Home » Legislation » Law for Protection of Personal Data

Law for Protection of Personal Data

 
LAW FOR PROTECTION OF PERSONAL DATA
 
Prom. SG. 1/4 Jan 2002, amend. SG. 70/10 Aug 2004, amend.SG. 93/19 Oct 2004, amend. SG. 43/20 May 2005, amend. SG. 103/23Dec 2005, amend. SG. 30/11 Apr 2006, amend. SG. 91/10 Nov 2006,amend. SG. 57/13 Jul 2007, amend. SG. 42/5 Jun 2009, amend. SG. 94/30 Nov 2010, amend. SG. 97/10 Dec 2010, amend. SG. 39/20 May 2011, amend. SG. 81/18 Oct 2011, amend. SG. 105/29 Dec 2011, amend. SG. 15/15 Feb 2013, suppl. SG. 81/14 Oct 2016
 
Chapter One
GENERAL PROVISIONS
Art. 1.
(amend. - SG 103/05)
(1) This Law shall govern the protection of rights of individuals with regard to the processing of their personal data.
(2) The purpose of this law is to guarantee the inviolability of personality and privacy by ensuring protection of individuals in case of unauthorised personal data processing referred to them, in the process of free movement of data.
(3) (new - SG 91/06)This Law shall apply to personal data processing:
1. by automatic means;
2. by non-automatic means, where such data are, or are designed to become, part of a register.
(4) (prev. text of para 3, amend. - SG 91/06) This Law shall apply to personal data processing where the data controller:
1. (amend. - SG 91/06) is established on the territory of the Republic of Bulgaria and processes personal data in connection with its activity within the country;
2. is not established on the territory of the Republic of Bulgaria but is bound to apply this Law by virtue of international public law;
3. (in force as from the date of the Treaty of Accession of the Republic of Bulgaria to the European Union, SG-91/06) is not established on the territory of an European Union Member State, nor in another member country of the European Economic Area but, for the purposes of such processing, uses means located on Bulgarian territory, unless such means are being used exclusively for transit purposes; in such case the data controller must specify a representative that is established on the territory of the Republic of Bulgaria, this, however, shall not relieve it from responsibility.
(5) (prev. text of para 04, amend. - SG 91/06; amend. - SG 81/11) Unless otherwise provided for in a special law, this Law shall be applied also to the personal data processing for the purposes of:
1. the state defence;
2. the national security;
3. the protection of the public order and prevention of crime;
4. the penal proceedings;
5. the enforcement of penalties.
(6) (new - SG 81/11) Where under the police or judicial cooperation, data under para. 5, Items 3, 4 and 5 has been received from or provided to a Member State of the European Union, or to authorities or information systems established pursuant to the Treaty Establishing the European Community and the Treaty on the Functioning of the European Union, it shall be processed under the conditions and order of this Law.
(7) (new - SG 81/11) Processing of data under para. 5 shall be performed under the supervision of the respective state body.
(8) (prev. text of para 5 - SG 91/06, prev. text of para.6 – SG 81/11 ) The terms and procedure for processing uniform personal identification numbers and other identification numbers of general application shall be governed by special laws.
(9) (prev. text of para 06 - SG 91/06; suppl. – SG 57/07, in force as from 13.07.2007, prev. text of para.7 – SG 81/11) This Law shall not apply to personal data processing by individuals for their personal or household activity, nor for information which is stored in the National Archive Fund.
 
Art. 2.
(suppl., - SG 70/04, in force as from 01.01.2005; amend. - SG 103/05)
(1) (amend. - SG 91/06) “Personal data” shall refer to any information relating to a individual who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or more specific features.
(2) Personal data must be:
1. processed in legal compliance and in a bona fide manner;
2. (suppl. - SG 81/11) collected for specific, precisely defined and legal purposes and not be submitted to additional processing in a manner incompatible with such purposes; additional personal data processing for historical, statistical or research purposes shall be allowed provided the data controller has ensured proper protection, guaranteeing that the data are not being processed for any other purposes, except the cases explicitly provided for in this Law;
3. (amend. - SG 91/06) proportionate to the purposes for which they are being processed and not exceeding their scope;
4. accurate, and updated if necessary;
5. deleted or corrected when found to be imprecise or disproportionate to the purposes for which they are being processed;
6. maintained in a form that enables identification of the respective individuals for a period not exceeding the time necessary for the purposes for which such data are being processed; personal data which will be stored for a longer period of time for historical, statistical or research purposes shall be kept in a format precluding the identification of individuals.
(3) (new - SG 81/11) Personal data obtained under Art. 1, para. 6 may be additionally processed for purpose other than those they are collected for, where all of the following conditions have been met:
1. the processing is compatible with the purposes for which the data was collected;
2. legal ground for processing the data for the this other purpose exists;
3. the processing meets the requirements of para 2.
(4) (new - SG 81/11) Any controller that has received data under Art. 1, para. 6 shall notify the individual to whom the data refer for the additional processing under para. 3, except in the cases under Art. 36e, para. 2 or when otherwise is provided for in a special law.
 
Art. 3.
(1) (amend. – SG 103/05; amend. - SG 91/06) “Personal data controller”, hereinafter referred to as “data controller”, shall refer to any individual or legal person, or a central or local government authority which determines separately or jointly with another person the purposes and means personal data processing.
(2) (new – SG 103/05; amend. - SG 91/06) “A controller” shall also refer to any individual or legal person, or a central or local government authority, which determines separately the type of personal data processed, and the purposes and means of processing.
(2) (new – SG 103/05; amend. - SG 91/06) “ A data controller” shall also refer to any individual or legal person, or a central or local government authority processing personal data whose type, purposes and means of processing shall be determined by law. In such cases the data controller or the specific criteria for its determination can be regulated by a legal act.
(3) (prev. text of Para 2 – SG 103/05) A personal data controller shall process the personal data separately or by assignment to a data processor.
(4) (new - SG 103/05) The data controller shall ensure compliance with the requirements laid out in Art. 2 para. (2).
 
Art. 4.
(amend. – SG 103/05)
(1) Personal data may be processed only in cases when at least one of the following conditions is met:
1. processing is necessary for the execution of an obligation of the personal data controller, stipulated by law;
2. the individual to whom such data refer has given his/her explicit consent;
3. (amend. - SG 91/06) processing is necessary for the execution of obligations of a contract to which the individual to whom such data refer is a party, and for actions at the individual’s request and preceding the execution of a contract;
4. processing is necessary in order to protect the life and health of the individual to whom such data refer;
5. processing is necessary for the performance of a task carried out in the public interest;
6. processing is necessary for the execution of competences vested by law in the data controller or in a third party to whom the data are disclosed;
7. processing is necessary for the execution of the legitimate interests of the personal data controller or a third party to whom the data are disclosed, except where such interests have priority over the interests of the individual to whom such data refer.
(2) Personal data processing shall be allowed also in cases when it is performed exclusively for the purposes of journalism, literary or artistic expression provided that such processing does not violate the right of privacy of the person to whom the data refer. In such cases, the provisions of Chapter Three shall not apply.
 
