Home » Legislation » Law for Protection of Personal Data

Law for Protection of Personal Data

 

Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend. SG. 93/19 Oct 2004, amend. SG. 43/20 May 2005, amend. SG. 103/23 Dec 2005, amend. SG. 30/11 Apr 2006, amend. SG. 91/10 Nov 2006, amend. SG. 57/13 Jul 2007, amend. SG. 42/5 Jun 2009, amend. SG. 94/30 Nov 2010, amend. SG. 97/10 Dec 2010, amend. SG. 39/20 May 2011, amend. SG. 81/18 Oct 2011, amend. SG. 105/29 Dec 2011, amend. SG. 15/15 Feb 2013, suppl. SG. 81/14 Oct 2016, amend. SG. 85/24 Oct 2017, suppl. SG. 103/28 Dec 2017, amend. SG. 7/19 Jan 2018

  

Chapter one.
GENERAL
 
Art. 1. (amend. - SG 103/05) (1) This Act shall regulate the protection of the rights of natural persons with regard to processing of their personal data.
(2) The objective of the Act is to guarantee the inviolability of the individual and the personal life by providing protection of the individuals in illegal processing of personal data related to them in the process of free movement of the data.
(3) (new - SG 91/06) This Act shall be applied to processing of personal data by:
1. automatic means;
2. non-automatic means provided that the data constitutes or is intended to constitute part of a register.
(4) (prev. text of para 03, amend. - SG 91/06) This Act shall be applied to processing of personal data where the administrator of personal data:
1. (amend. - SG 91/06) is settled on the territory of the Republic of Bulgaria and processes personal data in relation to his activity;
2. (amend. - SG 91/06) is not settled on the territory of the Republic of Bulgaria, but is obliged to apply this Act on the grounds of the international public law;
3. (in force from 01.01.2007; amend. - SG 91/06) is not settled on the territory of a Member State of the European Union, as well as in another state – member of the European Economic Area, but for the purposes of the processing uses means, located on the Bulgarian territory, except these means are used for transit purposes only; in this case the administrator shall point a representative, settled on the territory of the Republic of Bulgaria, without discharging him/her this way from liability.
(5) (prev. text of para 04, amend. - SG 91/06; amend. - SG 81/11) Unless otherwise provided for in a special Act, this Act shall be applied also to the processing of personal data for the needs of:
1. the state defence,
2. the national security;
3. the protection of the public order and prevention of crime;
4. the penal proceedings;
5. the enforcement of penalties.
(6) (new - SG 81/11) Where by virtue of police or judicial cooperation data under Para 5, Items 3, 4 and 5 has been received or made available by a Member State of the European Union, or authorities or information systems established pursuant to the Treaty Establishing the European Union and the Agreement on the Functioning of the European Union, it shall be processed under the conditions and order of this Act.
(7) (new - SG 81/11) Processing of data under Para 5 shall be performed under control by the respective state body.
(8) (prev. text of para 05 - SG 91/06; prev. text of Para 06 - SG 81/11) The terms and procedure for the procession of unified civil number and other identification numbers of general application shall be settled by special laws.
(9) (prev. text of para 06 - SG 91/06; suppl. – SG 57/07, in force from 13.07.2007; prev. text of Para 07 - SG 81/11) This Act shall not be applied for the procession of personal data, performed by natural persons for their personal or household needs, neither for information, being kept in the National archive fund.
 
 
Art. 2. (suppl., - SG 70/04; amend. - SG 103/05) (1) (amend. - SG 91/06) Personal data shall be any information related to a natural person, who is identified or may be identified directly or indirectly by an identification number or though one or more specific indices.
(2) The personal data shall be:
1. processes lawfully and in good faith;
2. (suppl. - SG 81/11) collected for concrete, precisely defined and lawful purposes and shall not be processed additionally in a manner incompatible with these purposed; the additional processing of the personal data for historical, statistic or scientific purposes shall be admissible under the condition that the administrator provides appropriate protection guaranteeing that the data will not be processed for other purposes except the cases explicitly provided for in this Act;
3. (amend. - SG 91/06) proportional, related to and non-exceeding the purposes, which they are processed for;
4. precise and in case of necessity to be updated;
5. deleted or corrected where is found that they are incorrect or not proportional with regard to the purposes for which they are processed;
6. maintained in a status, which allows identification of the respective natural persons for a period not longer for the purposes, for which these data is processed; the personal data, which is kept for a longer period for historical, statistic or scientific purposes, shall be kept in a status, not allowing identification of the natural persons.
(3) (new - SG 81/11) Personal data obtained under Art. 1, Para 6 may be additionally processed for purposes other than those they are collected for, where all of the following conditions have been met:
1. the said processing is compatible with the purposes for which the data was collected;
2. there are valid legal grounds for processing the data for the said other purposes;
3. the processing meets the requirements of Para 2.
(4) (new - SG 81/11) Any administrator that has obtained data under Art. 1, Para 6 shall notify the natural person they concern of any additional processing under Para 3, except in the cases under Art. 36e, Para 2 or where otherwise provided for in a special Act.
 
 
Art. 3. (1) (amend. – SG 103/05; amend. - SG 91/06) Administrator of personal data, referred hereinafter as "administrator", shall be is a natural or legal person, as well as a body of state power or local government, that independently or jointly with another person determines the purposes and means of processing personal data.
(2) (new – SG 103/05; amend. - SG 91/06) Administrator shall also be a natural person or a legal person, as well a body of state power or local government processing personal data the type, the purposes and means of processing of which are determined by a law. In such cases the administrator or the specific criteria of his appointment shall be normatively specified.
(3) (prev. text of Para 2 – SG 103/05) The administrator of personal data shall process the personal data independently or through assignment to a processor of the data.
(4) (new - SG 103/05) The administrator shall provide the observation of the requirements of Art. 2, Para 2.
 
 
Art. 4. (amend. – SG 103/05) (1) The processing of personal data shall be admissible only in the cases, where at least one of the following conditions exist:
1. the procession is needed for execution of a settled by law obligation of the administrator of the personal data;
2. the natural person to whom the data refers has given explicitly his/her consent;
3. (amend. - SG 91/06) the processing is needed for performance of obligations of a contract in which the natural person to whom the data refers is a party as well as for actions preceding the conclusion of a contract and undertaken at his request;
4. the processing is needed to protect the live and health of the natural person to whom the data refers;
5. the procession is needed for fulfillment of a task which is performed in the interest of the public;
6. the processing is needed for exercising of powers assigned by a law to the administrator or to a third person, to whom the data is disclosed;
7. the procession is needed for realization of the legal interests of the administrator of personal data and of a third person, to whom the data is disclosed, except in case the interests of the natural person, whom the data refers to, prevail.
(2) Procession of personal data shall also be admissible in the cases where it is performed only for the purposes of journalistic, literature or artistic expression, as far as this procession does not violate the right of private live of the person whom the data refers to. In these cases the provisions of Chapter Five shall not be applied.
 
