PERSONAL DATA PROTECTION ACT
Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend. SG. 93/19 Oct 2004, amend. SG. 43/20 May 2005, amend. SG. 103/23 Dec 2005, amend. SG. 30/11 Apr 2006, amend. SG. 91/10 Nov 2006, amend. SG. 57/13 Jul 2007, amend. SG. 42/5 Jun 2009, amend. SG. 94/30 Nov 2010, amend. SG. 97/10 Dec 2010, amend. SG. 39/20 May 2011, amend. SG. 81/18 Oct 2011, amend. SG. 105/29 Dec 2011, amend. SG. 15/15 Feb 2013, suppl. SG. 81/14 Oct 2016, amend. SG. 85/24 Oct 2017, suppl. SG. 103/28 Dec 2017, amend. SG. 7/19 Jan 2018, amend. and suppl. SG. 17/26 Feb 2019, amend. SG. 93/26 Nov 2019, amend. and suppl. SG. 11/2 Feb 2023, amend. SG. 84/6 Oct 2023, amend. SG. 70/20 Aug 2024
Chapter one.
GENERAL
Art. 1. (amend. – SG 103/05, amend. – SG, 17/19) (1) This Act shall provide for public relations, relating to the protection of rights of natural persons with regard to the processing of their personal data, insofar as they are not covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 1 of 4 May 2016), hereinafter referred to as “Regulation (EU) 2016/679”.
(2) This Act shall also establish rules on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of penalties, including the prevention of threats to public order and security and their prevention.
(3) The purpose of this Act is to ensure the protection of natural persons with regard to the processing of personal data in accordance with Regulation (EU) 2016/679, as well as in relation to processing of personal data by the competent authorities for the purposes of Para. 2.
(4) This Act shall also provide for:
- the status of the Commission for Personal Data Protection as the supervisory body, responsible for protecting the fundamental rights and freedoms of natural persons with regard to the processing and facilitation of the free movement of personal data in the European Union;
- the powers of the Inspectorate to the Supreme Judicial Council in the supervision of the processing of personal data in the cases under Art. 17;
- the means for legal defense;
- accreditation and certification in the field of personal data protection;
- special cases of personal data processing.
(5) This Act shall not apply to the processing of personal data for the purposes of national defense and national security, unless otherwise provided in a special Act.
(6) This Act shall not apply to the processing of personal data of deceased persons, except in the cases under Art. 25f.
(7) In processing of personal data under Art. 2 of Regulation (EU) 2016/679, the states, which are parties to the European Economic Area Agreement and the Swiss Confederation shall be on an equal footing with the Member States of the European Union. All other states shall be third states.
(8) In processing of personal data for the purposes of Art. 42, Para. 1, the states, participating in the implementation, application and development of the Schengen acquis shall be on an equal footing with the Member States of the European Union. All other states shall be third states.
Art. 2. (Suppl., SG, 70/04, in force as of 01.01.2005, amend., SG, 103/05, repealed – SG, 17/19)
Art. 3. (Repealed, – SG, 17/19)
Art. 4. (amend. SG 103/05, repealed SG, 17/19)
Art. 5. (amend. SG 103/05, repealed SG, 17/19)
Chapter two.
COMMISSION FOR PERSONAL DATA PROTECTION
Art. 6. (1) (Amend., SG, 17/19) The Commission for Personal Data Protection, hereinafter referred to as “the Commission”, shall be a permanently functioning independent supervisory body, which shall carry out protection of the persons in processing their personal data and in the access to such data, as well as control over compliance with Regulation (EU) 2016/679 and this Act.
(2) (new SG 94/10) The Commission shall assist the implementation of the state policy in the field of protection of personal data.
(3) (Suppl., SG, 91/06, in force from 01.01.2007, previous Para. 2 – SG, 94/10, amend., SG, 15/13, in force from 01.01.2014, amend., SG, 17/19) The Commission shall be a legal person on a budget support with headquarters in Sofia, and its Chairman shall be a first-level budget spending unit.
Art. 7. (1) The Commission is a collegial body and consists of a Chairman and 4 members.
(2) (Amend. – SG 91/06, suppl. SG, 17/19) The members of the Commission and its Chairman shall be elected by the National Assembly upon proposal of the Council of Ministers for a period of 5 years and they may be re-elected for another mandate. The Chairman and the members of the Commission shall exercise their functions after expiry of their term of office until the election of the new Chairman and members.
(3) The Chairman and the members of the Commission shall carry out their activity under legal terms of employment.
(4) (New – SG 91/06, suppl. – SG 11/23, in force from 04.05.2023) The members of the Commission shall receive basic monthly salary equal to 2,5 average monthly working salaries of the persons employed under employment or official relationship in the public sector according to data of the National Statistical Institute, increased by 20 percent. The basic monthly salary shall be recalculated each quarter taking into consideration the average monthly working salary for the last month of the preceding quarter.
(5) (new – SG 91/06) The Chairman of the Commission shall receive monthly salary exceeding by 30 percent the basic monthly salary referred to in Para 4.
(6) (amend. SG 103/05; prev. text of para 04 – SG 91/06, amend. SG, 17/19). The Commission, by March 31 every year, shall present an annual report on its activity to the National Assembly.
Art. 8. (1) As members of the Commission can be elected Bulgarian citizens who:
- have higher education on informatics, law or who are masters on information technologies;
- have time of service on the speciality no less than 10 years;
- (amend. SG 103/05) have not been convicted to imprisonment for deliberate indictable offences, not depending on if they have been rehabilitated;
(2) Members of the Commission cannot be:
- (amend. SG 103/05) persons who are sole entrepreneurs, managers/procurators or members of managing or control bodies of trade companies, co-operations or controllers of personal data in the meaning of this Act;
- persons who occupy another paid position except when they practice scientific or lecturing activity;
- (new SG 42/09) persons who are spouses or in factual cohabitation, relatives of direct lineage, of peripheral lineage of up to fourth degree or a relative-in-law – up to second degree inclusive, with another member of the Commission.
(3) Elected as Chairman of the Commission shall be a qualified lawyer who meets the requirements of para 1 and 2.
(4) The mandate of the Chairman or of a member of the Commission shall be terminated ahead of term:
- for reason of death or placing under judicial disability;
- by a decision of the National Assembly when:
- a) he has filed for release;
- b) he has committed a gross infringement of this Act;
- c) he has committed a deliberate indictable offence for which a conviction has been enforced;
- d) existing inability to fulfil his obligations for a period longer than six months;
- e) (new SG 42/09; amend. SG 97/10, in force from 10.12.2010, amend. – SG 7/18, amend. – SG 84/23, in force from 06.10.2023) if a conflict of interest has been found by an act that has come into effect pursuant to the Act on Counteracting Corruption.
(5) (amend. and suppl. SG 103/05) In the cases under para 3 the Council of Ministers shall propose to the National Assembly to elect a new member for the period until the end of the initial mandate of the respective member of the Commission.
(6) The time during which the person has worked as Chairman or a member of the Commission shall be acknowledged as official time of service according to the Civil Servants Act.
(7) (new – SG 103/17, in force from 01.01.2018) The circumstances under par. 1, item 3 shall be established ex officio by the body making the proposal.
Art. 9. (1) (Amend., SG, 17/19) In carrying out its activity, the Commission shall be assisted by an administration.
(2) (Amend., SG, 17/19) The Commission shall regulate in Rules its activity, the activity of its administration and the procedure for examining the proceedings before it and shall promulgate it in the State Gazette.
(3) The decisions of the Commission shall be taken by a majority of the total number of its members.
(4) The meetings of the Commission shall be open. The Commission can decide individual meetings to be closed.
(5) (New – SG 11/23, in force from 04.05.2023) The meetings of the Commission, at which decisions are made in implementing the Whistleblowers Act, shall be closed.
Art. 10. (1) (New, SG,17/19) The Commission shall carry out the tasks under Art. 57 of Regulation (EU) 2016/679.
(2) (Repealed, Para 1, amend., SG, 17/19) Apart from the tasks under Para. 1, the Commission shall:
- analyze and carry out overall supervision and shall ensure the observance of Regulation (EU) 2016/679, of this Act and of the legislative acts in the field of personal data protection, except in the cases under Art. 17;
- issue legislative and normative acts in the field of personal data protection;
- ensure the implementation of the European Commission’s decisions on the protection of personal data and the implementation of binding decisions of the European Data Protection Board under Art. 65 of Regulation (EU) 2016/679;
- participate in international cooperation with other data protection authorities and international organizations on personal data protection issues;
- participate in the negotiation and conclusion of bilateral or multilateral agreements on matters of its competence;
- organize, coordinate and conduct training in the field of personal data protection;
- issue general and normative administrative acts, related to its powers in the cases, provided for by the law.
(3) (suppl. SG 103/05; amend. – SG 91/06) The Commission shall issue a bulletin publishing information for its activity and for the taken decisions. The report of Art. 7, Para 6 shall be published in the bulletin.
(4) (new SG 103/05; amend. – SG 91/06, repealed SG, 17/19)
Art. 10a. (New, SG, 17/19) (1) The Commission shall exercise the powers under Art. 58 of Regulation (EU) 2016/679.
(2) The Commission shall have the following powers:
- refers to the court for breach of Regulation (EU) 2016/679;
- provides guidance, issues guidelines, recommendations and best practices in relation to the protection of personal data.
Art. 10b. (New, SG, 17/19, amend. – SG 11/23, in force from 04.05.2023) (1) The Commission shall perform the functions of a central authority for whistleblowing from outside within the meaning of the Whistleblowers Act.
(2) The Commission may be assigned other tasks and powers by virtue of a law only.
Art. 10c. (New, SG, 17/19) (1) The Commission shall participate in the coordination mechanism under Art. 63 of Regulation (EU) 2016/679 and cooperate with the lead or with the supervisory authorities of the Member States of the European Union, including by exchanging information, providing or seeking mutual assistance or participating in joint operations under Regulation (EU) 2016/679.
(2) The forms of participation in the co-ordination mechanism, granting and request for mutual assistance and participation in joint operations, as well as the procedures under which they are implemented, shall be determined by the Rules under Art. 9, Para. 2.
Art. 10d. (New, SG, 17/19) While exercising its tasks and powers in respect of controllers or processors of personal data, which are micro-enterprises, small and medium-sized enterprises within the meaning of Art. 3 of the Small and Medium-Sized Enterprises Act, the Commission shall take into account their special needs and available resources.
Art. 11. The Chairman of the Commission shall:
- organise and manage the activity of the Commission according to the law and the decisions of the Commission and shall be responsible for the fulfilment of its obligations;
- represent the Commission before third persons;
- (suppl. SG 103/05; amend. – SG 81/11) appoint and release the civil servants and conclude and terminate the employment contracts of the employees working under legal terms of employment in the administration.
- (new SG 103/05, amend. SG, 17/19) issue penal decrees under Art. 87, Para 3.
Art. 12. (amend. – SG 91/06) (1) (Amend. SG, 17/19) The Chairman and the members of the Commission or persons from the administration authorized by it shall carry out control by preliminary consultations, inspections and joint operations for observation of Regulation (EU) 2016/679 and this Act.
(2) (Amend., SG, 17/19) Apart from the cases under Art. 36, Para. 1 of Regulation (EU) 2016/679, prior consultation shall also be performed, when processing personal data in the performance of a public interest task, including treatment in relation to social protection and public health. In this case, the Commission may authorize processing before the expiration of the term under Art. 36, Para. 2 of Regulation (EU) 2016/679.
(3) (Amend., SG, 17/19) The preliminary consultations shall be carried out according to Art. 36, Para. 2 and 3 of Regulation (EU) 2016/679.
(4) (Amend., SG, 17/19) Inspections shall be carried out at the initiative of the Commission upon a complaint by interested parties or upon a signal.
(5) The inspecting persons shall legitimate themselves by an official card and an order by the Chairman of the Commission for the respective inspection.
(6) At carrying out inspections, the persons of Para 1 may assign performance of expertise under the procedure of the Civil Procedure Code.
(7) The inspection shall end by an act of findings.
(8) (Amend., SG, 17/19) When an administrative violation is found in the course of an investigation, administrative penal proceedings shall be instituted.
(9) (New, SG, 17/19) Regardless of the administrative punishment, a compulsory administrative measure under Chapter Nine may be imposed, in case of found administrative violation.
(10) (Former Para. 9, SG, 17/19) The conditions and procedure for carrying out control shall be determined by an instruction of the Commission.
