Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Bulgaria - Data Protection

History of Data Protection in BULGARIA

The Bulgarian law on data protection, the Personal Data Protection Act, was adopted on 21 December 2001, and entered into force on 1 January 2002.

The Bulgarian Personal Data Protection Act is modelled on Directive 95/46/EC. Bulgaria is aiming to join the EC at the earliest possible opportunity, and the Act, which aims to offer the same level of data protection in Bulgaria as in EU member states, is an statement of intent in this regard.

Summary of Data Protection in BULGARIA

Title of Data Protection Legislation Personal Data Protection Act
Name of supervisory authority Bulgarian Commission for Personal Data Protection (not official site)
General Powers of supervisory authority Article 6(1) of the Act states that the Commission is charged with controlling adherence to the law. Article 10(1) sets out the general functions of the Commission: It states that the Commission
1.Analyzes and controls the observing of the rules in the sphere of the protection of the personal data;
2.Writes a register of the administrators of personal data;
3.Checks the work of the administrators of personal data;
4.Gives opinions and permissions;
5.Publishes obligatory rules;
6.Can forbid the processing of the personal data;
7.Deals with the requests and reports against the administrators when physical persons have been denied access to their personal data;
8.Takes part in writing of the rules regarding the protection of the personal data".
Who has standing to notify the supervisory authority of breaches? The data subject and any "other persons concerned". See Article 10(1)(7) and Article 12(1)(3).
What are the penalties for data controllers if they breach the law? The penalty for controllers that breach the law Personal Data Protection Act is a fine. Article 42 of the Act sets out the fines applicable in different situations.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? No
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? No
Who is able to indirectly identify the data subject? Probably anybody

Laws and Regulations

Institutions