Publication 22 Apr 2025 · International

GDPR Enforcement in Bulgaria

Deep dive into relevant data protection enforcement cases and insights from Bulgaria


Main takeaways
Fines can be imposed on authorities and public entities (and the highest fine to date was imposed against an authority).
The number of complaints addressed to the supervisory authority (the Bulgarian Commission for Personal Data Protection) is constantly increasing.
Some of the decisions issued by the Commission for Personal Data Protection are published on its website.
Fines > Litigation: Fines are a more significant enforcement measure than litigation, and this is unlikely to change given the high costs and long duration typically associated with legal proceedings.

Fining practice

Trend: Have the national data protection authorities in Bulgaria focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

Proceedings before the Bulgarian Commission for Personal Data Protection (“CPDP”) are usually initiated on the basis of complaints and reports, rather than as part of targeted campaigns by the supervisory authority. Therefore, we do not believe that the CPDP deliberately focuses on certain types of violations. It can be observed that most of the punitive proceedings have concerned violations of the principles relating to the processing of personal data (Article 5 GDPR), an insufficient legal basis for data processing (Article 6 GDPR) or an inappropriate level of security (Article 32 GDPR), as well as failures by controllers to respond to data subjects' requests to exercise their rights in compliance with the statutory requirements. There is an increase in proceedings concerning the type and volume of personal data processed and the correctness of the processing, as well as the measures taken to protect personal data located on servers in other EU Member States and outside the EU.

The CPDP’s Activity Report for 2024 shows that complaints and notifications currently predominantly concern the sectors of electronic communications, postal operators, online betting, fast crediting, private enforcement and direct marketing. There is a growing trend of alerts concerning online job-search and job-offer platforms, as well as unauthorised access to social media accounts and other electronic platforms.

The politically unstable situation in recent years and the frequent parliamentary elections have also given rise to numerous competing impulses concerning the political processes in the country.

Overall, what was the most significant fine in Bulgaria to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The highest GDPR fine in Bulgaria to date was imposed on the Bulgarian National Revenue Agency ("NRA"). The main government revenue authority was fined approx. EUR 2,550,000 by the CPDP in August 2019 for failing to implement appropriate technical and organisational measures for the protection of personal data, which resulted in unauthorised access to and dissemination of the personal data of 6,074,140 individuals. The NRA appealed the decision before the Sofia City Administrative Court, which ultimately dismissed the case because the absolute limitation period had expired.

A number of the affected data subjects brought claims against the Bulgarian state for damages resulting from the data leak. Most of the proceedings on these claims were delayed after the Bulgarian Supreme Administrative Court referred the matter to the Court of Justice of the European Union (“CJEU”) with a request for a preliminary ruling on questions relating to liability for violation of the GDPR where a data breach results from criminal activity (Case C‑340/21). On 14 December 2023, the CJEU issued its judgment in the case, ruling, among other things, that Articles 24 and 32 GDPR must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a “third party”, within the meaning of Article 4(10) GDPR, is not sufficient, in itself, for it to be held that the technical and organisational measures implemented by the controller in question were not “appropriate” within the meaning of Articles 24 and 32. The appropriateness of the technical and organisational measures implemented by the controller must be assessed by the national courts in concrete terms, taking into account the risks associated with the processing concerned and assessing whether the nature, content and implementation of those measures are appropriate to those risks.

Organisation of authorities and course of fine proceedings in Bulgaria


How is the data protection authority organised in Bulgaria? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The CPDP is the supervisory authority responsible for the rightful application of the GDPR and compliance with the Bulgarian Personal Data Protection Act.

  • The CPDP (https://cpdp.bg/) is an independent supervisory authority with its own budget.
     
  • The CPDP consists of a chairman and four members. It is supported by specialised staff and a general administration staff. The total number of staff is 117 people, including the chairman and members of the CPDP.
     
  • The chairman and members of the CPDP are elected by the National Assembly, following a nomination by the Council of Ministers, for a term of five years.
     
