria: Navigating the PDPA and Local Deviations
As data privacy enforcement tightens across Europe, businesses must remember that the General Data Protection Regulation (GDPR) is not entirely uniform. The GDPR allows EU member states to implement national deviations through “opening clauses,” adapting certain rules to fit local legal landscapes.
In Bulgaria, the GDPR is supplemented by the Personal Data Protection Act (PDPA), which introduces highly specific and strict requirements for businesses operating within its borders. Enforcement is actively managed by the Bulgarian Commission for Personal Data Protection (CPDP), an authority known for heavily scrutinizing both local and international companies.
For businesses targeting the Bulgarian market or employing local staff, a generic “EU-wide” compliance strategy is a massive risk. At Complico Consulting GmbH, we specialize in identifying and implementing these national specifics. Here is everything you need to know about navigating Bulgaria’s unique data protection landscape.
Key Deviations Between the EU GDPR and Bulgaria’s PDPA
Bulgaria has utilized the GDPR’s opening clauses to enact specific rules regarding identification documents, employee data, and digital consent. To avoid severe regulatory penalties, companies must adjust their compliance frameworks to account for the following local deviations:
1. Strict Prohibitions on Copying ID Cards
One of the most heavily enforced local rules in Bulgaria concerns the processing of identification documents and the Bulgarian Uniform Civil Number (EGN).
ID Copies: The PDPA explicitly prohibits the copying and storing of personal identification documents (such as ID cards or driver’s licenses) unless expressly required by law (e.g., anti-money laundering regulations).
National ID Numbers (EGN): An individual’s EGN cannot be made public and cannot be used as the sole identifier to grant access to IT systems or digital services.
2. The Age of Digital Consent
Under the standard GDPR framework, the default age for a child to consent to information society services (like online accounts, apps, and social media) is 16.
The Bulgarian Deviation: Bulgaria has lowered the age of digital consent to 14 years old. For children under 14, businesses must obtain explicit, verifiable consent from a parent or legal guardian before processing their data.
3. Rigid Rules for Employee and Recruitment Data
Bulgaria has introduced stringent rules protecting employee privacy, particularly regarding the recruitment process.
The 6-Month Rule: Employers may only store the personal data of unsuccessful job applicants (such as CVs, reference letters, or medical fitness certificates) for a maximum of six months following the completion of the recruitment process. Retaining this data longer requires explicit, opt-in consent from the candidate.
Workplace Monitoring: Employers implementing internal whistleblowing systems or monitoring employee access to premises, working hours, and IT resources must adopt specific, detailed internal policies justifying their legitimate interests.
4. Mandatory DPO Registration
While the GDPR outlines specific scenarios where a Data Protection Officer (DPO) is required, Bulgaria adds an administrative layer.
The Bulgarian Deviation: If your company is required to appoint a DPO for its Bulgarian operations, that individual—even if they are based abroad—must be officially registered with the Bulgarian CPDP using a standardized local registration form.
5. Strict Opt-In Requirements for Direct Marketing
Under Bulgarian law, conducting calls, sending SMS messages, or emailing individuals for direct marketing purposes requires prior explicit consent (opt-in) from the consumer. Unlike some jurisdictions where “legitimate interest” can occasionally justify B2B marketing, Bulgaria strictly enforces the consumer’s right to consent beforehand and withdraw it at any time.
The Cost of Non-Compliance in Bulgaria
The Bulgarian Commission for Personal Data Protection (CPDP) is highly proactive. Most administrative proceedings are triggered by direct complaints from data subjects, notably concerning video surveillance, unsolicited marketing, and unauthorized data sharing. The CPDP does not hesitate to issue massive fines—including a historic multi-million Euro penalty against the National Revenue Agency for failing to implement appropriate technical security measures.
How Complico Consulting GmbH Ensures Your Compliance
Navigating the intersection of the overarching EU GDPR and the specific rules of the Bulgarian PDPA requires local expertise. At Complico Consulting GmbH, we ensure your business operations remain secure, compliant, and uninterrupted.
Our tailored services for the Bulgarian market include:
PDPA Gap Assessments: We review your data flows to ensure compliance with Bulgaria’s strict rules on ID document copying and EGN processing.
HR Data Compliance: We align your recruitment, retention, and employee monitoring policies with Bulgarian labor and privacy laws, ensuring the strict 6-month deletion rule is enforced.
DPO Representation & Registration: We act as or assist your Data Protection Officer, managing the mandatory registration process with the Bulgarian CPDP and acting as your local liaison.
Localized Consent Strategies: We update your cookie banners, marketing protocols, and privacy notices to respect the 14-year age of consent and local direct marketing laws.
Conclusion
Expanding into Bulgaria offers excellent business opportunities, but it demands strict adherence to the Personal Data Protection Act. By understanding and respecting the local deviations, from employment data retention limits to the prohibition on ID copying, you protect your business from the CPDP’s scrutiny while building trust with your Bulgarian customers.