 
Art. 5. (amend. – SG 103/05) (1) Prohibited shall be the processing of personal data, which:
1. disclose racial or ethnical origin;
2. disclose political, religious or philosophical convictions, membership in political parties or organizations, associations of religious, philosophical, political or trade-union purposes;
3. are related to the health, sexual live or the human genome;
(2) Para 1 shall not be applied, if:
1. the procession is needed for the purposes of the execution of specific rights and obligations of the administrator in the field of the labour legislation;
2. (suppl. - SG 91/06) the natural person whom the data refers to has explicitly given his/her consent for their procession, except in a special Act provided otherwise;
3. the procession is needed for the protection of live and health of the natural person whom the data refers to, or to another person and the status of the natural person does not allow to give consent or legal obstacles exist for this;
4. the procession is performed by a non-profit organization, including religious, philosophical, political or trade-union purpose, within its lawful activity and with appropriate protection, under the condition that:
a) the procession is connected only with the members of this organization or with persons, who maintain regular contacts with it in relation to its purposes;
b) the data is nor disclosed to third persons without the consent of the natural person whom the data refers to;
5. the processing is related to data, publicly announced by the natural person or this is needed for the finding, exercising and the protection of rights under court procedure;
6. the processing is needed for the purposes of the preventive medicine; the medical diagnostics, the providing and management of medical services, under the condition that the data is processed by a medical expert, obliged by an Act to keep the professional secret or by another person, bound with a similar obligation to keep secret;
7. the processing is performed only for the purposes of journalistic, literature or artistic expression, as far as this procession does not violate the right of private live of the person whom the data refers to.
  

Chapter two.
COMMISSION FOR PROTECTION OF THE PERSONAL DATA
 
Art. 6. (1) The Commission for protection of the personal data, called hereinafter "the commission" is an independent state body carrying out protection of the individuals in processing their personal data and in providing the access to these data, as well as the control over the observance of this Act.
(2) (new – SG 94/10) The Commission shall assist the implementation of the state policy in the field of protection of personal data
(3) (suppl. - SG 91/06, in force from 01.01.2007; prev. text of Para 02 – SG 94/10; amend. SG 15/13, in force from 01.01.2014) The commission shall be a legal person at budget support and headquarters in Sofia and shall be a first level budget administrator.
 
 
Art. 7. (1) The commission is a college body and consists of a chairman and 4 members.
(2) (amend. - SG 91/06) The members of the commission and its chairman shall be elected by the National Assembly upon proposal of the Council of Ministers for a period of 5 years and they can be re-elected for another mandate.
(3) The chairman and the members of the commission shall carry out their activity under legal terms of employment.
(4) (new - SG 91/06) The members of the Commission shall receive basic monthly salary equal to 2,5 average monthly working salaries of the persons employed under employment or official relationship in the public sector according to data of the National Statistical Institute. The basic monthly salary shall be recalculated each quarter taking into consideration the average monthly working salary for the last month of the preceding quarter.
(5) (new - SG 91/06) The Chairman of the Commission shall receive monthly salary exceeding by 30 percent the basic monthly salary referred to in Para 4.
(6) (amend. – SG 103/05; prev. text of para 04 - SG 91/06) The commission, by January 31 every year, shall present an annual report on its activity to the National Assembly.
 
 
Art. 8. (1) As members of the commission can be elected Bulgarian citizens who:
1. have higher education on informatics, law or who are masters on information technologies;
2. have time of service on the speciality no less than 10 years;
3. (amend. – SG 103/05) have not been convicted to imprisonment for deliberate indictable offences, not depending on if they have been rehabilitated;
(2) Members of the commission cannot be:
1. (amend. – SG 103/05) persons who are sole entrepreneurs, managers/procurators or members of managing or control bodies of trade companies, co-operations or administrators of personal data in the meaning of this Act;
2. persons who occupy another paid position except when they practice scientific or lecturing activity;
3. (new – SG 42/09) persons who are souses or in factual cohabitation, relatives of direct lineage, of peripheral lineage of up to fourth degree or a relative-in-law – up to second degree inclusive, with another member of the commission.
(3) Elected as chairman of the commission shall be a qualified lawyer who meets the requirements of para 1 and 2.
(4) The mandate of the chairman or of a member of the commission shall be terminated ahead of term:
1. for reason of death or placing under judicial disability;
2. by a decision of the National Assembly when:
a) he has filed for release;
b) he has committed a gross infringement of this Act;
c) he has committed a deliberate indictable offence for which a conviction has been enforced;
d) existing inability to fulfil his obligations for a period longer than six months;
e) (new – SG 42/09; amend. – SG 97/10, in force from 10.12.2010, amend. - SG 7/18) if a conflict of interest has been found by an act that has come into effect pursuant to the Act on Counteracting Corruption and on Seizure of Illegally Acquired Property.
(5) (amend. and suppl. – SG 103/05) In the cases under para 3 the Council of Ministers shall propose to the National Assembly to elect a new member for the period until the end of the initial mandate of the respective member of the commission.
(6) The time during which the person has worked as chairman or a member of the commission shall be acknowledged as official time of service according to the Civil Servants Act.
(7) (new - SG 103/17, in force from 01.01.2018) The circumstances under par. 1, item 3 shall be established ex officio by the body making the proposal.
 
 
Art. 9. (1) The commission is a permanently functioning body assisted by an administration.
(2) The commission shall settle by regulations its activity and the activity of its administration and shall promulgate it in the State Gazette.
(3) The decisions of the commission shall be taken by a majority of the total number of its members.
(4) The meetings of the commission shall be open. The commission can decide individual meetings to be closed.
 
 
Art. 10. (1) The commission shall:
1. analyse and exercise an overall control over the observance of the normative acts in the sphere of protection of the personal data;
2. (suppl. – SG 103/05) keep register of the administrators of personal data and of the kept by them registers of personal data;
3. carry out inspections of the administrators of personal data in connection with its activity under item 1;
4. express opinion and give permits in the cases stipulated by this Act;
5. issue obligatory prescriptions for the administrators in connection with the protection of the personal data;
6. impose, upon prior notice, temporary prohibition of processing personal data which violates the norms of protection of the personal data;
7. (amend. – SG 103/05) consider claims against acts and actions of the administrators by which the rights of the natural persons are violated under this Act, as well as of appeals of third persons in connection with their rights according to this Act;
8. (amend. – SG 103/05) participate in the working out and obligatory give statements on drafts acts and secondary legislation acts in the field of the protection of personal data.
9. (new - SG 81/11) issue acts of secondary legislation in the field of personal data protection;
10. (new – SG 103/05, in force from 01.01.2007; prev. text of Item 09 - SG 81/11) provide the application of the decisions of the European Commission in the field of the protection of the personal data.
11. (new – SG 94/10; prev. text of Item 10 - SG 81/11) participate in the activities of international organisations in the field of personal data protection;
12. (new – SG 94/10; prev. text of Item 11 - SG 81/11) participate in the negotiations and conclusion of bilateral or multilateral agreements in the field of its competency;
13. (new – SG 94/10; prev. text of Item 09 - SG 81/11) organise and coordinate the training of personal data administrators in the field of personal data protection;
14. (new – SG 105/11, in force from 29.12.2011) issue general and normative administrative acts within its competences, where provided for in an Act.
(2) (amend. – SG 103/05) The order of keeping the register under Para 1, item 2 for notifying the commission for giving permits and expressing opinions. for considering the complaints, as well as for issuance of obligatory prescriptions and imposing temporary prohibition of processing personal data shall be determined by the regulations under art. 9, para 2.
(3) (suppl. – SG 103/05; amend. - SG 91/06) The Commission shall issue a bulletin publishing information for its activity and for the taken decisions. The report of Art. 7, Para 6 shall be published in the bulletin.
(4) (new – SG 103/05; amend. - SG 91/06) The Commission shall coordinate according to branches and fields of activity the codes of ethics of behaviour of the administrators of personal data referred to in Art. 22a and upon finding incompliance with the normative order shall issue normative instructions.
 