(11) (New, SG, 17/19) Joint operations with supervisory authorities of other Member States of the European Union, pursuant to Art. 62 of Regulation (EU) 2016/679 shall be carried out as appropriate for joint investigations and joint implementation measures and shall involve, in addition to the persons referred to in Para. 1, also members or authorized representatives of the supervisory authority of the respective Member State of the European Union.
Art. 12a. (New, SG, 17/19) (1) Upon request, the controller and the personal data processor shall assist the Commission in carrying out its tasks and powers.
(2) Where, in exercising the powers of the Commission under Art. 58, Para. 1, letters “e” and “f” of Regulation (EU) 2016/679, an obligation of the controller or of the processor of personal data for keeping professional secrecy, or another obligation for keeping secrecy deriving from the law, may be broken, the controller or the personal data processor shall refuse to provide, or to give access to, only the information protected as a secret.
(3) Where the information contains data, classified as classified information, the access procedure under the Classified Information Protection Act shall apply.
Art. 13. (1) (amend. – SG 103/05) The Chairman and the members of the Commission and the employees of its administration shall be obliged not to make public and not to use for their or somebody else’s benefit the information representing a secret protected by law for the controllers of personal data which has become known to them in fulfilment of their activity, till the elapse of the period of its protection.
(2) In taking office persons under Para 1 shall file declarations for their obligations under para 1 and 2.
(3) (New, SG, 17/19) The Chairman, the members of the Commission and the employees of the administration, appointed under an employment relationship shall be entitled annually to representative clothing, worth up to two minimum salaries, the funds being provided by the budget of the Commission. The individual amount of the funds shall be determined by the Chairman of the Commission under conditions and procedure, determined by the Rules under Art. 9, Para. 2.
Art. 14. (Amend., SG, 17/05, amend. SG, 17/19) (1) The Commission shall perform accreditation of certification bodies in accordance with Regulation (EU) 2016/679 on the basis of requirements, as defined by it or by the European Data Protection Supervisor.
(2) The accreditation shall be issued according to Art. 3, Para. 2 of Regulation (EU) 2016/679 for a period of 5 years and may be renewed.
(3) The Commission shall withdraw the accreditation of a certifying authority, where the accreditation conditions are not met or when actions, taken by the certifying authority violate this Act or Regulation (EU) 2016/679.
(4) The decisions of the Commission for the withdrawal of accreditation under Para. 3 may be appealed in accordance with the Administrative Procedure Code.
(5) The conditions, including the requirements under Para. 1, and the procedure for accreditation and withdrawal of the accreditation shall be determined by an Ordinance, adopted by the Commission. The Ordinance shall be promulgated in the State Gazette.
(6) Criteria, mechanisms and procedures for certification, stamps and markings shall be determined by an Ordinance, adopted by the Commission. The Ordinance shall be promulgated in the State Gazette.
Art. 14a. (New, SG, 17/19) (1) The Commission shall approve draft codes of conduct for sectors and fields of activity, pursuant to Art. 40 of Regulation (EU) 2016/679. The conditions, the procedure and the criteria for approving the codes of conduct shall be determined by the Rules under Art. 9, Para. 2.
(2) The Commission shall carry out accreditation of bodies for the monitoring of approved codes of conduct under Para. 1 in accordance with Art. 41 of Regulation (EU) 2016/679.
(3) The accreditation requirements under Para. 2 and the procedure for accreditation and withdrawal of the accreditation shall be determined by an Ordinance, adopted by the Commission. The Ordinance shall be promulgated in the State Gazette.
(4) The Commission shall withdraw the accreditation of a monitoring authority of approved codes of conduct, where the accreditation requirements have not been met or where the actions, taken by the authority violate this Act or Regulation (EU) 2016/679.
(5) The decisions of the Commission for withdrawal of accreditation under Para. 4 may be appealed in accordance with the Administrative Procedure Code.
Art. 15. (repealed SG 103/05, new SG, 17/19) (1) The Commission shall keep the following public registers:
- a register of controllers and personal data processors, who have appointed data protection officers;
- register of the accredited under Art. 14 certification bodies;
- register of codes of conduct under Art. 40 of Regulation (EU) 2016/679.
(2) The Commission shall keep the following registers, which are not public:
- a register of violations of Regulation (EU) 2016/679 and of this Act, as well as of the measures, taken in compliance with the exercise of the powers under Art. 58, Para. 2 of Regulation (EU) 2016/679;
- register of the notifications for violations of the security of the personal data under Art. 33 of Regulation (EU) 2016/679 and under Art. 67.
(3) The procedure for creation and maintenance of the registers under Para. 1 and 2 and the access to them shall be determined in compliance with the E-Government Act, and their content – with the Rules under Art. 9, Para. 2.
Art. 16. (amend. – SG 103/05; revoked SG 91/06, new – SG, 17/19) (1) The terms and procedure for conducting training under Art. 10, Para. 2, p. 6 shall be determined by the Rules under Art. 9, Para. 2.
(2) The Commission shall issue a certificate to persons, who have undergone training under Para. 1 after a successful exam. The certificate shall be issued for a period of three years. After expiry of the term under sentence two, the certificate shall be renewed after a successful examination under conditions and procedure, determined by the Rules under Art. 9, Para. 2.
(3) The presence of a certificate under Para. 2 may not be a mandatory condition for the appointment or the performance of the functions of a data protection officer.
(4) For the training under Para. 1, charges shall be collected, except in the case of training, organized and conducted at the initiative of the Commission. Fees shall be determined by a tariff, approved by the Council of Ministers on a proposal by the Commission.
Chapter three.
INSPECTORATE TO THE SUPREME JUDICIAL COUNCIL (TITLE AMEND. SG 103/05, AMEND. SG, 17/19)
Art. 17. (Amend., SG, 103/05, amend., SG, 19/06, amend., SG, 17/19) (1) The Inspectorate of the Supreme Judicial Council, called hereinafter the “Inspectorate”, shall supervise and ensure compliance with Regulation (EU) 2016/679, this Act and the legislative acts in the field of protection of personal data in personal data processing by:
- the court during performance of its functions as a body of the judiciary, and
- the prosecuting authorities and the investigative bodies in the performance of their functions as a body of the judiciary for the purposes of preventing, investigating, detecting or prosecuting criminal offenses or executing penalties.
(2) The procedure for carrying out the activity under Para. 1, including for carrying out inspections and for examining the proceedings before the Inspectorate, shall be determined by the Rules under Art. 55, Para. 8 of the Judiciary System Act.
(3) In carrying out the supervision under Para. 1, Art. 12a shall also apply.
Art. 17a. (new – SG 91/06, amend. – SG, 17/19) (1) When supervising the processing of personal data by the court in the performance of its functions as a body of the judiciary, except for the processing of personal data for the purposes of Art. 42, Para. 1, the Inspectorate shall:
- fulfil the tasks pursuant points (a) to (i), (l), (u) and (v) of Article 57 (1) and Article 57 (2) and (3) of Regulation (EU) 2016/679;
- exercise the powers pursuant points (a), (b), (d), (e), (f) of Article 58 (1), points (a) to (g), (i) and (j) of Article 58 (2) and points (a), (b) and (c) of Article 58 (3) of Regulation (EU) 2016/679;
- apply the list, drawn up by the Commission under Art. 35, Para. 4 of Regulation (EU) 2016/679 in relation to the requirements for impact assessment over the data protection;
- refer to the court for violation of Regulation (EU) 2016/679.
(2) Apart from the tasks and power under Para. 1 the Inspectorate shall:
- participate in international cooperation with other data protection authorities and international organizations on personal data protection issues;
- provide instructions, issue guidelines, recommendations and the best practices in relation to the personal data protection.
(3) While exercising supervision over the processing of personal data for the purposes of Art. 42, Para. 1 by the court, the prosecutor’s office and the investigative bodies in performing their functions of judiciary bodies, the Inspectorate shall perform the tasks and exercise the powers under Chapter Eight.
Art. 17b. (New, SG, 91/06, amend., SG, 17/19) (1) The Inspectorate shall carry out preliminary consultations:
- in the cases under Art. 36, Para. 1 of Regulation (EU) 2016/679;
- in processing of personal data in the performance of a task in the public interest; in this case, the Inspectorate may authorize the processing before the expiration of the term under Art. 36, Para. 2 of Regulation (EU) 2016/679.
(2) The preliminary consultation shall be conducted in accordance with Art. 36 Para. 2 and 3 of Regulation (EU) 2016/679.
Art. 18. (amend. SG 103/05, amend. – SG, 17/19) (1) In carrying out the supervision under Art. 17, Para. 1, the Inspectorate shall carry out inspections, provided for in its annual program or on signals. A publication in the mass media shall also be accepted as a signal.
(2) The inspection shall be carried out by the Chief Inspector or by an inspector, assisted by experts, on the basis of an order from the Chief Inspector.
Art. 19. (suppl. SG 92/04; amend. – SG 103/05, amend. – SG 17/19) (1) The inspection shall be completed by an act with results, which shall record the findings made and, where appropriate, make recommendations.
(2) When an inspection reveals a violation of Regulation (EU) 2016/679 and this Act, depending on the nature and extent of the violation, the measures under Art. 58, Para. 2, letters (a) to (g) and (j) of Regulation (EU) 2016/679 or Art. 80, Para. 1, p. 3, 4 and 5 and / or administrative penalties shall be imposed in accordance with Art. 83 of Regulation (EU) 2016/679, as well as under Chapter Nine.
(3) The measures under Art. 58, Para. 2, letters (a) to (g) and (j) of Regulation (EU) 2016/679 and Art. 80, Para. 1, p. 3, 4 and 5 shall be applied by decision of the Inspectorate upon proposal of the inspector, who carried out the inspection.
Art. 20. (amend. – SG 103/05, amend. – SG, 17/19, amend., SG, 17/19) The chief inspector, the inspectors and the judicial staff in the administration of the Inspectorate shall be obliged not to disclose, and not to use for their own benefit or for the benefit of others, information constituting a secret protected by the law which has become known to them in the course of their activity under this Act, until expiry of the term for its protection.
Art. 21. (amend. – SG 103/05, amend., SG, 17/19) (1) The Inspectorate shall keep the following registers which shall not be public:
- a register of violations of Regulation (EU) 2016/679 and of this Act, as well as of the measures, taken in compliance with the exercise of the powers under Art. 58, Para. 2, letters (a) to (g), (i) and (j) of Regulation (EU) 2016/679;
- register of the notifications for violations of the security of personal data under Art. 33 of Regulation (EU) 2016/679 and under Art. 67.
(2) The procedure for creation and maintenance of the registers under Para. 1 and the access to them shall be determined in accordance with the E-Government Act, and their content – with the Rules under Art. 55, Para. 8 of the Judiciary System Act.
Art. 22. (Amend. SG, 103/05, repealed SG, 17/19)
Art. 22a. (New SG, 91/06, repealed SG, 17/19)
Chapter four.
PROTECTION OF THE PERSONAL DATA (REPEALED, – SG, 17/19)
Art. 23. (amend. – SG 103/05, repealed, – SG, 17/19).
Art. 23a. (New – SG 81/11, repealed, – SG, 17/19).
Art. 23b. (new – SG 81/11, repealed SG, 17/19).
Art. 24. (Repealed, – SG, 17/19).
Art. 25. (Repealed, – SG, 17/19).
Chapter four “a”.
GENERAL RULES FOR PROCESSING OF PERSONAL DATA. SPECIAL CASES OF PROCESSING PERSONAL DATA (NEW, SG, 17/19)
Art. 25a. (New, SG, 17/19) Where personal data are provided by the data subject to a controller or processor of personal data without a legal basis under Art. 6, Para. 1 of Regulation (EU) 2016/679 or contrary to the principles under Art. 5 of that Regulation, within one month of becoming aware, the controller, or the data processor shall return them, and if this is impossible or requires disproportionate effort, shall erase or destroy them. Deletion and destruction shall be documented.
Art. 25b. (New, SG, 17/19) The controller and the personal data processor shall notify the Commission about the names, the UCN or the personal number of a foreigner or other analogous identifier, also for the contact details of the data protection officer, as well as about subsequent changes thereto. The form and content of the notification and the procedure for its submission shall be determined by the Rules under Art. 9, Para. 2.
Art. 25c. (New, SG, 17/19) Processing of data of a data subject – a person who has not completed 14 years, based on consent in the meaning of Art. 4, p. 11 of Regulation (EU) 2016/679, including in cases of direct supply of information society services, within the meaning of Art. 1, Para. 3 of the Electronic Commerce Act shall be lawful only if the consent is given by the parent or by the guardian of the data subject.
