Legal framework and CPDP
The General Data Protection Regulation — Regulation (EU) 2016/679 (GDPR) — has been in force since 25 May 2018 and is directly applicable in all Member States, including Bulgaria. It is complemented at national level by the Personal Data Protection Act (PDPA), which regulates procedural matters, the supervisory authority and national specifics.
The competent supervisory authority in Bulgaria is the Commission for Personal Data Protection (CPDP) — cpdp.bg. CPDP handles complaints from data subjects, conducts inspections and imposes sanctions. For a detailed analysis of the framework and current CPDP guidance, visit our specialised resource gdprbg.com (site in Bulgarian) — the only Bulgarian site entirely dedicated to personal data protection.
GDPR applies to any company processing personal data of individuals in the EU — regardless of whether it is established in Bulgaria, another Member State or outside the EU (extraterritorial scope under Article 3). A small Bulgarian online store selling to German customers is therefore subject to exactly the same obligations as a large multinational.
Core obligations of controllers
GDPR imposes a specific set of obligations on data controllers. The table below summarises the ten key duties every Bulgarian company must cover regardless of size:
| Obligation | GDPR Article |
|---|---|
| Information to data subjects | Art. 13–14 |
| Records of processing activities | Art. 30 |
| Data protection impact assessment (DPIA) | Art. 35 |
| Data protection officer (DPO) | Art. 37 |
| Breach notification | Art. 33–34 |
| Privacy by design & by default | Art. 25 |
| Processor agreements | Art. 28 |
| International transfers | Art. 44–49 |
| Right to erasure | Art. 17 |
| Right to portability | Art. 20 |
Our team at gdprbg.com (site in Bulgarian) prepares all of these documents on a turnkey basis — from the Article 30 records to consent policies, privacy notices and data processing agreements. We offer packages for both SMEs and corporate clients.
Data Protection Officer (DPO) — when is it mandatory
Under Article 37 GDPR, appointing a DPO is mandatory in three scenarios:
- Public authorities and bodies — except courts acting in their judicial capacity;
- Systematic and large-scale monitoring — large-scale CCTV, online tracking (adtech), profiling;
- Special categories of data at scale — health, biometric, criminal convictions, data on sexual life and orientation.
Even when not mandatory, appointing a DPO is considered good practice — especially for e-commerce, SaaS, marketing agencies and any business dependent on processing customer data. Many of our clients use DPO as a Service from gdprbg.com (article in Bulgarian) — a monthly subscription with guaranteed compliance, without an internal appointment or training costs.
The service includes registration with CPDP, maintenance of the records of processing, responding to data subject requests, annual audits and representation in inspections.
Data Protection Impact Assessment (DPIA)
A DPIA is a formalised risk assessment required by Article 35 GDPR when processing "is likely to result in a high risk to the rights and freedoms of natural persons". Typical cases include rolling out a new CRM with large volumes of data, workplace CCTV, AI-based customer profiling and biometric identification.
The process has four stages:
- Description of the processing and its purposes;
- Assessment of necessity and proportionality;
- Identification of measures to mitigate risk;
- Consultation with CPDP where residual risk remains high.
For detailed methodology, see our DPIA guide on gdprbg.com (in Bulgarian) — with sample templates, real case studies and a step-by-step process valid before CPDP.
CCTV deserves special attention — it is a frequent source of violations and many sanctions. See our article CCTV and GDPR on gdprbg.com (in Bulgarian) for a full list of requirements and common mistakes.
The 72-hour breach notification deadline
When a personal data breach occurs, the controller must under Article 33 GDPR notify CPDP "without undue delay and, where feasible, not later than 72 hours after having become aware of it". Missing the deadline is a separate violation for which CPDP imposes a standalone fine.
If the breach creates a high risk to the rights of data subjects, the controller must also inform them — directly or through a public communication (Art. 34). For electronic communications providers the deadline is shorter — 24 hours under the sectoral regime.
What to do in the first 72 hours? Read our detailed playbook at gdprbg.com — Personal data breach: the first 72 hours (in Bulgarian) and keep a notification template ready. Our incident response team is on call 24/7 for retainer clients.
GDPR sanctions — EU framework and Bulgarian practice
Maximum fines under Article 83 GDPR are severe — up to EUR 20 million or 4% of global annual turnover, whichever is higher. These, however, are caps applied only to the most serious breaches.
In Bulgaria, CPDP's actual practice is more moderate for most cases — sanctions start around EUR 510 and reach a few thousand euros for typical violations. There are extreme examples, however: in 2019 CPDP imposed a fine of EUR 2,607,000 on the National Revenue Agency (NRA) following a large-scale data leak. This remains the largest sanction ever issued by the Bulgarian supervisory authority.
Our GDPR audits via gdprbg.com (site in Bulgarian) have helped over 200 companies identify risks in advance and avoid similar sanctions. An audit takes between 2 and 6 weeks depending on organisation size and concludes with a report containing prioritised recommendations.
9 practical steps to compliance
If you are only starting the process, here is the recommended sequence:
1. Records of processing activities — inventory of all personal data, purposes, retention periods.
2. Risk assessment — identifying critical processes.
3. Policies and procedures — data protection policy, data subject request handling, breach response, retention.
4. Appointing a DPO — if mandatory or recommended.
5. Processor agreements — a DPA with every vendor (hosting, SaaS, accounting).
6. Staff training — annually, with proof of attendance.
7. Incident response plan — roles, templates, 72-hour workflow.
8. DPIA for high-risk activities.
9. Annual review and audit — internal or external.
Our team at gdprbg.com (site in Bulgarian) delivers all nine steps as a package — see our services for full implementation or individual modules.
Related regulations — NIS2, DORA, AI Act
GDPR no longer stands alone. The European regulatory landscape is expanding quickly and requires compliance with several overlapping regimes:
- NIS2 — Directive (EU) 2022/2555 on cybersecurity of operators of critical and important infrastructure. Transposed in Bulgaria through the Cybersecurity Act. Details in our article NIS2 in Bulgaria on gdprbg.com (in Bulgarian).
- DORA — Regulation (EU) 2022/2554 on digital operational resilience for financial entities, in force from January 2025. It affects banks, insurers, investment firms and critical ICT providers.
- AI Act — Regulation (EU) 2024/1689 introducing a risk-based approach for AI systems. For high-risk applications it overlaps with GDPR (automated decision-making, profiling). Details in AI Act + GDPR: business preparation 2026 on gdprbg.com (in Bulgarian).
- Whistleblowing — the Bulgarian Whistleblower Protection Act requires internal reporting channels. GDPR applies fully to the processing of whistleblower data. See Whistleblowing and GDPR on gdprbg.com (in Bulgarian).
A comprehensive assessment of these regimes requires specialised expertise — the gdprbg.com team (site in Bulgarian) offers integrated audits covering all applicable regimes at once.
Need a GDPR audit or DPO service?
Innovires Legal has a dedicated GDPR team with over 300 clients and more than 200 completed audits. For a full package — audit, documentation, training, DPO-as-a-Service, incident response and CPDP representation — visit our specialised site gdprbg.com (site in Bulgarian).
Visit gdprbg.com, or submit an enquiry directly via the form below and we will get back to you within one business day.