 
Art. 11. The chairman of the commission shall:
1. organise and manage the activity of the commission according to the law and the decisions of the commission and shall be responsible for the fulfilment of its obligations;
2. represent the commission before third persons;
3. (suppl. – SG 103/05; amend. - SG 81/11) appoint and release the civil servants and conclude and terminate the employment contracts of the employees working under legal terms of employment in the administration.
4. (new – SG 103/05) issue penal decrees under Art. 43, Para 2.
 
 
Art. 12. (amend. - SG 91/06) (1) The chairman and the members of the commission or persons from the administration authorised by it shall carry out control by preliminary, current and subsequent inspections for observation of this Act.
(2) Preliminary inspection shall be performed in the cases referred to in Art. 17b.
(3) Current inspections shall be performed upon request of interested persons, as well as by the initiative of the commission, on the grounds of a monthly plan for control activity adopted by it.
(4) Subsequent inspections shall be performed for performance of a decision or a compulsory instruction of the Commission as well as under its initiative upon submitted notification.
(5) The inspecting persons shall legitimate themselves by an official’s card and order by the chairman of the commission for the respective inspection.
(6) At carrying out inspections, the persons of Para 1 may assign performance of expertises under the procedure of the Civil Procedure Code.
(7) The inspection shall end by an act of findings.
(8) In the cases where with the act referred to in Para 7 an offence was found, the act of findings shall be considered to be an act of finding administrative offence in the sense of the Administrative Violations and Penalties Act.
(9) The conditions and the order of performing the control shall be determined by an Instruction of the Commission.
 
 
Art. 13. (1) (amend. - SG 103/05) The chairman and the members of the commission and the employees of its administration shall be obliged not to make public and not to use for their or somebody’s else benefit the information representing a secret protected by law for the administrators of personal data which has become known to them in fulfilment of their activity, till the elapse of the period pf its protection.
(2) In taking office persons under Para 1 shall file declarations for their obligations under para 1 and 2.
 
 
Art. 14. (amend. - SG 103/05) (1) In the register under Art. 10, para 1, item 2 shall inscribed the d under Art. 18, Para 2.
(2) The inscription in the register under Art. 10, Para 1, item 2 shall be certified by identification number.
(3) The register under para 1 shall be public
 
 
Art. 15. (revoked – SG 103/05)
 
 
Art. 16. (amend. - SG 103/05; revoked – SG 91/06)
  

Chapter three.
OBLIGATIONS OF THE ADMINISTRATOR OF PERSONAL DATA (TITLE AMEND. – SG 103/05)
 
Art. 17. (amend. - SG 103/05; amend. - SG 91/06) (1) The administrator of personal data shall be obliged to submit an application for registration before starting to process personal data.
(2) Within a term of 14 days from submission of the application the Commission shall enter the administrator of personal data in the register referred to in Art. 10, Para 1, Item 2.
(3) The administrator may start processing of the data after submission of the application for registration.
(4) (new - SG 81/11) Before discontinuing the processing of personal data the administrator shall file an application for his removal from the register under Art. 10, Para 1, Item 2.
(5) (new - SG 81/11) With the application referred to in Para 4 the administrator shall also file with the Commission evidence about performing his obligations under Art. 25, Para 1.
(6) (new - SG 81/11) The conditions and order for removal of the administrator from the register under Art. 10, Para 1, Item 2 shall be set out in the regulations under Art. 9, Para 2.
 
 
Art. 17a. (new - SG 91/06) (1) Application for registration shall not be submitted if the administrator:
1. keeps a register which according to a normative act is intended to provide public information and:
a) the access to it is free or
b) access to it has any person of legal interest;
2. processes data in the cases referred to in Art. 5, Para 2, Item 4.
(2) The Commission may exempt form obligation for registration also administrators processing data besides those referred to in Para 1, provided that the processing does not endanger on the rights and the legal interests of the persons whose data is being processed.
(3) The conditions and the order of exemption under Para 2 shall be established by the Regulation referred to in Art. 9, Para 2 and the Commission shall determine the criteria in compliance with:
1. the purposes of processing personal data;
2. the personal data or the categories personal data subject to processing;
3. the categories natural persons whose data is being processed;
4. the recipients or the categories recipients to whom the personal data may be revealed;
5. the term of storage of the data.
 
 
Art. 17b. (new - SG 91/06) (1) Where the administrator has applied for processing of data under Art. 5, Para 1 or data processing of which according to a Decision of the Commission endangers the rights and the legal interests of natural persons, the Commission shall obligatorily perform a preliminary inspection before entering into the register referred to in Art. 10, Para 1, Item 2.
(2) The preliminary inspection shall be performed within a term of two months from submission of the application for registration referred to in Art. 17, Para 1.
(3) After the end of the preliminary inspection the Commission shall:
1. enter the administrator of personal data into the register;
2. give compulsory instructions concerning the conditions of processing of personal data and keeping a register of personal data;
3. reject the entrance.
(4) The administrator may not start processing of personal data before being entered into the register under Art. 10, Para 1, Item 2 or before performing the compulsory instructions of the Commission.
(5) The absence of pronouncement by the Commission within the term referred to in Para 2 shall be considered tacit refusal to enter the administrator into the register.
(6) The dispositive part of the Decision referred to in Para 1 shall be promulgated in the State Gazette.
 
 
Art. 18. (amend. – SG 103/05) (1) (amend. - SG 91/06) The administrator or a representative of the administrator shall submit application for registration under Art. 17, Para 1 and documents as per form, approved by the commission.
(2) The application shall contain:
1. the data identifying the administrator of personal data and his/her representative, if such exists;
2. the purposes of the personal data processing;
3. the categories natural persons whose data is processed and the categories of personal data related to them;
4. the receivers or the categories of receivers, to whom the personal data can be disclosed;
5. offered providing of personal data in other countries;
6. the general description of the measures, undertaken as per Art. 23, allowing to make out a preliminary assessment of their expedience;
(3) The administrator shall notify the commission about each change in the data under Para 2 before its execution. In the cases where such change is provided by a law, the notification shall be performed within 7-days term from the entering in force of the relevant law.
(4) In the cases where the administrator is not inscribed in the register under Art. 10, Para 1, item 2 he/she shall be obliged to provide the data under Para 2 to every person upon request.
(5) (new - SG 81/11) The administrator shall file the application under Art. 17, Para 1 on paper or electronically. Where the application is filed electronically, the Electronic Government Act shall apply.
 
 
Art. 19. (suppl. SG 92/04; amend. - SG 103/05) (1) (amend. - SG 91/06) In the cases where the personal data is collected by the person they refer to, the administrator or his representative shall provide to him/her:
1. the data which identifies the administrator and his/her representative.
2. the purpose and the resources for their processing;
3. the recipients or the categories of recipients to whom the data can be submitted and the sphere of their using;
4. the obligatory or voluntary nature of submission of the data and the consequences from a refusal of submission;
5. the right to access and to correction of the gathered data,
(2) The information under para 1 shall not be provided, if the natural person the data refers to, already has it or an Act provides for explicit prohibition to provide it.
 