Art. 5.
(amend. – SG 103/05)
(1) It shall be prohibited to process personal data which:
1. reveal racial or ethnic origin;
2. reveal political, religious or philosophical convictions, membership in political parties or organisations, associations having religious, philosophical, political or trade-union goals;
3. refer to health, sexual life or human genome.
(2) Para. (1) shall not apply when:
1. processing is necessary for the purposes of carrying out specific rights and obligations of the data controller in the field of labour legislation;
2. (suppl. - SG 91/06) the individual to whom such data refer has given his/her explicit consent to the processing of such data, except when otherwise provided by a special law;
3. processing is necessary in order to protect the life and health of the individual to whom such data refer, or of another person, and the physical condition of such individual makes him or her incapable of giving his/her consent, or there are legal impediments to doing so;
4. processing is carried out by a non-profit organisation, including such with a political, philosophical, religious or trade-union goal, in the course of its legitimate activities and with appropriate protection, provided that:
(a) such processing refers exclusively to the members of the organisation or to persons who have regular contact with it in connection with its goals;
(b) the data are not disclosed to a third party without the consent of the individual to whom such data refer;
5. such processing refers to data which have been made public by the individual to whom such data refer, or it is necessary for the establishment, exercise or defence of rights through the court;
6. processing of the data is required for the purposes of preventive medicine, medical diagnostics, the provision or management of health-care services provided that such data are processed by a medical professional who is bound by law to professional secrecy, or by another person under a similar obligation of secrecy;
7. processing is performed exclusively for the purposes of journalism, literary or artistic expression provided that it does not violate the right of privacy of the person to whom such data refer.
 
Chapter Two
COMMISSION FOR PERSONAL DATA PROTECTION
Art. 6.
(1) The Commission for Personal Data Protection, hereinafter referred to as “the Commission”, shall be an independent government body ensuring the protection of individuals in the processing of and access to their personal data, as well as the control on observation of this Law.
(2) (New- SG 94/2010) The Commission cooperates by the conducting of the state policy in the personal data protection field.
(3) (suppl. - SG 91/06, in force from 01.01.2007; prev. text of Para 02 – SG 94/10; amend. SG 15/13, in force from 01.01.2014) The commission shall be a legal person at budget support and headquarters in Sofia and shall be a first level budget administrator.
 
Art. 7.
(1) The Commission shall be a collective authority consisting of a President and four members.
(2) (amend. - SG 91/06) The members of the Commission and the President shall be elected by the National Assembly based on a proposal of the Council of Ministers for a five-year mandate and may be re-elected for another mandate.
(3) The President and the members of the Commission shall perform their activities under a contract of employment governed by labour law.
(4) (new - SG 91/06) The members of the Commission shall be paid a basic monthly salary to the amount of 2.5 average monthly salaries of the persons employed under labour contract or in compliance with the provisions the Civil Servant Act in the public sector according to data of the National Statistical Institute. The basic monthly salary shall be recalculated each quarter taking into consideration the average monthly salary for the last month of the preceding quarter.
(5) (new - SG 91/06) The Commission’s President shall be paid a basic monthly salary to the amount of 30 percent higher than the basic monthly salary referred to in para. 4.
(6)(amend. – SG 103/05; prev. text of para 04 - SG 91/06) The Commission shall submit an annual report on its activities to the National Assembly before 31 January each year.
 
Art. 8.
(1) Members of the Commission may be Bulgarian citizens who:
1. have higher education in Information Science or Law or a Master’s degree in Information Technologies;
2. have at least ten years of service in their specialty;
3. (amend. – SG 103/05) have not been convicted to imprisonment for a malicious crime of general nature regardless of whether rehabilitated.
(2) Members of the Commission may not:
1. (amend. – SG 103/05) be persons who are sole trader, managers/procurators or members of management or supervisory bodies of companies, cooperative societies or personal data controllers in compliance with this Law;
2. occupy other paid jobs, except for research activity or teaching.
3. (new- SG 42/09) can’t be persons, who are spouses or have actual cohabitation, lineal relatives, collateral relatives – to fourth degree inclusive or by affinity- to second degree inclusive with other member of the Commission.
(3) A qualified member of the legal profession meeting the requirements laid down in para. 1 and 2 shall be elected as the president of the Commission.
(4) The mandate of the President or a member of the Commission shall be terminated earlier in any of the following cases:
1. death or legal disability;
2. upon a decision of the National Assembly, when:
(a) the person has filed a request to be dismissed from his/her duties;
(b) the person has committed a serious violation of this Law;
(c) the person has committed a malicious crime of general nature for which there is a conviction in force;
(d) it has become impossible for him/her to fulfil his/her duties for a period longer than six months.
(e) (new- SG 42/09, amend. - SG 97/10, in force as from 10.12.2010 ) an act has entered into force, with which is determined conflict of interests under the Conflict of Interests Prevention and Detection Law.
(5) (amend. and suppl. – SG 103/05) In the cases under para. 4, the Council of Ministers shall propose to the National Assembly to elect a new member for a term until the expiration of the original mandate of the respective member of the Commission.
(6) The term of service as a President or a member of the Commission shall be recognized also as length of service according to the provisions of the Civil Servant Act.
 
Art. 9.
(1) The Commission shall be a permanently operating body supported by an administration.
(2) The Commission shall organize its activity and the activity of its administration by regulations and publish these regulations in the State Gazette.
(3) The Commission shall make decisions by the majority of the total number of its members.
(4) The Commission’s meetings shall be public. The Commission may decide that some meetings will be closed.
 