Art. 25d. (New, SG, 17/19) A controller or the personal data processor may copy an identity document, a driving license or a residence document only if this is provided for by the law.
Art. 25e. (New, SG, 17/19) (1) The controller or the personal data processor shall adopt and apply rules for the large-scale processing of personal data or systematically large-scale surveillance of publicly accessible areas, including through video surveillance, introducing appropriate technical and organizational measures to protect the rights and freedoms of data subjects. The rules for systematically large-scale monitoring of publicly accessible areas shall contain the legal bases and objectives for setting up a monitoring system, the territorial scope of surveillance and the means of monitoring, the period of storage of information records and their deletion, the right of access by the monitored persons, informing the public about the monitoring carried out, as well as restrictions in provision of access to the information to third parties.
(2) The Commission shall give directions to the controllers and to the personal data processors in fulfillment of their obligation under Para. 1, which shall be published on its website.
Art. 25f. (New, SG, 17/19) (1) The controller or the personal data processor may process personal data of deceased persons only if there is a legal basis for this. In such cases, the controller or the personal data processor shall take appropriate measures to prevent the unfavorable impairment of the rights and freedoms of other persons, or public interest.
(2) (Suppl. – SG 11/23, in force from 04.05.2023) The Controller shall provide, upon request, access to the personal data of a deceased person, including a copy thereof, to his heirs or other persons with legal interest, within the terms under Art. 12, paragraphs 3 and 4, and under the terms of paragraphs 5 and 6 of Regulation (EU) 2016/679, unless otherwise provided by law.
Art. 25g. (New, SG, 17/19) (1) Free public access to information, containing a UCN, or personal number of a foreigner shall not be admitted, unless the law provides otherwise.
(2) Controllers providing electronic services shall take appropriate technical and organizational measures that prevent the UCN or the personal number of a foreigner from being the only means of identifying the user in providing remote access to the respective service.
(3) For the purpose of providing electronic administrative services under the terms of the E-Governance Act, the controller shall ensure, that the data subject can be identified by a procedure, provided by the law.
Art. 25h. (New, SG, 17/19) (1) Processing of personal data for journalistic purposes, as well as for academic, artistic or literary expression, shall be lawful, when it is performed for the realization of the freedom of expression and the right to information, while respecting privacy of personal life.
(2) (Declared unconstitutional by a CCD No 8 of 2019 – SG 93/19) In the case of disclosure by transmission, dissemination or other means, by which personal data, collected for the purposes of Para. 1, become available, the balance between freedom of expression and the right to information and the right to the protection of personal data shall be assessed on the basis of the following criteria, in so far as they are relevant:
- the nature of the personal data;
- the impact, that disclosure of personal data or public disclosure would have on the privacy of the data subject and his reputation;
- the circumstances, in which the personal data have become known to the controller;
- the nature and essence of the statement, by which the rights under Para. 1 are exercised;
- the importance of the disclosure of personal data or public disclosure of the matter in order to clarify a matter of public interest;
- reporting, whether the data subject is a person, who holds a post under Art. 6 of the Act on Counteracting Corruption and Seizure of the Illegally Acquired Property, or is a person who, because of his or her role in public life, enjoys a lower degree of protection of privacy, or whose actions have an impact on society;
- reporting whether the data subject with his/her activity has contributed to the disclosure of his or her personal data and / or information about his or her personal and family life;
- the purpose, content, form and consequences of the statement, by which the rights under Para. 1 are exercised;
- the conformity of the statement, through which the rights under Para. 1 are exercised, with the fundamental rights of citizens;
- other circumstances, referable to the concrete case.
(3) While processing personal data for the purposes of Para. 1:
- Art. 6, 9, 10, 30, 34 and Chapter Five of Regulation (EU) 2016/679, as well as Art. 25c shall not apply;
- the controller or the personal data processor may refuse, in whole or in part, the exercise of the rights to the data subjects under Art. 12-21 of Regulation (EU) 2016/679.
(4) Exercising the powers of the Commission under Art. 58, Para. 1 of Regulation (EU) 2016/679 shall not lead to disclosure of the confidentiality of the source of information.
(5) In processing personal data for the purposes of creating a photographic or audiovisual work by filming a person in the course of his public or public activity, Art. 6, Art. 12 – 21, Art. 30 and 34 of Regulation (EU) 2016/679 shall not apply.
Art. 25i. (New, SG, 17/19) (1) Employer or appointing authority, acting in its capacity as controller of personal data, shall adopt rules and procedures for:
- using a system for reporting of violations;
- restrictions in using internal information resources;
- introducing control systems of the access, working time and work discipline.
(2) The rules and procedures under Para. 1 shall contain information on the scope, obligations and methods for their implementation in practice. They take into account the subject activity of the employer or the appointing authority and the related nature of the work and shall not limit the rights of the data subjects under Regulation (EU) 2016/679 and this Act.
(3) Employees and civil servants shall be informed about the rules and procedures under Para. 1.
Art. 25j. (New SG, 17/19) (1) Employer or appointing authority, as a personal data controller, shall set a term for the storage of personal data of participants in recruitment and selection procedures, which may not be longer than 6 months, unless the applicant has given his or her consent for storage for a longer period. Upon expiry of this period, the employer or appointing authority shall delete or destroy the stored personal data, unless a special Act provides otherwise.
(2) When in a procedure under Para. 1 the employer or the appointing authority has requested that original or notarized copies of documents be provided, attesting to the applicant’s physical and mental fitness, the required qualification degree and probationary experience, he shall return those documents to the data subject, who is not approved for appointment, within 6 months of the final conclusion of the procedure, unless a special Act provides otherwise.
Art. 25k. (New, SG, 17/19) Processing of personal data for the purposes of the National Archival Fund of the Republic of Bulgaria shall be considered processing in the public interest. In these cases, Art. 15, 16, 18, 19, 20 and 21 of Regulation (EU) 2016/679 shall not apply.
Art. 25l. (New, SG, 17/19) In processing personal data for statistical purposes, Art. 15, 16, 18 and 21 of Regulation (EU) 2016/679 shall not apply.
Art. 25m. (New, SG, 17/19) Personal data, initially collected for another purpose, may be processed for the purposes of the National Archival Fund, for purposes of scientific or historical research or for statistical purposes. In such cases, the controller shall implement appropriate technical and organizational measures that ensure the rights and freedoms of the data subject in accordance with Art. 89, Para. 1 of Regulation (EU) 2016/679.
Art. 25n. (New, SG, 17/19) Processing of personal data for humanitarian purposes by public authorities or humanitarian organizations, as well as the processing in case of disasters within the meaning of the Disaster Protection Act, shall be lawful. In this case, Art. 12 – 21 and Art. 34 of Regulation (EU) 2016/679 shall apply.
Chapter five.
RIGHTS OF THE NATURAL PERSONS (TITLE AMEND. SG 103/05, REPEALED, SG, 17/19)
Art. 26. (Amend., – SG, 103/05, repealed SG, 91/06)
Art. 27. (amend. – SG 103/05; revoked SG 91/06)
Art. 28. (amend. SG 103/05, repealed, – SG, 17/19)
Art. 28a. (new SG 103/05, repealed SG, 17/19)
Art. 29. (Repealed SG, 17/19)
Art. 30. (Amend. SG, 103/05, repealed SG, 17/19)
Art. 31. (Repealed, – SG, 17/19).
Art. 32. (Amend. SG, 103/05, repealed SG, 17/19)
Art. 33. (repealed SG, 17/19)
Art. 34. (repealed SG, 17/19)
Art. 34a. (New SG 103/05, repealed SG, 17/19)
Art. 34b. (New SG 103/05, repealed SG, 17/19)
Chapter six.
SUBMISSION OF PERSONAL DATA TO THIRD PERSONS (REPEALED SG, 17/19)
Art. 35. (amend. – SG 103/05; revoked SG 91/06)
Art. 36. (amend. – SG 103/05, in force to 01.01.2007, repealed SG, 17/19)
Art. 36a. (new SG 103/05 in force to 01.01.2007, repealed SG, 17/19)
Art. 36b. (new SG 103/05 in force 01.01.2007, repealed SG, 17/19)
Art. 36c. (new – SG 81/11, repealed SG, 17/19).
Art. 36d. (new – SG 81/11, repealed SG, 17/19)
Art. 36e. (new SG 81/11, repealed SG, 17/19)
Art. 36f. (new SG 81/11, repealed SG, 17/19)
Art. 36g. (new SG 81/11, repealed SG, 17/19)
Art. 36h. (new SG 81/11, repealed SG, 17/19)
Art. 36i. (new SG 81/11, repealed SG, 17/19)
Art. 37. (revoked SG 103/05)
Chapter seven.
EXERCISING THE RIGHTS OF DATA SUBJECTS. MEANS OF LEGAL PROTECTION (TITLE, AMEND. – SG 17/19)
Art. 37a (New, SG, 17/19) (1) The controller or the personal data processor may completely or partially refuse the exercise of the rights of the data subjects under Art. 12 – 22 of Regulation (EU) 2016/679, as well as not fulfill its obligation under Art. 34 of Regulation (EU) 2016/679, where the exercise of the rights or the fulfillment of the obligation would create a risk for:
- the national security;
- defense;
- public order and security;
- prevention, investigation, detection or prosecution of criminal offenses or the enforcement of sanctions, including protection against and prevention of threats to public order and security;
- other important objectives in the broader public interest, and in particular an important economic or financial interest, including monetary, budgetary and fiscal issues, public health and social security;
- protection of independence of judiciary and judicial proceedings;
- prevention, investigation, disclosure and prosecution of breaches of ethical codes in regulated professions;
- the protection of the data subject or the rights and freedoms of other persons;
- implementation of civil legal claims.
(2) The terms and procedure for application of Para. 1 shall be determined by an Act and in accordance with Art. 23, Para. 2 of Regulation (EU) 2016/679.
Art. 37b. (New SG, 17/19) (1) The data subject shall exercise the rights under Art. 15-22 of Regulation (EU) 2016/679 by means of a written application to the personal data controller or by another method, specified by the controller.
(2) An application may also be filed electronically under the terms of the Electronic Document and Electronic Trust Services Act, the Electronic Government Act and the Electronic Identification Act.
(3) An application may also be submitted through actions in the user interface of the information system, that processes the data, after the person has been identified with the identification means corresponding to the information system.
Art. 37c. (New SG, 17/19). (1) The application under Art. 37b shall contain:
- name, address, UIN, or personal identification number of a foreigner, or other analogous identifier, or other identification data of the natural person, designated by the controller in relation to his / her activity;
- description of the request;
- preferred form of receiving of information while exercising the rights under Art. 15-22 of Regulation (EU) 2016/679;
- signature, date of submission of the application and correspondence address.
(2) When an application is submitted by an authorized person, the power of attorney shall also be attached to the application.
Art. 38. (1) (amend. – SG 103/05; amend. – SG 91/06, amend., SG, 17/19) In the event of a violation of its rights under Regulation (EU) 2016/679 and under this Act, the data subject shall have the right to refer the matter to the Commission within 6 months of awareness of the violation, but not more than 2 years after it was committed.
(2) (New, SG, 17/19) The Commission shall inform the complainant of the progress of the examination of the complaint or of its outcome within three months of its referral.
(3) (Amend., SG, 103/05, former Para 2, amend., SG, 17/19) The Commission shall pronounce by decision, and may apply the measures under Art. 58, Para. 2, letters (a) to (h) and (j) of Regulation (EU) 2016/679 or Art. 80, Para. 1, p. 3, 4 and 5 and, in addition to these measures, or instead of them to impose an administrative penalty in accordance with Art. 83 of Regulation (EU) 2016/679 as well as under Chapter Nine.
(4) (New, SG, 17/19) Where the appeal is manifestly unfounded, or excessive, the appeal may be abandoned by a decision of the Commission.
(5) (Previous Para 4, SG, 17/19) The Commission shall also send a copy of its decision to the data subject.
(6) (New, SG, 91/06, former Para 5, amend., SG 17/19) In the cases under Para. 1, when processing personal data for the purposes of Art. 42, Para. 1, the Commission’s decision shall contain only a statement about the lawfulness of the processing.
(7) (New – SG 11/23, in force from 04.05.2023) Complaint under Para. 1 may be withdrawn until the expiry of the period for appealing the decision of the Commission under Para. 3 and 4.
(8) (Amend. – SG, 103/05, previous Para. 5 – SG, 91/06, amend. – SG, 39/11, previous Para. 6, amend. – SG, 17/19, previous Para. 7 – SG 11/23, in force from 04.05.2023) The decision of the Commission under Para. 3 and 4 shall be subject to appeal under the Administrative Procedure Code within 14 days of its receipt.
