In relation to the entry into force of the APPRIPDIB, from 4 May 2023, the Commission for Personal Data Protection as a central authority for external information reporting and protection of the persons referred to in Article 5 of this Act provides the following information under Article 21:
1. Protection under the APPRIPDIB is provided in the following cumulative conditions:
1.1. Whistleblower capacity: a natural person who submits an information report or publicly discloses information about a breach that has become known to him/her in his/her capacity as:
1. a worker, employee, civil servant or other person who performs wage labour, regardless of the nature of the work, the method of payment and the source of financing;
2. a person who works without an employment relationship and/or exxercises a liberal profession and/or craft activity;
3. a volunteer or intern;
4. a partner, shareholder, sole owner of the capital, member of the managing or supervisory body of a commercial company, member of the audit committee of an enterprise;
5. a person who works for a natural or legal person, subcontractors or suppliers thereof;
6. a job applicant who has participated in a competition or other form of selection for employment and in this capacity has received information about a breach;
7. a worker or an employee, when the information has been obtained within the framework of an employment or service relationship which has been terminated at the time of filing the information report or of the public disclosure;
8. any other whistleblower who reports a breach that has became known to him/her in a work context.
1.2. Subject area of whistleblowing:
The reports must refer to breaches of the Bulgarian legislation or acts of the European Union specified in the Appendix to Article 3, paragraphs 1 and 3 of the APPRIPDIB – Part I and Part II:
1. in the field of:
(а) public procurement;
(b) financial services, products and markets and the prevention of money laundering and financing of terrorism;
(c) product safety and compliance;
(d) transport safety;
(e) environmental protection;
(f) radiation protection and nuclear safety;
(g) food and feed safety, animal health and animal welfare;
(h) public health;
(i) consumer protection;
(k) the protection of privacy and personal data;
(l) the security of networks and information systems;
2. violations that affect the financial interests of the European Union within the meaning of Article 325 of the Treaty on the Functioning of the European Union;
3. violations of the rules of internal market within the meaning of Article 26 (2) of the Treaty on the Functioning of the European Union, including the rules of the European Union and Bulgarian legislation on competition and state aid;
4. violations related to cross-border tax schemes, the purpose of which is to obtain a tax advantage that is contrary to the subject matter or purpose of the applicable law in the field of corporate taxation;
5. a committed indictable crime, for which a person referred to in Article 5 has learned in connection with the performance of his/her work or in the performance of his/her official duties.
6. violations of Bulgarian legislation in the field of:
(а) the rules for payment of due public state and municipal receivables;
(b) labour legislation;
(c) the legislation related to the performance of public service.
AND
They should not refer to violations:
1. of the rules for awarding public contracts in the field of defence and national security, when they fall within the scope of Article 346 of the Treaty on the Functioning of the European Union;
2. of the protection of classified information within the meaning of Article 1, paragraph 3 of the Classified Information Protection Act;
3. which have become known to persons exercising a legal profession and for whom there is a legal obligation to protect professional secrecy;
4. of the confidentiality of health information within the meaning of Article 27 of the Health Act;
5. of the secrecy of judicial conference;
6. of the rules of criminal procedure.
1.3. The whistleblower should have reported a breach through an internal or external channel under the terms and conditions and in accordance with the procedure of the APPRIPDIB and should have had good reason to believe that the information submitted by him/her was correct at the time of filing the report.
1.4. Protection under the APPRIPDIB is also provided for:
(а) persons who assist the whistleblower in the information reporting process;
(b) persons who are related to the whistleblower and who may be subject to repressive retaliatory actions because of the information reporting;
(c) legal persons in which the whistleblower owns an equity interest, works for or is otherwise associated with in a work context;
(d) persons who publicly disclose information about breaches and for which information has been received by the CPDP or protection has been requested from the respective person who disclosed the information.
2. The contact details for using an external information reporting channel are as follows:
2.1. in writing:
by e-mail whistleblowing@cpdp.bg
by mail to the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
2.2. orally – on site at the CPDP at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
3. Applicable procedures for reporting breaches:
3.1. If desired by the whistleblower – by using the sample Form for registering an information report about breaches according to the APPRIPDIB. The form is not mandatory for filling in by the whistleblower. In case the whistleblower decides to use it, however, the person should only fill in Parts I – V inclusive and sign it: when sending the form by post – with a handwritten signature; when sending by e-mail – with a qualified electronic signature. The sample Form can be found here.
3.2. Through a personal meeting with an employee of the CPDP in charge of handling reports, who will document the submitted information report on the spot by filling in a Form for registering an information report about breaches according to the APPRIPDIB. The filling of the form by the CPDP employee who is in charge of handling the report is mandatory. A meeting can be held every Tuesday and Thursday in the CPDP building at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd, from 10:00 to 12:00 and from 13:30 to 15:30.
3.3. When the whistleblower does not use the sample form for registration of information reports about breaches under the APPRIPDIB, he may file the report in writing in any other way he/she chooses (e.g. through the Secure Electronic Delivery System, maintained by the Ministry of e-Government). In such cases, the employee in charge of handling the report will contact the whistleblower for the purpose of filling in a Form for registering an information report about breaches according to the APPRIPDIB.
4. Privacy mode:
Only the relevant CPDP employee/employees, who is/are in charge of handling the respective report in compliance with the “need to know” principle in performing functional duties and/or a specifically assigned task, shall have access to the personal data contained in the reports of breaches. Reports shall be processed in compliance with the obligation of confidentiality arising from Article 31 and Article 32 of the APPRIPDIB. Personal data that are clearly not relevant to the consideration of the specific report shall not be collected, and if they are accidentally collected, they shall be deleted (Article 32, paragraph 2 of the APPRIPDIB).
5. Follow-up actions:
The actions that CPDP undertakes in relation to the consideration of a specific report are regulated in detail in Article 25a and Chapter Five of the Rules on the Activity of the CPDP and its Administration. According to the nature of the report and for the purpose of clarifying specific circumstances, the employee/employees in charge of handling the report have an obligation to keep contact with the whistleblower and provide him with feedback abot the actions taken. In any case, according to the nature of the alleged breach, the CPDP shall forward the received reports immediately, but not later than 7 days after their receipt, to the relevant competent authority under Article 20 of the APPRIPDIB.
6. Possibilities to receive confidential counseling:
Through an in-person meeting with a CPDP employee in charge of handling reports, who will advise the person who considers filing an information report. A meeting can be held every Tuesday and Thursday from 10:00 to 12:00 and from 13:30 to 15:30 in the CPDP building at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
7. Conditions for protection against liability in case of breach of confidentiality under Article 31:
Whistleblowers shall be relieved of liability under the conditions of Article 36 of the APPRIPDIB, as follow
7.1. the person falls within the scope of the persons referred to in Article 5, paragraph 2 and paragraph 3 of the APPRIPDIB;
7.2. the report refers to a breach under Article 3 of the APPRIPDIB;
7.3. when the acquisition of the information about the alleged breach or the access to it does not constitute an independent crime;
7.4. have had a good reason to believe that the filing of the report or public disclosure of information was necessary for the detection of the breach, regardless of the presence of restrictions on the disclosure of the relevant information, including cases where such information contains a commercial secret.
The purpose of this information material is to provide clarifications on fundamental issues regarding the application of the Act on Protection of Persons, Reporting Information, or Publicly Disclosing Information about Breaches. It does not claim to be exhaustive. Taking into account the development of the practice in the application of the Act, the CPDP will update and supplement the information material in a timely manner.