  • The CPDP is organised into five directorates: one general administration directorate, the Resource Management and Administrative Legal Services Directorate, and four specialised directorates: the Legal Affairs and International Affairs Directorate, the Legal Proceedings and Supervision Directorate, the Legal Analysis, Information and Control Activities Directorate and the Channel for Internal Whistleblowing Directorate.
     
  • The annual budget of the CPDP for 2024 was BGN 6,403,403 (approx. EUR 3,274,008).

How does a fine procedure work in Bulgaria? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

  • Administrative sanctions (including fines) are imposed directly by the CPDP as part of its administrative proceedings.
     
  • Administrative proceedings are governed by general national law, in particular the Bulgarian Administrative Violations and Penalties Act and the Bulgarian Administrative Procedure Code, as well as certain specific provisions of the Bulgarian Personal Data Protection Act. The authority initiates proceedings at the request of a data subject or on its own initiative. If the facts of the case require further clarification, the CPDP may request that the parties involved provide additional evidence or information. The data controller or data processor concerned may present its views on both the factual and the legal aspects of the case, and the authority must consider these carefully before reaching its decision.
     
  • Companies may appeal the decisions of the CPDP with the competent administrative courts within 14 days of being notified.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

The proceeds from fines imposed by the CPDP are credited to the budget of the CPDP.

Is there a common, official calculation methodology for fines in Bulgaria (such as the fining models in the Netherlands or Germany)?

There is no publicly available common calculation methodology. The CPDP refers to the Art. 29 Working Party’s WP 253 Guidelines on the application and setting of administrative fines.

Can public authorities be fined in Bulgaria? If they can: Where does this money go?

Yes, public authorities may be fined in Bulgaria. The money is credited to the budget of the CPDP.

In Bulgaria, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

There is a section on the CPDP’s website where selected decisions are made publicly available. However, the number of published decisions has been decreasing, and no decisions were published during 2024. Information on some of the CPDP’s decisions is published in its bimonthly newsletter, which is available online.

A summary of the CPDP’s decisions, as well as more detailed information on some more notable cases, is included in its annual report. The parties involved are generally not identifiable, unless the case is of public interest.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

  • The CPDP provides aggregated information on the total number of cases reviewed in its annual reports. In 2024 the CPDP received 637 notifications and complaints, compared with 925 in 2023, about 770 in 2022 and about 840 in 2021.
     
  • The total amounts of fines imposed were: in 2024 – BGN 74,700 (approx. EUR 38,194); in 2023 – BGN 90,900 (approx. EUR 46,500); in 2022 – BGN 247,500 (approx. EUR 126,545); in 2021 – BGN 112,150 (approx. EUR 57,340); in 2020 – BGN 87,063 (approx. EUR 44,515); in 2019 – BGN 6,106,000 (approx. EUR 3,121,950). The much higher 2019 figure is due to the financial sanction imposed on the National Revenue Agency in 2019 and another significant sanction imposed on a Bulgarian bank in the same year.

Other legal consequences of non-compliance in Bulgaria

Does Bulgaria have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

  • Class actions have been possible under the Bulgarian Civil Procedure Code since March 2008. In class action proceedings, it is possible to obtain a judgment establishing the fact of the infringement. Such a judgment makes it much easier for claimants to pursue their individual claims for compensation, as they no longer need to prove the infringement or the controller's fault. Nevertheless, class actions are not common in Bulgaria; there is a tendency to seek compensation through individual claims rather than by filing a class action.
     
  • There are a few rulings of Bulgarian courts relating to the leak of personal data from the NRA's databases in which the courts refused to hear class actions, holding that class actions are available only in relationships between equal parties (i.e., in civil proceedings) and not in relationships of subordination (i.e., relations with public bodies such as the NRA).

What is more relevant in Bulgaria: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Court proceedings on claims for damages are less common. This is most likely due to litigation costs, lengthy proceedings and the lack of established, uniform judicial practice in this area.

Fines imposed by the CPDP are more common and more relevant, mainly because of their severity and their general preventive effect.

Based on how actively the CPDP pursues data protection infringements, it can be assumed that its role in enforcing the GDPR will continue to be crucial in the foreseeable future.