Art. 38a. (New, SG, 17/19) (1) The complaint to the Commission may be filed by letter, by fax or by electronic means in accordance with the Electronic Document and Electronic Trust Services Act.
(2) Anonymous complaints, as well as complaints, not signed by the sender or by his legal representative or proxy, shall not be considered.
Art. 38b. (New, SG, 17/19) (1) In case of violation of its rights under Regulation (EU) 2016/679 and under this Act, in the processing of personal data by the court while performing its functions as a body of the judiciary and by the prosecuting and investigative bodies, while performing their functions as a body of the judiciary, for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or executing penalties, the data subject shall be entitled to lodge a complaint in the Inspectorate, within 6 months of becoming aware of the infringement, but not later than two years from its execution.
(2) In the cases under Para. 1, Art. 38a shall apply correspondingly.
Art. 38c. (New, SG, 17/19) (1) The appeal under Art. 38b, Para. 1 shall be examined by an inspector, appointed on a random basis by the Chief Inspector.
(2) When reviewing the complaint, data, relating to the alleged violation, including information from the controller, or the personal data processor, shall be collected.
(3) The complainant shall be informed of the progress in examining the complaint or of its outcome within three months of the referral to the Inspectorate.
(4) When the appeal is unfounded, the inspector shall pronounce with a decision, which shall be subject to appeal under the Administrative Procedure Code within 14 days of its receipt.
(5) Where the appeal is well founded, the inspectorate shall pronounce with a decision upon proposal by the inspector. The decision shall be subject to appeal under the Administrative Procedure Code within 14 days of its receipt.
(6) Where the complaint is manifestly unfounded or excessive, the inspector may leave it without examination.
Art. 38d. (New, SG, 17/19) (1) Where in the proceedings under Art. 38c, violation of Regulation (EU) 2016/679 and this Act has been established, depending on the nature and extent of the violation, the measures under Art. 58, Para. 2, letters (a) to (g) and (j) of Regulation (EU) 2016/679 or Art. 80, Para. 1, p. 3, 4 and 5 and / or administrative penalties shall be imposed in accordance with Art. 83 of Regulation (EU) 2016/679 as well as under Chapter Nine.
(2) The measures under Art. 58, Para. 2, letters (a) to (g) and (j) of Regulation (EU) 2016/679 and Art. 80, Para. 1, p. 3, 4 and 5 shall be applied by a decision of the Inspectorate upon a proposal by the inspector who has considered the complaint under Art. 38b, Para. 1.
Art. 39. (1) (Amend. SG, 103/05, amend. – SG, 30/06, in force from 01.03.2007, amend. – SG, 91/06, amend. SG, 17/19) In case of violation of its rights under Regulation (EU) 2016/679 and under this Act, the data subject may appeal actions and acts of the controller and of the processor of personal data before the court in accordance with the Administrative Procedure Code.
(2) (amend. – SG 103/05, amend. and suppl. – SG, 17/19) In the proceedings under Para. 1 the data subject may claim compensation for the damage, suffered as a result of the unauthorized processing of personal data by the controller, or the data processor.
(3) (new SG 81/11, repealed SG, 17/19)
(4) (new – SG 103/05; prev. text of Para 3 SG 81/11, amend. SG 17/19). The data subject shall not bring a case before the court, where there is pending proceedings before the Commission for the same violation, or a decision on the same violation has been appealed and there is no court decision in force. Upon request of the data subject or the court, the Commission shall verify the absence of pending proceedings before it on the same dispute.
(5) (prev. text of Para 4 amend., SG 103/05; amend. – SG 30/06, in force from 12.07.2006; revoked SG 91/06, new, SG 17/19) Para. 4 shall also apply in case of pending proceedings before the Inspectorate.
Art. 40. (Repealed – SG 103/05, new – SG 17/19) When the decision under Art. 38, Para. 3 has been adopted in implementation of a binding decision of the European Data Protection Supervisor, Art. 263 and 267 of the Treaty on the Functioning of the European Union shall apply.
Art. 41. (revoked SG 103/05)
Chapter eight.
RULES ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA BY THE COMPETENT AUTHORITIES FOR THE PURPOSES OF PREVENTION, INVESTIGATION, DISCLOSURE OR PENALTIES OF CRIMES, OR EXECUTION OF PENALTIES, INCLUDING PROTECTION FROM THREATS FOR THE PUBLIC ORDER AND SECURITY, AND THEIR PREVENTION (TITLE, AMEND. SG, 17/19)
Section I.
General provisions (New SG, 17/19)
Art. 42. (Amend., SG, 103/05, amend. SG, 17/19) (1) The rules of this Chapter shall apply to the processing of personal data by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offenses or execution of penalties, including prevention from threats to public order and security and their prevention.
(2) Personal data, collected for the purposes of Para. 1 shall not be processed for other purposes, unless the law of the European Union or the legislation of the Republic of Bulgaria provides otherwise.
(3) When the competent authorities under Para. 1 process personal data for purposes, other than those under Para. 1, as well as in the cases under Para. 2, Regulation (EU) 2016/679 and the relevant provisions of this Act which implement measures for its implementation, shall apply.
(4) Competent authorities under Para. 1 are the state bodies, which have the authority to prevent, investigate, detect or prosecute criminal offenses or enforce penalties, including the prevention from threats to public security and their prevention.
(5) Unless otherwise provided by the law, a controller within the meaning of this Chapter, while processing personal data for the purposes of Para. 1, shall be a competent body under Para. 4 or the relevant administrative structure of which that body is a part, which, alone or jointly with other authorities, defines the purposes and means of processing personal data.
Art. 42a. (new SG 103/05, repealed SG, 17/19)
Art. 43. (1) (Amend., SG, 103/05, amend., SG, 17/19) The rules of this Chapter shall apply to processing of personal data in whole or in part by automated means, as well as to processing with other means of personal data, which are part of a register of personal data or are intended to form part of such a register.
Art. 44. (New, SG, 17/19) The exchange of personal data between the competent authorities of the Member States of the European Union, where such exchange is required by the law of the European Union or by the legislation of the Republic of Bulgaria shall not be limited, or banned for reasons, related to the protection of natural persons, with regard to processing of personal data.
Art. 45. (New, SG, 17/19) (1) In processing personal data for the purposes of Art. 42, Para. 1, the personal data must:
- be processed in a lawful and conscientious manner;
- be collected for specific, explicit and legitimate purposes and not processed in a manner inconsistent with those purposes;
- be appropriate, relevant and not go beyond what is necessary in relation to the purposes for which the data are being processed;
- be accurate and, if necessary, kept up-to-date; all necessary measures must be taken to ensure the timely erasure or correction of inaccurate personal data, taking into account the purposes for which they are processed;
- be kept in a form, which permits identification of the data subject for a period, no longer than is necessary for the purposes for which they are being processed;
- be processed in such a way, as to ensure an adequate level of security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or deterioration, by applying appropriate technical or organizational measures.
(2) The processing of personal data by a controller, who originally collected them or by another controller for any of the purposes under Art. 42, Para. 1, other than the purpose for which the personal data are collected, shall be permitted provided that:
- the controller is authorized to process personal data for such purpose in accordance with European Union law or the legislation of the Republic of Bulgaria;
- processing is necessary and proportionate to this different purpose in accordance with European Union law or the legislation of the Republic of Bulgaria.
(3) The processing by a controller under Para. 2 may include archiving in the public interest, scientific, statistical or historical use of the data for the purposes of Art. 42, Para. 1, when applying appropriate safeguards for the data subject’s rights and freedoms.
(4) The controller shall be responsible for compliance with Para. 1, 2 and 3 and must be able to prove it.
Art. 46. (New, SG, 17/19) (1) Where the deadlines for the deletion of personal data or periodic verification of the need for their storage have not been legally established, they shall be determined by the controller.
(2) Performing a periodic inspection under Para. 1 shall be documented and the decision to continue the storage of the data shall be motivated.
Art. 47. (New, SG, 17/19) The controller shall, where applicable and as far as possible, make a clear distinction between the personal data of different categories of data subjects, for example:
- persons, for whom there are serious grounds for believing, that they have committed or will commit a crime;
- persons convicted of a crime;
- persons, who have suffered a crime or persons, in respect of whom, certain facts give reason to believe that they may have been victims of crime, and
- other third parties in relation to a crime, such as persons, who might be called upon to testify in criminal investigations or in criminal proceedings, persons who can provide information about crimes or related persons.
Art. 48. (New, SG, 17/19) (1) The competent authority shall, as far as possible, make a distinction between personal data, based on facts and personal data, based on personal assessments.
(2) The competent authority shall take the necessary measures to ensure that personal data, which are inaccurate, incomplete or no longer up to date are not transmitted. To this end, each competent authority shall, as far as possible, verify the quality of the personal data, prior to its transmission. As far as possible, each transmission of personal data shall include the necessary information to enable the receiving competent authority to assess the degree of accuracy, completeness and reliability of personal data and to what extent they are up to date.
(3) Where the transmitted personal data are inaccurate or have been transmitted unlawfully, the recipient shall be notified immediately. In this case, the transmitting competent authority and the recipient shall correct, delete or restrict the processing of personal data.
Art. 49. (Amend., SG,17/19) The processing of personal data shall be lawful when it is necessary for the exercise of powers by a competent authority for the purposes of Art. 42, Para. 1 and is provided for in European Union law or in a legal act, specifying the purposes of the processing and the categories of personal data, being processed.
Art. 50. (New, SG, 17/19) (1) Where the European Union law or the legislation of the Republic of Bulgaria, applicable to the transmitting competent authority provides for specific conditions for the processing of personal data, the body shall inform the recipient of the data about these conditions and his obligation to observe them.
(2) The transmission of personal data to recipients in other Member States of the European Union or to European Union agencies, offices and bodies, set up pursuant to Chapters 4 and 5 of Title V of the Treaty on the Functioning of the European Union shall be carried out under the same conditions, which apply in the event of such transmission in the Republic of Bulgaria.
Art. 51. (New, SG, 17/19) (1) Processing of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, processing of genetic data, biometric data for the purpose of uniquely identifying the natural person, data relating to the state of health or sexual life and sexual orientation of the person shall be permitted, where absolutely necessary, adequate safeguards for the rights and freedoms of the data subject exist and it is provided for in the EU law, or in the legislation of the Republic of Bulgaria.
(2) When the processing under Para. 1 is not provided for in the law of the European Union, or in the legislation of the Republic of Bulgaria, the data under Para. 1 may be processed when absolutely necessary, there are appropriate safeguards for the rights and freedoms of the data subject and:
- processing is to protect the vital interests of the data subject or another natural person, or
- if processing refers to data, that is obviously made public by the data subject.
(3) When processing data under Para. 1, appropriate measures and safeguards shall be applied to ensure, that natural persons are not discriminated against.
Art. 52. (New, SG, 17/19) (1) Taking of a decision, based solely on automated processing, including profiling, which causes or significantly impinges on the data subject shall be prohibited, except when it is provided for in European Union law or in the legislation of the Republic of Bulgaria, and adequate safeguards for the data subject’s rights and freedoms are provided, including at least human intervention in the relevant decision by the controller.
(2) The decisions under Para. 1 shall not be based on the categories of personal data under Art. 51, Para. 1, unless appropriate measures are in place to protect the rights and freedoms and legitimate interests of the data subject.
(3) In the cases under Para. 1 and 2 the controller shall carry out an impact assessment under Art. 64.
(4) Profiling which leads to discrimination of natural persons, based on the categories of personal data under Art. 51, Para. 1, is prohibited.
(5) The data subject shall have the right to obtain information about the processing under Para. 1, to express its opinion, to obtain an explanation for the decision under Para. 1, taken as a result of such processing, as well as appeal against the decision.
Section II.
Rights of the data subject (New SG, 17/19)
Art. 53. (New, SG, 17/19) (1) The controller shall take necessary measures to provide the data subject with the information under Art. 54 and for correspondence with it in connection with Art. 52, Para. 5, Art. 55-58 and 68 on processing of personal data in a concise, understandable and easily accessible form, using clear and simple language. The controller shall provide the information in the same way in which the request was received. Where this is not possible or requires disproportionate effort, the information shall be provided by another appropriate means, including electronically.
(2) The controller shall facilitate the exercise of the rights of the data subject under Art. 52, Para. 5 and Art. 55 – 58.
