Legislation

EU Data Protection Legal Framework (applicable from May 2018)

• • General Data Protection Regulation (Regulation (EU) 2016/679)
  • Directive on Data Protection in Police and Criminal Justice Activities (Directive (EU) 2016/680)

National Legal Framework

• • Constitution of the Republic of Bulgaria 
  • Personal Data Protection Act
  • Act on Protection of Persons, Reporting Information, or Publicly Disclosing Information about Breaches (Whistleblowers Protection Act)
  • Rules on the Activity of the Commission for Personal Data Protection and its Administration
  • Ordinance № 1 of 27 July 2023 on the keeping of the register of reports under Аrticle 18 of the Act on Protection of Persons, Reporting Information, or Publicly Disclosing Information about Breaches and on Forwarding Internal Reports to the Commission for Personal Data Protection
  • Methodological Guidelines № 1 οn receiving, registering and handling reports received at the obliged subjects under the Act on Protection of Persons, Reporting Information, or Publicly Disclosing Information about Breaches
  • Ordinance № 1 dated 30 January 2013 on the minimum level of technical and organizational measures and the admissible type of personal data protection – repealed as of 25 May 2018

Other International and European Acts

• • The universal declaration of human rights 
  • Convention for the protection of human rights and fundamental freedoms 
  • Convention 108 for the protection of individuals with regard to automatic processing of personal data 
  • Charter of Fundamental Rights of the European Union 
  • Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector 
  • Regulation (EU) 2021/1232 14 July 2021 on a temporary derogation from certain provisions of Directive 2002/58/EC Directive (EU) 2016/681 on the Use of Passenger Name Record Data 
  • Regulation (EU) 2019/788 on the citizens’ initiative 
  • Commission Regulation (EU) 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications 
  • Regulation (EU) 2022/868 (Data Governance Act)
  • Regulation (EU) 2022/1925 (Digital Markets Act) 
  • Regulation (EU) 2022/2065 (Digital Services Act) 
  • Schengen Acquis  
  • Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law