Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

I. Legal framework

Constitutional privacy and data protection framework

The Bulgarian Constitution of 1991 recognises rights of privacy, secrecy of communications, and access to information.1 Article 32 states, "(1) The private life of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honor, dignity and reputation. (2) No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law." Article 33 states, "(1) The home shall be inviolable. No one shall enter or stay inside a home without its occupant's consent, except in the cases expressly stipulated by law. (2) Entry into, or staying inside, a home without the consent of its occupant or without the judicial authorities' permission shall be allowed only for the purposes of preventing an immediately impending crime or a crime in progress, for the capture of a criminal, or in extreme necessity."

Article 34 states, "(1) The freedom and confidentiality of correspondence and all other communications shall be inviolable. (2) Exceptions to this provision shall be allowed only with the permission of the judicial authorities for the purpose of discovering or preventing a grave crime." The right to freedom of expression is also protected by Article 39 of the Bulgarian Constitution, which states, "(1) Everyone shall be entitled to express an opinion or to publicise it through words, written and oral, sound or image, or in any other way. (2) This right shall not be used to the detriment of the rights and reputation of others, or for the incitement of a forcible change of the constitutionally established order, the perpetration of a crime, or the incitement of enmity or violence against anyone." Article 41 states, "(1) Everyone shall be entitled to seek, obtain and disseminate information. This right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national security, public order, public health and morality. (2) Citizens shall be entitled to obtain information from state bodies and agencies on any matter of legitimate interest to them which is not a state or other secret prescribed by law and does not affect the rights of others."

The Constitution provides equality and protection against discrimination for the rights of the citizens.2 However, discrimination still exists, particularly against women and Roma.

Privacy and data protection laws and regulations

Comprehensive law

The Law for Protection of Personal Data (LPPD) was adopted by the National Assembly in December 2001 and came into effect in January 2002.3 The law's adoption was a key part of the administrative reforms that were undertaken in preparation for accession to the European Union (EU), which occurred on 1 January 2007.4 The law closely follows the EU Data Protection Directive. It sets out rules for the fair and responsible handling of personal information by the public and private sectors. Personal information is defined as any informationthat makes it possibleto identify an individual directly (e.g. through a personal ID number)or indirectly through one or more specific characteristics related to hisphysical, physiological, psychological, genetic,economic, cultural,or social identity.Entities collecting personal information must inform people why their personal information is being collected and what it is to be used for; allow people reasonable access to information about themselves and the right to correct it if it is wrong; ensure that the information is securely held and cannot be tampered with, stolen, or improperly used; and limit the use of personal information for purposes other than the original one without the consent of the person affected, or in certain other circumstances. Sensitive information, including information concerning racial or ethnic origin, political or religious affiliation, health, sexual life, and beliefs, is given special protection and can only be processed with the express written consent of the individual.5

During the years since, the regulation of personal data protection has changed.LPPD was amended in 2004, 2005, and 2006; each time, parts of the textwerechanged in contradictory directions. For example, the law's original text introduced the requirement that a wide range of data controllers register with the Personal Data Protection Commission. In 2005, the range of data controllers was narrowed; in 2006 it was expanded again. In 2005, after a public debate between the first and second readings, Parliament rejected the suggestion to repeal Art. 35 of the Law, which guaranteed free access to personal data as long as they are part of a public register or are contained in public documents. In 2006, however, Art. 35 was repealed, which meant that access to such data would be regulated by the general regime covering access to information and that the consent of the data subject would be required. Decision No. 7 of 1996 of the Bulgarian Constitutional Court on case No. 1 established that public figures should be subject to increased scrutiny as compared to other citizens. At the same time, Art. 4 paragraph 1 item 5 of the LPPD allows for the processing of personal data when data controllers act in the public interest.The provisions of Art. 35 gave data controllers some clarity, though can only be fully restored with the establishment of good practices.6 Other amendments to the LPPDwere made in 2007 and 2009.