 
Art. 20. (amend. - SG 103/05) (1) (amend. - SG 91/06) Where the personal data is not obtained from the natural person whom they refer to, the administrator or a representative of the administrator shall provide to him:
1 the data which identifies the administrator and his/her representative.
2. the purpose and the resources for their processing;
3. the recipients or the categories of recipients to whom the data can be submitted and the sphere of their using;
4. the obligatory or voluntary nature of submission of the data and the consequences from a refusal of submission;
5. the right to access and to correction of the gathered data,
(2) The data under Art. 1 shall be provided to the person whom they refer to, at the moment of its inscription in the respective register, or if the disclosure of the data is provided to a third person – not later than the moment of the disclosure for the first time.
(3) Para 1 shall not be applied if:
1. the processing is for statistical, historical or scientific purpose and providing the data under Para 1 is impossible or requires excessive efforts;
2. the inscription or disclosure of data are explicitly stipulated by law;
3. the natural person whom the data refers has already the information under Para 1;
4. an explicit prohibition exists in this Act.
 
 
Art. 21. (amend. - SG 103/05) (1) (amend. - SG 91/06) The information under Art. 19, Para 1, Items 3 – 5, Art 20, Para 1, Items 3 – 5 as well as any other information connected with the processing of the data, shall be provided after assessment of the necessity of the providing the data in order to guarantee the fair processing of the data with regard to the natural person, whom it refers to.
(2) The assessment under Para 1 shall be performed by the administrator about each concrete case.
 
 
Art. 22 (amend. - SG 103/05) (1) The administrator of personal data shall be obliged to provide access of the persons under Art. 12, Para 1 to the kept by him/her registers and to embarrass the control over the process of processing of personal data.
(2) The administrator of personal data shall be obliged to provide to the persons under Art. 12, Para 1 the required information in oral or in written, or on other information carriers.
(3) (new - SG 91/06) The presence of commercial, production or other secret protected by the Law may not be a reason for refusal of cooperation by the administrator.
(4) (prev. text of para 03 - SG 91/06) Where the information contains data, presenting classified information, the Protection of Classified Information Act shall be applied.
(5) (prev. text of para 04 - SG 91/06) All persons, who process personal data shall be obliged to provide assistance to the commission at exercising of its powers.
 
 
Art. 22a. (new - SG 91/06) (1) The administrators in branches and fields of activity may prepare codes of ethics for behaviour taking into consideration the specifics of their activity and the rules of the moral and the good mores.
(2) The codes of ethics may be presented before the Commission for coordination before being adopted by the administrators.
  

Chapter four.
PROTECTION OF THE PERSONAL DATA
 
Art. 23. (amend. - SG 103/05) (1) (suppl. - SG 81/11) The administrator of personal data shall undertake the necessary technical and organisational measures for the protection of the data against accidental or illegal destruction or accidental loss, unlawful access, change or dissemination, as well as against other illegal forms of processing. The administrator of personal data shall determine the time limits for carrying out periodical assessment of the need of data processing and deletion of personal data.
(2) The administrator shall undertake special measures for protection when the processing includes transmitting of the data by electronic way.
(3) The measures under Para 1 and 2 shall be coordinated with the contemporary technological achievements and shall provide a level of protection, which is relevant to the risks, connected with the processing and to the nature of the data which shall be protected.
(4) (suppl. - SG 81/11) The measures and time limits under Para 1 and 2 shall be determined by instruction of the administrator of personal data.
(5) The commission shall determine by an ordinance the minimal necessary level of technical and organisational measures, as well as the admissible type of protection. The ordinance shall be promulgated in the State Gazette.
 
 
Art. 23a. (new - SG 81/11) (1) When processing personal data received under Art. 1, Para 6, the administrator shall block the stored data in order to restrict its future processing instead of deleting it, where there are sufficient grounds to conclude that its deletion may affect the legitimate interests of the natural person concerned by the data.
(2) The blocked data shall be processed only for the purpose of its collection.
 
 
Art. 23b. (new - SG 81/11) (1) Where the data received under Art. 1, Para 6 was not requested by the administrator, he shall immediately check if it is required for the purpose of their provision.
(2) Where the administrator providing data under Art. 1, Para 6 finds that its inaccurate or its provision was unlawful, he shall immediately notify the data recipient thereof.
(3) Any administrator who has received data under Art. 1, Para 6, which is inaccurate or unlawfully obtained, and was notified thereof by the data provider, shall be obliged to take immediate actions for their correction, removal or blocking.
(4) Where the person to whom the data under Art. 1, Para 6 relates contests its accuracy and their accuracy cannot be checked, the administrator may note it as contested, which shall not prevent its future processing.
 
 
Art. 24. (1) (amend. - SG 103/05) The administrator can process the data independently or through assignment to a person processing the data. When organisational reasons require the processing can be assigned to more than one person processing the data, including for the purpose of differentiating their concrete obligations.
(2) In the cases when the processing of the data is not carried out by the administrator he shall be obliged to appoint a person processing the data and to provide enough guarantees for their protection.
(3) (revoked – SG 103/05)
(4) (amend. - SG 103/05 ) The relations between the administrator and the person processing personal data shall be settled by a normative act, written contract or another act of the administrator, in which the volume of obligations assigned by the administrator shall be determined.
(5) (amend. - SG 103/05 ) For damaging third persons by actions or inactions of the person processing personal data, the administrator shall bear jointly liability.
(6) (amend. - SG 103/05 ) The person processing personal data as well as every person acting under the ruling of the administrator or the processing person, who has access to personal data may process the data only under instruction of the administrator, except otherwise provided by law.
 
 
Art. 25. (1) (amend. - SG 103/05; suppl. - SG 81/11) Upon achieving the task of the processing or before discontinuance processing of personal data the administrator shall be obliged:
1. destroy them, or
2. transfer them, to another administrator if, notifying the commission about this, if the transfer is stipulated by an Act and identity of the purposes of the processing is present.
(2) (suppl. SG 92/04; amend. - SG 103/05) Upon achieving the task of the processing of personal data the administrator shall store them only in the cases stipulated by an Act.
(3) (amend. - SG 103/05) In the cases where upon achieving the task of the processing of personal data the administrator shall wants to store the processed personal data as anonymous data for historic, scientific or statistical purposes he must inform about that the Commission.
(4) The Commission for protection of the personal data can prohibit the storing for the purposes under para 3 if the administrator has not provided enough protection of the processed data as anonymous data.
(5) (amend., SG 39/11) The decision of the commission under para 4 shall be subject to appeal before the relevant administrative court. The decision of the administrative court is not subject to appeal. In the cases of rejection of the complaint against the decision of the Commission the administrator of personal data shall be obliged to destroy them.
 
 
Chapter five.
RIGHTS OF THE NATURAL PERSONS (TITLE –AMEND. SG 103/05)
 
Art. 26. (1) Every individual shall have the right to access to personal data related to him.
(2) (amend. - SG 103/05) In the cases when, in exercising the right to access, disclosed to the individual can also be personal data regarding a third person the administrator shall be obliged to provide to the respective individual access to the part of them related only to him.
 
