Page 1

begining

Public registers

The institution

Legal framework

Guidelines

Practice

Contacts

Home » Legal framework » Personal Data Protection Act

search

Policy for
confidentiality

Personal Data Protection Act

Useful information
Official under
data protection

Annual reports
Personal Data Protection Act (PDF)

Submit to
notifications to the CPDP

Information
bulletin

Personal Data Protection Act (DOC)

Buyer profile

Filing complaints and
signals

Administratively
service

PERSONAL DATA PROTECTION ACT

Internationally
cooperation

In force since 01.01.2002

Media

Prom. DV. issue 1 of 4 January 2002, amended DV. issue 70 of 10 August 2004, amended DV.

Data Transmission
to third countries

No. 93 of October 19, 2004, as amended. DV. issue 43 of 20 May 2005, amended DV. issue 103 of 23
December 2005, amended DV. issue 30 of 11 April 2006, amended DV. No. 91 of November 10, 2006,
ed. DV. issue 57 of 13 July 2007, amended DV. issue 42 of 5 June 2009, amended DV. issue 94 of 30
November 2010, amended DV. issue 97 of 10 December 2010, amended DV. issue 39 of 20 May 2011,

Schengen
space

Messages
Information campaign

ed. DV. issue 81 of 18 October 2011, amended DV. issue 105 of December 29, 2011, amended and ext.

On complaints

DV. issue 15 of 15 February 2013, supplement DV. issue 81 of 14 October 2016, amended DV. No. 85 of

Auctions

October 24, 2017, ext. DV. issue 103 of 28 December 2017, amended DV. issue 7 of 19 January
2018, amended and ext. DV. issue 17 of 26 February 2019, amended DV. No. 93 of November 26
Calendar of events

2019

June 2021
P
Chapter One.
GENERAL
Art. 1. (Amended, SG No. 103/2005, amended, SG No. 17/2019) (1) This Act

IN

C

Ch

P

01 02 03 04 05 06
07 08 09 10 11 12 13
14 15 16 17 18 19 20

regulates public relations related to the protection of the rights of individuals

21 22 23 24 25 26 27

when processing their personal data, insofar as they are not regulated in Regulation (EU)

28 29 30

2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
individuals in connection with the processing of personal data and on freedom
movement of such data and repealing Directive 95/46 / EC (General Regulation on
data protection) (OJ L 119/1 of 4 May 2016), hereinafter "Regulation (EU)
2016/679 ".
(2) This law shall also determine rules in connection with the protection of the physical
persons in the processing of personal data by the competent authorities for the purposes of
the prevention, investigation, detection or prosecution of
crimes or the execution of penalties, including the prevention of threats to

Archive
News
SMEData Conference 2019
ICDPPC Conference 2018
Conference 2015
Competition for students 2020
Competition for children 2017

public order and security and their prevention.
(3) The purpose of the law is to provide protection of the natural persons in connection with
the processing of personal data in accordance with Regulation (EU) 2016/679, and in
connection with the processing of personal data by the competent authorities for the purposes under para. 2.
(4) This law also regulates:
1. the status of the Commission for Personal Data Protection as a supervisory body,
responsible for protecting the fundamental rights and freedoms of individuals in connection with
the processing and facilitation of the free movement of personal data in the European Union
union;
2. the powers of the Inspectorate at the Supreme Judicial Council at
the implementation of supervision in the processing of personal data in the cases under Art. 17;
3. the means for legal protection;
4. accreditation and certification in the field of personal data protection;
5. special cases of personal data processing.
(5) This law shall not apply to the processing of personal data for the purposes of
the country's defense and national security, insofar as it is not in a special law
provided otherwise.
(6) This law shall not apply to the processing of personal data of deceased persons,
except in the cases under Art. 25e.
(7) In the processing of personal data under Art. 2 of Regulation (EU) 2016/679
countries that are parties to the Agreement on the European Economic Area
and the Swiss Confederation are equal to the Member States of
The European Union. All other countries are third countries.
(8) In the processing of personal data for the purposes under Art. 42, para. 1 countries
involved in the implementation, application and development of the acquis by
Schengen are equal to the Member States of the European Union. All others
countries are third countries.
Art. 2. (Supplemented, SG No. 70/2004, effective 01.01.2005, amended, SG No. 103/2004)
2005, revoked - SG, no. 17 of 2019)
Art. 3. (Repealed, SG No. 17/2019)
Art. 4. (Amended, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 5. (Amended, SG No. 103/2005, repealed, SG No. 17/2019)