Administrative sanctions in the form of fines for violations of the LPPD range from BGN10,000 (approx. €€5,000) to BGN100,000 (approx. €50,000). In particular: violation of the fundamental rights of the physical bodies – a fine ranging from BGN10,000 to BGN100,000 (approx. €5,000 to 50,000); illegal processing of sensitive data – a fine ranging from BGN10,000 to BGN100,000 (approx. €5,000 to 50,000); violation of the obligation for registration in the register – a fine ranging from BGN2,000 to BGN20,000 (approx. €1,000 to 50,000); and incorrect processing of data – a fine ranging from BGN2,000 to BGN20,000 (approx. €1,000 to 10,000). Data controllers are liable for any damage caused to an individual as a result of unlawful processing or from breaching the technical requirements of data protection. The data controller is also liable for any damage caused by a data processor acting on behalf of the data controller.7

The transfer of personal data from data controllers to foreign individuals or legal persons or to foreign government authorities shall be allowed, with the permission of the Commission for Personal Data Protection, only if the legislation of the recipient country guarantees a level of data protection that is equivalent to or better than that provided by Bulgarian law. The assessment of adequacy of the level of personal data protection in a third country shall be made by the Commission for Personal Data Protection, taking into consideration all the circumstances of the data transfer operation or the set of data transfer operations, including the nature of the data, the purpose and duration of their processing, the legal basis, and the security measures provided in the third country.8

Sector-based laws

The LPPD sets forth the general minimum standard that must be met with regard to the processing of personal data in all spheres of public relations. Different, sector-based laws contain provisions that guarantee lawful processing of personal data in specific spheres. Parts of these sector-based laws refer to the general provisions of the LPPD.

However, there are also sector-based laws that set forth more detailed regulation with regard to the processing and protection of personal data. Among these laws are: the Law on Health;9 the Electronic Document and Electronic Signature Law (EDESL);10 the Electronic Commerce Act (ECA);11 the Law on Electronic Communications;12 the recently-approved Law for Providing Services;13 the Law for the Credit Institutions (LCI);14 the Law for Measures against Money Laundering (LMAML);15 the Access to Public Information Act;16 the Law on Prevention and Disclosure of Conflict of Interests;17 the Law for Publicity of the Property of Persons Occupying High State Positions;18 the Law on Access and Disclosure of Documents and on Announcement of Affiliation of Bulgarian Citizens to the State Security and the Intelligence Services of the Bulgarian National Army;19 the Ministry of the Interior Act, in force from 24 February 2006; the Bulgarian Special Investigation Devices Act.20

The Family Code provides adequate protection of personal data for birth parents, adopted children, and adoptive parents. The regulation creates two new registers, one containing information about children available for adoption, the other about parents wishing to adopt children. Both registers contain information about the subjects' health and family status and property, as well as various details about the personal and family lives of the individuals concerned.

Data protection authority

The LPPD establishes an independent public authority, the Commission for Personal Data Protection (CPDP or the Commission) to supervise compliance and implementation, maintain a national register of data controllers, examine complaints, and take legal action for violations.21 It is an independent, jointly governed authority, and consists of a chairperson and four members. The members of the Commission and its chairperson are proposed by the Council of Ministers and elected by the Parliament for a term of five years. They may be re-elected for another mandate. The Commission was established by decision of the Parliament on 23 May 2002.

In compliance with the Rules on the Activity of the Commission for Personal Data Protection and its Administration the total number of the staff is 81 full-time positions (including five elective positions).22 The administration is organised in five Directorates whose powers are stipulated in the regulations, and the functional relations of the units are regulated by internal rules adopted by the Commission.