(3) The controller shall respond to the data subject’s request or inform him / her in writing of the actions, taken in relation to his / her request, within two months of receipt of the request. The time limit may be extended by another month when this is due to the complexity or the number of requests.
(4) The information under Art. 54 and the correspondence or actions, taken pursuant to Art. 52, Para. 5, Art. 55 to 58 and 68 shall be free. Where requests from a data subject are clearly unreasonable or excessive, in particular because of its repeatability, the controller may:
- charge a fee, amounting to the administrative costs of providing information or of communicating with the data subject, or of taking action on the request, or
- refuse to undertake actions on the request.
(5) The controller shall bear the burden of proving the apparently unfounded or excessive nature of the request.
(6) Where the controller has reasonable doubts as to the identity of the natural person, submitting a request under Art. 55 or 56, he may request the provision of additional information, necessary to verify the identity of the data subject. The term under Para. 3 shall start to run from receiving this additional information.
Art. 54. (New, SG, 17/19) (1) The controller shall provide to the data subject at least the following information:
- the data, that identify the controller and the contact details of the controller;
- the contact details of the data protection officer, where applicable;
- the purposes, for which the personal data are processed;
- the right of appeal to the Commission, respectively the Inspectorate, and their contact details;
- the right to require from the controller access to, correction, supplementation or deletion of personal data and restriction of the processing of personal data, relating to the data subject;
- the possibility, in the event of refusal under Para. 3, under Art. 55, Para. 3 and 4 and Art. 56, Para. 6 and 7, to exercise his rights through the Commission, respectively through the Inspectorate.
(2) Besides the information under Para. 1, the controller shall, at the request of the data subject, or on his own initiative, provide the data subject, in specific cases and in order to enable him to exercise his rights, the following additional information:
- the legal ground for the processing;
- the term, for which the personal data will be stored, and if this is impossible, – the criteria, used for defining that term;
- where applicable, recipients or categories of recipients of personal data, including in third states or international organizations;
- where necessary, other additional information, in particular in cases, where personal data are collected without the knowledge of the data subject.
(3) The controller may delay or refuse all, or part of the provision of the information under Para. 2 where this is necessary to:
- avoid obstructing official or statutory inspections, investigations or procedures;
- avoid an adverse effect on the prevention, detection, investigation or prosecution of criminal offenses or the execution of penalties;
- protect public order and security;
- protect the national security;
- protect the rights and freedoms of other persons.
(4) Once the circumstance under Para. 3 ceases to exist, the controller shall provide without delay the requested information, within the term under Art. 53, Para. 3.
(5) When making a decision under Para. 3 the controller shall take into account the fundamental rights and legitimate interests of the natural person concerned.
Art. 55. (New, SG, 17/19) (1) The data subject shall have the right to obtain from the controller a confirmation, whether personal data concerning him / her are being processed and, if so, to have access to them, as well as information about:
- the circumstances under Art. 54, Para. 1, p. 3 – 5 and Para. 2, p. 1 to 3;
- the processed categories of personal data;
- personal data, that are being processed and any available information on their origin, unless it is a secret, protected by the law.
(2) The controller shall provide the information under Para. 1 within the term under Art. 53, Para. 3.
(3) The right of access to the data and information under Para. 1 may be limited in whole or in part, taking into account the fundamental rights and legitimate interests of the affected natural person, in the cases under Art. 54, Para. 3. In these cases Art. 54, Para. 4 shall apply.
(4) In the cases under Para. 3, the controller shall inform the data subjects in writing, within the term under Art. 53, Para. 3, about each refusal of access or limitation of access and the reasons for it. This information may be withheld where its disclosure would impede the achievement of any of the objectives under Art. 54, Para. 3. The controller shall inform the data subject about his or her right of appeal to the Commission, the Inspectorate, or to seek protection in a judicial procedure.
(5) The controller shall document the factual or legal grounds for the decision. This information shall be provided to the Commission, respectively the Inspectorate.
Art. 56. (New, SG, 17/19) (1) The data subject shall have the right to request the controller to correct the inaccurate personal data related to him / her. Given the purpose of the processing, the data subject shall be entitled to request that incomplete personal data be supplemented, including by providing a further application.
(2) The controller under Para. 1 shall be obliged to delete the personal data and the data subject shall have the right to ask the controller to delete the personal data, that concern him, when the processing violates the provisions of Art. 45, 49 or 51, or when the personal data must be deleted in order to comply with a legal obligation by the controller.
(3) The controller shall correct or supplement the data under Para. 1 or delete the data, in the cases under Para. 2 within the term under Art. 53, Para. 3.
(4) The controller shall limit the processing of personal data without deleting it where:
- the accuracy of the personal data is disputed by the data subject and cannot be verified, or
- the personal data must be retained for evidential purposes.
(5) In the cases under Para. 4, p. 1, the controller shall inform the data subject before removing the limitation of the processing.
(6) The correction, supplementation, deletion or limitation of the processing of personal data may be waived, taking into account the fundamental rights and legitimate interests of the affected natural person, in the cases under Art. 54, Para. 3. In these cases Art. 54, Para. 4 shall apply. The controller shall inform in writing the subject of the data on the refusal, as well as the reasons for it within the time limit under Art. 53, Para. 3.
(7) The controller may refrain from informing the data subject about the refusal under Para. 6 in the cases under Art. 54, Para. 3, pursuant to Art. 54, Para. 4 and 5.
(8) The controller shall inform the data subject about his / her right of appeal to the Commission, the Inspectorate, and to seek protection in a judicial procedure.
(9) The controller shall inform the competent authority, from which the inaccurate personal data has been received, about their correction.
(10) When personal data is corrected, completed, deleted or their processing is limited, the controller shall notify its recipients, who respectively shall correct, supplement, delete or restrict their processing.
Art. 57. (New, SG, 17/19) (1) In the cases under Art. 54, Para. 3, Art. 55, Para. 3 and 4 and Art. 56, Para. 6 and 7, the data subject may exercise his rights through the Commission, or through the Inspectorate. In such cases, the Commission, respectively the Inspectorate, shall check the lawfulness of the refusal.
(2) In the cases under Para. 1, the Commission, respectively the Inspectorate, shall inform the data subject at least that all necessary inspections or inquiries have been performed, as well as his right to seek protection in a judicial procedure.
Art. 58. (New, SG, 17/19) The exercise of the rights under Art. 54, 55 and 56, where the personal data are contained in a judicial decision, document or material in a case, drawn up in criminal proceedings, shall be without prejudice and shall not be contrary to the provisions of the Penal Procedure Code.
Section III.
Personal data controller and personal data processor (New, SG, 17/19)
Art. 59. (New, SG, 17/19) (1) The personal data controller, taking into account the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, shall apply appropriate technical and organizational measures to ensure and be able to prove, that the processing is carried out in accordance with this Act. Where necessary, these measures shall be reviewed and updated.
(2) Where this is proportionate to the processing operations, the measures under Para. 1 shall include the application of appropriate data protection policies by the controller.
(3) By measures under Para. 1 the controller shall ensure the protection of personal data at the design stage, taking into account the achievements of technical progress, implementation costs and the nature, scope, context and purposes of processing of personal data, as well as risks to the rights and freedoms of natural persons in processing. The measures must comply with the requirements of Art. 45; they shall be planned at the time of determination of the means for the processing of personal data and applied during the processing itself. Measures may include aliasing, minimizing data and introducing necessary safeguards in processing personal data.
(4) Through measures under Para. 1 the controller shall ensure, that by default only personal data, that is required for each specific processing purpose shall be processed. This obligation relates to the volume of personal data collected, the extent of processing, the duration of their storage and their accessibility. These measures shall ensure, that by default, without interference on behalf of the natural person, the personal data are not accessible to an unlimited number of natural persons.
Art. 60. (New, SG, 17/19) (1) Where two or more data controllers jointly determine the purposes and means of processing, they shall be joint controllers.
(2) The joint controllers under Para. 1 shall define in a transparent manner their rights and obligations under this Chapter, in particular those, relating to the exercise of the rights of the data subject and to provision of information under Art. 54, through joint rules, except where their rights and obligations have been provided for in European Union law or in the legislation of the Republic of Bulgaria. The rules shall define the contact point for the data subjects, where the joint controllers may indicate which of them acts as a single contact point.
(3) Notwithstanding the provisions of Para. 1, the data subject may exercise his rights under this Chapter with respect to any of the controllers under Para. 1.
Art. 61. (New, SG, 17/19) (1) A personal data controller may assign processing of personal data on his / her behalf only to personal data processors who provide sufficient guarantees, that they will apply appropriate technical and organizational measures in such a way, that the processing complies with the requirements of this Chapter and ensures the protection of the rights of the data subject.
(2) The personal data processor may not include in the processing any other processor of personal data without a prior specific or general written authorization of the controller, under Para. 1. In case of a general written authorization, the processor of personal data shall inform the controller about any planned changes to include or replace other processors of personal data, where the controller may object to those changes.
(3) Processing by the processor of personal data shall be governed by a contract or another legal act, in accordance with the European Union law, or the legislation of the Republic of Bulgaria, which shall bind the processor of personal data with the controller under Para. 1 and regulate the subject and term of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the controller. That contract or other legal act shall provide in particular, that the processor of personal data shall:
- act only after instructions of the controller;
- ensure, that the persons, authorized to process personal data, have a confidentiality obligation, or are legally bound to observe confidentiality;
- assist the controller by all appropriate means to ensure that the rights of the data subject have been respected;
- at the option of the controller, delete or return to the controller all personal data after termination of the provision of data processing services and delete existing copies, unless the European Union law or the legislation of the Republic of Bulgaria requires storage of the personal data;
- provide the controller with all the information, necessary to demonstrate compliance with this Article;
- observe the conditions under p. 1 – 5 and Para. 2 to include another processor of personal data.
(4) The contract or the other legal act, referred to in Para. 3, shall be made in writing, including in electronic form.
(5) Where a processor of personal data determines, in violation of the rules of this Chapter, the purposes and means of processing, he / she shall be considered to be the controller of personal data with respect to such processing.
(6) The personal data processor and any person, acting under his direction or under the direction of the controller under Para. 1, who has access to the personal data, shall process such data only under the direction of the controller, except when the conditions and procedure for processing have been provided for in the European Union law or in the legislation of the Republic of Bulgaria.
Art. 62. (New, SG, 17/19) (1) The personal data controller shall keep a register of the categories of personal data processing activities, which shall contain:
- the name and contact details of the controller and, where applicable, the joint controllers and the data protection officer;
- the purposes of the personal data processing;
- the categories of recipients, to whom the personal data have been, or will be disclosed, including recipients in third states or international organizations;
- a description of the categories of data subjects and categories of personal data;
- where applicable, information on whether profiling is being carried out;
- where applicable, the categories of transfer of personal data to a third state, or international organization;
- the legal basis for the processing operation, including the transmission of the data, for which the personal data have been intended;
- when possible, the deadlines for deletion of the different categories of personal data;
- where possible, a general description of the technical and organizational security measures under Art. 66.
(2) The personal data processor shall maintain a register of the categories of processing activities, performed on behalf of a controller, which shall contain:
- the name and contact details of the processor or the processors of personal data, of each personal data controller, on whose behalf the data processor operates and of the data protection officer, where applicable;
- the categories of processing of personal data, performed on behalf of each controller;
- where applicable, the transfer of personal data to a third state, or to an international organization, where there is an explicit instruction from the controller, including the name of the third state or the international organization;
- where possible, a general description of the technical and organizational security measures under Art. 66.
(3) The registers under Para. 1 and 2 shall be kept in writing, including in electronic format.
(4) Upon request, the controller and the personal data processor shall provide access to the registers for the Commission, respectively for the Inspectorate.
Art. 63. (New, SG, 17/19) (1) In the automated processing systems, maintained by the controller and the personal data processor, logbooks shall be maintained, at least for the following processing operations – collection, modification, references, disclosure, including transmission, combining, and deletion.
(2) When making a consultation or disclosure of data, the logbooks under Para. 1 must enable establishment of the reason, date and time of these operations – and as far as it is possible, the identity of the person, who made the reference, or disclosed the personal data and the data, identifying the recipients of that personal data.
(3) The logbooks of Para. 1 shall be used only for the verification of the lawfulness of processing, for self-control, for ensuring the integrity and security of the personal data and for criminal proceedings.
(4) The personal data controller shall set appropriate storage periods, including archiving of the logbooks under Para. 1.
(5) Upon request, the controller and the personal data processor shall provide the logbooks under Para. 1 to the Commission, respectively to the Inspectorate.