Chapter two.
COMMISSION FOR THE PROTECTION OF PERSONAL DATA
Art. 6. (1) (Amended, SG No. 17/2019) The Commission for Personal Data Protection,
hereinafter referred to as "the Commission", is a permanent independent supervisory body,
which protects individuals in the processing of their personal data and in
access to this data, as well as monitoring compliance with the Regulation
(EU) 2016/679 and this law.
(2) (New, SG No. 94/2010) The Commission shall assist in the conduct of
state policy in the field of personal data protection.
(3) (suppl. - SG 91/06, in force from 01.01.2007, previous para 2 - SG, iss.
94 of 2010, amended. - SG, no. 15 of 2013, in force from 01.01.2014, amended. - SG, no. 17 from
2019) The Commission is a budget-supported legal entity based in Sofia, a
its chairman is the primary budget manager.
Art. 7. (1) The commission is a collegial body and consists of a chairman and 4 members.
(2) (Amended, SG No. 91/2006, supplemented, SG No. 17/2019) The members of
the commission and its chairman are elected by the National Assembly on the proposal of
Council of Ministers for a term of 5 years and may be re-elected for another term.
The chairman and the members of the commission shall perform their functions even after the expiration of
their term of office until the election of the new chairman and members.
(3) The chairman and the members of the commission shall carry out their activity under
employment relationship.
(4) (New, SG No. 91/2006) The members of the commission shall receive basic
monthly remuneration equal to 2.5 average monthly salaries of employees
on labor and official legal relations in the public sector according to data of
National Statistical Institute. The basic monthly salary is
recalculates each quarter, taking into account the average monthly salary
for the last month of the previous quarter.
(5) (New, SG No. 91/2006) The chairman of the commission shall receive monthly
remuneration by 30 per cent higher than the basic monthly remuneration under para. 4.
(6), Amended, SG No. 103/2005, previous para 4, SG No. 91/2006, amended,
SG, no. 17 of 2019) By 31 March each year, the Commission shall present an annual report on
its activity before the National Assembly.
Art. 8. (1) Bulgarian citizens may be elected as members of the commission,
who:
1. have a higher education in informatics, law or have a master's degree in
Information Technology;
2. have work experience in their specialty not less than 10 years;
3. (supplemented, SG No. 103/2005) have not been sentenced to imprisonment for
intentional crimes of a general nature, whether or not rehabilitated;
(2) Members of the commission may not:
1. (amended, SG No. 103/2005) to be persons who are sole traders,
managers / procurators or members of management or supervisory bodies of
commercial companies, cooperatives or personal data controllers within the meaning of
this law;
2. to hold another paid position, except when exercising scientific or
teaching activity;
3. (New, SG No. 42/2009) to be persons who are spouses or are present
in actual cohabitation, relatives in the direct line, in the lateral line - up to the fourth
degree inclusive, or by marriage - up to the second degree inclusive, with another member of
the commission.
(3) A qualified lawyer shall be elected chairman of the commission, who shall be responsible
of the requirements under par. 1 and 2.
(4) The term of office of the chairman or a member of the commission shall be terminated ahead of time:
1. in case of death or placement under guardianship;
2. by decision of the National Assembly, when:
(a) has applied for exemption;
b) has committed a gross violation of this law;
(c) has committed an intentional crime of a general nature for which he has entered
force sentence;
(d) is unable to perform his duties for a period longer than
six months;
e) (new - SG, iss. 42 in 2009, amended - SG, iss. 97 in 2010, in force from 10.12.2010
г., изм. - SG, no. 7 of 2018) there is an effective act with which a conflict has been established
of interests under the Anti-Corruption and Confiscation of Illegal Act
the acquired property.
(5) (Amended and supplemented, SG No. 103/2005) In the cases under para. 4 The Council of Ministers
proposes to the National Assembly to elect a new member for a term until the end of the initial one
term of office of the respective member of the commission.
(6) The time during which the person has served as chairman or member of
the commission is also recognized for length of service under the Civil Servant Act.
(7) (New, SG No. 103/2017, effective 01.01.2018) The circumstances under para.
1, item 3 shall be established ex officio by the body, which makes the proposal.
Art. 9. (1) (Amended, SG No. 17/2019) In carrying out its activity
the commission is assisted by an administration.
(2) (Amended, SG No. 17/2019) The Commission shall regulate in regulations its activity,
the activity of its administration and the procedure for considering the proceedings before it and it
promulgated in the State Gazette.
(3) The decisions of the commission shall be taken by a majority of the total number of members
her.
(4) The sittings of the commission shall be open. The Commission may decide individually
meetings to be closed.
Art. 10. (1) (New, SG No. 17/2019) The Commission shall perform the tasks under Art. 57
of Regulation (EU) 2016/679.
(2) (Repealed, previous para 1, amended, SG No. 17/2019) In addition to the tasks under para. 1,
the commission:
1. analyze and carry out comprehensive supervision and ensure compliance with
Regulation (EU) 2016/679, of this law and of the normative acts in the field of protection
of personal data, except in the cases under Art. 17;
2. issue by-laws in the field of personal protection
data;
3. ensure the implementation of the decisions of the European Commission in the field of
the protection of personal data and the enforcement of binding European decisions
data protection committee under Art. 65 of Regulation (EU) 2016/679;
4. participate in the international cooperation with other bodies for protection of
personal data and international organizations in the field of protection of
personal data;
5. participate in the negotiations and the conclusion of bilateral or multilateral
agreements on matters within its competence;
6. organize, coordinate and conduct training in the field of protection of
personal data;
7. issue general and normative administrative acts, related to the powers
her, in the cases provided by law.
(3) (Supplemented, SG No. 103/2005, amended, SG No. 91/2006) The Commission shall issue
a bulletin in which he publishes information about his activity and about the decisions taken. IN
the bulletin shall be published and the report under art. 7, para. 6.
(4) (New, SG No. 103/2005, amended, SG No. 91/2006, repealed, SG No. 17/2005)
2019)
Art. 10a. (New, SG No. 17/2019) (1) The Commission shall exercise the powers under
Art. 58 of Regulation (EU) 2016/679.
(2) The Commission shall also have the following powers:
1. refer the matter to the court for violation of Regulation (EU) 2016/679;
2. give instructions, issue guidelines, recommendations and best practices in connection with
protection of personal data.
Art. 10b. (New, SG No. 17/2019) Others may be assigned to the commission
tasks and powers only by law.
Art. 10c. (New, SG No. 17/2019) (1) The Commission shall participate in the mechanism for
coherence under Art. 63 of Regulation (EU) 2016/679 and cooperates with
the supervisor or the supervisory authorities of the Member States of the European Union concerned
Union, including by exchanging information, providing or requesting mutual assistance or
participates in joint operations under Regulation (EU) 2016/679.
(2) The forms of participation in the mechanism for coherence, provision and request
of mutual assistance and participation in joint operations, as well as the procedures under which they are
carried out shall be determined by the regulations under Art. 9, para. 2.
Art. 10g. (New, SG No. 17/2019) In exercising its tasks
its powers in respect of controllers or processors of personal data which
are micro-enterprises, small and medium-sized enterprises within the meaning of Art. 3 of the Law on
small and medium-sized enterprises, the commission takes into account their special
needs and available resources.
Art. 11. The chairman of the commission:
1. organize and manage the activity of the commission according to the law and the decisions
to the commission and is responsible for the performance of its duties;
2. represent the commission before third parties;
3. (supplemented, SG No. 103/2005, amended, SG No. 81/2011) appoint and
dismisses civil servants and concludes and terminates the employment contracts of
the employment employees of the administration.
4. (New, SG No. 103/2005, amended, SG No. 17/2019) issue criminal penalties
resolutions under Art. 87, para. 3.
Art. 12. (Amended, SG No. 91/2006) (1) (Amended, SG No. 17/2019)
The chairman and the members of the commission or persons authorized by it from
its administration shall exercise control through prior consultations, inspections and
joint operations to comply with Regulation (EU) 2016/679 and this law.
(2) (Amended, SG No. 17/2019) Except in the cases under Art. 36 (1) of
Regulation (EU) 2016/679, prior consultations shall also take place when
process personal data in the performance of a task in the public interest, including
processing in relation to social protection and public health. In this case
the commission may authorize the processing before the expiration of the term under Art. 36,
paragraph 2 of Regulation (EU) 2016/679.
(3) (Amended, SG No. 17/2019) The preliminary consultations shall be carried out
according to art. 36, paragraphs 2 and 3 of Regulation (EU) 2016/679.
(4) (Amended, SG No. 17/2019) Inspections shall be carried out on the initiative of
the commission, upon a complaint of interested persons or after a signal has been submitted.
(5) The inspectors shall identify themselves with an official card and an order of
the chairman of the commission for the respective inspection.
(6) When carrying out inspections the persons under para. 1 may entrust the preparation of
expertise under the Code of Civil Procedure.
(7) The inspection shall end with a statement of findings.
(8) (Amended, SG No. 17/2019) When in the course of the inspection it is established
administrative violation, administrative penal proceedings are instituted.
(9) (New, SG No. 17/2019) Irrespective of the administrative penalty,
when an administrative violation is established, coercion may be applied
administrative measure under Chapter Nine.
(10) (Renumbered from Paragraph 9, SG No. 17/2019) The conditions and the procedure for implementation
of control are determined by an instruction of the commission.
(11) (New, SG No. 17/2019) Joint operations with supervisory bodies of
other Member States of the European Union, according to Art. 62 of Regulation (EU)
2016/679 shall be carried out as appropriate for joint investigations and joint
implementing measures and in addition to the persons under para. 1 and members or authorized
representatives of the supervisory authority of the European Member State concerned
union.
Art. 12a. (New, SG No. 17/2019) (1) Upon request, the administrator and
the processor of personal data assists the commission in the implementation of its
tasks and powers.
(2) When in the exercise of the powers of the commission under art. 58,
paragraph 1, points "e" and "f" of Regulation (EU) 2016/679 may breach an obligation
to the controller or processor for the protection of professional secrecy
or any other obligation of confidentiality arising by law, the administrator or
the processor refuses to provide or access only the information,
protected as a secret.
(3) When the information contains data representing classified
information, the procedure for access under the Classified Protection Act shall apply
information.
Art. 13. (amend. SG 103/05) (1) The chairman and the members of
the commission and the employees of its administration are obliged not to disclose and not to
take advantage of the information they represent for their own or others' benefit
a secret protected by law which became known to them in the course of their exercise
activity, until the expiration of the term for its protection.
(2) Upon entering work, the persons under para. 1 submit a declaration for
its obligations under para. 1.
(3) (New, SG No. 17/2019) The chairman, the members of the commission and
the employees of the administration, employed, have the right
annually of representative clothing worth up to two minimum wages,
as the funds are provided from the budget of the commission. The individual size of
the funds shall be determined by the chairman of the commission under conditions and in accordance with the procedure determined
with the regulations under Art. 9, para. 2.
Art. 14. (Amended, SG No. 103/2005, amended, SG No. 17/2019) (1) The Commission
performs accreditation of certification bodies in accordance with Regulation (EU)
2016/679 on the basis of requirements laid down by it or by the European Committee for
data protection.
(2) The accreditation shall be issued according to art. 43 (2) of Regulation (EU)
2016/679 for a period of 5 years and can be renewed.
(3) The Commission shall revoke the accreditation of a certification body when they are not
the conditions for accreditation are met or when undertaken by the certification body
actions violate this law or Regulation (EU) 2016/679.
(4) The decisions of the commission for revocation of accreditation under para. 3 can be
appeal under the Administrative Procedure Code.
(5) The conditions, including the requirements under par. 1, and the procedure for accreditation and
revocation of accreditation shall be determined by an ordinance adopted by the commission. The ordinance is
promulgated in the State Gazette.
(6) Criteria, mechanisms and procedures for certification, seals and
markings are determined by an ordinance adopted by the commission. The ordinance is promulgated in
"State Gazette".
Art. 14a. (New, SG No. 17/2019) (1) The Commission shall approve draft codes
for conduct by sectors and areas of activity according to art. 40 of Regulation (EU)
2016/679. The conditions, procedure and criteria for approval of codes of conduct are
determined by the regulations under Art. 9, para. 2.
(2) The Commission shall carry out accreditation of bodies for monitoring of approved
codes of conduct under para. 1 in accordance with art. 41 of Regulation (EU) 2016/679.
(3) The requirements for accreditation under para. 2 and the procedure for accreditation and revocation of
the accreditation is determined by an ordinance adopted by the commission. The ordinance is promulgated in
"State Gazette".
(4) The Commission shall revoke the accreditation of a body for monitoring of approved
codes of conduct when accreditation requirements are not met, or when
the actions taken by the authority violate this law or Regulation (EU) 2016/679.
(5) The decisions of the commission for revocation of accreditation under para. 4 can be
appeal under the Administrative Procedure Code.
Art. 15. (Repealed, SG No. 103/2005, new, SG No. 17/2019) (1) The Commission
keeps the following public registers:
1. register of the administrators and the processors of personal data, which are
designated data protection officials;
2. register of the accredited under art. 14 certification bodies;
3. register of the codes of conduct under art. 40 of Regulation (EU) 2016/679.
(2) The Commission shall keep the following registers, which are not public:
1. register of violations of Regulation (EU) 2016/679 and of this law, as well as
of the measures taken in accordance with the exercise of the powers under Art. 58,
paragraph 2 of Regulation (EU) 2016/679;
2. register of the notifications for breaches of the security of the personal data under
Art. 33 of Regulation (EU) 2016/679 and under Art. 67.
(3) The procedure for creation and maintenance of the registers under para. 1 and 2 and access to them
are determined in accordance with the Electronic Government Act, and their content - with
the regulations under Art. 9, para. 2.
Art. 16. (Amended, SG No. 103/2005, repealed, SG No. 91/2006, new, SG No. 17/2005)
from 2019) (1) The conditions and the order for conducting training under art. 10, para. 2, item 6 se
determined by the regulations under Art. 9, para. 2.
(2) The Commission shall issue a certificate to the persons, who have passed training under para. 1, after
successfully passed the exam. The certificate is issued for a period of three years. After the expiration of
the term under sentence two of the certificate shall be renewed after successfully passing the examination at
conditions and by order, determined by the regulations under art. 9, para. 2.
(3) The presence of a certificate under para. 2 cannot be a mandatory condition for
appointment or performance of the functions of a data protection officer.
(4) For the training under par. 1 fees shall be collected, except in the cases of training,
organized and conducted on the initiative of the commission. Fees are determined by a tariff,
approved by the Council of Ministers on a proposal of the commission.
Chapter three.
INSPECTORATE TO THE SUPREME JUDICIAL COUNCIL (TITLE AMENDED, SG No. 103 OF
2005, AM. - SG, BR. 17 OF 2019)
Art. 17. (Amended, SG No. 103/2005, amended, SG No. 91/2006, amended, SG No. 1/2005)
17 of 2019) (1) The Inspectorate to the Supreme Judicial Council, hereinafter referred to as
the "inspectorate" supervises and ensures compliance with Regulation (EU) 2016/679,
of this law and of the normative acts in the field of personal data protection at
processing of personal data by:
1. the court in the performance of its functions as a body of the judiciary, and
2. the prosecution and the investigative bodies in the performance of their functions of
judicial authorities for the purposes of prevention, investigation, detection
or the prosecution of crimes or the execution of sentences.
(2) The procedure for carrying out the activity under para. 1, including the performance of
inspections and for consideration of the proceedings before the inspectorate, shall be determined by
the regulations under Art. 55, para. 8 of the Judiciary Act.
(3) In carrying out the supervision under para. 1 shall be applied also art. 12a.
Art. 17a. (New, SG No. 91/2006, amended, SG No. 17/2019) (1)
exercising supervision over the processing of personal data by the court in the performance of
its functions as a body of the judiciary, except in the processing of personal data for
the objectives under Art. 42, para. 1 the inspectorate:
1. perform the tasks under art. 57 (1) (a) - "i", "l", "u" and "x" i
paragraphs 2 and 3 of Regulation (EU) 2016/679;
2. exercise the powers under art. 58 (1) (a), (b), (d), (e), (e),
paragraph 2 (a) to (g), (i) and (j) and paragraph 3 (a), (b) and (c) of Regulation (EU)
2016/679;
3. apply accordingly the list, prepared by the commission according to art. 35 (4)
of Regulation (EU) 2016/679 in relation to the requirement to assess the impact on
data protection;
4. refer the case to the court for violation of Regulation (EU) 2016/679.
(2) In addition to the tasks and powers under para. 1 the inspectorate:
1. participate in the international cooperation with other bodies for protection of
personal data and international organizations in the field of protection of
personal data;
2. give instructions, issue guidelines, recommendations and best practices in connection with
protection of personal data.
(3) When carrying out the supervision during processing of personal data for the purposes under
Art. 42, para. 1 by the court, the prosecution and the investigative bodies in the performance of their functions
to their bodies of the judiciary, the inspectorate performs the tasks and exercises
powers under Chapter Eight.
Art. 17b. (New, SG No. 91/2006, amended, SG No. 17/2019) (1)
The Inspectorate provides preliminary consultations:
1. in the cases under art. 36 (1) of Regulation (EU) 2016/679;
2. when processing personal data in the performance of a task in the public interest;
in this case, the inspectorate may authorize the processing before the expiry of the period
under Art. 36 (2) of Regulation (EU) 2016/679.
(2) The preliminary consultations shall be carried out according to art. 36, paragraphs 2 and 3
of Regulation (EU) 2016/679.
Art. 18. (Amended, SG No. 103/2005, amended, SG No. 17/2019) (1)
carrying out the supervision under Art. 17, para. 1 the inspectorate carries out inspections,
provided for in its annual program or on signals. A publication is also accepted as a signal
in the media.
(2) The inspection shall be carried out by the chief inspector or by an inspector who is
assisted by experts, based on an order of the Chief Inspector.
Art. 19. (Suppl. - SG, iss. 93 in 2004, amended - SG, iss. 103 in 2005, amended - SG, iss.
17 of 2019) (1) The inspection shall end with an act for results, in which they shall be reflected
the findings made and, if necessary, recommendations are made.
(2) Where the inspection reveals a breach of Regulation (EU)
2016/679 and of this law, depending on the nature and extent of the violation
apply the measures under Art. 58 (2) (a) - "g" and "j" of Regulation (EU) 2016/679
or under Art. 80, para. 1, items 3, 4 and 5 and / or administrative penalties shall be imposed in
compliance with Art. 83 of Regulation (EU) 2016/679, as well as under Chapter Nine.
(3) The measures under art. 58 (2) (a) to (g) and (j) of Regulation (EU)
2016/679 and under Art. 80, para. 1, items 3, 4 and 5 shall be applied by a decision of the inspectorate under
proposal of the inspector who performed the inspection.
Art. 20. (Amended, SG No. 103/2005, amended, SG No. 17/2019) The Chief
inspector, inspectors and court employees in the administration of the inspectorate are
obliged not to disclose and not to use for their own or others' benefit from
information constituting a secret protected by law which has become known to them
in carrying out their activity under this law, until the expiration of the term for protection
her.
Art. 21. (Amended, SG No. 103/2005, amended, SG No. 17/2019) (1)
The Inspectorate keeps the following registers, which are not public:
1. register of violations of Regulation (EU) 2016/679 and of this law, as well as
of the measures taken in accordance with the exercise of the powers under Art. 58,
paragraph 2, points "a" - "g", "i" and "j" of Regulation (EU) 2016/679;
2. register of the notifications for breaches of the security of the personal data under
Art. 33 of Regulation (EU) 2016/679 and under Art. 67.
(2) The procedure for creation and maintenance of the registers under para. 1 and access to them
determined in accordance with the Electronic Government Act, and their content - with
the regulations under Art. 55, para. 8 of the Judiciary Act.
Art. 22. (Amended, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 22a. (New, SG No. 91/2006, repealed, SG No. 17/2019)

Chapter four.
PROTECTION OF PERSONAL DATA (CANCELED - SG, ISSUE 17 OF 2019)
Art. 23. (Amended, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 23a. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 23b. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 24. (Repealed, SG No. 17/2019)
Art. 25. (Repealed, SG No. 17/2019)