Art. 10.
(1) The Commission shall:
1. analyse and monitor compliance with the legal framework in the field of personal data protection;
2. (suppl. – SG 103/05) keep a register of personal data controllers and the personal data registers kept by them;
3. inspect personal data controllers in connection with its activities under subpara. (1);
4. give opinions and issue permissions in the cases provided for in this Law;
5. issue compulsory instructions to data controllers in connection with personal data protection;
6. suspend, upon prior notification, any personal data processing that violates the provisions for personal data protection;
7. (amend. – SG 103/05) handle complaints against acts issued or any actions of data controllers, which violate the rights of individuals under this Law, as well as third parties’ complaints in relation to their rights under this Law;
8. (amend. – SG 103/05) participate in drawing up and obligatory issuing of opinions with regard to draft laws and regulations in the field of personal data protection;
9. (new - SG 81/11) issue secondary legal acts in the personal data protection field;
10. (new – SG 103/05, in force as from 01.01.2007; prev. text of item 09 - SG 81/11) ensure enforcement of European Commission decisions in the field of personal data protection.
11. (new – SG 94/10; prev. text of item 10 - SG 81/11) participates in the activities carried out by the international organizations on personal data protection matters;
12. (new – SG 94/10; prev. text of item 11 - SG 81/11) participates in the negotiations and conclusion of bilateral or multilateral agreements on matters of its competence;
13.( new – SG 94/10; prev. text of item 12 - SG 81/11)organizes and coordinates the training of personal data controllers in the personal data protection field.
14. (new – SG 105/11, in force from 29.12.2011) issue general and normative administrative acts within its competences, in cases, foreseen in a Law.
(2) (amend. – SG 103/05) The terms and conditions for keeping the register under para. (1), subpara. (2), notifying the Commission, issuing permissions and opinions, handling complaints, and issuing compulsory instructions or imposing temporary prohibitions for personal data processing shall be laid down in the regulations under Art. 9, para. (2).
(3) (suppl. – SG 103/05; amend. - SG 91/06) The Commission shall issue a bulletin to publish information about its activities and decisions. The report referred to in Art. 7, para. (6) shall also be published in the bulletin.
(4) (new – SG 103/05; amend. - SG 91/06) The Commission shall coordinate, by industry branch and by areas of activity, the ethic codes of behaviour of personal data controllers under Art. 22a and in case of ascertaining legal inconsistency it shall issue compulsory instructions.
 
Art. 11.
The president of the Commission shall:
1. organise and administer the activities of the Commission in compliance with the law and the decisions of the Commission, and be responsible for the fulfilment of its duties;
2. represent the Commission before third parties;
3. (suppl. – SG 103/05; amend. - SG 81/11) appoint and dismiss civil servants and conclude and terminate contracts with employees of the administration working under labor agreement.
4. (new – SG 103/05) issue penal decree as provided for in Art. 43, para. (2).
 
Art. 12.
(amend. - SG 91/06)
(1) The president and members of the Commission or officials from the administration authorized by it shall perform monitoring by means of ex-ante, on-going and ex-post inspections for observance of this Law.
(2) An ex-ante inspection shall be carried out in the cases under Art. 17b:
(3) On-going inspections shall be carried out at the request of persons concerned, as well as on the Commission’s initiative based on a monthly control activity plan adopted by it.
(4) Ex-post inspections shall be carried out for implementing a decision or a compulsory instruction of the Commission, and on the Commission’s initiative following receipt of warning about a violation.
(5) The inspectors shall prove their identity by their official cards and the order issued by the Commission’s President for the respective inspection.
(6) In conducting inspections, the persons referred to in para. (1) may assign the preparation of expert reports following the procedure laid down in the Civil Procedure Code.
(7) An inspection shall end in a statement of findings.
(8) In cases when a violation is ascertained with the statement of findings, the latter shall be considered a statement on ascertainment of an administrative violation in the meaning of the Administrative Violations and Sanctions Act.
(9) The terms and procedure for carrying out inspections shall be determined in an instruction of the Commission.
 
Art. 13.
(1) (amend. - SG 103/05) (1) The President and members of the Commission, and its
administration shall be required not to disclose and not to make use, for their own or any third
party’s benefit, of any information constituting a secret protected by a law of which they have
become aware in the performance of their official duties until the term provided for the
protection of such information has expired.
(2) The persons referred to in para. (1) shall submit a declaration concerning their obligations
provided for in para. (1), when appointed in the Commission.
 
Art. 14.
(amend. - SG 103/05)
(1) The data provided for in Art. 18, para. (2) shall be entered in the register referred to in Art. 10, para. (1), subpara. (2).
(2) Data entry in the register referred to in Art. 10, para. (1), subpara. (2) shall be verified by an identification number.
(3) The register referred to in para. (1) shall be public.
 
Art. 15.
(repealed – SG 103/05)
 
Art. 16.
(amend. - SG 103/05; repealed – SG 91/06)
 
Chapter Three
OBLIGATIONS OF PERSONAL DATA CONTROLLERS
(heading amend. – SG 103/05)
Art. 17.
(amend. - SG 103/05; amend. - SG 91/06)
(1) The personal data controller shall be required to submit an application for registration before the beginning of personal data processing.
(2) The Commission shall enter the personal data controller in the register referred to in Art. 10, para 1, subpara. 2, within a 14-day term as from the submission of the application.
(3) The data controller may start processing the data after submission of the application for registration.
(4) (new - SG 81/11) Before terminating the personal data processing, the controller shall file an application for its removal from the register under Art. 10, para. 1, item 2.
(5) (new - SG 81/11) With the application, referred to in para. 4, the controller shall be obliged to provide the Commission with evidences about the performance of its obligations under Art. 25, para 1.
(6) (new - SG 81/11) The conditions and order for the controller’s removal from the register under Art. 10, para. 1, item 2 shall be regulated in the rules under Art. 9, para 2.
 
Art. 17a.
(new - SG 91/06)
(1) Application for registration shall not be submitted when the data controller:
1. keeps a register which is intended to provide public information by virtue of a legal act and:
a) the access to it is free or
b) any person of legal interest has access to it;
2. processes data in the cases referred to in Art. 5, para 2, subpara. 4.
(2) The Commission may also exempt from the obligation for registration data controllers processing data except those referred to in para 1, provided that such processing does not endanger the rights and the legal interests of the individuals whose data are being processed.
(3) The terms and procedure of exemption under para. 2 shall be regulated by the regulations referred to in Art. 9, Para 2 and the Commission shall determine the criteria in compliance with:
1. the purposes personal data processing;
2. the personal data or the categories of personal data subject to processing;
3. the categories of individuals whose data are being processed;
4. the recipients or the categories of recipients to whom the personal data may be disclosed;
5. the term of data storage.
 
Art. 17b.
(new - SG 91/06)
(1) When the data controller has applied for processing of data under Art. 5, para. 1, or of data whose processing according to a Decision of the Commission endangers the rights and the legal interests of individuals, the Commission shall be required to perform an ex-ante inspection before making an entry into the register referred to in Art. 10, para 1, subpara. 2.
(2) The ex-ante inspection shall be performed within two months from submission of the application for registration referred to in Art. 17, para. 1.
(3) After the end of the ex-ante inspection the Commission shall:
1. enter the personal data controller in the register;
2. give compulsory instructions concerning the conditions of personal data processing and maintaining a personal data register;
3. deny the entry.
(4) The data controller may not begin personal data processing before being entered in the register under Art. 10, para 1, subpara. 2 or before fulfilling the compulsory instructions of the Commission.
(5) The failure to make a decision by the Commission within the term referred to in para. 2 shall be considered an implicit denial to enter the administrator into the register.
(6) The operative part of the decision referred to in para. 1 shall be promulgated in the State Gazette.
 
