Home » Submission of notifications
Submission of notifications
1. Notification of a personal data breach to the supervisory authority under Art. 33 of Regulation (EU) 2016/679
In accordance with Art. 33 of Regulation (EU) 2016/679 on notifying the supervisory authority of a personal data breach, the Data Controller (DC) should submit to the Commission for personal data protection (CPDP) a Notification of personal data breach without undue delay and no later than 72 hours after he found out about the breach. The DC has the obligation to inform about any change in the circumstances/data from the Notification.
With regard to the content of the notification, the requirements of Art. 33 (3) of Regulation (EU) 2016/679 should be complied. For additional methodological clarifications, we recommend the use of the “Guidelines on Personal data breach notification under Regulation 2016/679” of Working Party under Art. 29, adopted on 3 October 2017, last revised and adopted on 6 February 2018 (WP250, rev.01), subsequently confirmed by the European Data Protection Board on 25 May 2018. The guidelines are published on the CPDP website here.
Information material on the actions of data controllers in the event of data breach, one of which is the submission of a notification, is published here.
Data Breach Notification Form pursuant Article 33 of the Regulation (EU) 2016/679 or Article 67 of the Personal Data protection Act (PDF)
Data Breach Notification Form pursuant Article 33 of the Regulation (EU) 2016/679 or Article 67 of the Personal Data protection Act (DOCX)
2. Notification of CPDP for a designated Data Protection Officer under Art. 37, para. 7 of Regulation (EU) 2016/679
Pursuant to Art. 37, para. 7 Regulation (EU) 2016/679 on informing the supervisory authority about the designated Data Protection Officer, CPDP accepted an example of a notification, which the Controller/Processor shall fill and submit to CPDP. Instructions on how to fill the form are present in the notification itself.
3. Ways to submit:
The submission of the relevant information under point 1 and point 2 of the Data Controller/Data Processor must be translated in Bulgarian and shall be performed in any of the following ways:
1. In person, in the CPDP`s Registry or by sending a letter to the following address: Sofia 1592, 2 Prof. Tsvetan Lazarov blvd., Commission for Personal Data Protection. In this case a filled in, signed and stamped paper notification should be submitted.
2. By CPDP’s email - firstname.lastname@example.org. In this case, the notification should be signed with a qualified electronic signature.
3. Through the Secure Electronic Delivery System, maintained by the Ministry of e-Government. In this case, the notification has to be filled in and the file has to be sent through this system.
4. Only for the notification set out in point 2 - through the CPDP`s information system (the system works only in Bulgarian). The controller/processor should have a qualified electronic signature for identification in the system and in order to obtain access to perform the operations with it`s own information.