 
Art. 27. (amend. - SG 103/05; revoked – SG 91/06)
 
 
Art. 28. (amend. – SG 103/05) (1) When exercising of his/her right of access the natural person shall have right at any time to require from the administrator of personal data:
1. confirmation if the data referring to him/her are processed, information about the purpose of this processing, about the category of the data and the recipients or the categories of recipients to whom the data shall be disclosed;
2. a message to him/her in comprehensible form, containing his/her personal data, which are processed as well as any available information about their source;
3. information about the logic of each automated processing of personal data referring to him/her, at least in the cases of automated decisions under Art. 34b.
(2) (amend. – SG 94/10) The personal data administrator shall provide the information under Para 1 free of charge.
(3) In event of death of the natural person his/her rights shall be exercised by his/her heirs.
 
 
Art. 28a. (new – SG 103/05) The natural person shall have the right at any time of require from the administrator to:
1. delete, correct or block his/her personal data, processing of which does not meet the requirements of this Act;
2. notify the third persons to whom his/her personal data has been disclosed about any deletion, correction or blocking performed in accordance with item 1, except in the cases where this is impossible or is connected with excessive efforts.
 
 
Art. 29. (1) (amend. - SG 103/05) The right of access under Art. 26 and the rights under Art. 28a shall be exercises by a written application to the administrator of personal data.
(2) (amend. - SG 103/05, amend. - SG 85/17) Application can also be filed by electronic means signed with an advanced electronic signature, an advanced electronic signature based on a qualified electronic signature certificate or qualified electronic signature, according to the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OB, L 257/73 of 28 August 2014) and the Electronic Document and Electronic Trust Services Act.
(3) (amend. - SG 103/05) The application under Para 1 shall be filed personally by the Individual or by a person explicitly authorised by him by notary certified authorisation.
(4) (revoked – SG 103/05)
 
 
Art. 30. (1) (amend. - SG 103/05)The application under Art. 29 shall contain:
1. name, address and other data for identification of the respective individual;
2. description of the request;
3. preferred form of submission of the information under Art. 28, Para 1;
4. signature, date of filing the application and correspondence address.
(2) In filing application by an authorised person, the respective notary certified authorisation shall also be enclosed.
(3) The applications under Art. 29 shall be registered in a register by the administrator.
 
 
Art. 31. (1) (amend. - SG 103/05) The information under Art. 28, Para 1can be provided in the form of verbal or written reference or review of the data by the respective individual or by another person explicitly authorised by him.
(2) The individual can request a copy of the processed personal data on a preferred carrier or submission by electronic way, except in the cases when this is prohibited by an Act.
(3) (amend. - SG 103/05)The administrator of personal data, shall be obliged to comply with the preferred by the applicant form of providing the information of Art. 28, Para 1.
 
 
Art. 32. (1) In the cases of Art. 28, Para 1 the administrator of personal data or explicitly authorised person shall consider the application of Art. 29 and shall take a decision on it within 14 days.
(2) (suppl. - SG 81/16, in force from 14.10.2016) The deadline under para 1 can be extended up to 30 days by the administrator or by an official explicitly authorized by him/her in the cases of Art. 28, Para 1, items 1 and 2 when a longer period for gathering all requested data is objectively required, and this will create seriously the activity of the administrator.
(3) (suppl. - SG 81/16, in force from 14.10.2016) Within 14 days term, the administrator or an official explicitly authorized by him/her shall take a decision for providing full or partial information under Art. 28, Para 1 of the applicant or shall motivate a refusal to provide it.
(4) (suppl. - SG 81/16, in force from 14.10.2016) In the cases of Art. 28a, item 1, the administrator or an official explicitly authorized by him/her shall take a decision and execute the respective action within 14 days period from submission of the application under Art. 29 or shall motivate the refusal to provide it.
(5) (suppl. - SG 81/16, in force from 14.10.2016) In the cases of Art. 28a, item 2, the administrator of personal data or an official explicitly authorized by him/her shall take a decision within 14 days period and shall immediately notify the third persons or shall make motivated refusal to perform the notification.
 
 
Art. 33. (1) (amend. - SG 103/05, suppl. - SG 81/16, in force from 14.10.2016) The administrator of personal data or an official explicitly authorized by him/her shall notify in writing the applicant about his decision or refusal according to art. 32, para 3.
(2) The notification under para 1 shall be personal against signature or by return mail.
(3) (new – SG 103/05) Lack of notification under Para 1 shall be considered as a refusal.
 
 
Art. 34. (1) (amend. - SG 103/05) The administrator of personal data shall refuse access to personal data when the data do not exist or providing is forbidden by an Act.
(2) (revoked – SG 103/05)
(3) (new – SG 92/04; amend. and suppl. - SG 91/06) The administrator shall refuse full or partial conceding of data to the person the data refers to would occur danger for the defence or the national security or for the preservation of the classified information and that is provided by a special Act.
(4) (new - SG 81/11) The administrator may fully or partially refuse provision of data received under Art. 1, Para 6 to the person it relates to, where:
1. this would prejudice the prevention or detection of crimes, the conduct of penal proceedings or the execution of criminal penalties;
2. required to protect:
a) the public security;
b) the public order;
c) the person it relates to.
(5) (new - SG 81/11) The administrator, who has received the data under Art. 1, Para 6 shall not notify the person the data relates to, where explicitly instructed by the data provider.
 
 
Art. 34a (new – SG 103/05) (1) The natural person whom the data refers to shall have the rights to:
1. object before the administrator against the processing of his/her personal data if legal ground for this exists; where the objection is grounded, the personal data of the respective natural person may not be processed any longer;
2. objects against the processing of his/her personal data for the purposes of the direct marketing;
3. be notified before his/her personal data is discloses for the first time to third persons or used on their behalf for the purposes of item 2 and opportunity to object against such disclosure of usage shall be provided to him/her.
(2) The administrator shall notify the natural person about his/her rights under Para 1, items 2 and 3.
 
 
Art. 34b. (new – SG 103/05) (1) The decision of the administrator shall be inadmissible, if:
1. legal or other significant consequences for the natural person exist, and
2. is grounded only on automated processing of personal data, designed to assess personal characteristics of the natural person.
(2) Para 1 shall not be applied, if the decision is:
1. taken during a conclusion or execution of a contract, under the condition that the submitted by the respective application for concluding or execution of the contract has been satisfied or other appropriate measures exist, guarantying his/legal interests;
2. settled by an Act, providing measures for protection of the legal interests of the person;
(3) The natural person shall have the right to require from the administrator to revise the decision adopted in offence of Para 1.
 
 
Chapter six.
SUBMISSION OF PERSONAL DATA TO THIRD PERSONS
 
Art. 35. (amend. - SG 103/05; revoked – SG 91/06)
 
 
Art. 36. (amend. - SG 103/05, shall be applied till the Pre-accession Agreement of the Republic Bulgaria with the European Union enters in force) (1) Providing personal data by the administrator to foreign natural or legal persons or to foreign state bodies shall be admitted with permission of the Commission for Protection of the Personal Data, if the legislation of the recipient country guarantee better or equal to the provided by this Act protection of the data.
(2) During the transfer of personal data in the cases under Para 1, the requirements of this Act shall be observed.
 