Art. 64. (New, SG, 17/19) (1) Where a particular type of processing, in particular where new technologies are used and given the nature, scope, context and purpose of the processing, is likely to lead to a high risk for the rights and freedoms of natural persons, the personal data controller shall, before the processing is carried out, assess the impact of the envisaged processing operations on the protection of personal data.
(2) The assessment under Para. 1 shall contain at least a general description of the processing operations envisaged, an assessment of the risks to the data subjects’ rights and freedoms, the measures, envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and for proving compliance with the rules of this Chapter, taking into account the rights and legitimate interests of the data subjects and other affected persons.
Art. 65. (New, SG, 17/19) (1) The controller or the personal data processor shall consult with the Commission, respectively the Inspectorate before processing of personal data, which shall be part of a new register of personal data, which is to be created, when:
- according to the impact assessment under Art. 64, the processing will generate a high risk, despite the undertaken measures by the controller for restricting the risk, or
- the type of processing, particularly when using new technologies, mechanisms or procedures, involves a high degree of risk for the data subjects’ rights and freedoms.
(2) In drafting laws and legislative instruments, containing processing measures, the Commission, respectively the Inspectorate, shall be consulted.
(3) The Commission shall adopt and publish a list of processing operations, for which prior consultation under Para. 1 shall be mandatory. The Inspectorate shall apply, respectively, the list under sentence one.
(4) The controller shall provide to the Commission, respectively, the Inspectorate, the impact assessment under Art. 64 and upon request, any other information, that would enable them to assess the compliance of the processing, and in particular, the risks for the protection of personal data and the relevant safeguards for such protection.
(5) Where the Commission, respectively, the Inspectorate considers, that the planned processing under Para. 1 would breach the provisions of this Chapter, in particular, where the controller has not sufficiently identified or limited the risk, they shall, within 6 weeks of receipt of the request for consultation, make a written statement to the controller and, where applicable, to the data processor. This deadline may be extended by another month, depending on the complexity of the planned processing. Within one month of receipt of the request for consultation, the Commission, respectively, the Inspectorate, shall notify the controller and, where applicable, the personal data processor about the extension of the time limit, including about the reasons for the delay.
(6) Providing a written statement under Para. 5 shall not affect the possibility of the Commission, respectively of the Inspectorate, to exercise its powers under Art. 80 to the controller, or the personal data processor.
Art. 66. (New, SG, 17/19) (1) The controller and the personal data processor, taking into account the achievements of the technical progress, the implementation costs and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, shall apply appropriate technical and organizational measures to ensure a level of security that is appropriate to that risk, in particular, with regard to the processing of categories of personal data under Art. 51, Para. 1.
(2) In relation to automated processing, the controller, or the data processor shall, following the risk assessment, apply measures aimed at:
- control of access to equipment – to deny unauthorized persons access to the equipment, used for processing of personal data;
- control over data carriers to prevent the reading, copying, modification or removal of data carriers by unauthorized persons;
- control over the storage – to prevent the entry of personal data by unauthorized persons, as well as the checking, modification or deletion of stored personal data by unauthorized persons;
- control over users to prevent the use of automated processing systems by unauthorized persons, through using data transmission equipment;
- control of access to data – to ensure that persons, authorized to use an automated processing system have access only to the personal data, covered by their access authorization;
- control over communication to ensure the possibility of verifying and identifying to which bodies personal data have been or may be transmitted, or which authorities have access to personal data through data transmission equipment;
- data entry control to ensure the possibility of subsequent verification and identification of what personal data were entered into the automated processing systems, as well as when and by whom they were entered;
- transfer control to prevent reading, copying, modification or deletion of personal data by unauthorized persons in transmission of personal data or in transfer of data carriers;
- recovery – to ensure the possibility of restoring of installed systems in the event of system failures;
- reliability to ensure the performance of system functions and reporting of defects, appearing in the functions;
- integrity – to ensure, that personal data stored is not compromised by malfunctioning of the system.
Art. 67. (New, SG, 17/19) (1) In the case of a personal data breach, that is likely to endanger the rights and freedoms of the data subjects, the controller shall, without undue delay, but not later than 72 hours after he / she becomes aware of the violation, inform the Commission, respectively the Inspectorate, about it. Where the notification is submitted after the time limit, referred to in sentence one, it shall state the reasons for the delay.
(2) The personal data processor shall notify the controller without undue delay, but no later than 72 hours after he / she has detected a breach of the personal data security.
(3) The notification under Para. 1 shall contain at least:
- a description of the personal data breach, including, where possible, the categories and approximate numbers of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point, from which more information may be obtained;
- a description of the possible consequences from the breach of personal data security;
- a description of the measures, taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate the possible adverse effects.
(4) Where it is not possible to submit the information at the same time, it may be submitted in stages, without further unnecessary delay.
(5) The controller shall document any violation of the security of personal data under Para. 1, including the facts, related to the violation, its consequences and the actions taken to deal with it.
(6) Where the personal data security breach affects personal data, that is sent by, or to a controller from another Member State of the European Union, the information under Para. 3 shall be communicated to this controller, without undue delay, but no later than 7 days after the breach has been established.
Art. 68. (New, SG, 17/19) (1) Where the violation of the security of personal data under Art. 67, Para. 1 may lead to a high risk for the rights and freedoms of data subjects, the data controller shall also notify the data subject about the breach, not later than 7 days after its establishment.
(2) The notification under Para. 1 shall indicate, in clear and comprehensible language, a description of the violation and at least the information and measures under Art. 67, Para. 3, p. 2, 3 and 4.
(3) The data subject shall not be notified about the violation under Para. 1, if one of the following conditions has been met:
- the controller has taken appropriate technical and organizational protection measures and these measures have been applied to the personal data, affected by the breach, in particular, measures, that make personal data incomprehensible to any person, not entitled to access such as, for example, encryption;
- the controller has subsequently taken measures to ensure, that the high risk for the rights and freedoms of data subjects is no longer likely to occur;
- notification would lead to disproportionate efforts; in this case, a public communication or other similar measure shall be taken, so that the data subjects are equally effectively informed.
(4) Where the controller has not notified the data subject about the breach under Para. 1, the Commission, respectively the Inspectorate, after considering the likelihood of the violation to cause a high risk, may require the controller to notify the data subject.
(5) In the cases under Art. 54, Para. 3 the controller may refrain from notifying the data subject about the violation under Para. 1, may notify him or her after the term under Para. 1, or may limit the information under Para. 2.
Art. 69. (New, SG, 17/19) (1) The controller of personal data shall appoint a data protection officer on the grounds of his professional qualities and in particular on the basis of his expert knowledge in legislation and practices in the field of the protection of personal data and his ability to perform the tasks under Art. 70.
(2) A data protection officer may be designated jointly for several controllers, taking into account their organizational structure and scale.
(3) The controller shall properly disclose the contact details of the data protection officer and notify the Commission under Art. 25b.
(4) Data protection officers, designated by the judiciary bodies, do not fulfill the tasks under Art. 70 in the processing of personal data for the purposes of Art. 42, Para. 1 by the court, the prosecutor’s office and the investigative bodies in performance of their functions of bodies of the judiciary.
Art. 70. (New, SG, 17/19) (1) The personal data controller shall ensure, that the data protection officer takes an appropriate and timely role in handling of all matters, related to the protection of personal data.
(2) The controller shall assign to the data protection officer at least the following tasks:
- to inform and advise the controller and the officers, performing the processing about their obligations under this Act and other statutory requirements for the protection of personal data;
- to monitor compliance with this Act and other regulatory requirements for the protection of personal data and the controller’s policies, with respect to the protection of personal data, including assignment of responsibilities, awareness-raising and training of personnel, involved in processing operations and relevant checks;
- upon request, provide advice on the impact assessment under Art. 64 and monitor its implementation;
- to cooperate with the Commission, respectively with the Inspectorate;
- to act as a contact point with the Commission, including for the purposes of the prior consultation under Art. 65 and, if necessary, to consult the Commission, respectively the Inspectorate on the issues, related to the processing of personal data.
(3) The controller shall support the data protection officer technically and organizationally, including by providing the necessary resources, access to personal data and processing operations, as well as the maintenance of his expertise.
Art. 71. (New, SG, 17/19) The competent authorities shall establish appropriate procedures to enable their employees to report directly and confidentially to the relevant administrative unit in the structure of the controller or to the Commission, respectively the Inspectorate, about violations under this Chapter.
Section IV.
Transfer of personal data to third countries or international organizations (New, SG, 17/19)
Art. 72. (New, SG, 17/19) (1) A competent authority may transfer personal data, which are being processed or intended to be processed after their transmission to a third country or to an international organization, including for subsequent transmission to another third country, or international organization, provided that the transfer is in accordance with this Act and any of the following conditions has been met:
- the transfer is necessary for the purposes of Art. 42, Para. 1;
- the personal data have been transferred to a controller in a third state or an international organization, that is competent for the purposes of Art. 42, Para. 1;
- when transferring personal data, received from another Member State of the European Union, that Member State has given its prior authorization for the transfer in accordance with its national law;
- where:
- a) The European Commission has decided, that the third state, territory or one or more specific sectors concerned in that third state, or the relevant international organization provides an adequate level of protection, or
- b) in the absence of a decision under letter “a”, appropriate safeguards have been provided, or are in place under Art. 74, or
- c) in the absence of a decision under letter “a” and appropriate guarantees under letter “b”, the transmission of the personal data is necessary in the cases under Art. 75;
- upon subsequent transfer of personal data to another third state, or international organization, the competent authority, that has carried out the original transmission, or another competent authority in the Republic of Bulgaria authorizes the subsequent transmission of data, after having duly taken into account all relevant factors, including the seriousness of the offense, the purpose of the initial transmission of personal data and the level of protection of personal data in the other third state or international organization to which the subsequent transfer of personal data has been performed.
(2) Transmission of personal data without the prior authorization of the other Member State of the European Union, under Para. 1, p. 3 shall be permitted only if the transfer is necessary for prevention of an imminent and serious threat to the public order and security of a Member State of the European Union or of a third state, or of the essential interests of a Member State of the European Union and the prior authorization cannot be obtained in a timely manner. In such cases, the authority of the Member State of the European Union, having provided the personal data, which is competent to give prior authorization under Para. 1, p. 3 shall be immediately notified.
Art. 73. (New, SG, 17/19) Where the European Commission repeals, amends or suspends a decision under Art. 72, Para. 1, item 4 (a), the transfer of personal data to the third state concerned, to the territory, or to one or more specific sectors in that third state, or to the relevant international organization may take effect under the conditions of Articles 74 and 75.
Art. 74. (New, SG, 17/19) (1) In the absence of a decision of the European Commission under Art. 72, Para. 1, p. 4, letter “a”, the transfer of personal data to a third state, or an international organization may take place when:
- in the legislation of the third state, or in the Statute of the international organization, or in an enforced international treaty, to which the Republic of Bulgaria is a party, or in another legally binding act, adequate safeguards in relation to the protection of personal data have been provided;
- the controller has made an assessment of the circumstances, surrounding the transfer of personal data and has considered, that there are appropriate safeguards with regard to the protection of personal data.
(2) The controller shall document the transmission in the cases under Para. 1, p. 2, including the date and time of transmission, the information on the receiving competent authority, the justification of the transmission and the personal data transmitted.
(3) The controller shall inform the Commission, respectively the Inspectorate about the transmission categories under Para. 1, p. 2 and upon request, he shall grant access to the documentation under Para. 2.
Art. 75. (New, SG, 17/19) (1) In the absence of a decision of the European Commission under Art. 72, Para. 1, p. 4, letter “a”, or of appropriate guarantees under Art. 74, transmission of personal data to a third state, or international organization may only take place, if the transmission is necessary:
- in order to protect the vital interests of the data subject or of another person;
- in order to protect the legitimate interests of the data subject, when the legislation of the Republic of Bulgaria so provides;
- to prevent an imminent and serious threat to the public order and security of a Member State of the European Union or of a third state;
- in individual cases for the purposes under Art. 42, Para. 1, or
- in individual cases for the establishment, exercise or protection of legal claims, related to the purposes of Art. 42, Para. 1.
(2) Personal data may not be transmitted, if the transmitting competent authority decides that the fundamental rights and freedoms of the data subject outweigh the public interest from the transmission under Para. 1, p. 4 and 5.
(3) The transmission of data under para. 1 shall be documented and the documentation shall be provided to the Commission, respectively the Inspectorate, upon request, including the date and time of transmission, information on the receiving competent authority, the justification of the transmission and the personal data transmitted.