Art. 18.
(amend. – SG 103/05)
(1) (amend. - SG 91/06) (1) Any personal data controller or its representative shall submit a registration application as referred to in Art. 17 and documents in a form approved by the Commission.
(2) The application shall contain:
1. the data identifying the personal data controller and its representative, if any;
2. the purposes of personal data processing;
3. the categories of individuals whose data are processed, and the categories of personal data relating to them;
4. the recipients or categories of recipients to whom the personal data may be disclosed;
5. proposed data transfer to other countries;
6. the general description of measures taken in compliance with Art. 23 allowing the preparation of a preliminary assessment of their advisability.
(3) The data controller shall notify the Commission of any alteration in the data referred to in para. (2) before making such an alteration. In cases where such alteration is provided for by law, notification shall be made within 7 days following the effective date of the respective law.
(4) In cases when the data controller is not entered in the register referred to in Art. 10, para. (1), subpara. (2), he/she shall be required to provide the data referred to in para. (2) to any person upon request.
(5) (new - SG 81/11) The controller shall submit the application under Art. 17, para. 1 on paper or electronically. When the application is submitted electronically, the Law on the Electronic Government shall apply.
 
Art. 19.
(suppl. SG 92/04; amend. - SG 103/05)
(1) (amend. - SG 91/06) When personal data are collected from the individual to whom such data refer, the data controller or its representative shall provide him/her with:
1. the data which identify the data controller and its representative;
2. the purposes for which the data are processed;
3. the recipients or categories of recipients to whom the personal data may be disclosed;
4. the data concerning the compulsory or voluntary nature of data provision and the consequences of a denial to provide them;
5. information about the right of access and the right to rectify the data collected.
(2) The data referred to in para. (1) shall not be provided when the individual to whom they refer already has such data, or if there is an explicit prohibition for providing them in a law.
 
Art. 20.
(amend. - SG 103/05)
(1) (amend. - SG 91/06) When personal data have not been collected from the individual to whom they refer, the data controller or its representative shall provide him/her with:
1. the data which identify the data controller and its representative;
2. the purposes for which the data are being processed;
3. the personal data categories referring to the respective individual;
4. the recipients or categories of recipients to whom the personal data may be disclosed;
5. information about the right of access and the right to rectify the collected data.
(2) The data referred to in para. (1) shall be provided to the individual to whom they refer at the time they are entered in the respective register or, if data are to be disclosed to a third party, not later than their first disclosure.
(3) Para. (1) shall not apply when:
1. processing is performed for statistical purposes or for the purposes of historical or scientific research and the provision of the data referred to in para. (1) is impossible or would require disproportionate efforts;
2. entry or disclosure of data is explicitly laid down by law;
3. the individual to whom such data refer already has the information referred to in para. (1);
4. there is an explicit prohibition for this in a law.
 
Art. 21.
(amend. - SG 103/05)
(1) (amend. - SG 91/06) (1) Any other information beyond that referred to in Art. 19, para.
(1), subpara. 3 – 5, and Art. 20, para. (1), referring to data processing shall be given upon an assessment of the necessity to provide it, in order to ensure fair processing of data with regard to the individual to whom they refer.
(2) The assessment referred to in para. (1) shall be made by the data controller on a case by case basis.
 
Art. 22
(amend. - SG 103/05)
(1) The personal data controller shall be obliged to provide access to registers maintained by him/her for the persons referred to in Art. 12, para. (1), and shall not obstruct the control on the process of personal data processing.
(2) The personal data controller shall be required to provide the information requested by the persons referred to in Art. 12, para. (1) either orally in writing, or on other information carriers.
(3) (new - SG 91/06) The existence of a trade, production or other secret protected by law cannot serve as grounds for the data controller to refuse to cooperate.
(4) (prev. text of para 03 - SG 91/06) The access procedure provided for in the Law on Protection of Classified Information shall apply when the information contains data which is classified information.
(5) (prev. text of para 04 - SG 91/06) All persons engaged in personal data processing shall be required to cooperate with the Commission in the execution of its powers.
 
Art. 22a.
(new - SG 91/06)
(1) Data controllers shall, by industry branch and by area of activity, develop Ethic codes of behaviour, taking into account the specifics of their activity and the rules of morality and good manners.
(2) Ethic codes may be provided to the Commission for consultation prior to their adoption by the data controllers.
 
Chapter Four
PERSONAL DATA PROTECTION
Art. 23.
(amend. - SG 103/05 )
(1) (suppl. - SG 81/11) The personal data controller shall take appropriate technical and organisational measures to protect data against accidental or unlawful destruction, or against accidental loss, unauthorised access, alteration or dissemination, as well as against other unlawful forms of processing. The personal data controller shall determine the time limits for carrying out periodical assessment of the data processing needs and the personal data deletion.
(2) The data controller shall take special protection measures when processing involves the transmission of data by electronic means.
(3) The measures referred to in para. (1) and para. (2) shall take into account the modern technological achievements and ensure a level of security adequate to the risks related to processing, and the nature of the data to be protected.
(4) (suppl. - SG 81/11) The measures and the time limits, referred to in para. (1) and para. (2) shall be determined in an instruction issued by the personal data controller.
(5) The Commission shall specify in an ordinance the minimum level of technical and organisational measures, as well as the admissible type of protection. Such ordinance shall be published in the State Gazette.
 
Art.23a
(new- SG 81/11)
 
(1) When processing personal data received under Art. 1, para. 6, the controller shall block the stored data in order to restrict their future processing, instead of erasing them, if there are sufficient grounds to be concluded that the deletion may affect the legitimate interests of the individual to whom the data refer.
(2) The blocked data shall be processed only for the purpose which has impeded their deletion.
 
Art.23b
(new- SG 81/11)
 
(1) When data are received under Art. 1, para. 6 which were not requested by the controller, it shall immediately check if these data are necessary for the purpose of their submission.
(2) When the controller providing data under Art. 1, para, 6 finds that they are inaccurate or their provision was unlawful, it shall immediately notify the data recipient thereof.
(3) Any controller which has received data under Art. 1, para 6, which is inaccurate or unlawfully obtained, and was notified thereof by the data provider, shall be obliged to take immediate actions for their correction, deletion or blocking.
(4) When the individual to whom the data under Art. 1, para. 6 refer contests their accuracy and the accuracy cannot be checked, the controller may note them as contested, which shall not prevent their future processing.
 
Art. 24.
(1) (amend. - SG 103/05) The data controller may process data separately or by assignment to data processors. When necessary for organisational reasons, the processing may be assigned to more than one data processor, including for the purpose of differentiating their specific duties.
(2) When data processing is not performed by the data controller, the latter shall be required to appoint a data processor and ensure sufficient data protection guarantees.
(3) (repealed - SG 103/05)
(4) (amend. - SG 103/05) The relationship between the data controller and the personal data processor shall be governed by a legal act, a written contract or another act of the data controller, defining the scope of duties assigned by the data controller to the data processor.
(5) (amend. - SG 103/05) The data controller shall be liable jointly and separately for any damages caused to any third party, resulting from any acts of omission and commission of the data processor.
(6) (amend. - SG 103/05) The personal data processor or any person acting under the guidance of the data controller or of the data processor who has access to personal data, may process them only by instructions of the data controller, unless otherwise specified by law.
 