Chapter four "a".
GENERAL RULES FOR THE PROCESSING OF PERSONAL DATA. SPECIAL CASES OF
PROCESSING OF PERSONAL DATA (NEW, SG No. 17/2019)
Art. 25a. (New, SG No. 17/2019) When personal data are provided by
the data subject of a controller or processor of personal data without a legal basis
under Art. 6, paragraph 1 of Regulation (EU) 2016/679 or in contradiction with the principles under Art.
5 of the same regulation, within one month from the knowledge of the administrator or
the processor returns the personal data and, if this is not possible or requires it
disproportionately large efforts, erases or destroys them. Deletion and destruction
are documented.
Art. 25b. (New, SG No. 17/2019) The administrator and the personal processor
data shall notify the Commission of the names, the unique civil number or the personal number of
foreigner or other similar identifier, and for the official's contact details
data protection officer, as well as for subsequent changes in them. The form and
the content of the notification and the procedure for its submission shall be determined by the regulations under
Art. 9, para. 2.
Art. 25c. (New, SG No. 17/2019) The processing of data by a data subject
- a person under 14 years of age, on the basis of consent within the meaning of Art. 4, item 11 of
Regulation (EU) 2016/679, including in cases of direct provision of services to
the information society within the meaning of Art. 1, para. 3 of the Electronic Act
trade is lawful only if the consent is given by the exercising parent
rights parent or guardian of the data subject.
Art. 25г. (New, SG No. 17/2019) Administrator or processor of personal data
can copy identity document, driving license
vehicle or residence document only if provided by law.
Art. 25d. (New, SG No. 17/2019) (1) The administrator or the processor
personal data adopts and applies rules for large - scale processing of personal data or
in the case of systematic large - scale monitoring of publicly accessible areas, including through
video surveillance, which introduces appropriate technical and organizational measures for
protection of the rights and freedoms of data subjects. The rules for systematic
large-scale monitoring of publicly accessible areas contains the legal grounds and objectives
to establish a monitoring system, the territorial scope of monitoring and
the means of monitoring, the retention period of the information records and the deletion
their right of access by the observed persons, informing the
the public for the monitoring carried out, as well as restrictions on provision
access to third party information.
(2) The Commission shall give guidelines to the controllers and to the processors of personal data
in fulfilling their obligation under para. 1, which he publishes on the website
you are.
Art. 25e. (New, SG No. 17/2019) (1) The administrator or the processor
personal data may process personal data of deceased persons only in the presence of
legal basis for this. In these cases, the administrator or processor personal
take appropriate measures to prevent adverse effects on
the rights and freedoms of others or of the public interest.
(2) The administrator shall provide upon request access to personal data of
deceased person, including providing a copy of them, to his heirs or to others
persons with a legal interest.
Art. 25g. (New, SG No. 17/2019) (1) Free public access to
information containing a unique civil number or personal number of a foreigner is not
allows, unless otherwise provided by law.
(2) The administrators providing services electronically shall undertake
appropriate technical and organizational measures that do not allow uniform
civil number or personal number of a foreigner to be the only means for
identification of the user when providing remote access to the respective
service.
(3) For the purposes of providing administrative services electronically at
the terms of the Electronic Government Act provide the administrator with an opportunity
of the data subject to be identified in accordance with the law.
Art. 25z. (New, SG No. 17/2019) (1) The processing of personal data for
journalistic purposes, as well as for academic, artistic or literary purposes
expression is lawful when exercised for the exercise of the freedom of
expression and the right to information, while respecting the inviolability of the private
life.
(2) (Declared unconstitutional by RAC № 8 of 2019 - SG, issue 93 of
2019) Upon disclosure by transmission, distribution or otherwise
personal data collected for the purposes under para. 1, become available, the balance between the freedom of
expression and the right to information and the right to protection of personal data are
assessed on the basis of the following criteria, in so far as relevant:
1. the nature of the personal data;
2. the influence that the disclosure of personal data or their public
disclosure would affect the privacy of the data subject
and his good name;
3. the circumstances under which the personal data have become known to
administrator;
4. the nature and the nature of the statement, through which the rights under
al. 1;
5. the importance of the disclosure of personal data or their public data
disclosure of a matter of public interest;
6. reporting whether the data subject is a person holding a position under Art. 6 of
The Anti-Corruption and Confiscation of Illegally Acquired Act
property, or is a person who due to the nature of his activity or his role in
public life has a lower protection of personal privacy or whose
actions have an impact on society;
7. reporting whether the data subject has contributed to the disclosure by his actions
of their personal data and / or information about their personal and family life;
8. the purpose, the content, the form and the consequences of the statement through which
exercise the rights under para. 1;
9. the conformity of the statement, through which the rights under para 1 are exercised. 1, p
the fundamental rights of citizens;
10. other circumstances relevant to the specific case.
(3) When processing personal data for the purposes under para. 1:
1. Art. 6, 9, 10, 30, 34 and Chapter Five of Regulation (EU) 2016/679,
as well as Art. 25c;
2. the controller or the processor of personal data may refuse completely or
the partial exercise of the rights of the data subjects under Art. 12 - 21 of the Regulation
(EU) 2016/679.
(4) The exercise of the powers of the commission under art. 58 (1) of
Regulation (EU) 2016/679 cannot lead to the disclosure of the secrecy of the source of
information.
(5) In the processing of personal data for the purposes of creating a photographic
or an audio-visual work by capturing a person in the course of his public
activity or in a public place Art. 6, Art. 12 - 21, art. 30 and 34 of
Regulation (EU) 2016/679.
Art. 25i. (New, SG No. 17/2019) (1) An employer or body under
the appointment, in his capacity as controller of personal data, adopts rules and
procedures for:
1. use of a system for reporting violations;
2. restrictions on the use of internal company resources;
3. introduction of systems for access control, working hours and working hours
discipline.
(2) The rules and procedures under para. 1 contain information about the scope,
obligations and methods for their implementation in practice. They take into account the subject of
activity of the employer or the appointing authority and the related nature of
work and the rights of data subjects under Regulation (EU) cannot be restricted
2016/679 and under this law.
(3) The workers and the employees shall be notified about the rules and the procedures under para.
1.
Art. 25k. (New, SG No. 17/2019) (1) An employer or body under
the appointment, in his capacity as controller of personal data, sets a time limit for
storage of personal data of participants in procedures for recruitment and selection of
staff, which may not be longer than 6 months, unless the applicant has given his
consent to storage for a longer period. After the expiration of this period, the employer
or the appointing authority deletes or destroys the stored personal documents
data, unless a special law provides otherwise.
(2) When in a procedure under par. 1 the employer or the appointing body is
requested to submit originals or notarized copies of documents that
certify the physical and mental fitness of the candidate required
qualification degree and length of service for the position held, he returns these documents to
the data subject who has not been approved for appointment within 6 months of the final date
completion of the procedure, unless a special law provides otherwise.
Art. 25л. (New, SG No. 17/2019) The processing of personal data for the purposes of
The National Archive Fund of the Republic of Bulgaria is processing in the public interest.
In these cases Art. 15, 16, 18, 19, 20 and 21 of Regulation (EU) 2016/679.
Art. 25m. (New, SG No. 17/2019) When processing personal data for
statistical purposes Art. 15, 16, 18 and 21 of Regulation (EU) 2016/679.
Art. 25н. (New, SG No. 17/2019) Personal data initially collected for
other purpose, may be processed for the purposes of the National Archives, for the purposes of
scientific or historical research or for statistical purposes. In these cases
the administrator shall apply appropriate technical and organizational measures which
guarantee the rights and freedoms of the data subject in accordance with Art. 89 (1)
of Regulation (EU) 2016/679.
Art. 25o. (New, SG No. 17/2019) The processing of personal data for
humanitarian purposes by public authorities or humanitarian organizations, and
disaster management within the meaning of the Disaster Protection Act, f
legally. In this case Art. 12 - 21 and Art. 34 of Regulation (EU)
2016/679.
Chapter five.
RIGHTS OF NATURAL PERSONS (TITLE AMENDED, SG No. 103/2005, REPEALED, SG No.
BR. 17 OF 2019)
Art. 26. (Repealed, SG No. 17/2019)
Art. 27. (Amended, SG No. 103/2005, repealed, SG No. 91/2006)
Art. 28. (Amended, SG No. 103/2005, repealed, SG No. 17/2019)

Photo gallery

C

N

Art. 28a. (New, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 29. (Repealed, SG No. 17/2019)
Art. 30. (Amended, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 31. (Repealed, SG No. 17/2019)
Art. 32. (Amended, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 33. (Repealed, SG No. 17/2019)
Art. 34. (Repealed, SG No. 17/2019)
Art. 34a. (New, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 34b. (New, SG No. 103/2005, repealed, SG No. 17/2019)
Chapter six.
PROVISION OF PERSONAL DATA TO THIRD PARTIES (CANCELED - SG, ISSUE 17 OF 2019)
Art. 35. (Amended, SG No. 103/2005, repealed, SG No. 91/2006)
Art. 36. (Amended, SG No. 103/2005, effective until 01.01.2007, repealed, SG No. 17/2005)
2019)
Art. 36a. (New, SG No. 103/2005, effective 01.01.2007, repealed, SG No. 17/2005)
2019)
Art. 36b. (New, SG No. 103/2005, effective 01.01.2007, repealed, SG No. 17/2005)
2019)
Art. 36c. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 36г. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 36d. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 36e. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 36ж. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 36з. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 36i. (New, SG No. 81/2011, repealed, SG No. 17/2019)
Art. 37. (Repealed, SG No. 103/2005)
Chapter seven.
EXERCISE OF THE RIGHTS OF DATA SUBJECTS. REMEDIES
PROTECTION (TITLE AMENDED - SG, ISSUE 17 OF 2019)
Art. 37a. (New, SG No. 17/2019) (1) The administrator or the processor
personal data may deny full or partial exercise of the rights of subjects
of data under Art. 12 - 22 of Regulation (EU) 2016/679, as well as not to fulfill the obligation
under Art. 34 of Regulation (EU) 2016/679, when the exercise of rights or
the fulfillment of the obligation would create a risk for:
1. national security;
2. defense;
3. public order and security;
4. the prevention, investigation, detection or criminal
prosecution of crimes or execution of imposed penalties, including
the prevention of and the prevention of threats to public order and security;
5. other important objectives of general public interest and in particular important
economic or financial interest, including monetary, budgetary and fiscal interests
issues, public health and social security;
6. the protection of the independence of the judiciary and judicial proceedings;
7. the prevention, investigation, detection and criminal prosecution
violations of codes of ethics in regulated professions;
8. the protection of the data subject or of the rights and freedoms of other persons;
9. the enforcement of civil claims.
(2) The conditions and the order for application of para. 1 shall be determined by law and in
compliance with Art. 23 (2) of Regulation (EU) 2016/679.
Art. 37b. (New, SG No. 17/2019) (1) The data subject shall exercise the rights
under Art. 15 - 22 of Regulation (EU) 2016/679 by written application to the administrator of
personal data or in another way determined by the administrator.
(2) An application may also be submitted electronically under the conditions of the Law on
the electronic document and the electronic certification services, the Electronic Law
management and the Electronic Identification Act.
(3) An application may also be submitted through actions in the user interface of
the information system that processes the data after the person has been identified
with the appropriate means of identification for the information system.
Art. 37c. (New, SG No. 17/2019) (1) The application under Art. 37b contains:
1. name, address, unique civil number or personal number of a foreigner or another
similar identifier, or other identification data of the natural person,
determined by the administrator, in connection with the activity performed by him;
2. description of the request;
3. preferred form for obtaining information in the exercise of
the rights under Art. 15 - 22 of Regulation (EU) 2016/679;
4. signature, date of submission of the application and address for correspondence.
(2) When submitting an application by an authorized person to the application shall be
also applies the power of attorney.
Art. 38. (1) (Amended, SG No. 103/2005, amended, SG No. 91/2006, amended, SG No. 1/2005)
no. 17 of 2019) In case of violation of his rights under Regulation (EU) 2016/679 and under this
By law, the data subject has the right to refer the matter to the Commission within 6 months of learning of it
the infringement, but not later than two years after its commission.
(2) (New, SG No. 17/2019) The Commission shall inform the complainant of
progress in examining the complaint or the outcome thereof within three months of
referring it.
(3) (Amended, SG No. 103/2005, previous para 2, amended, SG No. 17/2019)
The commission shall issue a decision and may apply the measures under Art. 58 (2),
letters "a" - "h" and "j" of Regulation (EU) 2016/679 or under Art. 80, para. 1, items 3, 4 and 5 and c
supplement these measures or instead impose an administrative penalty in
compliance with Art. 83 of Regulation (EU) 2016/679, as well as under Chapter Nine.
(4) (New, SG No. 17/2019) When the appeal is manifestly unfounded or
excessive, with a decision of the commission the complaint may be left without consideration.
(5) (Renumbered from Paragraph 4, amended, SG No. 17/2019) The Commission shall send a copy of
its decision and the data subject.
(6) (New, SG No. 91/2006, previous para 5, amended, SG No. 17/2019) In
the cases under par. 1, when personal data are processed for the purposes under Art. 42, para. 1,
the commission 's decision contains only a finding as to the legality of
processing.
(7) (Amended, SG No. 103/2005, previous para 5, SG No. 91/2006, amended,
SG, no. 39 of 2011, previous para. 6, as amended - SG, no. 17 of 2019) The decision of
the commission under par. 3 and 4 shall be subject to appeal by the order of the Administrative Procedure
code within 14 days of receipt.
Art. 38a. (New, SG No. 17/2019) (1) The appeal to the commission may be filed
submitted by letter, fax or electronically in accordance with the Electronic Act
document and electronic certification services.
(2) Anonymous complaints shall not be considered, as well as complaints that have not been signed by
the sender or his representative by law or power of attorney.
Art. 38b. (New, SG No. 17/2019) (1) In case of violation of his rights under
Regulation (EU) 2016/679 and under this law when processing personal data by the court at
performance of its functions as a body of the judiciary and by the prosecution and
investigative bodies in the performance of their functions as bodies of the judiciary for
the purposes of prevention, investigation, detection or criminal
prosecution of crimes or the execution of penalties, the data subject has
the right to lodge a complaint with the inspectorate within 6 months of learning of the violation, but
no later than two years after its implementation.
(2) In the cases under par. 1, Art. 38a.
Art. 38c. (New, SG No. 17/2019) (1) The appeal under Art. 38b, para. 1 is considered
by an inspector appointed on a random basis by the Chief Inspector.
(2) During the examination of the appeal data relevant to the alleged shall be collected
violation, including information from the administrator or processor personal
data.
(3) The complainant shall be informed about the progress in the examination of the complaint or
for the result thereof within three months from the referral to the inspectorate.
(4) When the appeal is unfounded, the inspector shall pronounce with a decision, which
subject to appeal under the Administrative Procedure Code within 14 days
term from its receipt.
(5) When the appeal is well-founded, the inspectorate shall rule with a decision on
proposal of the inspector. The decision is subject to appeal under
The Administrative Procedure Code within 14 days of its receipt.
(6) When the complaint is obviously unfounded or excessive, the inspector may
to leave it without consideration.
Art. 38г. (New, SG No. 17/2019) (1) When in the proceedings under Art. 38c be
established infringement of Regulation (EU) 2016/679 and of this law, depending on
the nature and the degree of the violation, the measures under art. 58, paragraph 2, letters
"a" - "g" and "j" of Regulation (EU) 2016/679 or under Art. 80, para. 1, items 3, 4 and 5 and / or
impose administrative penalties in accordance with Art. 83 of Regulation (EU) 2016/679,
as well as in Chapter Nine.
(2) The measures under art. 58 (2) (a) to (g) and (j) of Regulation (EU)
2016/679 and under Art. 80, para. 1, items 3, 4 and 5 shall be applied by a decision of the inspectorate under
proposal of the inspector, who has considered the complaint under Art. 38b, para. 1.
Art. 39. (1) (Amended, SG No. 103/2005, amended, SG No. 30/2006, effective as
March 1, 2007, amended - SG, no. 91 of 2006, amended. - SG, no. 17 of 2019) In case of violation
of his rights under Regulation (EU) 2016/679 and under this law the data subject may
appeals actions and acts of the controller and the processor of personal data before the court
by the order of the Administrative Procedure Code.
(2) (Amended, SG No. 103/2005, amended and supplemented, SG No. 17/2019) In
the proceedings under para. 1, the data subject may claim compensation for those suffered by
damages him as a result of the unlawful processing of personal data by
the controller or the processor.
(3) (New, SG No. 81/2011, repealed, SG No. 17/2019)
(4) (New, SG No. 103/2005, previous para 3, SG No. 81/2011, amended,
SG, no. 17 of 2019) The data subject cannot refer to the court when there is a pending
proceedings before the commission for the same infringement or its decision on the same
violation has been appealed and no court decision has entered into force. At the request of the subject of
data or the court commission certifies the absence of pending proceedings before it on
the same dispute.
(5) (Renumbered from Paragraph 4, amended, SG No. 103/2005, amended, SG No. 30/2006, in
force from 12.07.2006, revoked - SG, no. 91 of 2006, new - SG, iss. 17 of 2019) Paragraph 4
it is also applied in case of pending proceedings before the inspectorate.
Art. 40. (Repealed, SG No. 103/2005, new, SG No. 17/2019) When
the decision under Art. 38, para. 3 has been adopted pursuant to a binding decision
of the European Data Protection Board, Art. 263 and 267 of
Treaty on the Functioning of the European Union.
Art. 41. (Repealed, SG No. 103/2005)

