Notification of a personal data breach to the supervisory authority under Art. 33 of Regulation (EU) 2016/679
In accordance with Art. 33 of Regulation (EU) 2016/679 on notifying the supervisory authority of a personal data breach, the Data Controller (DC) should submit a Notification of personal data breach to the Commission for Personal Data Protection (CPDP) without undue delay and no later than 72 hours after becoming aware of the breach. The DC is obliged to inform the CPDP of any change in the circumstances or data stated in the Notification.
With regard to the content of the notification, the requirements of Art. 33 (3) of Regulation (EU) 2016/679 should be complied with. For additional methodological clarifications, we recommend the use of the “Guidelines on Personal data breach notification under Regulation 2016/679” of the Article 29 Working Party, adopted on 3 October 2017, last revised and adopted on 6 February 2018 (WP250, rev.01), subsequently confirmed by the European Data Protection Board on 25 May 2018. The guidelines are published on the CPDP website here.
Information material on the actions of data controllers in the event of a data breach, one of which is the submission of a notification, is published here.
Ways to submit:
The relevant information provided by the Data Controller/Data Processor must be translated into Bulgarian and shall be submitted in any of the following ways:
1. In person at the CPDP's Registry, or by sending a letter to the following address: Sofia 1592, 2 Prof. Tsvetan Lazarov blvd., Commission for Personal Data Protection. In this case, a filled-in, signed and stamped paper notification should be submitted.
2. By email to the CPDP's email address. In this case, the notification should be signed with a qualified electronic signature.
3. Through the Secure Electronic Delivery System, maintained by the Ministry of e-Government. In this case, the notification has to be filled in and the file has to be sent through this system.