Art. 25.
(1) (amend. - SG 103/05; suppl. - SG 81/11)) After the achievement of the purpose of personal data processing or before the termination of the personal data procesisng, the data controller shall be required:
1. either to destroy the data, or
2. transfer them to another data controller by preliminary notification to the Commission, if such transfer is specified in a law and the purposes of processing are identical.
(2) (suppl. SG 92/04; amend. - SG 103/05) After achieving the intended purpose of personal data processing, the personal data controller shall store data only in the cases provided for by law.
(3) (amend. - SG 103/05) In cases when, after achieving the purpose of processing, the data controller wishes to store the personal data as anonymous data for historical, research or statistical purposes, he/she shall notify the Commission.
(4) The Commission for Personal Data Protection may prohibit the storage of data for the purposes under para. (3), if the data controller has failed to provide sufficient protection of the processed data as anonymous.
(5) (amend. - SG 39/11) The Commission decision under para. 4 shall be subject to appeal before the respective Administrative Court. The decision of the Administrative Court shell not be subject to appeal.The personal data controller shall be required to destroy the data in the cases of rejection of complaint against the Commission decision.
 
Chapter Five
RIGHTS OF INDIVIDUALS
(Heading amended, SG - 103/05)
Art. 26
(1) Any individual shall be entitled to access to personal data referred to him or her.
(2) (amend. SG No. 103/2005) In the cases when the right of access granted to an individual may also lead to disclosure of personal data of third parties, data controllers shall provide the relevant individual with access only to that part of the data that refers to him or her.
Art. 27
(amend. - SG 103/05; repealed – SG 91/06)
 
Art. 28
(amend., SG - 103/05)
(1) When exercising his or her right of access, an individual shall be entitled to request, at any time, from the personal data controller:
1. a confirmation as to whether or not data relating to him/her are being processed, information as to the purposes of such processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
2. a notification to him/her, in an intelligible form, containing his or her personal data which are being processed, and any available information about their source;
3. information concerning the logic involved in any automatic data processing concerning him/her, at least in case of automated decisions referred to in Art. 34b.
(2) (Amend.- SG 94/2010) The personal data controller submits the information referred to in para. (1) free of charge.
(3) In case the individual dies, his or her rights referred to in para. (1) and para. (2) shall be exercised by his or her heirs.
 
Art. 28a
(New, SG - 103/05)
An individual shall be entitled to require, at any time, from the data controller:
1. to erase, rectify or block his or her personal data whose processing does not comply with the provisions of this Law;
2. to notify any third parties to whom his or her personal data have been disclosed of any erasure, rectification, or blocking carried out in compliance with para. (1), unless this is impossible or involves a disproportionate effort.
 
Art. 29
(1) (amend., SG -103/05) The right of access referred to in Art. 26 and the rights referred to in Art. 28a shall be exercised by submitting a written application to the personal data controller.
(2) (amend., SG - 103/05) The application may also be submitted in electronic form under the procedure laid down in the Law on Electronic Documents and Electronic Signature.
(3) (amend., SG - 103/2005) The application referred to in para. (1) shall be filed personally by the individual or by explicitly authorised person with a power of attorney certified by a notary public.
(4) (repealed, SG - 103/05)
 
Art. 30
(amend., SG - 103/05)
(1) The application referred to in Art. 29 shall contain:
1. the name, address and other data necessary for identifying the respective individual;
2. description of the request;
3. preferred form of provision of the information referred to in Art. 28, para. (1);
4. signature, date of submission of the application and mailing address.
(2) In cases when the application is submitted by a duly authorised person, the power of attorney certified by a notary public shall be enclosed to the application.
(3) The personal data controller shall keep a register of the applications referred to in Art. 29.
 
Art. 31
(1) (amend., SG - 103/05) The information referred to in Art. 28, para. (1) may be provided as an oral or written reference, or in the form of the data review by the individual concerned or by another explicitly authorised person.
(2) The individual may request a copy of the personal data processed on a preferred carrier or by electronic means, unless this is prohibited by law.
(3) (amend., SG No. 103/2005) The personal data controller shall be required to take into consideration the preferences stated by the applicant about the form of provision of the information referred to in Art. 28, para. (1).
 
Art. 32
(amend., SG - 103/05)
(1) In the cases referred to in Art. 28, para. (1), the personal data controller or a person explicitly authorised by the former shall consider the application referred to in Art. 29 and shall respond within 14 days from its submission.
(2) (suppl. - SG 81/16, in force from 14.10.2016) The deadline under para 1 can be extended up to 30 days by the administrator or by an official explicitly authorized by him/her in the cases of Art. 28, Para 1, items 1 and 2 when a longer period for gathering all requested data is objectively required, and this will create seriously the activity of the administrator.
(3) (suppl. - SG 81/16, in force from 14.10.2016) Within 14 days term, the administrator or an official explicitly authorized by him/her shall take a decision for providing full or partial information under Art. 28, Para 1 of the applicant or shall motivate a refusal to provide it.
(4) (suppl. - SG 81/16, in force from 14.10.2016) In the cases of Art. 28a, item 1, the administrator or an official explicitly authorized by him/her shall take a decision and execute the respective action within 14 days period from submission of the application under Art. 29 or shall motivate the refusal to provide it.
(5) (suppl. - SG 81/16, in force from 14.10.2016) In the cases of Art. 28a, item 2, the administrator of personal data or an official explicitly authorized by him/her shall take a decision within 14 days period and shall immediately notify the third persons or shall make motivated refusal to perform the notification.
 
 
Art. 33
(1) (amend. - SG 103/05, suppl. - SG 81/16, in force from 14.10.2016) The administrator of personal data or an official explicitly authorized by him/her shall notify in writing the applicant about his decision or refusal according to art. 32, para 3.
(2) The notice under para. (1) shall be delivered personally after signature or by mail with advice of delivery.
(3) (new, SG - 103/05) The absence of notification as referred to in para. (1) shall be considered a denial.
 
Art. 34
(1) (amend., SG - 103/05) The data controller shall deny access to personal data when such data do not exist or their provision is prohibited by law.
(2) (repealed., SG - 103/05)
(3) (new, SG - 93/04, amended, SG - 103/05, amend. and suppl. SG - 91/06) The data controller shall deny to provide fully or partially data to the individual to whom the data refer when such provision would threaten the defence or national security, or the protection of classified information and this is stipulated in a special law.
(4) (new - SG 81/11) The controller may fully or partially refuse provision of data received under Art. 1, para. 6 to the individual to whom they refer, when:
1. this would prejudice the prevention or detection of crimes, the conduct of penal proceedings or the execution of criminal penalties;
2. this is required to protect:
a) the national security;
b) the public order;
c) the individual to whom they refer.
(5) (new - SG 81/11) The controller, which has received the data under Art. 1, para. 6 shall not notify the individual to whom the data refer, if this is explicitly indicated by the data provider.
 