Art. 76. (New, SG, 17/19) (1) In certain and specific cases, a competent body may, without the condition under Art. 72, para. 2 and without prejudice to an international treaty, transmit personal data directly to recipients, established in third states, only if the provisions of this Chapter have been observed and any of the following conditions have been met:
- without the transmission, a task of the transmitting competent authority, deriving from the European Union law or from the legislation of the Republic of Bulgaria, cannot be fulfilled or its fulfillment is seriously hindered, for the purposes of Art. 42, Para. 1;
- the transmitting competent authority decides, that the fundamental rights and freedoms of the data subject do not outweigh the public interest, that imposes transmission in the specific case;
- the transmitting competent authority considers, that the transmission to an authority, that is competent in the third state for the purposes of Art. 42, para. 1 is inefficient or inappropriate, in particular as the transmission cannot take place on time;
- the authority of the third state, which is competent for the purposes of Art. 42, para. 1 is notified without undue delay, unless it is ineffective or inappropriate;
- the transmitting competent authority notifies the recipient of the specific purpose or purposes only for which the recipient may process the personal data, provided that such processing is necessary.
(2) An international treaty under para. 1 shall be any bilateral or multilateral international agreement in force between the Member States of the European Union and third states in the field of judicial cooperation in criminal matters and police cooperation.
(3) The competent authority, transmitting the personal data shall record each transmission under para. 1 and shall notify the Commission, respectively the Inspectorate, of it.
Art. 77. (New, SG, 17/19) As regards third states and international organizations, the Commission shall take appropriate measures to:
- develop mechanisms for international cooperation to support the effective implementation of data protection legislation;
- provide international assistance in the application of data protection legislation, including through notification, referral of complaints, assistance in investigations and exchange of information, provided that there are appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
- include relevant stakeholders in discussions and activities, aimed at further deepening international cooperation on the implementation of data protection legislation;
- promote the exchange and documentation of legislation and practices in the area of personal data protection, including in relation to competence disputes with third countries.
Section V.
Supervision of compliance with the rules for personal data protection. Remedies (New – SG, 17/19)
Art. 78. (New, SG, 17/19) (1) The supervision under this Chapter in the processing of personal data for the purposes of Art. 42, para. 1 shall be performed by the Commission, except in the cases under para. 2.
(2) The supervision under this Chapter in processing of personal data for the purposes of Art. 42, para. 1 by the court, the prosecution and investigative bodies in the performance of their functions of bodies of the judiciary shall be carried out by the Inspectorate.
Art. 79. (New, SG, 17/19) (1) In carrying out the supervision under this Chapter, the Commission, respectively the Inspectorate shall perform the following tasks:
- monitor and ensure the implementation of the provisions of this Chapter;
- promote public awareness and understanding of the risks, rules, safeguards and rights, associated with processing of personal data;
- raise the awareness of controllers and processors of personal data for their duties;
- provide information to any data subject in connection with the exercise of its rights upon request and, where needed, cooperate with supervisors in other Member States of the European Union for this purpose;
- examine complaints, submitted by a data subject under the terms and conditions of Chapter Seven;
- verify the lawfulness of processing in cases under Art. 57 and inform the data subject of the results of the inspection within three months of the referral or of the reasons why the inspection has not been carried out;
- cooperate with other supervisors, including through exchange of information, and provide them with mutual assistance with a view to ensuring the coherent application and enforcement of data protection rules;
- conduct research in the area of protection of personal data, including on the basis of information, obtained from another supervisory or public authority;
- monitor the development of information and communication technologies, with a view to their impact on the protection of personal data.
(2) Besides the tasks under Para. 1, the Commission, while performing the supervision under this Chapter, shall also perform the tasks under Art. 10, Para. 2, as well as participate in the activities of the European Data Protection Board.
(3) In performing the tasks under Para. 1, no fee shall be collected from the data subject and from the data protection officer.
(4) The controller and the personal data processor shall cooperate upon request with the Commission, respectively the Inspectorate, in the performance of their tasks.
Art. 80. (New, SG, 17/19) (1) While carrying out the supervision under this Chapter, the Commission, respectively the Inspectorate shall have the power to:
- receive from the controller or the personal data processor access to all personal data, which are processed;
- receive from the controller or the personal data processor all the information, necessary for the fulfillment of the tasks under Art. 79;
- send a warning to the controller or the personal data processor when the planned data processing operations are likely to violate the provisions of this Chapter;
- order the controller or the personal data processor to bring the data processing operations in accordance with the provisions of this Chapter, including ordering the correction, supplementation, deletion of personal data or the limitation of their processing under Art. 56;
- impose a temporary or definitive restriction, including prohibition, on the processing of data;
- provide opinions to the controller and to the processor of personal data in accordance with the prior consultation procedure under Art. 65;
- deliver opinions on its own initiative or upon request on draft acts and other legal instruments, as well as on administrative measures, related to the protection of personal data of natural persons;
- issue opinions on own initiative or on request on personal data protection issues.
(2) In addition to the powers under Para. 1, the Commission, respectively the Inspectorate exercises the powers under Art. 10a, Para. 2, p. 2, respectively under Art. 17a, Para. 2, p. 2.
(3) The Commission, respectively the Inspectorate, may appeal to the court for violations under this Chapter.
Art. 81. (New SG, 17/19) (1) The Commission or the Inspectorate shall cooperate with the respective supervisory authorities of the other Member States of the European Union, including through exchange of information and sending and executing requests for consultations, inspections and investigations. Requests should contain all the necessary information, including the purpose and the grounds for the request. The information exchanged shall be used only for the purposes, for which it was requested.
(2) The Commission or the Inspectorate shall take all necessary and appropriate measures to respond to the request of another supervisory authority, without undue delay and no later than one month after receiving the request.
(3) The Commission, respectively the Inspectorate may refuse a request under Para. 1, motivating its refusal, when:
- it is not competent in relation to the subject matter of the request or the measures it is requested to execute, or
- the execution of the request would violate the legislation of the Republic of Bulgaria or the law of the European Union.
(4) The Commission, respectively the Inspectorate, shall inform the requesting supervising body of the results or, as the case may be, of the progress of the measures taken in response to the request.
(5) The forms of cooperation and mutual assistance between the Commission, respectively the Inspectorate and the supervisory authorities of other Member States of the European Union, and the procedures, under which they are implemented shall be determined by the Rules under Art. 9, Para. 2, respectively with the Rules under Art. 55, Para. 8 of the Judiciary System Act.
Art. 82. (New, SG, 17/19) (1) In the event of violation of his rights under this Chapter, the data subject shall have the legal defense means and may claim responsibility for the damages, caused to him under Chapter Seven.
(2) In the cases under Art. 38, Para. 1 and Art. 38b, Para. 1 the Commission, respectively the Inspectorate, shall facilitate filing of a complaint by a data subject through providing a form.
Art. 83. (New SG, 17/19) (1) The data subject shall have the right to assign to a non-profit legal person, which has established general interest objectives and develops activity in the field of protection of the rights and freedoms of natural persons, in respect of the protection of their personal data, to file a complaint on its behalf and to exercise on its behalf the rights under Art. 38, Para. 1 and 6, Art. 38b, Para. 1, Art. 38c, Para. 4 and 5 and Art. 39, Para. 1.
(2) The data subject shall not assign to a person under Para. 1 to exercise his right to compensation under Art. 39, Para. 2.
Chapter nine.
COMPULSORY ADMINISTRATIVE MEASURES. ADMINISTRATIVE PENALTY PROVISIONS (NEW, SG 17/19)
Art. 84. (New, SG, 17/19) (1) The measures under Art. 58, Para. 2, letters (a) to (g) and (j) of Regulation (EU) 2016/679 and the measures under Art. 80, Para. 1, p. 3, 4 and 5 shall be compulsory administrative measures, within the meaning of the Administrative Violations and Penalties Act.
(2) The measures under Para. 1 shall be implemented by a decision of the Commission, respectively of the Inspectorate, which shall be subject to appeal under the procedure of the Administrative Procedure Code within 14 days of its receipt.
Art. 85. (New, SG, 17/19) (1) For violations under Art. 25c, the controller or the personal data processor shall be imposed a fine or proprietary sanction in the amounts under Art. 83, Para. 4 of Regulation (EU) 2016/679.
(2) (Amend. – SG 11/23, in force from 04.05.2023) For violations under Art. 12a, Para. 1, Art. 25d, Art. 25f, Para. 2, Art. 25g, Para. 1 and 2, Art. 25h, Para. 1 and 2, Art. 25i, Art. 25k and Art. 25n, the controller or the personal data processor shall be imposed a fine or proprietary sanction in the amounts under Art. 83, Para. 5 of Regulation (EU) 2016/679.
(3) For violations under Art. 45, Art. 49, Art. 51, Art. 53-56 and Art. 80, Para. 1, p. 1 and 2, the controller or the personal data processor shall be imposed a fine or proprietary sanction in the amounts under Art. 83, Para. 5 of Regulation (EU) 2016/679.
(4) For violations under Art. 59, Para. 3 and 4, Art. 62 and 64 – 70, the controller or the personal data processor shall be imposed a fine or a proprietary sanction in the amounts under Art. 83, Para. 4 of Regulation (EU) 2016/679.
(5) For non-fulfillment of an enforced decision under Art. 84, Para. 2, which has applied compulsory administrative measures under Art. 80, Para. 1, p. 4 and 5, the controller or the personal data processor shall be subject to a fine or proprietary sanction in the amounts under Art. 83, Para. 5 of Regulation (EU) 2016/679.
(6) (Amend. – SG 70/24[*]) The amounts of the administrative penalties, provided for in Para. 1-5, shall be determined according to the criteria indicated in Art. 83, Para. 2 of Regulation (EU) 2016/679.
(7) (New – SG 11/23, in force from 04.05.2023) For a violation under Para. 2, an enforced administrative measure under Art. 58, paragraph 2, letters “a” – “h” and “j” of Regulation (EU) 2016/679 may also, or instead, be imposed.
Art. 86. (New, SG, 17/19) (1) For other violations under this Act, a controller or personal data processor shall be liable to a fine or a proprietary sanction of up to BGN 5,000.
(2) For a repeated violation under Para. 1, a fine or a proprietary sanction of double the amount initially imposed shall be imposed.
Art. 87. (New, SG, 17/19) (1) Apart from the cases under Art. 38, Para. 1, the establishment of violations of Regulation (EU) 2016/679 or this Act, the issuance, appeal and enforcement of punitive decrees shall be carried out under the procedure of the Administrative Violations and Penalties Act.
(2) The acts for establishing the administrative violations shall be drawn up by a member of the Commission or by officials, authorized by the Commission, respectively by persons, authorized by an order of the Chief inspector.
(3) Penalty decrees shall be issued by the Chairman of the Commission, respectively by the Chief inspector or by inspectors authorized by him.
(4) The property sanctions and fines under the enacted decisions under Art. 38, Para. 3 and penal decrees shall be collected under the Tax-insurance Procedure Code.
(5) The amounts, collected from property sanctions and fines, imposed by the Commission shall come into the Commission’s budget.
(6) The collected amounts of property sanctions and fines imposed by the Inspectorate shall come into the budget of the judiciary.
Additional provisions
§ 1. (Amend. SG, 17/19) In the meaning of this Act:
- “Personal data” is the notion under Art. 4, p. 1 of Regulation (EU) 2016/679.
- “Controller”, with the exception of the controller under Chapter Eight, is the term under Art. 4, p. 7 of Regulation (EU) 2016/679.
- “Personal data processor” is the notion under Art. 4, p. 8 of Regulation (EU) 2016/679.
- “Processing” is the notion under Art. 4, p. 2 of Regulation (EU) 2016/679.
- “Restriction of processing” is the notion under Art. 4, p. 3 of Regulation (EU) 2016/679.
- “Profiling” is the notion under Art. 4, p. 4 of Regulation (EU) 2016/679.
- “Pseudonymisation” is the notion under Art. 4, p. 5 of Regulation (EU) 2016/679.
- “Filing system” is the term under Art. 4, p. 6 of Regulation (EU) 2016/679.
- “Recipient” is the term under Art. 4, p. 9 of Regulation (EU) 2016/679. A state or local authority, as well as a body whose main activity is related to the spending of public funds, that may receive personal data in the framework of a specific investigation in accordance with a specific act, shall not be considered as recipients within the meaning of Chapter Eight. Processing of personal data by those authorities or structures shall comply with the applicable data protection rules, according to the purpose of the processing.
- “Personal data breach” is the notion under Art. 4, p. 12 of Regulation (EU) 2016/679.