In compliance with the LPPD the Commission shall: analyse and exercise overall control of the observance of the normative acts in the sphere of protection of personal data; keep a register of personal data controllers and of the registers of personal data the controllers keep; carry out inspections of personal data controllers; express opinions and give permits in the cases stipulated by the law; issue obligatory prescriptions for administrators in connection with the protection of the personal data; impose, upon prior notice, temporary prohibitions from processing personal data that violate the norms of personal data protection; consider claims against the actions of data controllers that have violated the rights of the natural persons as well as of the appeals of third persons in connection with their rights; participate in obligatory consultations on the drafts of primary and secondary legislation in the field of personal data protection; and apply the decisions of the European Commission in the field of personal data protection.23

The Commission publishes a bulletin providing information on its activity and decisions taken24 as well as annual reports on its activities.25

The Commission also wrote an Ethics Code of Behavior of Data Controllers, which sets out specific legal obligations and attempts to "balance the interests of the persons and the interests of the data controllers within the framework of the law on adequate measures for personal data protection."26

Major privacy and data protection case law

The relevant case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.27

Footnotes

  • 1. Constitution of the Republic of Bulgaria of 13 July 1991, State Gazette (SG) No. 56, 13 July 1991 (effective 13 July 1991), amended and supplemented, SG No. 85 of 6 September 2003, SG No. 18 of 25 February 2005, SG No. 27 of 31 March 2006, Decision No. 7 of the Constitutional Court of the Republic of Bulgaria of 13 September 2006 - SG No. 78 of 26 September 2006, SG No. 12 of 6 February 2007, available in English at http://www.vks.bg/english/vksen_p04_01.htm.
  • 2. Id., at article 6(2).
  • 3. Law for Protection of Personal Data, SG No. 1 of 4 January 2002, amend. SG No. 70 of 10 August 2004, SG No. 93 of 19 October 2004, SG No. 43 of 20 May 2005, SG No. 103 of 23 December 2005, SG No. 30 of 11 April 2006, SG No. 91 of 10 November 2006, SG No. 57 of 13 July 2007, SG No. 42 of 5 June 2009, available in English at http://www.cpdp.bg/en/index.php?p=element&aid=128.
  • 4. Europa Press Release, "Two New Members Join the EU Family," 28 December 2006, available at http://europa.eu/rapid/pressReleasesAction.do?reference=IP/06/1900.
  • 5. Law for Protection of Personal Data, supra Artt. 2-5.
  • 6. Access to Information ProgrammeFoundation (AIP), "Access to Information in Bulgaria 2006," at 19, available at http://www.aip-bg.org/pdf/report2006-en-end.pdf.
  • 7. Law for Protection of Personal Data, supra Artt. 41 and 42. See also http://www.investnet.bg/bulgarian-economy/LegalFramework/CommercialLawOverview/Regulatory/DataProtection.aspx.
  • 8. Id., Art. 36.