Art. 34a
(new, SG No. 103/2005)
(1) The individual to whom the data refer shall be entitled:
1. to object to the data controller against the processing of his/her personal data on the basis of legitimate grounds; when such objection is justified, the personal data of the relevant individual may no longer be processed;
2. to object against the processing of his or her personal data for the purposes of direct marketing;
3. to be informed before his or her personal data are disclosed for the first time to third parties or used on their behalf for the purposes set out in subpara. (2), and to be given the opportunity to object to such disclosure or use.
(2) The data controller shall inform the individual of his or her rights referred to in para. (1), subpara. (2) and (3).
 
Art. 34b
(new, SG No. 103/2005)
(1) The data controller’s decision shall be inadmissible when:
1. it engenders legal effects or significantly affects the individual, and
2. it is based solely on automated processing of personal data meant to evaluate certain personal aspects of the individual.
(2) Para. (1) shall not apply when the decision is:
1. taken in the course of the execution or performance of a contract, provided that the request for the execution or the performance of such contract submitted by the individual concerned has been satisfied, or provided that there are appropriate measures safeguarding his or her legal interests;
2. is provided for in a law which also lays down measures to safeguard the individual`s legal interests.
(3) The individual shall be entitled to request from the data controller to review any decision made in breach of the provisions of para. (1).
 
Chapter Six
TRANSFER OF PERSONAL DATA TO THIRD PARTIES
Article 35
(amend. SG - 103/05, repealed – SG 91/06 )
 
Article 36
(amend. SG 103/05, in force till the effective date of the Treaty of Accession of the Republic
of Bulgaria to the European Union)
(1) The provision of personal data by the data controller to foreign individuals or legal
persons or to foreign government authorities shall be allowed with the permission of the Commission for Personal Data Protection, if the legislation of the recipient country guarantee a level of data protection that is better or equivalent to that provided by this Law.
(2) In the transfer of personal data in cases referred to in paragraph (1), the requirements of this Law shall apply.
 
Article 36a
(New - SG 103/05), in force as of the effective date of the Treaty of Accession of the Republic of Bulgaria to the European Union)
(1) Transfer of personal data to any Member State of the European Union and to any other member country of the European Economic Area shall be done freely, in compliance with the requirements of this Law.
(2) Transfer of personal data to a third country shall be allowed only if this third country ensures an adequate level of personal data protection within its territory.
(3) The assessment of adequacy of the level of personal data protection in a third country shall be made by the Commission for Personal Data Protection, taking into consideration all the circumstances referred to the data transfer operation or the set of data transfer operations, including the nature of the data, the purpose and duration of their processing, the legal basis and security measures provided in the third country.
(4) (new - SG 81/11) The Commission for Protection of the Personal Data shall assess the adequacy of the level of protection under para. 3 also in cases of provision of personal data under Art. 1, para. 6 to a third country or international organization.
(5) (amend. - SG 91/06; prev. text of para. 4 - SG 81/11) The Commission for Personal Data Protection shall not make an assessment as referred to in para. (3) in the cases when it is necessary to implement a decision of the European Commission, ruling that:
1. the third country where the personal data are transferred provides an adequate level of protection;
2. certain standard contractual clauses provide an adequate level of protection.
(6) (amend. - SG 91/06; prev. text of para 5, amend. - SG 81/11) In the cases referred to in para. (4), subpara. (2), the data controller shall use the standard contractual clauses in transfers of data to a third country.
(7) (prev. text of para. 6, amend. - SG 81/11) Except for the cases referred to in para. (2) and para. (5), the data controller may transfer personal data in a third country if:
1. the individual to whom such data refer has given his/her explicit consent;
2. (amend. - SG 91/06) the transfer is necessary for the execution and performance of obligations under a contract between the individual and the data controller, and also for actions preceding the execution of a contract, undertaken at such individual’s request;
3. (amend. - SG 91/06) the transfer is necessary for the performance of a contract concluded in interest of the individual between the data controller and another data subject;
4. the transfer is necessary or is required by law due to an important public interest, or for the establishment, exercising or defence of rights through the court;
5. the transfer is necessary in order to protect the life and health of the individual to whom such data refer;
6. (amend. - SG 91/06) the source of the data is a public register, the access to which is provided according to terms and procedures laid down in a law.
(8) (prev. text of para. 7 - SG 81/11) The transfer of personal data to third countries shall be admissible in all cases when performed exclusively for the purposes of journalism, literary or artistic expression to the extent to which it does not violate the right to privacy of the person to whom such data refer.
 
Article 36b
(new, SG - 103/05, in force as from the effective date of the Treaty of Accession of the Republic of Bulgaria to the European Union)
(1) Except for the cases stipulated in Article 36a, the transfer of personal data to a third country shall take place upon permission by the Commission for Personal Data Protection provided that both the data controller transferring the data and the data controller receiving the data have given sufficient safeguards for their protection.
(2) ) (suppl. - SG 91/06) The Commission shall notify the European Commission and the competent authorities of the other Member States of the permissions issued under paragraph (1) as well as about the denials to provide such permissions.
 
Article 36c
(new- SG 81/11)
The controller shall keep a register of the data provided and received under Art. 1, para. 6.
 
Article 36d
(new- SG 81/11)
Personal data received under Art. 1, para. 6 may, in accordance with the requirements of Art. 2, para. 3, be further processed only for the following purposes other than those for which they were provided:
1. the prevention or detection of crimes, conduct of penal proceedings or execution of criminal penalties;
2. the prevention of an immediate and serious threat to public order;
3. any other purpose only with the prior consent of the data provider or the individual to whom they refer.
 
Article 36e
(new-SG 81/11)
(1) Where a special law introduces restrictions to the data provider under Art. 1, para. 6 related to data processing, the recipient shall be mandatory notified accordingly by the data provider.
(2) When a controller receiving data under Art. 6, para. 1 is notified by the data provider of such processing related restrictions under his national legislation, the former shall be obliged to comply with those restrictions.
(3) By the provision of data under Art. 1, para. 6, the controller submitting the data may set specific deadlines for data storage or for review of their necessity.
(4) Any controller receiving data under Art. 1, para. 6, shall be obliged to delete or block the data or review their necessity after expiration of the deadlines set by the data provider.
(5) Para. 4 shall not apply, where at the moment of expiration of the storage deadlines the data is needed for pending penal proceedings or execution of criminal penalties.
 