- “Genetic data” is the notion under Art. 4, p. 13 of Regulation (EU) 2016/679.
- “Biometric data” is the notion under Art. 4, p. 14 of Regulation (EU) 2016/679.
- “Health related data” is the notion under Art. 4, p. 15 of Regulation (EU) 2016/679.
- “International organization” means the concept under Art. 4, p. 26 of Regulation (EU) 2016/679.
- “Large-scale” is the monitoring and / or processing of personal data of a significant or unlimited number of data subjects or a volume of personal data, where the main activities of the controller, or processor of personal data, including the means of their execution, consist of such operations.
- “Risk” is the possibility of material or non-material damage, occurring to the data subject under certain conditions, assessed in terms of its severity and likelihood.
- “Public authority” is a state or local authority, as well as a structure, whose main activity is related to spending of public funds.
- “Deleting” is an irreversible deletion of the information on the relevant media.
- “Destruction” is the physical destruction of the material carrier of information.
- “Repeated” is the violation, committed within one year of the entry into force of the Commission’s decision or of the penalty decree, by which the offender is punished for the same type of offense.
§ 1a. (New, SG, 91/06, amend., SG, 17/19) This Act shall provide measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119/1 of 4 May 2016) and shall introduce the requirements of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of crimes, or the enforcement of penalties and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA (OJ L 119/89 of May 4, 2016).
Transitional and concluding provisions
§ 2. (1) Within one month from the enactment of this Act the Council of Ministers shall propose to the National Assembly the members of the Commission for Personal Data Protection.
(2) Within 14 days from the presentation of the proposal under para 1 the National Assembly shall elect the members of the Commission for Personal Data Protection.
(3) Within 3 months from its election the Commission for Personal Data Protection shall adopt and promulgate in the State Gazette the regulations under art. 9, para 2.
(4) Within one month from the enactment of the decision of the National Assembly under para 2 the Council of Ministers shall provide the necessary property and financial resources for the commencement of the work of the Commission.
§ 3. (1) Within 6 months from the enactment of the regulations under art. 9, para 2 the persons who, by the moment of entry into force of the Act, maintain registers of personal data, shall bring them in compliance with the requirements of the law and shall notify the Commission about that.
(2) The Commission shall carry out preliminary inspections, shall register or refuse to register as controllers persons who maintain registers by the moment of entry into force of the Act, as well as the registers kept by them within 3 months from the receipt of the application under para 1.
(3) The decisions of the Commission for refusal of registration shall be subject to appeal before the Supreme Administrative Court within 14 days.
(4) Upon the enactment of the decision of the Commission for refusal of registration or of the decision of the Supreme Administrative Court which confirms the refusal of the Commission the person who unlawfully keeps a register shall be obliged to destroy personal data contained in his register or, upon the consent of the Commission, to transfer them to another controller who has registered his register and processes personal data for the same purposes.
(5) The Commission shall exercise control over the fulfilment of the obligation under para 4.
(6) Within 3 months from the registration the controller under art. 3, para 1 shall be obliged to publish in the bulletin of the Commission for Personal Data Protection the information under art. 22, para 1.
§ 4. The following amendments are introduced to the Access to Public Information Act (SG 55/2000):
- In art. 2, para 3 the words “personal information” are replaced by “personal data”.
- In § 1, item 2 is amended as follows:
“2. “Personal data” are information for an individual disclosing his physical, psychological, mental, marital, economic, cultural or public identity.”
§ 5. The Act shall enter into force on January 1, 2000.
The Act was adopted by the 39th National Assembly on December 21, 2001 and was affixed with the official seal of the National Assembly.
Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE PROTECTION OF PERSONAL DATA ACT
(PROM. – SG 103/05; AMEND. – SG 91/06)
§ 50. The provision of § 38 regarding Art. 36, shall be applied until the Pre-accession Agreement of the Republic of Bulgaria with the European Union enters into force.
§ 51. (amend. – SG 91/06) The provisions of § 1 regarding Art. 1, Para 4, item 3, § 48, item 5 regarding item 14 of the additional provision shall enter into force from the date on which the Pre-accession Agreement of the Republic of Bulgaria with the European Union enters into force.
§ 52. Within a term of three months from the entry into force of the Act on the Commission for Personal Data Protection, the Ethics Code under Art. 10, Para 4 and the ordinance of Art. 23, Para 5 shall be adopted.
Transitional and concluding provisions
TO THE ADMINISTRATIVE PROCEDURE CODE
(PROM. SG 30/06, IN FORCE FROM 12.07.2006)
§ 142. The code shall enter into force three months after its promulgation in State Gazette, with the exception of:
- division three, § 2, item 1 and § 2, item 2 with regards to the repeal of chapter third, section II “Appeal by court order”, § 9, item 1 and 2, § 15 and § 44, item 1 and 2, § 51, item 1, § 53, item 1, § 61, item 1, § 66, item 3, § 76, items 1, 3, § 78, § 79, § 83, item 1, § 84, item 1 and 2, § 89, items 1 – 4, § 101, item 1, § 102, item 1, § 107, § 117, items 1 and 2, § 125, § 128, items 1 and 2, § 132, item 2 and § 136, item 1, as well as § 34, § 35, item 2, § 43, item 2, § 62, item 1, § 66, items 2 and 4, § 97, item 2 and § 125, item 1 with regard to the replacement of the word “the regional” with the “administrative” and the replacement of the word “the Sofia City Court” with “the Administrative court – Sofia”, which shall enter into force from the 1st of May 2007;
- paragraph 120, which shall enter into force from the 1st of January 2007;
- paragraph 3, which shall enter into force from the day of the promulgation of the code in State Gazette.
Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE PERSONAL DATA PROTECTION ACT
(PROM. – SG 91/06)
§ 31. The provision of Paragraph 6 regarding Art. 6, Para 2 shall enter into force from 1 January 2007.
§ 32. The Commission for Personal Data Protection shall adopt the instruction referred to in Art. 12, Para 9 within a term of two months from the entrance into force of this Act.
§ 33. Within a term of three months from the entrance into force of this Act the controllers subject to registration shall submit an application for registration.
Transitional and concluding provisions
TO THE NATIONAL ARCHIVE FUND ACT
(PROM. – SG 57/07, IN FORCE FROM 13.07.2007)
§ 23. The Act shall enter into force from the day of its promulgation in the State Gazette.
Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE ACT ON PREVENTION AND FINDINGS OF CONFLICT OF INTERESTS
(PROM. – SG 97/10, IN FORCE FROM 10.12.2010)
§ 61. The Act shall enter into force from the day of its promulgation in the State Gazette except:
- paragraph 11 regarding Art. 22a to 22e, which shall enter into force from 1 January 2011;
- paragraphs 7, 8, 9 § 11 regarding Art. 22f to 22i and § 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 and 23, which shall enter into force from 1 April 2011.
Additional provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE PERSONAL DATA ACT
(PROM. – SG 81/11)
§ 15. This Act shall implement the requirements of Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350/60 of 30 December 2008).
Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE ELECTRONIC COMMUNICATIONS ACT
(PROM. – SG 105/11, IN FORCE FROM 29.12.2011)
§ 220. This Act shall enter into force from the date of its promulgation in the State Gazette.
Transitional and concluding provisions
TO THE PUBLIC FINANCE ACT
(PROM. SG 15/13, IN FORCE FROM 01.01.2014)
§ 123. This Act shall enter into force on 1 January 2014 with the exception of § 115, which enters into force on January 1, 2013, and § 18, § 114, § 120, § 121 and § 122, which came into force on 1 February 2013.
Transitional and concluding provisions
TO THE ACT AMENDING AND SUPPLEMENTING THE MINISTRY OF INTERIOR ACT
(PROM. – SG 81/16, IN FORCE FROM 01.01.2017)
§ 102. This Act shall enter into force on January 1, 2017, except for:
- paragraphs 6-8, § 12, items 1, 2 and 4, § 13, § 14, § 18-20, § 23, § 26-31, § 32, items 1 and 4, § 33-39, § 41-48, § 49 on Art. 187, para. 3, first sentence, § 50-59, § 61-65, § 81-85, § 86, item 4 and 5, § 87, item 3, § 90, item 1, § 91, item 2 and 3, § 92, § 93 and § 97-101, which shall enter into force from the day of the Act’s promulgation in the State Gazette.
- paragraph 32, item 2 and 3, § 49 on Art. 187, para. 3, new second sentence, § 69-72, § 76 concerning persons under § 70, § 78 with respect to employees under § 69 and § 70, § 79 regarding employees under § 69 and § 70, § 91, item 1 and § 94, which shall enter into force on February 1, 2017.
Transitional and concluding provisions
TO THE ACT AMENDING AND SUPPLEMENTING THE ACT ON LIMITATION OF THE ADMINISTRATIVE REGULATION AND THE ADMINISTRATIVE CONTROL OVER THE BUSINESS ACTIVITY
(PROM. – SG 103/17, IN FORCE FROM 01.01.2018)
§ 68. The Act shall enter into force on 01 January 2018.
Transitional and concluding provisions
TO THE ACT AMENDING AND SUPPLEMENTING THE PERSONAL DATA PROTECTION ACT
(PROM. SG, 17/19)
§ 44. (1) Procedures for violations of the Act, which have been formed before 25 May 2018 and which have not been completed before the enactment of this Act, shall be completed according to the current procedure.
(2) For violations of the Act and of Regulation (EU) 2016/679, committed prior to the entry into force of this Act, the deadline for referral of the Commission under Art. 38 is one year from the knowledge of the violation, but no later than 5 years from the time it was committed.
§ 45. The automated processing systems, used by the competent authorities under Art. 42, Para. 4, for the purposes of the prevention, investigation, detection or prosecution of crimes, or the execution of penalties, including the prevention of threats to public order and security and their prevention, established before 6 May 2016, shall be brought into line with Art. 63, Para. 1 and 2 by 6 May 2023.
…………………………………………………
§ 120. Within one year of the entry into force of this Act, the Personal Data Protection Commission shall adopt the Ordinances under Art. 14, Para. 5 and 6 and under Art. 14a, Para. 3.
Concluding provisions
TO THE WHISTLEBLOWERS’ PROTECTION ACT
(PROM. – SG 11/23, IN FORCE FROM 01.07.2024)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
§ 7. The Commission for Personal Data Protection shall give instructions on the application of the act to all obliged entities, and shall supervise them implementing the act’s provisions.
§ 8. Within a period of three months from the promulgation of this act in the State Gazette, the Commission for Personal Data Protection shall bring its rules of procedure into line with it.
§ 9. Within 6 months of the promulgation of this act in the State Gazette, the Commission for Personal Data Protection shall adopt the ordinance under Art. 19, Para. 1, item 3 and the instructions to the obliged entities under Art. 12, Para. 1, shall develop a register for reports and a template form for a report, which are made available free of charge for use by all obliged entities.
§ 10. The act shall enter into force three months after its promulgation in the State Gazette, whereby Chapter Two, Section I with Art. 12 – 18 apply in relation to employers in the private sector who have between 50 and 249 workers or employees, from 17 December 2023 onwards.
Transitional and concluding provisions
TO THE COUNTERACTING THE CORRUPTION ACT
(PROM. SG, 83/23, IN FORCE FROM 06.10.2023)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
§ 79. The Act enters into force on the day of its promulgation in the State Gazette, with the exception of § 9, which enters into force on March 1, 2024.
Transitional and concluding provisions
TO THE ACT ON ADOPTING THE EURO IN THE REPUBLIC OF BULGARIA
(PROM. – SG 70 OF 2024)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
§ 5. (1) [*] Current legal acts, which regulate obligations to pay fees, sanctions, fines and other public obligations to the state and municipalities in Bulgarian levs, continue to be applied in accordance with the rules for currency conversion provided for in this Act.
(2) When the monetary amount in BGN is specified in a law or in a normative act as a result of the introduction into the Bulgarian legislation of a legal act of the European Union, in which a corresponding amount in euros is explicitly stated, upon amendment of the law, respectively of the normative act, the amount in euros of the legal act of the European Union shall be indicated.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
§ 60. Paragraph 5, Para. 1, § 8 – 36, § 37, items 1 – 12 and 14 – 20 and § 38 – 59 shall enter into force from the date specified in the Decision of the Council of the European Union on the adoption of the Euro by the Republic of Bulgaria, adopted in accordance with Art. 140, paragraph 2 of the Treaty on the Functioning of the European Union and Regulation of the Council of the European Union, adopted in accordance with Art. 140, paragraph 3 of the Treaty on the Functioning of the European Union.