Chapter eight.
RULES FOR THE PROTECTION OF INDIVIDUALS IN CONNECTION WITH PROCESSING
OF PERSONAL DATA BY THE COMPETENT AUTHORITIES FOR THE PURPOSES OF
PREVENTION, INVESTIGATION, DISCLOSURE OR CRIMINAL
PROSECUTION OF CRIMES OR ENFORCEMENT OF PENALTIES,
INCLUDING PROTECTION AGAINST THREATS TO PUBLIC ORDER AND
SECURITY AND THEIR PREVENTION (TITLE AMENDED - SG, ISSUE 17 OF 2019)
Section I.
General provisions (New, SG No. 17/2019)
Art. 42. (Amended, SG No. 103/2005, amended, SG No. 17/2019) (1) The Rules
of this Chapter shall apply to the processing of personal data by competent authorities for
the purposes of prevention, investigation, detection or criminal
prosecution of crimes or execution of punishments, including
the protection against threats to public order and security and their prevention.
(2) Personal data collected for the purposes under para. 1, are not processed for other purposes,
unless the law of the European Union or the legislation of the Republic of Bulgaria
provides otherwise.
(3) When the competent authorities under par. 1 process personal data for purposes
different from those under para. 1, as well as in the cases under para. 2, Regulation (EU) shall apply
2016/679 and the relevant provisions of this law, which introduce measures for its
application.
(4) Competent authorities under para. 1 are the state bodies, which have powers
on the prevention, investigation, detection or prosecution of
crimes or the execution of penalties, including the prevention of threats to
public security and their prevention.
(5) Unless otherwise provided by law, an administrator within the meaning of this Chapter
in the processing of personal data for the purposes under para. 1 is a competent body under para. 4 or
the relevant administrative structure, part of which is this body, which independently
or together with other bodies determine the purposes and means for processing personal
data.
Art. 42a. (New, SG No. 103/2005, repealed, SG No. 17/2019)
Art. 43. (1) (Amended, SG No. 103/2005, amended, SG No. 17/2019) The rules
of this chapter shall apply to the processing of personal data in whole or in part by
automatic means, as well as for the processing by other means of personal data which
are part of a personal data register or are intended to form part of such
register.
Art. 44. (New, SG No. 17/2019) The exchange of personal data between
the competent authorities of the Member States of the European Union, where such exchanges
required by European Union law or by the law of the Republic
Bulgaria is not limited or prohibited for reasons related to the protection of
individuals in connection with the processing of personal data.
Art. 45. (New, SG No. 17/2019) (1) When processing personal data for
the objectives under Art. 42, para. 1 personal data must:
1. are processed lawfully and in good faith;
2. are collected for specific, explicitly indicated and lawful purposes and not to be
processed in a way that is incompatible with those purposes;
3. are appropriate, relevant and do not exceed what is necessary in connection with
the purposes for which the data are processed;
4. are accurate and, if necessary, be kept up to date; must be
take all necessary measures to ensure timely erasure
or correcting inaccurate personal data, taking into account the purposes for which they are
process;
5. be stored in a form that allows the identification of the subject of
the data for a period not longer than necessary for the purposes for which they are processed;
6. be handled in a way that ensures an appropriate level of security
personal data, including protection against unauthorized or unlawful
treatment and against accidental loss, destruction or damage, applying
appropriate technical or organizational measures.
(2) The processing of personal data by an administrator who is originally them
collected, or by another administrator for any of the purposes under Art. 42, para. 1, other than
the purpose for which the personal data are collected is permitted provided that:
1. the controller is authorized to process personal data for such purpose in
in accordance with the law of the European Union or the legislation of the Republic
Bulgaria, and
2. the processing is necessary and proportionate to this different purpose in
in accordance with European Union law or the law of the Republic
Bulgaria.
(3) The processing by an administrator under para. 2 may include archiving in
public interest, scientific, statistical or historical use of data for
the objectives under Art. 42, para. 1 in the application of appropriate guarantees for rights and freedoms
of the data subject.
(4) The administrator shall be responsible for the observance of para. 1, 2 and 3 and must be
able to prove it.
Art. 46. ​(New, SG No. 17/2019) (1) When the terms for deletion of personal
data or for periodic verification of the need for their storage are not
legally established, they are determined by the administrator.
(2) The performance of a periodic inspection under para. 1 shall be documented, and the decision
to continue data storage is motivated.
Art. 47. (New, SG No. 17/2019) The administrator, when applicable and
as far as possible, make a clear distinction between the personal data of different
categories of data subjects, for example:
1. persons for whom there are serious grounds to believe that they have committed or will commit
commit a crime;
2. persons convicted of a crime;
3. persons, victims of a crime, or persons, in respect of whom
certain facts give reason to believe that they may have suffered from
crime, and
4. other third parties in respect of a crime, for example persons who would
could be called to testify in a criminal investigation or in
criminal proceedings, persons who can provide information about
crimes or related parties.
Art. 48. (New, SG No. 17/2019) (1) The competent authority, insofar as
make a distinction between personal data based on facts and personal data,
based on personal assessments.
(2) The competent authority shall take the necessary measures personal data, which are
inaccurate, incomplete or no longer up to date, not to be transmitted. For this purpose, everyone
competent authority shall, as far as possible, verify the quality of personal data
before their transmission. As far as possible, any transfer of personal data
add the necessary information enabling the receiving competent authority to
assess the degree of accuracy, completeness and reliability of personal data and to what extent
degree they are relevant.
(3) When the transmitted personal data are inaccurate or have been transmitted
illegally, the recipient shall be notified immediately. In this case, the transmitter
competent authority and the recipient shall correct, delete or restrict the processing of
personal data.
Art. 49. (New, SG No. 17/2019) The processing of personal data shall be
lawfully when necessary for the exercise of powers by a competent
body for the purposes under Art. 42, para. 1 and is provided for in the law of the European Union or in
a normative act in which the purposes of the processing and the categories of personal are defined
data being processed.
Art. 50. (New, SG No. 17/2019) (1) When the law of the European Union or
the legislation of the Republic of Bulgaria applicable to the transmitting competent
authority, provides specific conditions for the processing of personal data, the authority
notify the recipient of the data of these conditions and of his obligation to comply with them.
(2) The transfer of personal data to recipients in other Member States of
European Union, or of European Union agencies, services and bodies established
pursuant to Title V, Chapters 4 and 5 of the Treaty on the Functioning of the European Union,
carried out under the same conditions as apply to such a transfer in the Republic
Bulgaria.
Art. 51. (New, SG No. 17/2019) (1) The processing of personal data,
revealing racial or ethnic origin, political views, religious or
philosophical beliefs, membership in trade unions, the processing of genetic
data, biometric data for the purpose of unique identification of the individual, data,
related to health or sexual life and sexual orientation
of the person is allowed, when absolutely necessary, there are appropriate
guarantees for the rights and freedoms of the data subject and is provided for in the law of
European Union or in the legislation of the Republic of Bulgaria.
(2) When the processing under par. 1 is not provided for in European law
Union or in the legislation of the Republic of Bulgaria, the data under para. 1 can be
processed when absolutely necessary, there are appropriate safeguards for
the rights and freedoms of the data subject and:
1. the processing is for the protection of vital interests of the data subject
or to another natural person, or
2. if the processing relates to data which have obviously been made
public domain by the data subject.
(3) When processing data under par. 1, appropriate measures and guarantees shall be applied
to prevent discrimination against individuals.
Art. 52. (New, SG No. 17/2019) (1) The taking of a decision based on
only of automated processing, including profiling, which generates
adverse legal consequences for or substantially affecting the data subject, is
prohibited, except where provided for in European Union law or in
legislation of the Republic of Bulgaria and appropriate guarantees are provided for
the rights and freedoms of the data subject, at least human interference in the taking of
the relevant decision by the administrator.

