Български English Français
Home » Privacy notice

Privacy notice

  Transparency in the processing of personal data
As a data controller, the Commission for Personal Data Protection (CPDP) has an obligation to inform you what to expect when processing your personal data.
Contact with the CPDP:
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov blvd.
Website: www.cpdp.bg
Contact with the Data Protection Officer:
Lyubomir Grancharov
* It is used only for issues concerning the processing of your personal data by CPDP in its capacity of a data controller, as well as for exercising your rights under Art. 1522 of Regulation (EU) 2016/679. For any other general questions concerning the competence of CPDP as a supervisory authority, PLEASE, use kzld@cpdp.bg
The information that may contain your personal data is processed for the following purposes:
· Human Resources;
· Contractors;
· Requests under Access to Public Information Act;
· Video surveillance;
· Visitors;
· Complaints, signals and other requests;
· Exercise of rights under Regulation (EU) 2016/679 before CPDP in its capacity as a data controller;
· Promoting public awareness on issues related to the processing of personal data;
· Promoting the awareness of controllers and processors of their data protection obligations;
· Register of Data controllers and processors who have designated Data Protection Officers;
· Register of Accredited certifying bodies;
· Register of Codes of conduct;
· Internal register of infringements of Regulation (EU) 2016/679 and LPPD;
· Data breach notifications;
· Information Bulletin subscribers.

Human Resources
For the purposes of human resources management, we process personal data of job applicants, current and former employees of CPDP.
In the course of human resources management activities, personal data are processed for identification of individuals, data about education and qualification, health data, contact data and other official data, required on the ground of specific laws regulating the labour and civil servants’ relationships, for tax-insurance purposes, accounting purposes, safe and healthy labour conditions, as well as, for social insurance purpose.
The collected data are used only for the above mentioned purposes and is submitted to third parties only in cases, foreseen in law. In such cases the data can be provided to, for example, the National Revenue Agency, the Bulgarian National Audit Office, General Labour Inspectorate and other public authorities considering their powers and competency. The information is not stored outside EU or EEA. CPDP has ensured the necessary technical and organizational measures for data protection.
With regard to the performance of employment relationships, only personal data required by the law shall be processed and shall be kept within the terms set by labour and social security legislation.
The personnel selection procedures shall comply with the requirements of the special laws governing such activity.
CPDP has determined a period of three years for storage of personal data of participants in personnel selection procedures.
Where a selection procedure requires the submission of originals or notarized copies of documents certifying the physical and mental fitness of the applicant, the required qualification degree and experience for the position, the data subject who has not been approved for appointment may ask in 30 days period of time from the final conclusion of the selection procedure to receive the documents submitted back. The CPDP shall return the documents in the way they were filed.
The results of the personnel recruitment procedures are published on the official website in accordance with the Ordinance on Conducting Competitions for Civil Servants.
CPDP processes and publishes personal data of the liable persons under the Act on Counteracting Corruption and on Seizure of Unlawfully Acquired Property. The declarations are stored in the employee dossier.  
The activities for ensuring healthy and safe working conditions are regulated under a contract with an occupational medicine service under Ordinance № 3 of January 25, 2008 on the conditions and order for performing the activity of the occupational medicine services. 
In carrying out its activities and regarding its powers, CPDP processes personal data of individuals for the execution of the contracts it concludes under the Obligations and Contracts Act, the Public Procurement Act, the Commerce Act etc.
As far as personal data of individuals are processed in connection with the execution of these contracts, the information shall be processed in a minimum volume sufficient for the exact fulfillment of the obligations under the respective contract. Access to this information is provided to third parties only when this is specified in law.
Requests under the Access to Public Information Act
In relation with the handling of APIA requests, information is processed for individual data subjects, which may contain data on the physical, economic, social or other identities of individuals. CPDP provides such information only and insofar as it meets the purposes of APIA.
Video surveillance
CPDP is performing video surveillance with security purpose. The records are stored for 2 months. Access to records is made by certain employees within the scope of their official duties.
The processing of CPDP’s visitors personal data is performed by data processor - a security company, chosen after public procurement procedure. The purpose of collecting personal data is to identify the individuals visiting CPDP’s premises and controlling access.
Complaints, signals and other requests
The complaints, signals and other requests in connection with the exercise of the competences of CPDP as a data protection supervisory authority shall be filed under the terms and conditions of the current legislation.
By the processing of information in the complaints, signals or other requests, deposited before CPDP, are processed only personal data, relevant to the specific case. Data communicated to the Commission, can be submitted to third parties only if it is stipulated in law.
Children personal data processing
As a component of the public awareness raising activity on personal data protection issues, CPDP periodically organizes and conducts competitions for children`s creativity, whose main purpose is to inform children as the most vulnerable group of our society about the dangers/risks of processing personal data.
The participation in the competitions is voluntary and the data (name, age and school) are processed only for the above mentioned purposes, as well as for the promotion of children`s creativity.
CPDP encourages the artistic and creative expression of the children and also ensures balance in data protection.
Exercise of rights under Regulation (EU) 2016/679 before CPDP in its capacity as a data controller:
You can exercise your rights set in Art.15-22 of Regulation (EU) 2016/679 before CPDP, for the personal data that CPDP processes for you.
When applying for the exercise of rights within the meaning of Regulation (EC) 2016/679 before CPDP, you will be asked to identify yourself - by providing an identity document, electronic signature or other methods and means of identification.