 
Art. 36a. (new – SG 103/05 in force from the Pre-accession Agreement of the Republic Bulgaria with the European Union enters in force) (1) Providing of personal data to a Member State of the European Union as well as to another member state of the European Economic Space shall be performed free and observing the requirements of this Act.
(2) Providing personal data to a third country shall be admitted only it provides an adequate level of protection of the personal data on its territory.
(3) The assessment of the adequacy of the level of protection of the personal data in a third country shall be performed by the Commission for Protection of the Personal Data, taking in view all circumstances connected with the actions or the set of activities of providing the data, including the nature of the data, purpose and duration of their processing, their legal regulation and measures of protection provided in the third country.
(4) (new - SG 81/11) The Commission for Protection of the Personal Data shall assess the adequacy of the level of protection under Para 3 also in cases of provision of personal data under Art. 1, Para 6 to a third country or international organisation.
(5) (amend. - SG 91/06; prev. text of Para 04 - SG 81/11) The Commission for Protection of the Personal Data shall not perform assessment under Para 3 in the cases where performance of a Decision of the European Commission is necessary ruling that:
1. the third country where the personal data is provided provides adequate level of protection;
2. certain standard contractual clauses provide adequate level of protection.
(6) (amend. - SG 91/06; prev. text of Para 05, amend. - SG 81/11) In the cases of Para 5, Item 2 the administrator shall use standard contractual clauses when providing data in third country.
(7) (prev. text of Para 06, amend. - SG 81/11) Except the cases of Para 2 and 5, the administrator may provide personal data in a third country, if:
1. the person whom the data refers to has given explicit consent for this;
2. (amend. - SG 91/06) providing is needed for performance of obligations of a contract between the natural person and the administrator as well as for actions preceding conclusion of a contract and undertaken by request of the natural person;
3. (amend. - SG 91/06) providing is necessary for conclusion and performance of obligations of a contract concluded in interest of the natural person between the administrator and another person;
4. providing is necessary or is required by law due to a significant public interest or for exercising and the defence of rights under a court procedure;
5. providing is necessary to protect the live and the health of the person, whom the data refers to;
6. (amend. - SG 91/06) source of the data is a public register the access to which is provided according to conditions and order determined by an Act.
(8) (prev. text of Para 07 - SG 81/11) Providing of personal data in third countries is admissible in all cases if it is performed for the purposes of journalistic activity, the literature or artistic expression, as far as this processing does not injure the right of private life of the person, whom the data refers to.
 
 
Art. 36b. (new – SG 103/05 in force from the Pre-accession Agreement of the Republic Bulgaria with the European Union enters in force) (1) Besides the cases of Art. 36a, providing of personal data in a third country shall be executed after a permission of the Commission for Protection of the Personal Data, under the condition that the administrator providing the data and the administrator accepting the data, present enough guarantees for its protection.
(2) (suppl. - SG 91/06) The Commission shall notify the European Commission and the competent bodies of the other Member States about the permissions granted under Para 1 as well as about the refusals to provide such permissions.
 
 
Art. 36c. (new - SG 81/11) The administrator shall keep a register of the data provided and received under Art. 1, Para 6.
 
 
Art. 36d. (new - SG 81/11) Personal data received under Art. 1, Para 6 may, in accordance with the requirements of Art. 2, Para 3, be further processed only for the following purposes other than those for which they were provided:
1. the prevention or detection of crimes, conduct of penal proceedings or execution of criminal penalties;
2. the prevention of an immediate and serious threat to public security;
3. any other purpose only with the prior consent of the data provider or the person it relates to.
 
 
Art. 36e. (new – SG 81/11) (1) Where a special Act introduces restrictions to the provider of data under Art. 1, Para 6 related to data processing, the recipient shall be notified accordingly by the data provider.
(2) Where an administrator receiving data under Art. 6, Para 1 is notified by the data provider of such processing related restrictions under his national legislation, the former shall be obliged to conform to those restrictions.
(3) In case of provision of data under Art. 1, Para 6 the administrator providing such data may set a specific term for storage of data or for review of the need thereof.
(4) Any administrator receiving data under Art. 1, Para 6 shall be obliged to remove or block such data or review the need thereof after expiration of the terms set by the data provider.
(5) Para 4 shall not apply, where at the moment of expiration of the storage term the data is needed for pending penal proceedings or execution of criminal penalties.
 
 
Art. 36f. (new – SG 81/11) (1) Any administrator receiving data under Art. 1, Para 6 may provide it to the competent authority of a third country or an international body, provided that the following requirements have been met:
1. it is necessary for the prevention or the detection of a crime, the conduct of penal proceedings or the execution of criminal penalties;
2. the recipient is competent to carry out activities under Item 1;
3. the Member State of the European Union from which the data were obtained has given its consent to provide in compliance with its national law;
4. recipient ensures an adequate level of protection for the intended data processing.
(2) The consent referred to in Para 1 shall not be required only if transfer of the data is essential for the prevention of an immediate and serious threat to public order of a Member State of the European Union or a third country or the prior consent cannot be obtained in good time. In such cases the data provider shall be informed without delay.
 
 
Art. 36g. (new – SG 81/11) The Commission for Protection of Personal Data shall not assess the adequacy of the level of protection under Art. 36f, Para 1, Item 4 in case of any of the following conditions:
1. the national legislation of the data provider so provides for protection of the legitimate interests of the person the data relates to or for protection of especially important public interests;
2. the data recipient provides adequate safeguards.
 
 
Art. 36h. (new – SG 81/11) (1) Any administrator receiving data under Art. 1, Para 6 may provide it to third natural or legal persons, where:
1. the data provider has consented to its provision;
2. no legitimate specific interests of the person the data relates to are affected;
3. the provision is essential for:
a) the performance of a task lawfully assigned to it;
b) the prevention or detection of crimes or conduct of penal proceedings or the execution of criminal penalties;
c) the prevention of an immediate and serious threat to the public order; or
c) the prevention of serious harm to the constitutional rights of natural persons.
(2) At the provision of data under Para 1 the data provider shall inform the natural or legal person of the purposes for which the data may be processed, and the data shall be processed for such purposes only.
 
 
Art. 36i. (new – SG 81/11) The administrator receiving the data under Art. 1, Para 6 shall, on request by the administrator providing the data, inform him about their processing.
 
 
Art. 37. (revoked – SG 103/05)
  

Chapter seven.
APPEALING ACTIVITIES OF THE ADMINISTRATOR OR PERSONAL DATA
 
Art. 38. (1) (amend. - SG 103/05; amend. - SG 91/06) In event of violation of the rights under this Act, every natural person shall have the rights to approach the Commission for Protection of the Personal Data within a period of one year from learning about the violation, but not later than five year from its occurrence.
(2) (amend. - SG 103/05) The Commission for protection of the personal data shall take decision within 30 days from the approaching and can give obligatory prescriptions and to determine a deadline for rectification of the offence or to impose administrative penalty.
(3) (revoked – SG 103/05)
(4) The Commission for protection of the personal data shall send a copy of its decision to the individual.
(5) (new - SG 91/06) In the cases referred to in Para 1 where personal data for the needs of the Defence, the National Security and the Public Order as well as for the needs of the Penal Proceedings is processed, the Decision of the Commission shall contain only findings regarding the lawfulness of the processing.
(6) (amend. - SG 103/05; prev. text of para 05 - SG 91/06; amend., SG 39/11) The decision of the commission under para 2 shall be subject to appeal by the order of the Administrative Procedure Code within 14 days from its receipt.
 