Page 2

(2) The decisions under par. 1 cannot be based on the categories of personal data under
Art. 51, para. 1, unless appropriate measures for protection of the rights and freedoms have been introduced
and the legitimate interests of the data subject.
(3) In the cases under par. 1 and 2 the administrator shall perform an impact assessment
under Art. 64.
(4) Profiling shall be prohibited, which shall lead to discrimination on a physical basis
persons on the basis of the categories of personal data under Art. 51, para. 1.
(5) The data subject shall have the right to receive information about the processing under para.
1, to express his opinion, to receive an explanation for the decision under para. 1, taken as a result
of this processing, as well as to appeal the decision.
Section II.
Rights of the data subject (New, SG No. 17/2019)
Art. 53. (New, SG No. 17/2019) (1) The administrator shall take the necessary measures
measures for providing the data subject with the information under Art. 54 and for
correspondence with him in connection with Art. 52, para. 5, Art. 55 - 58 and 68 on processing
of personal data in a concise, understandable and easily accessible form, using clear and simple
language. The administrator provides the information on the manner of receipt of the request.
When this is not possible or requires a disproportionate effort, information is obtained
provided by other appropriate means, including electronically.
(2) The controller shall facilitate the exercise of the rights of the data subject under
Art. 52, para. 5 and Art. 55 - 58.
(3) The controller shall respond to the request of the data subject or inform him
in writing for the actions taken in connection with his request, within two months
from receipt of the request. The term can be extended by another month when this happens
required because of the complexity or number of requests.
(4) The information under art. 54 and the correspondence or actions taken
according to art. 52, para. 5, Art. 55 - 58 and 68 are free. When requests from an entity
data are manifestly unfounded or excessive, in particular because of their
repeatability, the administrator can:
1. charge a fee in an amount commensurate with the administrative costs for
providing information either for correspondence with the data subject or for
taking action on the request, or
2. refuse to take action on the request.
(5) The administrator shall bear the burden of proving the obviously unfounded
or excessive nature of the request.
(6) When the administrator has reasonable doubts about the identity of
the natural person who submits a request under Art. 55 or 56, he may ask to
provide additional information necessary for verification of identity
of the data subject. The term under par. 3 starts running from receiving this
more information.
Art. 54. (New, SG No. 17/2019) (1) The administrator shall provide to the subject
data at least the following information:
1. the data that identify the administrator and the contact details
him;
2. the contact details of the data protection officer, when
applicable;
3. the purposes for which the personal data are processed;
4. the right of appeal to the commission, respectively to the inspectorate, and their coordinates
Connection;
5. the right to request from the administrator access to, correction, supplementation or
deleting personal data and restricting the processing of personal data related
with the data subject;
6. the possibility in case of refusal under para. 3, under Art. 55, para. 3 and 4 and Art. 56, para. 6 and 7 yes
exercise his rights through the commission, respectively through the inspectorate.
(2) In addition to the information under para. 1, at the request of the data subject or on his own
initiative the controller provides to the data subject, in specific cases and with
in order to enable him to exercise his rights, the following additional
information:
1. the legal basis for the processing;
2. the term for which the personal data will be stored, and if this is not possible the criteria used to determine this period;
3. where applicable, the recipients or categories of recipients of the personal
data, including in third countries or international organizations;
4. where necessary, and other additional information, in particular in
cases where personal data are collected without the knowledge of the data subject.
(3) The administrator may delay or refuse in whole or in part
the provision of the information under para. 2, when necessary to:
1. the obstruction of official or legally regulated shall not be allowed
inspections, investigations or procedures;
2. the prevention, detection,
the investigation or prosecution of criminal offenses or the execution of
penalties;
3. protect public order and security;
4. protect national security;
5. the rights and freedoms of other persons shall be protected.
(4) After dropping of a circumstance under par. 3 the administrator provides without
delay of the requested information within the term under Art. 53, para. 3.
(5) When making a decision under para. 3 the administrator shall take into account the fundamental rights and
the legitimate interests of the individual concerned.
Art. 55. (New, SG No. 17/2019) (1) The data subject shall have the right to receive
confirmation by the controller whether personal data concerning him are being processed, and
if so, obtain access to them, as well as information on:
1. the circumstances under art. 54, para. 1, items 3 - 5 and para. 2, items 1 - 3;
2. the processed categories of personal data;
3. the personal data, which are in the process of processing, and any available data
information about their origin, unless it is protected by law.
(2) The administrator shall provide the information under para. 1 within the term under Art. 53, para. 3.
(3) The right of access to the data and the information under para. 1 may be limited
wholly or partly taking into account the fundamental rights and legitimate interests of
the affected natural person in the cases under Art. 54, para. 3. In these cases art. 54,
al. 4.
(4) In the cases under par. 3, the administrator shall inform in writing within the term under art. 53,
al. 3 data subjects for each refusal of access or restriction of access and for
the reasons for this. This information may not be provided when its
provision would impede the achievement of any of the objectives under Art. 54, para. 3.
The controller shall inform the data subject of his right to complain to the commission,
respectively to the inspectorate, or to seek protection in court.
(5) The administrator shall document the factual or legal grounds for
the solution. This information is provided to the commission, respectively to the inspectorate.
Art. 56. (New, SG No. 17/2019) (1) The data subject shall have the right to request
the administrator to correct inaccurate personal data related to him. As there is
given the purpose of the processing, the data subject has the right to request incomplete data
personal data to be supplemented, including by providing additional
application.
(2) The administrator under para. 1 shall be obliged to delete the personal data and the subject of
data has the right to request the controller to delete the personal data that it
affect when the processing violates the provisions of Art. 45, 49 or 51 or when
personal data must be deleted in order to comply with a legal obligation of
administrator.
(3) The administrator shall correct or supplement the data under para. 1 or deletes the data
in the cases under par. 2 within the term under Art. 53, para. 3.
(4) The administrator shall restrict the processing of personal data without them
delete when:
1. the accuracy of the personal data is disputed by the data subject and this cannot
to check, or
2. personal data must be kept for evidentiary purposes.
(5) In the cases under par. 4, item 1 the controller shall inform the data subject,
before removing the processing restriction.
(6) Correcting, supplementing, deleting or limiting the processing of
personal data may be waived, taking into account fundamental rights and legitimate interests
of the affected natural person, in the cases under Art. 54, para. 3. In these cases art.
54, para. 4. The controller shall inform the data subject in writing of the refusal as well as of
the reasons for it within the term under Art. 53, para. 3.
(7) The administrator may not inform the data subject about the refusal under para.
6 in the cases under art. 54, para. 3, applying respectively Art. 54, para. 4 and 5.
(8) The controller shall inform the data subject of his right to appeal by
the commission, respectively to the inspectorate and for seeking protection in court.
(9) The administrator shall notify the competent authority from which he has received
inaccurate personal data for their correction.
(10) When personal data have been corrected, supplemented, deleted or processed
is limited to them, the administrator notifies their recipients, who respectively them
correct, supplement, delete or limit their processing.
Art. 57. (New, SG No. 17/2019) (1) In the cases under Art. 54, para. 3, Art. 55, para. 3 and
4 and Art. 56, para. 6 and 7 the data subject may exercise his rights through the commission,
respectively through the inspectorate. In these cases the commission, respectively the inspectorate
checks the legality of the refusal.
(2) In the cases under par. 1 the commission, respectively the inspectorate shall inform the subject
of the data at least that all necessary checks have been carried out or
references, as well as for his right to seek protection in court.
Art. 58. (New, SG No. 17/2019) The exercise of the rights under Art. 54, 55 and 56,
where personal data are contained in a judgment, document or case file,
drawn up in criminal proceedings, does not affect and cannot contradict
the provisions of the Code of Criminal Procedure.

Section III.
Administrator of personal data and processor of personal data (New, SG No. 17 of
2019)
Art. 59. (New, SG No. 17/2019) (1) The personal data controller, as
takes into account the nature, scope, context and purposes of the processing, as well as the risks to
the rights and freedoms of individuals, apply appropriate technical and
organizational arrangements to ensure and be able to demonstrate that processing
is carried out in accordance with this law. If necessary, these measures shall be reviewed
and update.
(2) When this is proportional to the processing activities, the measures under para.
1 include application by the administrator of appropriate data protection policies.
(3) Through measures under par. 1 the administrator provides protection of personal data of
the design stage, taking into account the state of the art, the cost of
application and the nature, scope, context and purposes of the processing of personal data,
as well as the risks to the rights and freedoms of individuals during processing.
The measures must comply with the requirements of Art. 45, are planned at the time of
determine the means of processing personal data and apply to itself
processing. Measures may include pseudonymization, data reduction to
minimum and introduction of necessary guarantees in the process of processing personal
data.
(4) Through measures under par. 1 the administrator ensures that the default is
process only personal data that is necessary for each specific purpose of
processing. This obligation refers to the volume of personal data collected, the degree
of processing, their shelf life and their availability. Through these measures
ensures that, by default, without the intervention of the individual personal data
are not available to an unlimited number of individuals.
Art. 60. (New, SG No. 17/2019) (1) When two or more administrators
of personal data jointly determine the purposes and means of processing, they are
joint administrators.
(2) The joint administrators under par. 1 shall define the rights in a transparent manner
and its obligations under this Chapter, in particular those relating to the exercise of
the rights of the data subject and with the provision of the information by the order of art. 54 through
common rules, except where their rights and obligations are provided for in the law of
European Union or in the legislation of the Republic of Bulgaria. The rules are
designate the contact point for data subjects, such as joint controllers
they can indicate which of them acts as a single point of contact.
(3) Irrespective of what is determined in the rules under par. 1, the data subject can
exercise its rights under this chapter in relation to each of the administrators under para. 1.
Art. 61. (New, SG No. 17/2019) (1) A personal data controller may
entrust the processing of personal data on his behalf only to processors of personal data,
which provide sufficient guarantees that they will apply appropriate technical and
organizational measures in such a way that the processing meets the requirements of
this chapter and to ensure the protection of the data subject's rights.
(2) The processor of personal data may not include in the processing another
processing personal data without the prior specific or general written permission
of the administrator under par. 1. In the case of general written permission, the processor shall personal
inform the administrator of any planned changes to include or
replacement of other personal data processors, as the controller may object
these changes.
(3) The processing by the processor of personal data shall be regulated by a contract
or by another legal act under European Union law or the legislation of
Republic of Bulgaria, which binds the processor of personal data with the administrator under para.
1 and regulates the subject and the term of the processing, the nature and the purpose of
the processing, the type of personal data and the categories of data subjects, the obligations and
administrator rights. That contract or other legal act provides for more
in particular that the processor:
1. acts only on instructions of the administrator;
2. ensure that the persons authorized to process personal data have taken over
obligation of confidentiality or are obliged by law to observe confidentiality;
3. assist the administrator with all appropriate means to ensure
respect for the rights of the data subject;
4. at the choice of the administrator deletes or returns to the administrator all
personal data after the completion of the provision of data processing services and
delete existing copies, unless European Union law or
the legislation of the Republic of Bulgaria does not require storage of personal data;
5. provide to the administrator all the information necessary for proving
compliance with this article;
6. observe the conditions under items 1 - 5 and under para. 2 to include another personal handler
data.
(4) The contract or the other legal act, indicated in para. 3, shall be drawn up in writing,
including in electronic form.
(5) When a personal data processor determines in violation of the rules of this
chapter purposes and means of processing, he is considered a personal administrator
data regarding this processing.
(6) The processor of personal data and any person acting under his supervision
or under the guidance of the administrator under para. 1, which has access to personal data,
processes this data only on the instructions of the controller, except when the conditions and
the procedure for processing is provided for in European Union law or in
the legislation of the Republic of Bulgaria.
Art. 62. (New, SG No. 17/2019) (1) The personal data controller
maintains a register with the categories of personal data processing activities, which
contains:
1. the name and contact details of the administrator, and when it is
applicable to the joint administrators and the protection officer of
the data;
2. the purposes of the processing of personal data;
3. the categories of recipients to whom the personal data are or will be disclosed,
including recipients in third countries or international organizations;
4. description of the categories of data subjects and of the categories of personal data;
5. where applicable, information on whether profiling is performed;
6. where applicable, the categories of transfer of personal data to a third country
or an international organization;
7. the legal basis for the processing operation, including the transfer
of the data for which the personal data are intended;
8. where possible, the envisaged terms for deleting the different ones
categories of personal data;
9. where possible, a general description of the technical and organizational measures
for security under Art. 66.
(2) The processor of personal data shall maintain a register with the categories of activities under
processing performed on behalf of an administrator that contains:
1. the name and contact details of the processor or
the processors of personal data, to any controller of personal data on whose behalf
the processor of personal data, and the data protection officer,
where applicable;
2. the categories of personal data processing performed on behalf of everyone
administrator;
3. where applicable, the transfer of personal data to a third country or to
international organization, where there are explicit instructions from the administrator to do so,
including the name of the third country or international organization;
4. where possible, a general description of the technical and organizational measures
for security under Art. 66.
(3) The registers under para. 1 and 2 shall be maintained in writing, including in
electronic format.
(4) Upon request, the administrator and the processor shall provide personal data
access to the registers of the commission, respectively of the inspectorate.
Art. 63. (New, SG No. 17/2019) (1) In automated systems
processing maintained by the controller and the personal data processor are kept
system logs (logs) for at least the following processing operations - collection,
modification, reference, disclosure, including transmission, combination and deletion.
(2) Upon making a reference or disclosing data, the diaries under para. 1
must enable the grounds, date and time of these to be established
operations and, as far as possible, the identification of the person who performed it
reference or has disclosed personal data as well as data identifying the recipients
of this personal data.
(3) The diaries under para. 1 shall be used only for the verification of
the legality of processing, for self-control, to ensure integrity
and the security of personal data in criminal proceedings.
(4) The personal data controller shall set appropriate deadlines for
storage, including archiving of the diaries under par. 1.
(5) Upon request, the controller and the processor shall provide personal data
the diaries under para. 1 of the commission, respectively of the inspectorate.
Art. 64. (New, SG No. 17/2019) (1) When there is a probability of a certain type
processing, in particular that using new technologies and taking into account
the nature, scope, context and purposes of the processing, lead to a high risk for
the rights and freedoms of individuals before processing is carried out,
the personal data controller shall assess the impact of the foreseen
processing operations on the protection of personal data.
(2) The assessment under para. 1 shall contain at least a general description of the provisions
processing operations, risk assessment of the rights and freedoms of the entities of
the data, the measures envisaged to deal with these risks, guarantees, security measures
and mechanisms to ensure the protection of personal data and to prove
in accordance with the rules of this chapter, taking into account the rights and legal
interests of data subjects and other data subjects.
Art. 65. (New, SG No. 17/2019) (1) The administrator or the processor
personal data is consulted with the commission, respectively with the inspectorate before processing
of personal data, which will be part of a new register of personal data to be
create when:
1. according to the impact assessment under Art. 64 processing will generate high
risk despite the risk mitigation measures taken by the administrator, or
2. the type of processing, in particular when new technologies are used,
mechanisms or procedures involve a high degree of risk to the rights and freedoms of
data subjects.