The personal data processed with regard to the handling of specific requests will be used only for the purpose of exercising the above mentioned rights. Thusthe personal data may be provided to third parties only if it is foreseen in law.

Promoting awareness of issues related to the processing of personal data

The  Commission for Personal Data Protection provides various channels of communication with controllers, processors and individuals (data subjects), one of which is a telephone line for consultations on the application of Regulation (EU) 2016/679 and national data protection legislation.
The provision of consultations through this channel is in fulfillment of its official tasks arising from Art. 57(1)(b) and (d) of Regulation (EU) 2016/679. In order to exercise control and handle complaints and alerts against the quality of the administrative services provided in this order, the calls by phone 02/91-53-519 and 02/91-53-555 are recorded. The records are stored for a period of 30 days after which they are automatically deleted. In case of a complaint or alert against received administrative service by phone during this period, the record of the conversation will be kept for the period necessary for the final resolution of the dispute. In case you do not want to be recorded and taking into account the direct effect of the constitutional ban on recording of a person without his knowledge or despite his explicit disagreement, except when such actions are permitted by law, you have the opportunity to take advantage of other channels of communication with us - to come to CPDP on site, to submit you request by post, fax or e-mail by signing the e-mail with a qualified electronic signature or through the Secure Electronic Delivery System maintained by the State e-Government Agency.
Register of Data controllers and processors who have designated Data Protection Officers. Register of Accredited certifying bodies. Register of Codes of Conduct. Internal register of infringements of Regulation (EU) 2016/679 and LPPD. Data Breach Notifications.
These registers are maintained in conjunction with the requirements of Regulation (EU) 2016/679 and the Law for Protection of Personal Data. Insofar as personal data are contained in these registers, the special order for maintaining the particular register and the procedure for access to it, according to theRules on the activity of CPDP and its administration, shall apply to them.
Data subjects who use our call center
When calling the CPDP telephone line, we collect Calling Line Identification (CLI) information. We use it to enhance the line’s efficiency.
Information Bulletin subscribers
CPDP issues an Information Bulletin with news about its work, useful opinions on the protection of personal data and information on the Commission’s practice as a supervisory authority.
In order to receive the Information Bulletin, right after its publishing, you have to register by submitting your e-mail address to the supervisory authority. Whether in the specific case the e-mail address is personal data or not, CPDP will use the provided e-mail addresses only for the purpose of delivering the Information Bulletin.
The individuals have the right to opt-out at any time from the receipt of the Bulletin via e-mail, without pointing out any reasons.
Personal data collection for provision of services, required by the user
When submitting a complaint or ask a question via the forms provided on the institutional site, as well as, when you are subscribed for the CPDP’s Information Bulletin, you provide your personal information that is necessary for the performance of the relevant service. This information is recorded in a database, located on a secure server in a room, situated in CPDP’s premises. The Commission uses the information only for the performance of the requested service (submission of a complaint in CPDP or receiving a reply to a question asked by you). CPDP does not provide this information to third parties.
Use of cookies
A Cookie” is a small amount of data, stored by the website on the visitor`s computer or mobile device.
Our website uses cookies” necessary for its functioning. The used cookies serve to distinguish sessions, to define new sessions, to submit queries, as well as for functioning the cookie consent banner.
More detailed information about the cookies we use - HERE.
By properly setting up your browser, you can always turn off both our cookies and cookies from third parties. In this case, you may lose some of the functionality of some of the services.
In case you use link which forwards you to another site, it will have its own cookies and security policy, over which we have no control.
Log files
Like most websites, CPDP’s site collects log files data. This information includes your IP, which browser you use (such as Mozzilla, IE, Chrome etc.), the operational system (Linux, Windows, iOS), when you have visited our website, the pages visited. We retain our right to use the IP addresses of the users to disclose their identity in cases where this is necessary to comply with the law. This information is retained on our web server, located in a server hall in the CPDP’s premises.
Links to other websites
This privacy policy does not cover links in the CPDP’s site to other websites. We encourage you to read the privacy statements of the other websites you visit.
Changes in the privacy policy
We retain the right to make changes in our privacy policy.
If you have any questions regarding the processing of your personal data by CPDP, please contact us at: dpo@cpdp.bg *
* It is used only for issues concerning the processing of your personal data by CPDP in its capacity of a data controller, as well as for exercising your rights under Art. 1522 of Regulation (EU) 2016/679. For any other general questions concerning the competence of CPDP as a supervisory authority, PLEASE, use kzld@cpdp.bg

Commission for Personal Data Protection, Sofia, 2 Prof. Tsvetan Lazarov Blvd.