Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy topics

Internet and consumer privacy


The Law on Electronic Communication provided for special regulation of the protection of personal data in national electronic networks.

The Electronic Commerce Act, adopted in 2006, transposed the standards set forth by Directive 2000/31/EC on Electronic Commerce.1 According to the Act, commercial communication consists in promotional or other communication designed to present, directly or indirectly, the goods or the image of a person pursuing a commercial or craft activity, or exercising a regulated profession.

Under the Bulgarian Law on Electronic Communication, all calls, messages, or e-mail for the purposes of direct marketing shall be allowed only if the recipient's prior consent has been obtained. Consent may be withdrawn at any time. Prior consent shall not be required when the sender has obtained the recipient's contact details in the context of a commercial transaction or provision of service to customers and the message is sent for the purpose of direct marketing of the undertaking’s own services. In any case where prior consent has not been obtained, any person who sends messages for marketing purposes shall be obliged to offer each recipient the chance to opt outfrom receiving further such messages and respect any refusal to receive messages for marketing purposes. Sending messages for marketing purposes shall be prohibited even when the requirements under the law are fulfilled if the identity of the sender cannot be established, or the message has no valid address to which the recipient may send refusal to receive messages.

At the end of 2009, the National Statistics Institute announced the results of two nationwide surveys: Information and Communication Technologies Usage and E-Commerce in Enterprises 2009 and ICT Usage in Households and by Individuals Aged between 16 and 74.2 The results show that the most active age group regularly using the Internet in 2009 is the group aged 16 to 24 and the proportion of individuals spending their own time on the Internet from this group increased by 41.7 percent in the last five years, reaching 75.1 percent in 2009.


The Penal Code provides for the definition of computer crimes.3 This type of crime encompasses public relations with regard to the proper functioning of computers, computer systems, and computer networks, as well as the lawful generation and exploitation of information. The term "computer crimes" includes illegally accessing, changing, harming, and destroying data or programs, introducing a virus, and disclosing passwords.

Online behavioural marketing and search engine privacy

No specific information has been provided under this section.

Online social networks and virtual communities

No specific information has been provided under this section.

Online youth safety

No specific information has been provided under this section.

Workplace privacy

According to the Labour Code4 and Insurance Code5, employees/workers must provide their employers with their personal data when necessary for the implementation of legal requirements with regard to labour and insurance relations.

Currently, the practice of the CPDP with regard to determining the scope of the right of the employer to process employees' personal data is based on appeals from employees claiming that their employers are processing personal data to a greater extent than necessary, or have illegally transferred personal data to third parties.

Health and genetic privacy

Medical records

The general law regulating the collection and processing of medical information about the citizens is the Law on Health. Processing, using, and keeping anonymised medical data, and exchanges of medical-statistical information, are carried out pursuant to the Regulations of the Minister of Healthcare6, in concert with the National Statistical Institute. A priority for the Bulgarian Government is the establishment of a National Register of Patients with Rare Diseases.

The Executive Agency for Transplantation in Bulgaria is a specialised body whose functions are the management, coordination, and control of transplantation activities. The Agency holds several registers containing sensitive personal data. The disclosure of information that would allow the identification of either donors or recipients is prohibited.

The legal framework regulating the processing of personal data in the sphere of reproductive medicine is provided by the Law of the Transplantation of Organs, Tissues, and Cells. It was adopted in 2007 without public debate. Currently, pursuant to the existing regulations, the registers of donors and recipients of genetic material are maintained by the licenced reproduction medicine clinics. The data from these registers are sent to the Executive Agency for Transplantation. However, they are not processed there. The medical specialists working directly with the genetic material are the only ones allowed to access the data.

According to the Law on Blood, Blood Donation, and Blood Transfusion7 blood transfusion centees should process the data of the blood donors.

In September 2007, Bulgaria started issuing its first electronic health cards as part of the pilot project launched by the Ministry of Health and the National Health Insurance Fund (NHIF) in February 2007. Each e-health card is equipped with a microchip that stores data about the patient and the issuer, including the card number and a security certificate. With this information, the patient's insurance status and his/her assignment to a General Practitioner can be automatically checked. In addition, electronic prescriptions for medications covered by the Bulgarian health insurance fund will be recorded on the chip.8

Genetic identification

No definition of the term "genetic information"is provided by the Bulgarian legislation. The legal framework regulating the collection and processing of such information about Bulgarian citizens is provided by the Law on Health.9 General principles for the protection of citizens from the illegal collection and processing of genetic information are provided by Section IV of the Law on Health – Genetic Health, and Genetic Examination – as well as in the ethical principles with regard to genetic examinationsadopted by the Ethics of Scientific Research Committee at the Medical University, Sofia.

Financial privacy

The relevant legal framework regulating the processing of financial information is provided by the Law for the Credit Institutions10 and the Law for Measures against Money Laundering.11 The framework regulates the collection of personal data when using different types of bank services. The maximum time frames within which the information may be held are also defined. A legislative balance was struck between the protection of citizens' personal data and the prevention of money laundering. The legislation is in line with the requirements of Directive 2005/60/EC of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing.12


The new e-government portal of Bulgaria was officially launched in October 2007.13 It comprises a catalogue of public services provided by the central State Administration and enables citizens and businesses to obtain online information on many public services, as well as forms to download. Some e-government services do require the use of special smart cards containing personal electronic signatures provided by the State-owned company Informatsionno Obsluzhvane (Information Services).14 Among these are the online submission of tenders, personal and corporate tax and VAT declarations, social security declarations, and changes of address, as well as access to the Property Register.15

The Law on Electronic Governance specifies the activity of administrative bodies related to work with electronic documents, the electronic provision of administrative services, and the exchange of electronic documents between the administrative bodies.16 The law shall apply also to the activities of persons charged with public functions and of organisations providing public services. The electronic administrative services shall be the administrative services provided to citizens and organisations by the administrative bodies; the services provided by persons charged with public functions; and thosepublic services that can be requested and/or provided remotely by electronic means. The administrative bodies, the persons charged with public functions, and the organisations providing public services shall be obliged to provide all services within their competence electronically, unless a law provides for a special form for conducting separate actions or issuing relevant acts. The Minister of State Administration and Administrative Reform shall exercise overall control over compliance with this Law.

According to the Bulgarian National Statistical Institute, from the end of 2009,"While 5.9 percent of individuals have downloaded official forms from the Internet and 4.7 percent have filled them in and sent them back to the relevant institutions, the proportion of individuals who have used egovernment services for obtaining information from public authorities' Web sites is 7.9 percent."17