(2) In the preparation of draft laws and by-laws,
containing measures concerning processing, the Commission shall be consulted,
respectively with the inspectorate.
(3) The Commission shall adopt and publish a list of processing operations for
which the obligatory preliminary consultation under par. 1. The Inspectorate shall apply
respectively the list under sentence one.
(4) The administrator shall provide to the commission, respectively to the inspectorate,
the impact assessment under Art. 64 and on request - any other information that
will allow them to assess the conformity of the processing and in particular
the risks to the protection of personal data and the corresponding guarantees for that protection.
(5) When the commission, respectively the inspectorate deems that the planned
processing under para. 1 would violate the provisions of this chapter, in particular when
the administrator has not sufficiently identified or limited the risk, they
provide within 6 weeks of receipt of the request for consultation in writing
opinion of the administrator and, where applicable, of the personal processor
data. This period can be extended by another month depending on the complexity of
the planned processing. Within one month of receiving the request for
consultation the commission, respectively the inspectorate shall notify the administrator and when it is
applicable - the processor of the personal data, for the extension of the term, including for
the reasons for the delay.
(6) The provision of a written statement under para. 5 does not affect the possibility of
the commission, respectively of the inspectorate, to exercise its powers under art. 80 versus
the controller or processor of personal data.
Art. 66. (New, SG No. 17/2019) (1) The administrator and the processor of personal
taking into account the state of the art, implementation costs and
the nature, scope, context and purposes of the processing, as well as the risks to the rights
and the freedoms of individuals, apply appropriate technical and organizational
measures to ensure a level of security appropriate to this risk, in particular on
regarding the processing of the categories of personal data under Art. 51, para. 1.
(2) With regard to the automated processing, the administrator or
the processor, after assessing the risks, applies measures aimed at:
1. control over access to equipment - to deny access to
unauthorized persons to the equipment used for processing personal data;
2. control over the data carriers - to prevent reading, copying,
modification or removal of data carriers by unauthorized persons;
3. control over storage - to prevent the introduction of personal data
by unauthorized persons, as well as carrying out inspections, modifications or
the deletion of stored personal data by unauthorized persons;
4. control over consumers - to prevent the use of
automated systems for processing by unauthorized persons using
data transmission equipment;
5. control over access to data - to ensure that the persons to whom it is
allowed to use an automated processing system, have access only to
the personal data covered by their access authorization;
6. control over the communication - to guarantee the possibility for inspection and
establishing to which authorities personal data have been or may be transferred, or which
authorities have access to personal data through data transmission equipment;
7. control over data entry - to ensure the possibility of
subsequent verification and identification of what personal data have been entered into
automated processing systems, as well as when and by whom they were introduced;
8. transfer control - to prevent reading, copying,
modification or deletion of personal data by unauthorized persons during the transfer
of personal data or in the transfer of data carriers;
9. recovery - to ensure the possibility of recovery of
the installed systems in case of failure of the system functions;
10. reliability - to ensure the implementation of the functions of the system and
reporting of defects in the functions;
11. integrity - to ensure prevention of damage to the stored
personal data due to a malfunction of the system.
Art. 67. (New, SG No. 17/2019) (1) In the event of a breach of the security of
personal data, which is likely to risk the rights and freedoms of
data subjects, the administrator without undue delay, but not later than 72 hours
after learning of the violation, notify the commission, respectively the inspectorate, of
him. When the notification is submitted after the term under sentence one, it shall be
indicate the reasons for the delay.
(2) The processor of personal data shall notify the administrator without redundancy
delay, but not later than 72 hours after the security breach has been detected
personal data.
(3) The notification under para. 1 contains at least:
1. description of the breach of personal data security, including
where possible, the categories and approximate number of data subjects concerned
and the categories and approximate number of personal data records concerned;
2. the name and the contact details of the data protection official
or another contact point from which more information can be obtained;
3. description of the possible consequences of the breach of the security of
personal data;
4. description of the measures taken or proposed by the administrator for
dealing with breaches of personal data security, including
appropriateness measures to reduce any adverse effects.
(4) When it is not possible to submit the information simultaneously, it may
submitted in stages without further undue delay.
(5) The administrator shall document any violation of the security of the personal
data under para. 1, including the facts related to the violation, the consequences thereof and
actions taken to address it.
(6) When the breach of personal data security affects personal data,
which are sent by or to an administrator from another Member State of the European Union
union, the information under para. 3 shall be communicated to this administrator without undue delay,
but not later than 7 days from the establishment of the violation.
Art. 68. (New, SG No. 17/2019) (1) When there is a probability that the violation of
the security of the personal data under art. 67, para. 1 lead to a high risk for the rights and
the freedoms of data subjects, the personal data controller shall also notify the subject
of the data for the violation not later than 7 days from its establishment.
(2) In the notification under para. 1 in clear and intelligible language a description of
the violation and at least the information and the measures under Art. 67, para. 3, items 2, 3 and 4.
(3) The data subject shall not be notified of a violation under para. 1, if fulfilled
any of the following conditions:
1. the administrator has taken appropriate technical and organizational measures
protection measures and these measures have been applied to the personal data concerned by
the infringement, in particular measures which make personal data incomprehensible to anyone
a person who has no right of access to them, such as encryption;
2. the administrator has subsequently taken measures to ensure that it no longer exists
probability of realizing the high risk for the rights and freedoms of data subjects;
3. notification would lead to disproportionate efforts; in this case it is done
public notice or another similar measure is taken so that the data subjects are
equally effectively informed.
(4) When the controller has not notified the data subject of the violation of
the security of the personal data under par. 1, the commission, respectively the inspectorate, after
consider the likelihood that the breach is likely to give rise to a high risk
the controller to notify the data subject.
(5) In the cases under art. 54, para. 3 the administrator may not notify the subject of
the data for the violation under par. 1, to notify him after the term under par. 1, as well as to limit
the information under para. 2.
Art. 69. (New, SG No. 17/2019) (1) The personal data controller
appoints a data protection officer on the basis of his or her professional qualifications
qualities and in particular on the basis of his expertise in legislation and
personal data protection practices and its ability to enforce
the tasks under Art. 70.
(2) One data protection official may be appointed jointly
for several administrators, taking into account their organizational structure and scale.
(3) The administrator shall announce in an appropriate manner the contact details of
the data protection official and notifies the commission by the order of art. 25b.
(4) The data protection officials, appointed by the bodies of
the judiciary do not perform the tasks under Art. 70 when processing personal data for
the objectives under Art. 42, para. 1 by the court, the prosecution and the investigative bodies in execution of
their functions as bodies of the judiciary.
Art. 70. (New, SG No. 17/2019) (1) The personal data controller
ensure that the data protection officer is involved in an appropriate manner; and
timely consideration of all issues related to the protection of personal data
data.
(2) The administrator shall assign to the data protection official the most
a few of the following tasks:
1. to inform and advise the administrator and the employees who perform
processing, for their obligations under this law and according to other regulations
personal data protection requirements;
2. to monitor the observance of this law and of other normative requirements for
protection of personal data and the administrator's protection policies
of personal data, including the assignment of responsibilities, the promotion of
the awareness and training of personnel involved in processing operations, and
the relevant inspections;
3. upon request to provide advice regarding the assessment of
the impact under Art. 64 and to monitor its implementation;
4. to cooperate with the commission, respectively with the inspectorate;
5. to act as a point of contact with the commission, including for the purposes of
the preliminary consultation under Art. 65, and, if necessary, consult
the commission, respectively with the inspectorate on issues related to the processing of personal
data.
(3) The administrator shall ensure technically and organizationally the activity of
the data protection officer, including the necessary resources, access to
personal data and processing operations, as well as the maintenance of his
expert knowledge.
Art. 71. (New, SG No. 17/2019) The competent authorities shall determine appropriate ones
procedures that enable their employees to directly and confidentially
report to the relevant administrative unit in the structure of the administrator or
of the commission, respectively of the inspectorate, for violations under this chapter.
Section IV.
Transfer of personal data to third countries or international organizations
(New, SG No. 17/2019)
Art. 72. (New, SG No. 17/2019) (1) A competent authority may transmit
personal data that are being processed or intended for processing
after their transfer, to a third country or to an international organization, including
for subsequent transfer to another third country or international organization, at
provided that the transfer is in accordance with this law and each of
the following conditions:
1. the transfer is necessary for the purposes under art. 42, para. 1;
2. the personal data are transferred to an administrator in a third country or to
international organization, which are bodies competent for the purposes under Art. 42, para. 1;
3. when personal data received from another Member State are transmitted to
European Union, that Member State has given its prior authorization for
transmission in accordance with its national law;
4. when:
(a) the European Commission has decided that the third country concerned,
territory or one or more specific sectors in that third country, or the relevant
international organization provide an adequate level of protection, or
(b) in the absence of a decision under point (a), are provided for or exist
appropriate guarantees according to art. 74, or
(c) in the absence of a decision under point (a) and appropriate guarantees under point (b)
the transfer of personal data is necessary in the cases under Art. 75;
5. in case of subsequent transfer of personal data to another third country or
international organization, the competent authority which carried out the initial transmission,
or another competent authority in the Republic of Bulgaria authorizes the subsequent transfer
data, having duly taken into account all relevant factors, including
the gravity of the crime, the purpose of the initial transfer of personal data and
the level of protection of personal data in the other third country or international
organization to which the subsequent transfer of personal data takes place.
(2) The transfer of personal data without the prior permission of the other
Member State of the European Union, according to para. 1, item 3 shall be allowed only if
transmission is necessary to prevent an immediate and serious threat
for the public order and security of a Member State of the European Union or of a third country
country or for the essential interests of a Member State of the European Union, and
prior authorization cannot be obtained in a timely manner. In these cases
the authority of the Member State of the European Union shall be notified immediately,
provided the personal data that is competent to give prior authorization
under para. 1, item 3.
Art. 73. (New, SG No. 17/2019) When the European Commission repeals, amends
or suspend the effect of a decision under Art. 72, para. 1, item 4, letter "a", the transfer of personal
data of the third country concerned, the territory or one or more specific ones
sectors in that third country, or the relevant international organization may be
carried out under the conditions of Art. 74 and 75.
Art. 74. (New, SG No. 17/2019) (1) In the absence of a decision of the European Commission
commission under Art. 72, para. 1, item 4, letter "a" transfer of personal data to a third country or
an international organization may take place when:
1. in the legislation of the third country or in the statute of the international one
organization, or in an international agreement that has entered into force, under which the Republic of Bulgaria
is a party, or other legally binding act provides for appropriate safeguards in
connection with the protection of personal data, or
2. the administrator has performed an assessment of the circumstances related to
the transfer of personal data, and has considered that with regard to the protection of personal data
data there are appropriate guarantees.
(2) The administrator shall document the transfer in the cases under para. 1, item 2,
including the date and time of transmission, information about the recipient
competent authority, justification of the transfer and the transferred personal data.
(3) The administrator shall inform the commission, respectively the inspectorate for
the transmission categories under para. 1, item 2 and upon request provides them with access to
the documentation under para. 2.
Art. 75. (New, SG No. 17/2019) (1) In the absence of a decision of the European Commission
commission under Art. 72, para. 1, item 4, letter "a" or of appropriate guarantees according to art. 74
transfer of personal data to a third country or international organization may be
perform only if the transmission is necessary:
1. in order to protect the vital interests of the data subject or of
another person;
2. to protect the legitimate interests of the data subject when
the legislation of the Republic of Bulgaria provides for this;
3. for the prevention of an immediate and serious threat to the public
law and order of a Member State of the European Union or a third country;
4. in separate cases for the purposes under art. 42, para. 1, or
5. in separate cases for the establishment, exercise or protection of legal
claims related to the purposes under Art. 42, para. 1.
(2) Personal data may not be transmitted if the transmitting competent authority
decided that the fundamental rights and freedoms of the data subject prevail over the public
interest in the transmission under para. 1, items 4 and 5.
(3) The transmission of data under par. 1 shall be documented and the documentation shall be
provide to the commission, respectively to the inspectorate, upon request, including
the date and time of transmission, information on the receiving competent authority,
justification of the transfer and the transferred personal data.
Art. 76. (New, SG No. 17/2019) (1) In separate and specific cases
competent authority may, without the condition under Art. 72, para. 1, item 2 and without
affects an international agreement, to transmit personal data directly to established recipients
in third countries only if the provisions of this Chapter are complied with and each is complied with
one of the following conditions:
1. without the transfer it cannot be performed or it would be seriously difficult
the performance of a task of the transmitting competent authority arising from the right of
The European Union or the legislation of the Republic of Bulgaria, for the purposes under Art. 42,
al. 1;
2. the transmitting competent authority decides that the fundamental rights and freedoms of
the data subject does not outweigh the public interest which the transfer in
this particular case;
3. the transmitting competent authority considers that the transfer to a body which is
competent in the third country for the purposes under Art. 42, para. 1, is ineffective or
inappropriate, in particular as the transmission cannot take place on time;
4. the body of the third state, which is competent for the purposes under art. 42, para. 1, e
notified without undue delay, unless ineffective or inappropriate;
5. the transmitting competent authority notifies the recipient of the specific purpose or
purposes for which the recipient may process personal data only, provided that
such processing is necessary.
(2) An international agreement under para. 1 is any bilateral or multilateral
an international agreement in force between the Member States of the European
