Home » Privacy » data » Data Retention Law In Bulgaria

Data Retention Law In Bulgaria

Disclosure: All information on this site is harmless and purely for educational purposes which is why we post only authentic, unbiased information! The affiliate links are really there for discounts for our readers and for us to earn small commissions that help us stay afloat! Thanks!

After broad open counsels and discourses in parliament, Bulgarian legislators passed corrections to the Personal Data Protection Act. It actualizes the EU’s General Data Protection Regulation (GDPR) with a couple of nearby exclusions. The Act was proclaimed into the Bulgarian State Gazette on February 26 and went into power on March 2. 

Business connections

New necessities contained in the Act incorporate guidelines concerning work connections, for example, 

  • Businesses are permitted to decide alone the maintenance time frame for the individual information of employment candidates. This period, be that as it may, may not surpass a half year. 
  • Managers, in their ability as controllers, receive standards and strategies. i.e. in regards to whistleblowing, impediments on the utilization of an association’s interior assets, get to controls, working time and work discipline. 

The Bulgarian Personal Data Protection Commission (PDPC)

The PDPC, as main supervisory power, will screen and encourage the handling and development of individual information. In charge of the accreditation of bodies checking sets of principles, the PDPC will in consistence with the GDPR guarantee bodies, which issue, audit and pull back information assurance affirmation, seals and stamps. 

The PDPC will likewise favour sets of standard rules in specific parts. Necessities and methods for accreditation and confirmation controls in auxiliary enactment received inside two months after the requirement of the Act. 

Different duties of the PDPC incorporate leading workshops and training of information security officials (DPOs). Also, all information controllers or processors who have delegated a DPO must tell the PDPC of the DPO’s character and contact subtleties. 

Rather than an information controller’s register, the PDPC will keep up discrete records for: 

  • controllers and processors who have designated DPOs; 
  • authorize affirming bodies; 
  • codes of conduct; 
  • breaks of the GDPR and the Act with the measures actualized (inner register); 
  • warnings of an individual information break (an internal record). 

The Inspectorate to the Supreme Judicial Council

As the new supervisory authority inside the legal executive, the Inspectorate will get all objections, demands and flag identified with the handling of individual information inside the courts, examination and investigator’s office. The information handling grievances inside the legal executive will never again record to the PDPC. Therefore, Inspectorate, similar to the PDPC, is qualified for force sanctions for GDPR encroachments of up to EUR 20 million. 

Other significant handy issues include: 

  • Information controllers and processors are not permitted to duplicate ID cards, driving licenses or habitation grants, aside from if generally accommodated by law. One particular case incorporates into the Anti-Money Laundering Measures Act, which obliges substances gathering data for hostile to illegal tax avoidance anticipation to make duplicates of the ID cards of lawful agents of customers which are legitimate elements. 
  • The base age for substantial consent is 14 years when utilizing data society administrations. Something else, parental consent is required. 
  • At the point when information handling performs without legitimate grounds, the controller or processor must restore the individual information to the information subject or wreck the data inside one month of learning of the illicit preparing. 
  • The individual distinguishing proof number or a specific number of an outsider can’t be freely available except if generally given by law. The particular distinctive proof number or a different number of an outsider can’t be the primary identifier for an information subject utilizing electronic open administrations. 
  • In an information subject’s privileges are damaged under the GDPR or the Act, the information subject is qualified for document an intrigue inside a half year of getting to be mindful of the infringement, yet no later than two years from the date of the breach. The conspiracy records with the PDPC, Inspectorate or the courts. 

For more data on this Act and information security in Bulgaria, please visit:




Unlock the power of online security with our in-depth reviews and expert insights. Discover the best VPNs, password managers, and privacy tools to safeguard your digital world.