 
Art. 39. (1) (amend. - SG 103/05; amend. - SG 30/06, in force from 12.07.2006; amend. - SG 91/06) In the cases of injure of his/her rights under this Act, every natural person shall have the right to appeal actions and acts of the administrator following the court procedure the before the respective administrative court or before the Supreme Administrative Court under the general rules of jurisdiction.
(2) (amend. - SG 103/05) Within the procedure under Para 1 the natural person may demand compensation for the suffered by him/her damages due to the unlawful processing of personal data by the administrator.
(3) (new – SG 81/11) In proceedings under Para 1 the administrator receiving data under Art. 1, Para 6, which are inaccurate, may not cite in its defence the inaccuracy of such data.
(4) (new - SG 103/05; prev. text of Para 03 – SG 81/11)The natural person mat not approach the court if there are pending proceedings before the Commission for the same violation or its decision concerning the same violation has been appealed and there is no enacted court decision. Upon a request of the natural person, the Commission shall certify the lack of pending procedure before it for the same dispute.
(5) (prev. text of Para 4 – amend., SG 103/05; amend. - SG 30/06, in force from 12.07.2006; revoked – SG 91/06)
 
 
Art. 40. (revoked – SG 103/05)
 
 
Art. 41. (revoked – SG 103/05)
  

Chapter eight.
ADMINISTRATIVE PENAL PROVISIONS
 
Art. 42. (amend. - SG 103/05) (1) (amend. – SG 81/11) For offences under Art. 2, Para 2 and 3 and Art. 4 the administrator of personal data shall be punished by a fine or property sanction of 10 000 to 100 000 BGN.
(2) For offences under Art. 5 the administrator shall be punished by a fine or property sanction of 10 000 to 100 000 BGN.
(3) (amend. - SG 91/06) For offences under Art. 20. Para 1, the administrator shall be punished by a fine or property sanction of from 2 000 to 20 000 BGN.
(4) An administrator who does not fulfil his obligation for registration under Art. 17, Para 1 shall be punished by a fine or property sanction of 100 to 3000 BGN.
(5) (new - SG 91/06) Any administrator who commences processing of personal data in violation of Art. 17b, Para 4 shall be punished by a fine or proprietary sanction in amount from 2000 to 20 000 BGN.
(6) (new - SG 91/06) Any administrator who does not perform his obligations under Art. 22, Para 1 and 2 shall be punished by a fine or proprietary sanction in amount from 1000 to 20 000 BGN.
(7) (prev. text of para 05 - SG 91/06) An administrator who does not pronounce on the application of Art. 29 within the term, shall be punished by a fine or property sanction of 1000 to 20 000 BGN, if is not subject to a more severe punishment.
(8) (prev. text of para 06 - SG 91/06) For a refusal to assist the commission in connection with its controlling powers, the persons shall be punished by a fine or a property sanction from 1000 to 10 000 BGN.
(9) (prev. text of para 07 - SG 91/06) For other offences of this Act the guilty persons shall be punished by a fine or property sanction of 500 to 1000 BGN.
 
 
Art. 42a. (new – SG 103/05) Where the offences of this Act are repeatedly perpetrated, a fine or property sanction in doubled amount of the initially imposed shall be imposed.
 
 
Art. 43. (1) (amend. - SG 103/05) The acts for establishing the administrative offences shall be drawn up by a member of the Commission for protection of the personal data or by officials authorised by the commission.
(2) (suppl. - SG 103/05; amend. - SG 91/06) The penal decrees shall be issued by the chairman of the Commission for protection of the personal data.
(3) (new - SG 91/06) Proprietary sanctions and fines imposed by punitive decrees in force shall be collected under the order of the Tax-Insurance Procedure Code.
(4) (prev. text of para 03 - SG 91/06) The establishing of the offences, the issuance, the appeal and the fulfilment of the penal decrees shall be carried out by the order of the Administrative Violations and Penalties Act.
(5) (new - SG 15/13, in force from 01.01.2014) Amounts gathered from imposed pecuniary sanctions and fines shall be deposited to the Commission`s budget.
 
 

Additional provisions

§ 1. In the context of this Act:
1. (amend. - SG 103/05; amend. - SG 91/06) "Processing of personal data" is every action or a set o factions which may be performed with regard to the personal data by automated or other means, such as gathering, entry, organising, storing, adaptation or change, recovery, consulting, using, combining, freezing, disclosing by handing, disseminating, updating or combining, blocking or destructing.
2. (amend. - SG 103/05) "Register of personal data" shall be each structured set of personal data, accessible by e definite criteria, centralised or de-centralized or distributed per functional or geographic principle.
3. (amend. - SG 103/05) "Person processing personal data" is an individual or a corporate body or a body of state power or a body of local government, which is processing personal data on behalf of the administrator of personal data.
4. (revoked. - SG 103/05)
5. "Submission of personal data" are activities on the entire or partial transfer of personal data from one administrator to another or to a third person on the territory of the country or out of it.
6. (amend. - SG 103/05) "Anonymous data" is data, brought in a form which does not allow to refer it to the relevant natural person, whom it refers to.
7. "Freezing" is the storing of personal data with temporary suspension of their processing.
8. (revoked – SG 103/05)
9. "Repeated" is the offence committed within one year from the enforcement of the penal decree which imposes a punishment for the same type of offence.
10. (new, SG 70/04) "Human genome" is the combination of all genes in a single (diploid) complex of chromosomes of a person.
11. (new – SG 103/05) "Third person" is a natural or a legal person, body of state power or a body of local government, different than the natural person whom the data refers to, than the administrator of personal data, than the person processing personal data and than the persons who under the direct ruling of the administrator or of the person processing the data have the right to process personal data.
12. (new – SG 103/05) "Recipient" shall be a natural or a legal person, body of state power or a body of local government, to which the personal data is disclosed, not depending if they are a third person or not The bodies which may obtain data within the frames of a concrete research shall not be considered recipients.
13. (new – SG 103/05; suppl. - SG 91/06) "Consent of the natural person" shall be each free expressed, concrete and informed act of expression of will, by which the natural person whom the data refers to agrees the data shall be processed.
14. (new – SG 103/05, in force from the Pre-accession Agreement of the Republic Bulgaria with the European Union enters in force) "Third country" shall be each country, which is not a Member State and is not a party to the Agreement on the European Economic Area.
15. (new – SG 103/05) "Direct marketing" shall be offering of goods and services to natural persons by mail, telephone or in other direct manner, as well as questioning with the purpose of research with regard to the offered goods and services.
16. (new - SG 91/06) “Specific indices” means indices related to the physical, physiological, genetic, psychical, psychological, economical, cultural, social and other identity of the person.
 
 
§ 1a. (new - SG 91/06) This Act shall implement the provisions of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
 
 
Transitional and concluding provisions
 
§ 2. (1) Within one month from the enactment of this Act the Council of Ministers shall propose to the National Assembly the members of the Commission for protection of the personal data.
(2) Within 14 days from the presentation of the proposal under para 1 the National Assembly shall elect the members of the Commission for protection of the personal data.
(3) Within 3 months from its election the Commission for protection of the personal data shall adopt and promulgate in the State Gazette the regulations under art. 9, para 2.
(4) Within one month from the enactment of the decision of the National Assembly under para 2 the Council of Ministers shall provide the necessary property and financial resources for the commencement of the work of the commission.
 