Union, and third countries in the field of judicial cooperation in criminal matters
issues and police cooperation.
(3) The competent authority transmitting the personal data shall document each transfer
under para. 1 and notifies the commission, respectively the inspectorate, about it.
Art. 77. (New, SG No. 17/2019) With respect to third countries and
international organizations, the commission shall take appropriate measures to:
1. development of mechanisms for international cooperation in order to
supporting the effective implementation of personal protection legislation
data;
2. providing international mutual assistance in the implementation of
legislation on personal data protection, including by notification,
forwarding of complaints, assistance in investigations and exchange of information, provided that
there are adequate safeguards for the protection of personal data and other fundamental rights; and
freedom;
3. involvement of the relevant stakeholders in discussions and activities,
aimed at further deepening international cooperation for
the implementation of personal data protection legislation;
4. promoting the exchange and documentation of legislation and practices in
the field of personal data protection, including in connection with disputes concerning
competence with third countries.
Section V.
Supervision of compliance with data protection rules. Funds for
legal protection (New, SG No. 17/2019)
Art. 78. (New, SG No. 17/2019) (1) The supervision under this Chapter during processing
of personal data for the purposes under Art. 42, para. 1 shall be carried out by the commission, except in the cases
under para. 2.
(2) The supervision under this chapter in processing of personal data for the purposes of art. 42,
al. 1 by the court, the prosecution and the investigative bodies in the performance of their functions on
bodies of the judiciary are exercised by the inspectorate.
Art. 79. (New, SG No. 17/2019) (1) In exercising the supervision under this
head of the commission, respectively the inspectorate performs the following tasks:
1. monitor and ensure the application of the provisions of this Chapter;
2. promote public awareness and understanding of risks, rules,
guarantees and rights related to the processing of personal data;
3. raises the awareness of the administrators and the processors of personal data
for their duties;
4. provide information to each data subject in connection with the exercise
of his rights upon request and, if necessary, cooperate to that end with
supervisory authorities in other Member States of the European Union;
5. consider complaints submitted by a data subject under the conditions and by the order of
chapter seven;
6. check the legality of the processing in the cases under art. 57 and
inform the data subject of the result of the verification within three months of
the referral or the reasons why the inspection was not carried out;
7. carry out cooperation with other supervisory bodies, including through
exchange of information, and provide them with mutual assistance with a view to providing
the coordinated application and enforcement of the rules for the protection of personal data
data;
8. carry out research in the field of personal data protection, including
on the basis of information received from another supervisory or public authority;
9. monitor the development of information and communication technologies with
in view of their impact on the protection of personal data.
(2) In addition to the tasks under para. 1, the commission in carrying out the supervision under this
Chapter also performs the tasks under Art. 10, para. 2, as well as participates in the activities of
European Data Protection Board.
(3) In the performance of the tasks under par. 1 no fee shall be collected from the subject of
data and by the data protection officer.
(4) The administrator and the processor of personal data shall cooperate upon request with
the commission, respectively with the inspectorate, in the performance of their tasks.
Art. 80. (New, SG No. 17/2019) (1) In carrying out the supervision under this
head of the commission, respectively the inspectorate has the authority to:
1. receives from the administrator or from the processor of personal data access to
all personal data that are processed;
2. receives from the administrator or from the personal data processor the whole
information necessary for the performance of the tasks under Art. 79;
3. sends warnings to the administrator or to the personal processor
data when the planned data processing operations are likely to
violate the provisions of this chapter;
4. order the administrator or the processor of personal data to bring
data processing operations in accordance with the provisions of this Chapter,
including ordering the correction, addition, deletion of personal data or
the restriction of their processing according to art. 56;
5. impose temporary or permanent restriction, including prohibition, of
data processing;
6. give opinions to the administrator and to the processor of personal data in
in accordance with the procedure for preliminary consultation under Art. 65;
7. give opinions on its own initiative or upon request on projects of
laws and other regulations, as well as administrative measures related to
the protection of personal data of individuals;
8. give opinions on its own initiative or upon request on issues,
related to the protection of personal data.
(2) In addition to the powers under para. 1, the commission, respectively the inspectorate shall exercise
and the powers under Art. 10a, para. 2, item 2, respectively under Art. 17a, para. 2, item 2.
(3) The commission, respectively the inspectorate may refer to the court for violations under
this chapter.
Art. 81. (New, SG No. 17/2019) (1) The Commission, respectively its inspectorate
cooperate with the relevant supervisory authorities of the other Member States
European Union, including through the exchange of information and the transmission and implementation of
requests for consultations, inspections and investigations. Requests should contain the entire
necessary information, including the purpose and grounds of the request. Exchanged
information is used only for the purposes for which it was requested.
(2) The Commission, respectively the inspectorate shall undertake all necessary and
appropriate measures to respond to the request of another supervisory authority without undue redundancy
delay and no later than one month after receipt of the request.
(3) The commission, respectively the inspectorate may refuse a request under para. 1, as
motivate his refusal when:
1. is not competent as to the subject of the request or the measures required
to perform, or
2. the execution of the request would violate the legislation of the Republic
Bulgaria or the law of the European Union.
(4) The Commission, respectively the inspectorate shall inform the requesting supervisory body for
the results or, as the case may be, the progress of the response measures taken
of the request.
(5) The forms of cooperation and mutual assistance between the commission, respectively
the inspectorate, and the supervisory authorities of other Member States of the European Union, and
the procedures by which they are carried out shall be determined by the regulations under Art. 9, para. 2,
respectively with the regulations under Art. 55, para. 8 of the Judiciary Act.
Art. 82. (New, SG No. 17/2019) (1) In case of violation of his rights under this
chapter the data subject has the means of redress and can search
liability for damages caused to him under Chapter Seven.
(2) In the cases under art. 38, para. 1 and Art. 38b, para. 1 commission, respectively
the inspectorate facilitates the filing of a complaint by a data subject by providing
form.
Art. 83. (New, SG No. 17/2019) (1) The data subject shall have the right to assign
of a non - profit legal entity that has statutory objectives of public interest and
develops activity in the field of protection of the rights and freedoms of individuals under
regarding the protection of their personal data, to lodge a complaint on its behalf and to
exercise on his behalf the rights under Art. 38, para. 1 and 6, Art. 38b, para. 1, art. 38c, para. 4 and 5 and Art.
39, para. 1.
(2) The data subject may not assign to a person under para. 1 to exercise the right
his compensation under Art. 39, para. 2.
Chapter nine.
COMPULSORY ADMINISTRATIVE MEASURES. ADMINISTRATIVE CRIMINAL
PROVISIONS (NEW, SG No. 17/2019)
Art. 84. (New, SG No. 17/2019) (1) The measures under Art. 58 (2) (a)
- "h" and "j" of Regulation (EU) 2016/679 and the measures under Art. 80, para. 1, items 3, 4 and 5 are
coercive administrative measures within the meaning of the Administrative Act
violations and penalties.
(2) The measures under par. 1 shall be applied by a decision of the commission, respectively of
the inspectorate, which is subject to appeal under the Administrative Procedure Code
code within 14 days of receipt.
Art. 85. (New, SG No. 17/2019) (1) For violations under Art. 25c on
the controller or processor of personal data is fined or property
sanction in the amounts under Art. 83 (4) of Regulation (EU) 2016/679.
(2) For violations under Art. 12a, para. 2, Art. 25g, para. 1 and 2, Art. 25h, para. 1 and 2, Art. 25i,
Art. 25k and Art. 25n the controller or the processor of personal data shall be fined or
property sanction in the amounts under Art. 83 (5) of Regulation (EU) 2016/679.
(3) For violations under Art. 45, Art. 49, Art. 51, Art. 53 - 56 and Art. 80, para. 1, items 1 and 2 of
the controller or processor of personal data is fined or property
sanction in the amounts under Art. 83 (5) of Regulation (EU) 2016/679.
(4) For violations under Art. 59, para. 3 and 4, Art. 62 and 64 - 70 of the administrator or
the processor of personal data shall be imposed a fine or property sanction in the amounts under Art.
83 (4) of Regulation (EU) 2016/679.
(5) For non-execution of a decision under art. 84, para. 2, with which they are
applied coercive administrative measures under Art. 80, para. 1, items 4 and 5, at
the controller or processor of personal data is fined or property
sanction in the amounts under Art. 83 (5) of Regulation (EU) 2016/679.
(6) The dimensions of the ones provided in para. 1 - 5 administrative penalties are
determined in accordance with the provisions of Art. 83 (2) of Regulation (EU) 2016/679
criteria and are imposed in their lev equivalent.
Art. 86. (New, SG No. 17/2019) (1) For other violations under this law of
a controller or processor of personal data imposes a fine or pecuniary sanction
up to BGN 5,000
(2) For violation under par. 1, committed repeatedly, a fine or
a pecuniary sanction in double the amount originally imposed.
Art. 87. (New, SG No. 17/2019) (1) Outside the cases under Art. 38, para. 1,
the establishment of infringements of Regulation (EU) 2016/679 or of this law,
the issuance, appeal and execution of penal decrees are carried out
under the Administrative Violations and Penalties Act.
(2) The acts for establishment of the administrative violations shall be drawn up by
member of the commission or by officials authorized by the commission, respectively by
persons authorized by an order of the Chief Inspector.
(3) The penal decrees shall be issued by the chairman of the commission,
respectively by the Chief Inspector or by inspectors authorized by him.
(4) The property sanctions and the fines under entered into force decisions under art. 38, para. 3
and penal decrees are collected by the order of the Tax-insurance procedural
code.
(5) The collected sums from property sanctions and fines imposed by the commission
come from the budget of the commission.
(6) The amounts collected from property sanctions and fines imposed by the inspectorate
come from the budget of the judiciary.
Additional provisions
§ 1. (Amended, SG No. 17/2019) Within the meaning of this Act:
1. "Personal data" is the term under Art. 4, item 1 of Regulation (EU) 2016/679.
2. "Administrator", with the exception of the administrator under Chapter Eight, is the term
under Art. 4, item 7 of Regulation (EU) 2016/679.
3. "Personal data processor" is the term under Art. 4, item 8 of Regulation (EU)
2016/679.
4. "Processing" is the term under Art. 4, item 2 of Regulation (EU) 2016/679.
5. "Restriction of processing" is the concept under Art. 4, item 3 of Regulation (EU)
2016/679.
6. "Profiling" is the concept under Art. 4, item 4 of Regulation (EU) 2016/679.
7. "Pseudonymization" is the concept under Art. 4, item 5 of Regulation (EU) 2016/679.
8. "Register with personal data" is the concept under art. 4, item 6 of Regulation (EU)
2016/679.
9. "Recipient" is the term under Art. 4, item 9 of Regulation (EU) 2016/679. State
or a local authority, as well as a structure whose main activity is related to the spending of
public funds that can receive personal data within a specific
investigation in accordance with the law are not considered recipients within the meaning of Chapter
eighth. The processing of personal data by these authorities or bodies corresponds to
the applicable data protection rules according to the purposes of the processing.
10. "Violation of the security of personal data" is the concept under Art. 4, item 12 of
Regulation (EU) 2016/679.
11. "Genetic data" is the term under Art. 4, item 13 of Regulation (EU) 2016/679.
12. "Biometric data" is the term under Art. 4, item 14 of Regulation (EU) 2016/679.
13. "Data related to the health condition" is the concept under art. 4, item 15
of Regulation (EU) 2016/679.
14. "International organization" is the concept under art. 4, item 26 of Regulation (EU)
2016/679.
15. "Large-scale" is the monitoring and / or processing of personal data of significant
or an unlimited number of data subjects or a volume of personal data when the main
activities of the controller or processor, including the means of
their implementation consist in such operations.
16. "Risk" is the possibility of occurrence of property or non-property
harm to the data subject under certain conditions, assessed in terms of
its severity and probability.
17. "Public body" is a state or local body, as well as a structure, whose
main activity is related to spending public funds.
18. "Deletion" is an irreversible deletion of the information from the respective
carrier.
19. "Destruction" is irreversible physical destruction of material
Information carrier.
20. "Repeated" is the violation committed within one year from the entry into
force of the decision of the commission or of the penal decree by which
the violator is punished for the same type of violation.
§ 1a. (New, SG No. 91/2006, amended, SG No. 17/2019) This Act
provides for measures to implement Regulation (EU) 2016/679 of the European Parliament and
Decision of 27 April 2016 on the protection of individuals with regard to
the processing of personal data and on the free movement of such data and for
repealing Directive 95/46 / EC (General Data Protection Regulation) (OJ, L
119/1 of 4 May 2016) and introduces the requirements of Directive (EU) 2016/680 of
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons in connection with the processing of personal data by the competent authorities
for the purposes of prevention, investigation, detection or criminalization
prosecution of crimes or the execution of sentences and on freedom
movement of such data, and repealing Council Framework Decision 2008/977 / JHA
(OJ L 119/89, 4 May 2016).
Transitional and Final Provisions
§ 2. (1) Within one month from the entry into force of this law the Ministerial
Council proposes to the National Assembly the composition of the Commission for Personal Protection
data.
(2) Within 14 days from the submission of the proposal under para. 1 The National Assembly
elects the composition of the Commission for Personal Data Protection.
(3) Within 3 months from its election, the Commission for Personal Data Protection
adopts and promulgates in the State Gazette the regulations under Art. 9, para. 2.
(4) The Council of Ministers within one month from the entry into force of the decision
of the National Assembly under para. 2 provides the necessary property and financial resources
to start the work of the commission.
§ 3. (1) Within 6 months from the entry into force of the regulations under art. 9, para. 2
the persons who at the moment of entry into force of the law maintain registers with personal
data, bring them in line with the requirements of the law and notify about it
the commission.
(2) The commission shall carry out preliminary inspections, register or refuse to
registers as administrators persons who maintain registers at the time of entry
in force of the law, as well as the registers kept by them within 3 months from the receipt of
the application under para. 1.
(3) The decisions of the commission for refusal of registration shall be subject to appeal
before the Supreme Administrative Court within 14 days.
(4) With the entry into force of the decision of the commission for refusal of registration or
of the decision of the Supreme Administrative Court confirming the refusal of
the commission, the person who illegally keeps a register, is obliged to destroy personal
data contained in its register or with the consent of the commission to transfer them
of another administrator who has registered his register and processes personal data for
the same goals.
(5) The Commission shall exercise control over the fulfillment of the obligation under para.
4.
(6) Within 3 months from the registration the administrator under art. 3, para. 1 is obliged
to publish in the bulletin of the Commission for Personal Data Protection the information under Art. 22,
al. 1.
§ 4. In the Law for access to public information (SG, issue 55 of 2000) shall be
make the following changes:
1. In Art. 2, para. 3 the words "personal information" shall be replaced by "personal data".
2. In § 1 item 2 is amended as follows:
"2." Personal data "are information about a natural person, which reveals his
physical, psychological, mental, family, economic, cultural or social
identity. "
§ 5. The law enters into force on January 1, 2002.
------------------------The law was adopted by the XXXIX National Assembly on December 21, 2001 and is
stamped with the official seal of the National Assembly.