  • 9. Law on Health, SG No. 70 of 10 August 2004, in force as of 01 January 2005, amend. SG No. 46 of 03 June 2005, SG No. 76 of 20 September 2005, SG No. 85 of 25 October 2005, SG No. 88 of 04 November 2005, SG No. 94 of 25 November 2005, SG No. 103 of 23 December 2005, SG No 18 of 28 February 2006, SG No. 30 of 11 April 2006, SG No 34 of 25 April 2006, SG No 59 of 21 July 2006, SG No 71 of 01 Sepember 2006, SG No 75 of 12 September 2006, SG No. 81 of 06 October 2006, SG No 95 of 24 November 2006, SG No. 102 of 19 December 2006, SG No 31 of 13 April 2007, SG No. 41 of 22 May 2007, SG No. 46 of 12 June 2007, SG No. 59 of 20 July 2007, SG No. 82 of 12 October 2007, SG No. 95 of 20 November 2007, SG No. 13 of 08 February 2008, SG No. 102 of 28 November 2008, SG No. 110 of 30 December 2008, SG No. 36 of 15 May 2009, SG No. 41 of 02 June 2009, SG No. 74 of 15 September 2009, SG No. 82 of 16 October 2009, SG No. 93 of 24 November 2009, SG No. 99 of 15 December 2009, SG No. 101 of 18 December 2009, SG No. 41 of 01 June 2010, SG No. 42 of 04 June 2010, SG No. 50 of 02 July 2010, SG No. 59 of 31 July 2010, SG No. 62 of 10 August 2010.
  • 10. Electronic Document and Electronic Signature Law, SG.No. 34 of 06 April 2001, in force from 6 October 2001, amend. SG No. 112 of 29 December 2001, SG No. 30 of 11 April 2006, SG No. 34 of 25 April 2006, SG No. 38 of 11 May 2007.
  • 11. Electronic Commerce Act,SG No. 51 of 23 June 2006, in force from 24 December 2006, amend. SG No. 105 of 22 December 2006, SG No. 41 of 22 May 2007, SG No. 82 of 16 October 2009.
  • 12. Law on Electronic Communicationsin SG No. 41 of 22 May 2007, amend. SG No. 109 of 20 December 2007, SG No. 36 of 04 April 2008, SG No. 43 of 29 April 2008, SG No. 69 of 05 August 2008, SG No. 17 of 06 March 2009, SG No. 35 of 12 May 2009, SG No. 37 of 19 May 2009, SG No. 42 of 05 June 2009, SG No. 45 of 16 June 2009, SG No. 82 of 16 October 2009, SG No. 89 of 10 November 2009, SG No. 93 of 24 Novemer 2009, SG No. 12 of 12 December 2010, SG No. 17 of 02 March 2010, SG No. 27 of 09 April 2010.
  • 13. Law for Providing Services in SG No. 15 of 23 February 2010,in force from23February 2010.
  • 14. Law for the Credit Institutionsin SG No. 59 of 21 July 2007,in force from1January 2007, amend. SG No. 105 of 22 December 2006, SG No. 52 of 29 June 2007, SG No. 59 of 20 July 2007, SG No. 109 of 20 December 2007, SG No. 69 of 05 August 2008, SG No. 23 of 27 March 2009, SG No. 24 of 31 March 2009, SG No. 44 of 12 June 2009, SG No. 93 of 24 November 2009, SG No. 95 of 01 December 2009, SG No. 94 of 30 November 2010.
  • 15. Law for the Measures against Money Laundering in SG No. 85 of 24July 1998amend. SG No. 1 of 02 January 2001, SG No. 31 of 04 April 2003, SG No. 103 of 23 December 2005, SG No. 105 of 29 December 2005, SG No. 30 of 11 April 2006, SG No. 54 of 04 July 2006, SG No. 59 of 21 July 2006, SG No. 82 of 10 October 2006, SG No. 108 of 29 December 2006, SG No. 52 of 29 June 2007, SG No. 92 of 13 November 2007, SG No. 109 of 20 December 2007, SG No. 16 of 15 February 2008, SG No. 36 of 04 April 2008, SG No. 67 of 29 July 2008, SG No. 69 of 05 August 2008, SG No. 22 of 24 March 2009, SG No. 23 of 27 March 2009, SG No. 93 of 24 November 2009, SG No. 88 of 09 November 2010.
  • 16. In SG No. 55 of 7.07.2000, subsequently amended SG No. 1 of 4 January 2002, SG No. 45 of 30 April 2002, SG No. 103 of 23 December 2005, SG No. 24 of 21 March 2006, SG No. 30 of 11 April 2006, SG No. 59 of 21 July 2006, SG No. 49 of 19 June 2007, SG No. 57 of 13 July 2007, SG No. 104 of 05 December 2008.
  • 17. In SG No. 94 of 31 October2008 г., in force from 1 January 2009 г., amended SG No. 10 of 6 February 2009, in force from 31 March 2009, amended SG No. 26 of 7 April 2009,, amended SG No. 101 of 18 December 2009 г.