Article 36f
(new-SG 81/11)
(1) Any controller receiving data under Art. 1, para 6 may provide them to a third country competent authority or an international body, only if all the following requirements have been met:
1. it is necessary for the prevention or the detection of a crime, the conduct of penal proceedings or the execution of criminal penalties;
2. the recipient is competent to carry out activities under item 1;
3. the Member State of the European Union from which the data were obtained has given its consent to provide them in compliance with its national law;
4. the recipient ensures an adequate protection level for the intended data processing.
(2) The consent referred to in para. 1, item 3 shall not be required when the data transfer is essential for the prevention of an immediate and serious threat to public order of a Member State of the European Union or a third country and the prior consent cannot be obtained in due time. In such case the data provider shall be informed immediately.
 
Article 36g
(new-SG 81/11)
The Commission for Protection of Personal Data shall not assess the adequacy of the level of protection under Art. 36f, para. 1, item 4 in case one of the following conditions are met:
1. the national legislation of the data provider provides for protection of the legitimate interests of the individual to whom the data refer or for protection of substantial public interest;
2. the data recipient provides adequate safeguards
 
Article 36h
(new-SG 81/11)
(1) Any controller receiving data under Art. 1, para. 6 may provide them to third individual or legal person, only in case:
1. the data provider has consented to their provision;
2. no legitimate interests of the individual to whom the data refer are affected;
3. the provision is essential for:
a) the performance of a statutory obligation of the data provider;
b) the prevention or detection of crimes, conduct of penal proceedings or the execution of criminal penalties;
c) the prevention of an immediate and serious threat to the public order; or
d) the prevention of serious harm to the individual’s constitutional rights.
(2) By the provision of data under para. 1, the data provider shall inform the third individual or legal person of the purposes for which the data may be processed, and these data shall be processed only for these purposes.
 
Article 36i
(new-SG 81/11)
The controller receiving the data under Art. 1, para. 6 shall, on request by the controller, providing the data, immediately inform it in writing about their process
 
Article 37
(repealed, SG - 103/05)
Chapter Seven
APPEAL AGAINST ACTIONS OF PERSONAL DATA CONTROLLERS
Art. 38.
(1) (amend. - SG 103/05; amend. - SG 91/06) In case of infringement of his/her rights under this Law, any individual shall be entitled to approach the Commission for Personal Data Protection within one year from finding out such infringement, but not later than five years from committing the infringement.
(2) (amend. - SG 103/05) The Commission shall pronounce a decision within 30 days after it has been approached and may issue compulsory instructions, set a time limit to abate the infringement or impose an administrative penalty.
(3) (repealed - SG 103/05)
(4) The Commission for Personal Data Protection shall also send a copy of the decision to the individual.
(5) (new - SG 91/06) In the cases referred to in para. 1 when personal data are processed for the needs of defence, national security and public order, as well as for penal proceedings, the Commission’s decision shall contain only findings regarding the lawfulness of the processing.
(6) (amend. - SG 103/05; prev. text of para. 5 - SG 91/06; amend. - SG 39/11) The Commission decision as referred to in para. (2) shall be subject to appeal under the order of the Administrative Procedure Code e within 14 days of its receipt.
 
Art. 39.
(1) (amend. - SG 103/05; amend. - SG 30/06, in force from 12.07.2006; amend. - SG 91/06) Any individual may, in case of an infringement of his or her rights under this Law, appeal against actions and acts of the data controller before the relevant regional court or the Supreme Administrative Court, in compliance with the general jurisdiction rules.
(2) (amend. - SG 103/05) In the proceedings referred to in para. (1), the individual may claim compensation for any suffered damages as a result of unlawful processing of personal data by the data controller.
(3) (new – SG 81/11) In proceedings under para. 1 the controller receiving data under Art. 1, para. 6, which are inaccurate, may not use in its defence the inaccuracy of the received data.
(4) (new - SG 103/05; prev. text of para 03 – SG 81/11) The individual concerned may not approach the court in case of pending proceedings before the Commission concerning the same violation or in case when the Commission’s decision concerning the same violation has been appealed against but there is no court judgement which is not in force yet. The Commission shall verify, at the request of the individual concerned, whether there are pending or not proceedings concerning the same dispute before it.
(5) (prev. text of para= 4 – amend., SG 103/05; amend. - SG 30/06, in force from 12.07.2006; revoked – SG 91/06)
 
Art. 40.
(repealed – SG 103/05)
 
Art. 41.
(repealed – SG 103/05)
 
Chapter Eight
ADMINISTRATIVE PENAL PROVISIONS
Art. 42
(amended, SG - 103/05)
(1) (amend. – SG 81/11) The personal data controller shall be imposed a fine or a property sanction in the amount of BGN 10 000 to BGN 100 000 for violations of the provisions of Art. 2, para. (2) and para. (3) and Art. 4.
(2) The data controller shall be imposed a fine or a property sanction in the amount of BGN 10 000 to BGN 100 000 for violations of the provisions of Art. 5.
(3) (amend. - SG 91/06) The data controller shall be imposed a fine or a property sanction in the amount of BGN 2 000 to BGN 20 000for violations of the provisions of Art. 19, para. (1) and Art. 20, para. (1).
(4) A data controller who has failed to meet its obligation to register as provided for in Art. 17, para. (1), shall be imposed a fine or a property sanction in the amount of BGN 1 000 to BGN 10 000.
(5) (new - SG 91/06) A data controller who has started data processing in violation of Art. 17b, para. (4), shall be imposed a fine or property sanction in the amount of BGN 2 000 to BGN 20 000.
(6) (new - SG 91/06) A data controller, who has failed to meet his/her obligations as provided for in Art. 22, para.s (1) and (2), shall be imposed a fine or property sanction in the amount of BGN 2 000 to BGN 20 000.
(7) (prev. text of para 05 - SG 91/06) A data controller who does not issue an administrative act concerning the application under Art. 29 within the term, shall be imposed a fine or a property sanction in the amount of BGN 1 000 to BGN 20 000, unless he/she is a subject to a more severe sanction.
(8) (prev. text of para 06 - SG 91/06) Persons who refuse to cooperate with the Commission with regard to its control powers, shall be imposed a fine or a property sanction in the amount of BGN 1 000 to BGN 10 000.
(9) (prev. text of para 07 - SG 91/06) The guilty persons shall be imposed a fine or a property sanction in the amount of BGN 500 to BGN 5 000 for any other violation of the provisions of this Law.
 
Art. 42a
(new, SG - 103/05)
In cases of violations under this Law committed as repeated violations, a fine or property sanction shall be imposed in an amount twice higher than the initially imposed penalty.
 