Transitional and Final Provisions
TO THE LAW ON PRIVATE BAILIFFS
(Promulgated - SG, issue 43 of 2005, in force since 01.09.2005)
§ 23. The law enters into force on September 1, 2005.

Transitional and Final Provisions
TO THE LAW AMENDING THE LAW FOR PROTECTION OF
PERSONAL DATA
(Promulgated - SG, issue 103 of 2005, amended - SG, issue 91 of 2006)
§ 50. The provision of § 38, regarding art. 36, shall apply until the entry into force of
The Treaty of Accession of the Republic of Bulgaria to the European Union.
§ 51. (Amended, SG No. 91/2006) The provisions of § 1, concerning Art. 1, para. 4, item 3,
§ 8, item 1, letter "c", regarding art. 10, para. 1, item 9, § 39, regarding art. 36a, § 40, regarding art.
36b, and § 48, item 5, regarding item 14 of the additional provision, shall enter into force from the date of
entry into force of the Treaty of Accession of the Republic of Bulgaria to the European
union.
§ 52. Within three months from the entry into force of the law, the Commission for Protection of
the personal data is accepted by the Code of Ethics under Art. 10, para. 4 and the ordinance under Art. 23, para. 5.

Transitional and Final Provisions
TO THE ADMINISTRATIVE PROCEDURE CODE
(Promulgated, SG No. 30/2006, EFFECTIVE FROM 12.07.2006)
§ 142. The Code shall enter into force three months after its promulgation in the State
newspaper ", with the exception of:
1. Title three, § 2, item 1 and § 2, item 2 - concerning the repeal of Chapter Three, Section II
"Appeal in court", § 9, items 1 and 2, § 11, items 1 and 2, § 15, § 44, items 1 and 2, § 51, item 1, §
53, item 1, § 61, item 1, § 66, item 3, § 76, items 1 - 3, § 78, § 79, § 83, item 1, § 84, items 1 and 2 , § 89, item 1 4, § 101, § 1, § 102, § 1, § 107, § 117, §§ 1 and 2, § 125, § 128, §§ 1 and 2, § 132, §§ 2 and 136,
item 1, as well as § 34, § 35, item 2, § 43, item 2, § 62, item 1, § 66, items 2 and 4, § 97, item 2 and § 125, item 1 on the replacement of the word "district" by "administrative" and the replacement of words
"Sofia City Court" with "Administrative Court - Sofia", which enter into force on
March 1, 2007;
2. paragraph 120, which shall enter into force on 1 January 2007;
3. paragraph 3, which shall enter into force on the day of promulgation of the Code in
"State Gazette".

Transitional and Final Provisions
TO THE LAW AMENDING THE LAW FOR PROTECTION OF
PERSONAL DATA
(Promulgated, SG No. 91/2006)
§ 31. The provision of § 6 regarding art. 6, para. 2 shall enter into force on 1 January 2007.
§ 32. Within two months from the entry into force of this law, the Protection Commission
of the personal data accepts the instruction under art. 12, para. 9.
§ 33. Within three months from the entry into force of this law the administrators,
who are subject to registration shall submit an application for registration.

Transitional and Final Provisions
TO THE LAW ON THE NATIONAL ARCHIVAL FUND
(Promulgated - SG, issue 57 of 2007, in force since July 13, 2007)
§ 23. The law shall enter into force on the day of its promulgation in the State Gazette.

Transitional and Final Provisions
TO THE LAW AMENDING THE LAW ON PREVENTION
AND DISCLOSURE OF CONFLICT OF INTEREST
(Promulgated - SG, issue 97 of 2010, in force since December 10, 2010)
§ 61. The law shall enter into force on the day of its promulgation in the State Gazette, p
except for:
1. paragraph 11 regarding art. 22a - 22e, which shall enter into force on 1 January 2011;
2. paragraphs 7, 8, 9, § 11 regarding art. 22e - 22i and § 12, 13, 14, 15, 16, 17, 18, 19,
20, 21, 22 and 23, which shall enter into force on 1 April 2011.

Additional provisions
TO THE LAW AMENDING THE LAW FOR PROTECTION OF
PERSONAL DATA
(Promulgated - SG, issue 81 of 2011)

§ 15. This law introduces the requirements of Framework Decision 2008/977 / JHA of
Council of 27 November 2008 on the protection of personal data processed in the framework of
of police and judicial cooperation in criminal matters (OJ L 350 /
60 of 30 December 2008).

Transitional and Final Provisions
TO THE LAW AMENDING THE LAW ON ELECTRONIC
MESSAGES

Page 3

Cookie Settings

(Promulgated - SG, issue 105 of 2011, in force since December 29, 2011)
§ 220. The law shall enter into force on the day of its promulgation in the State Gazette.

Transitional and Final Provisions
TO THE LAW ON PUBLIC FINANCE
(Promulgated - SG, issue 15 of 2013, in force since 01.01.2014)
§ 123. The law enters into force on 1 January 2014, with the exception of § 115, which
enters into force on 1 January 2013, and § 18, § 114, § 120, § 121 and § 122, which enter into force
of 1 February 2013

Transitional and Final Provisions
TO THE LAW AMENDING THE LAW ON THE MINISTRY
OF INTERNAL AFFAIRS
(Promulgated - SG, issue 81 of 2016, in force since 01.01.2017)
§ 102. The law enters into force on January 1, 2017, except for:
1. paragraphs 6 - 8, § 12, items 1, 2 and 4, § 13, § 14, § 18 - 20, § 23, § 26 - 31, § 32, item
1 and 4, §§ 33 - 39, § 41 - 48, § 49 concerning Art. 187, para. 3, sentence one, § 50 - 59, § 61 65, § 81 - 85, § 86, §§ 4 and 5, § 87, § 3, § 90, § 1, § 91, §§ 2 and 3, § 92, § 93 and § 97 - 101,
which enter into force on the day of promulgation of the law in the State Gazette;
2. paragraph 32, items 2 and 3, § 49 regarding art. 187, para. 3, new sentence two, § 69 72, § 76 concerning the persons under § 70, § 78 in respect of the employees under § 69 and § 70, § 79
in respect of employees under § 69 and § 70, § 91, items 1 and § 94, which shall enter into force on 1
February 2017

Transitional and Final Provisions
TO THE LAW AMENDING THE LAW RESTRICTING THE LAW
ADMINISTRATIVE REGULATION AND ADMINISTRATIVE CONTROL OVER
ECONOMIC ACTIVITY
(Promulgated - SG, issue 103 of 2017, in force since 01.01.2018)
§ 68. The law enters into force on January 1, 2018.

Transitional and Final Provisions
TO THE LAW AMENDING THE LAW FOR PROTECTION OF
PERSONAL DATA
(Promulgated - SG, issue 17 of 2019)
§ 44. (1) Formed until May 25, 2018 and not completed until the entry into force of
this law proceedings for violations of the law are completed according to the current order.
(2) For violations of the law and Regulation (EU) 2016/679, committed until
the entry into force of this law, the term for referral to the commission under Art. 38 is one year
from the knowledge of the violation, but not later than 5 years from its commission.
§ 45. The automated processing systems used by the competent authorities
bodies under Art. 42, para. 4 for the purposes of prevention, investigation, detection or
the prosecution of crimes or the execution of sentences,
including the protection against threats to public order and security and theirs
prevention, established before May 6, 2016, are brought in line with Art. 63,
al. 1 and 2 until May 6, 2023.
...................................
§ 120. Within one year from the entry into force of this law the Commission for
protection of personal data adopts the ordinances under Art. 14, para. 5 and 6 and under Art. 14a, para. 3.

Relevant acts of European legislation
Directives:
DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27
April 2016 on the protection of individuals with regard to the processing of
personal data from the competent authorities for the purposes of prevention, investigation,
the detection or prosecution of crimes or the execution of
penalties both for the free movement of such data and for the annulment of Ramkovo
Council Decision 2008/977 / JHA
DIRECTIVE 2002/58 / EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July
2002 concerning the processing of personal data and the protection of the rights of
privacy in the electronic communications sector (Directive
on the right to privacy and electronic communications)
DIRECTIVE 95/46 / EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October
1995 for the protection of individuals with regard to the processing of personal data and for
free movement of this data (canceled)
Regulations:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27
April 2016 on the protection of individuals with regard to the processing of
personal data and on the free movement of such data and repealing a Directive
95/46 / EC (General Data Protection Regulation)
REGULATION (EU) № 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23
July 2014 on electronic identification and certification services at
electronic transactions in the internal market and repealing Directive 1999/93 / EC
REGULATION (EC) (45/2001 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 18
December 2000 on the protection of individuals with regard to the processing of
personal data of Community institutions and bodies and on the free movement of such persons
data
COUNCIL REGULATION (EEC) № 2380/74 of 17 September 1974
adoption of provisions for the dissemination of information related to
research programs for the European Economic Community
Solutions:
COUNCIL FRAMEWORK DECISION 2008/977 / JHA of 27 November 2008 on the
the protection of personal data processed in the framework of the police and the judiciary
cooperation in criminal matters ( repealed )
COMMISSION DECISION 2001/497 / EC of 15 June 2001 on common
contractual clauses for the transfer of personal data to third parties under the Directive
95/46 / EC (notified under document number C (2001) 1539)
COMMISSION DECISION 2000/518 / EC of 26 July 2000 pursuant to
Directive 95/46 / EC of the European Parliament and of the Council on the adequate protection of
personal data provided in Switzerland (notified under document number C (2000) 2304)

Downloads
Personal Data Protection Act
Personal Data Protection Act

print

Links

Site Map

Accessibility

Commission for Personal Data Protection, Sofia 1592, Prof. Tsvetan Lazarov ”№ 2