  • 18. In Official SG No. 38 of 9 May 2000, amended SG No. 28 of 19 March 2002, amended SG No. 74 of 30 July 2002, amended SG No. 8 of 28 January 2003, in force from 1 March 2003, amended SG No. 38 of11 May 2004, amended SG No. 105 of 29 December 2005, in force from 1 January 2006, amended SG No. 38 of 9 May 2006, amended SG No. 73 of 5 September 2006, in force from 1 January 2007, amended, SG No. 109 of 20 December 2007, in force from 1 January 2008, amended SG No. 33 of 28 March 2008, SG No. 69 of 5 August 2008, amended SG No. 94 of 31 October 2008, in force from 1 January 2009, amended SG No. 93 of 24 November 2009, in force from 25 December 2009, SG. No. 18 from 5 March 2010, in force from 5 March 2010.
  • 19. In SG No. 102 of 19 December 2006, amended SG 41 of 22 May 2007, amended SG No. 57 of 13 July 2007, amended SG No. 109 of 20 December 2007, in force from 1 August 2008, amended SG No. 69 of 5 August 2008, amended SG No. 25 of 3 April 2009, amended SG No. 35 of 12 May 2009,, amended SG No. 42 of 5 June 2009, amended, SG No. 82 of 16 October 2009, amended SG No. 93 of 24 November 2009, amended SG No. 18 of 5 March 2010, in force from 5 March 2010, amended, SG No. 54 of 16 July 2010.
  • 20. In SG No. 95 of 21 October 1997 г., amended SG No. 70 of 6 August 1999 г., in force from 1 January 2000 г., amended SG No. 49 of 16 June 2000 г., in force from 16 June 2000 г., amended, SG No. 17 of 21 February 2003 г., amended, SG No. 86 of 28.10.2005 г., in force from 29 April 2006 г., amended SG No. 45 of 2 June 2006 г., amended SG No. of 10 October 2006 г., amended, SG No. No. 109 of 20 December 2007 г., in force from 1 January 2008 г., amended SG No. 43 of 29 April 2008 г. amended SG No. 109 of 23 December 2008 г., amended SG No. 88 of 6 November 2009 г., amended SG No. 93 of 24 November 2009 г., amended, SG No. 103 of 29 December 2009 г., amended SG No. 32 of 27 April 2010 г., in force from 28 May 2010 г.
  • 21. See CPDP official website at http://www.cpdp.bg/en/index.php.
  • 22. Rules on the Activity of the Commission for Personal Data Protection and its Administration, promulgated SG No. 11 of 10 February 2009, available at http://www.cpdp.bg/en/index.php?p=element&aid=36. "The necessity of the elaboration and adoption of the Rules of 2009 was based on the new priorities adopted by the Commission for Personal Data Protection in its capacity of an independent supervisory authority in the field of personal data processing. This regulatory act aims at synchronising the activity of the administrative units of the Commission while exercising overall control on the observance of the regulatory acts in the field of personal data protection in the course of personal data processing. The regulations set out in the Rules allowed the Commission to achieve flexibility when adopting decisions, which inevitably results in raising the efficiency of the activity of the Commission as a whole." See Annual Report for the Activity of the Commission for Personal Data Protection in 2009, available in English at http://www.cpdp.bg/en/index.php?p=element&aid=249.
  • 23. Law for Protection of Personal Data, supra Art. 10.
  • 24. For the time being, the Information Bulletin is published only in Bulgarian and is available at http://www.cpdp.bg/index.php?p=home&aid=0.
  • 25. Available in English at http://www.cpdp.bg/en/index.php?p=rubric&aid=14.
  • 26. Bulgaria Data Protection Commissioner Annual Report 2006, available at http://www.cpdp.bg/otcheti/annual_report2006.pdf.
  • 27. Cfr. Sections "Wiretapping, access to, and interception of communications," "Data retention,""Cybercrime," "Bodily Privacy," "Open Government," infra in this Report.