 
§ 3. (1) Within 6 months from the enactment of the regulations under art. 9, para 2 the persons who, by the moment of entry into force of the Act, maintain registers of personal data, shall bring them in compliance with the requirements of the law and shall notify the commission about that.
(2) The commission shall carry out preliminary inspections, shall register or refuse to register as administrators persons who maintain registers by the moment of entry into force of the Act, as well as the registers kept by them within 3 months from the receipt of the application under para 1.
(3) The decisions of the commission for refusal of registration shall be subject to appeal before the Supreme Administrative Court within 14 days.
(4) Upon the enactment of the decision of the commission for refusal of registration or of the decision of the Supreme Administrative Court which confirms the refusal of the commission the person who unlawfully keeps a register shall be obliged to destroy personal data contained in his register or, upon the consent of the commission, to transfer them to another administrator who has registered his register and processes personal data for the same purposes.
(5) The commission shall exercise control over the fulfilment of the obligation under para 4.
(6) Within 3 months from the registration the administrator under art. 3, para 1 shall be obliged to publish in the bulletin of the Commission for protection of the personal data the information under art. 22, para 1.
 
 
§ 4. The following amendments are introduced to the Access to Public Information Act (SG 55/2000):
1. In art. 2, para 3 the words "personal information" are replaced by "personal data".
2. In § 1, item 2 is amended as follows:
"2. "Personal data" are information for an individual disclosing his physical, psychological, mental, marital, economic, cultural or public identity."
 
 
§ 5. The Act shall enter into force on January 1, 2000.
 
The Act was adopted by the 39th National Assembly on December 21, 2001 and was affixed with the official seal of the National Assembly.
  

Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE PROTECTION OF PERSONAL DATA ACT
 
(PROM. – SG 103/05; AMEND. - SG 91/06)
 
§ 50. The provision of § 38 regarding Art. 36, shall be applied till the Pre-accession Agreement of the Republic Bulgaria with the European Union enters in force
 
 
§ 51. (amend. - SG 91/06) The provisions of § 1 regarding Art. 1, Para 4, item 3, § 48, item 5 regarding item 14 of the additional provision shall enter in force from the Pre-accession Agreement of the Republic Bulgaria with the European Union enters in force.
 
 
§ 52. Within three months term from the Act on the Commission for Protection of the Personal Data enters in force, the Ethics Code under Art. 10, Para 4 and the ordinance of Art. 23, Para 5 shall be adopted.
 
 
Transitional and concluding provisions
TO THE ADMINISTRATIVE PROCEDURE CODE
 
(PROM. – SG 30/06, IN FORCE FROM 12.07.2006)
 
§ 142. The code shall enter into force three months after its promulgation in State Gazette, with the exception of:
1. division three, § 2, item 1 and § 2, item 2 – with regards to the repeal of chapter third, section II "Appeal by court order", § 9, item 1 and 2, § 15 and § 44, item 1 and 2, § 51, item 1, § 53, item 1, § 61, item 1, § 66, item 3, § 76, items 1 – 3, § 78, § 79, § 83, item 1, § 84, item 1 and 2, § 89, items 1 - 4§ 101, item 1, § 102, item 1, § 107, § 117, items 1 and 2, § 125, § 128, items 1 and 2, § 132, item 2 and § 136, item 1, as well as § 34, § 35, item 2, § 43, item 2, § 62, item 1, § 66, items 2 and 4, § 97, item 2 and § 125, item 1 – with regard to the replacement of the word "the regional" with the "administrative" and the replacement of the word "the Sofia City Court" with "the Administrative court - Sofia", which shall enter into force from the 1st of May 2007;
2. paragraph 120, which shall enter into force from the 1st of January 2007;
3. paragraph 3, which shall enter into force from the day of the promulgation of the code in State Gazette.
 
 
Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE PROTECTION OF PERSONAL DATA ACT
 
(PROM. - SG 91/06)
 
§ 31. The provision of Paragraph 6 regarding Art. 6, Para 2 shall enter into force from 1 January 2007.
 
 
§ 32. The Commission for Protection of the Personal Data shall adopt the instruction referred to in Art. 12, Para 9 within a term of two months from the entrance into force of this Act.
 
 
§ 33. Within a term of three months from the entrance into force of this Act the administrators subject to registration shall submit an application for registration.
 
 
Transitional and concluding provisions
TO THE NATIONAL ARCHIVE FUND ACT
 
(PROM. - 57/07, IN FORCE FROM 13.07.2007)
 
§ 23. The Act shall enter into force from the day of its promulgation in the State Gazette.
  

Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE ACT ON PREVENTION AND FINDINGS OF CONFLICT OF INTERESTS
 
(PROM. - SG 97/10, IN FORCE FROM 10.12.2010)
 
§ 61. The Act shall enter into force from the day of its promulgation in the State Gazette except:
1. paragraphs 11 regarding Art. 22a – 22e, which shall enter into force from 1 January 2011;
2. paragraphs 7, 8, 9 § 11 regarding Art. 22f – 22i and § 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 and 23, which shall enter into force from 1 April 2011.
 

Additional provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE PERSONAL DATA ACT
 
(PROM. - SG 81/11)
 
§ 15. This Act shall implement the requirements of Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350/60 of 30 December 2008).
  

Transitional and concluding provisions
TO THE ACT ON AMENDMENT AND SUPPLEMENTATION OF THE ELECTRONIC COMMUNICATIONS ACT
 
(PROM. - SG 105/11, IN FORCE FROM 29.12.2011)
§ 220. This Act shall enter into force from the date of its promulgation in the State Gazette.
 

Transitional and concluding provisions
TO THE PUBLIC FINANCE ACT
 
(PROM. SG 15/13, IN FORCE FROM 01.01.2014)
 
§ 123. This Act shall enter into force on 1 January 2014 with the exception of § 115, which enters into force on January 1, 2013, and § 18, § 114, § 120, § 121 and § 122, which came into force on 1 February in 2013.
  

Transitional and concluding provisions
TO THE ACT AMENDING AND SUPPLEMENTING THE MINISTRY OF INTERIOR ACT
 
(PROM. - SG 81/16, IN FORCE FROM 01.01.2017)
§ 102. This Act shall enter into force on January 1, 2017, except for:
1. paragraphs 6-8, § 12, items 1, 2 and 4, § 13, § 14, § 18-20, § 23, § 26-31, § 32, items 1 and 4, § 33-39, § 41-48, § 49 on Art. 187, para. 3, first sentence, § 50-59, § 61-65, § 81-85, § 86, item 4 and 5, § 87, item 3, § 90, item 1, § 91, item 2 and 3, § 92, § 93 and § 97-101, which shall enter into force from the day of the Act’s promulgation in the State Gazette.
2. paragraph 32, item 2 and 3, § 49 on Art. 187, para. 3, new second sentence, § 69-72, § 76 concerning persons under § 70, § 78 with respect to employees under § 69 and § 70, § 79 regarding employees under § 69 and § 70, § 91, item 1 and § 94, which shall enter into force on February 1, 2017.
 

Transitional and concluding provisions
TO THE ACT AMENDING AND SUPPLEMENTING THE ACT ON LIMITATION OF THE ADMINISTRATIVE REGULATION AND THE ADMINISTRATIVE CONTROL OVER THE BUSINESS ACTIVITY
 
(PROM. - SG 103/17, IN FORCE FROM 01.01.2018)
§ 68. The Act shall enter into force on 01 January 2018.



Download files

Law for Protection of Personal Data (DOC)
Law for Protection of Personal Data (PDF)


Commission for Personal Data Protection, Sofia, 2 Prof. Tsvetan Lazarov Blvd.