Bulgaria - Data Breach Guide

Bulgaria (1)

Yes, in case of a data breach which is likely to result in a risk to the rights and freedoms of data subjects, the Bulgarian Commission for Personal Data Protection (the "Commission") and the Inspectorate to the Supreme Judicial Council (the "Inspectorate") must be notified.

If the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the affected individuals shall be notified of the breach as well.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

The controller must notify the authorities and/or the affected individuals in case of a data breach. A data breach has occurred in case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The data processor has the obligation to notify the data controller after becoming aware of a personal data breach.

The data subjects do not have to be notified of the breach in case any of the following conditions are met:

1. the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data which was affected by the breach. More precisely, those are measures which render the personal data unintelligible to any person who does not have the right to access said data (for example by encryption);
2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
3. the notification would involve a disproportionate effort. In such case, there must be instead a public communication or a similar measure whereby the data subjects are informed in an equally effective manner.

In case the controller has not notified the data subject of the breach, but the Commission or, respectively, the Inspectorate, having considered the likelihood of the breach resulting in a high risk, may still require the controller to notify the data subject.

The controller is required to notify the Commission or, respectively, the Inspectorate of the breach without undue delay but not later than 72 hours after becoming aware of the breach. If the notification is sent after this deadline, it must state the reasons for the delay.

The processor must notify the controller without undue delay but not later than 72 hours after becoming aware of a personal data breach.

The controller must notify the data subject of the breach within 7 days after the breach has been ascertained.

There is no standard form, however, the minimum required information by law, which the controller is required to send to the Commission or, respectively, to the Inspectorate is the following:

1. description of the personal data breach, including, when possible, the categories and approximate number of the data subjects concerned and the categories and the approximate number of personal data records affected;
2. the name and contact details of the data protection officer or other contact point where more information can be obtained;
3. description of the likely consequences of the personal data breach;
4. description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate the possible negative effects.

If it is not possible to provide all the above information at the same time, the information should be provided in phases without further undue delay.

The notification sent to the data subject must describe in clear and plain language the personal data breach and must contain the information in clauses 1.3.2, 1.3.3, and 1.3.4 above as a minimum.

Generally, the notifications may be sent by regular mail.

A fine or a pecuniary penalty may be imposed on the controller or the processor for infringements of the above-mentioned procedures in the amounts of administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Not applicable.

1.6 What are the applicable (data protection) laws or guidelines within your country?

• General Data Protection Regulation (Regulation (EU) 2016/679);
• Personal Data Protection Act;
• Electronic Communications Act;
• Rules on the activity of the Commission for Personal Data Protection and its administration.

1. 7.1 Commission for Personal Data Protection

1. .7.2 Inspectorate to the Supreme Judicial Council

For more information, contact:

1 Bulgaria is a member state of the European Union. Please also refer to the section on the European Union for the general requirements according to the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).