Art. 43
(1) (amend. - SG 103/05) The acts of determining administrative violations shall be constituted by a member of the Commission for Personal Data Protection or by officials authorized by the Commission.
(2) (suppl. - SG 103/05; amend. - SG 91/06) The penal decrees shall be issued by the President of the Commission for Personal Data Protection.
(3) (New - SG 91/06) Property sanctions and fines imposed by penal decrees in force, shall be collected under the order of the Code of Tax and Social Security.
(4) (prev. text of para. 3 - SG 91/06) The determination of the violations, the issuance, the appeal and the execution of the penal decrees shall be carried out in compliance with the Administrative Violations and Sanctions Act.
(5) (new - SG 15/13, in force from 01.01.2014) Amounts gathered from imposed pecuniary sanctions and fines shall be deposited to the Commission`s budget.
 
ADDITIONAL PROVISIONS
§ 1. Within the meaning of this Law:
1. (amend., SG - 103/05; amend. - SG 91/06) “processing of personal data” shall mean any operation or set of operations which can be performed with respect to personal data, whether by automatic means or otherwise, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, provision, transfer or otherwise making available, updating or combination, blocking, deletion or destruction.
2.(amend., SG - 103/05) “personal data register” shall mean any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or distributed on a functional or geographical basis.
3.(amend., - 103/05) “personal data processor” shall mean any natural or legal person, a central or local government authority which processes personal data on behalf of the personal data controller.
4. (Repealed. SG - 103/05)
5.“Provision of personal data” shall mean any actions for the full or partial transfer of personal data from one data controller to another or to a third party within the territory of the country or abroad.
6.(amend., SG - 103/05) “anonymous data” shall mean any personal data put in a form which does not allow such data to be connected with the respective individual to whom such data refer.
7. “Blocking” shall mean the storage of personal data with suspended processing.
8. (repealed, SG - 103/05)
9.“Repeated” violation shall mean a violation committed within a year from the entry into force of the penal order, with which was imposed a penalty for the same type of violation.
10. (new, SG - 70/04 – effective 01.01.2005) “Human genome” shall mean the full set of all genes in a single (diploid) set of individual chromosomes.
11. (new - SG 103/05) “Third party” shall mean any natural or legal person, central or local government authority other than the individual to whom the data refer, the personal data controller, the personal data processor and the persons who, under the direct guidance of the controller or the processor, are authorised to process personal data.
12. (new, SG - 103/05) “Recipient” shall mean a natural or legal person, an authority of central or local government to whom personal data are disclosed, whether a third party or not.
Authorities which can receive data in the framework of a particular inquiry shall not be regarded as recipients.
13. (new, SG - 103/05) “Consent of the individual” shall mean any freely given, specific and informed expression of will, by which the individual to whom the personal data refer, states his or her unambiguous consent for processing such data.
14. (new, SG -103/05, in force as of the effective date of the Treaty of Accession of the Republic of Bulgaria to the European Union) “Third country” shall mean any state, which is not a member of the European Union and is not a country signatory to the European Economic Area Agreement.
15. (new, SG No. 103/2005) “Direct marketing” shall mean offering goods and services to individuals by mail, telephone, or in another direct way, and consulting aimed at making a survey regarding the goods and services offered.
16. (new - SG 91/06) “Specific features” shall refer to features relating to physical, physiological, genetic, psychical, psychological, economic, cultural, social and other identity of the individual.
§ 1a. (new - SG 91/06) This Law shall introduce the provisions of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
 
TRANSITIONAL AND FINAL PROVISIONS
§ 2. (1) The Council of Ministers shall propose the members of the Commission for Personal Data Protection to the National Assembly within a month from the entry into force of this Law.
(2) The National Assembly shall elect the members of the Commission for Personal Data Protection within 14 days from the introduction of the proposal under para. (1).
(3) The Commission for Personal Data Protection shall adopt and promulgate in the State Gazette the Regulations under Art. 9, para. (2) within three months of its election. 
(4) The Council of Ministers shall provide the property and financial resources needed for the Commission to start its work within a month from the entry into force of the decision of the National Assembly under para. (2).
§ 3. (1) Within six months from the entry into force of the Regulations under Art. 9, para.
2, the persons maintaining personal data registers as from the entry into force of this Law, shall adjust them to the requirements of this Law and shall notify the Commission thereof.
(2)The Commission shall make preliminary checks and register or refuse to register as data controllers, persons maintaining personal data registers as of the effective date of this Law and their registers within three months of the receipt of the application under para. (1).
(3)The decisions of the Commission to refuse registration shall be subject to appeal before the Supreme Administrative Court within 14 days.
(4) Upon the entry into force of the decision of the Commission to refuse registration or the judgement of the Supreme Administrative Court confirming the refusal by the Commission, the person maintaining a register unlawfully shall destroy the personal data therein or, with the consent of the Commission, transfer the data to another data controller who has registered its register and processes personal data for the same purposes.
(5) The Commission shall monitor the execution of the obligation under para. (4).
(6) Within three months of their registration, the data controllers under Art. 3, para. (1) shall publish the details under Art. 22, para. (1) in the bulletin of the Commission for Personal Data Protection.
§ 4. The Law on Access to Public Information (SG - 55 of 2000) shall be amended as follows:
1. In Art. 2, para. (3), the words “personal information” shall be replaced by the words “personal data”.
2. § 1, Item 2 shall be amended as follows:
2. “Personal data shall mean the information concerning an individual revealing his or her physical, psychological, mental, marital, economic, cultural or social identity.”
§ 5. This Law shall enter into force on 1 January 2002.
-------------------------
This Law was adopted by 39th National Assembly on 21 December, 2001 and the official seal of the National Assembly was affixed to it.
 
 
TRANSITIONAL AND FINAL PROVISIONS
of the LAW ON PRIVATE ENFORCEMENT AGENTS
(Published, SG No. 43 of 2005)
§ 23. This Law shall enter into force on 1 September 2005.
 
TRANSITIONAL AND FINAL PROVISIONS
of the LAW AMENDING THE LAW FOR PROTECTION OF PERSONAL DATA.
(SG No. 103/2005; AMEND. - SG 91/06)
§ 50. The provision of § 38, concerning Art. 36 shall apply until the Treaty of Accession of the Republic of Bulgaria to the European Union takes effect.
§ 51. The provisions of § 1, concerning Art. 1, para. (4), subpara. (3), § 8, item (1), section (c), concerning Art. 10, para. (1), subpara. (9), § 39, concerning Art. 36a, § 40, concerning Art. 36b, and § 48, item (5), concerning item (14) of the Additional Provision shall take force as of the effective date of the Treaty of Accession of the Republic of Bulgaria to the European Union.
§ 52. Within three months following the effective date of the Law, the Commission for Personal Data Protection shall adopt the Code of Ethics referred to in Art. 10, para. (4), and the regulations referred to in Art. 23, para. (5).
 
TRANSITIONAL AND FINAL PROVISIONS
of the ADMINISTRATIVE PROCEDURE CODE
(PROM. – SG 30/06, IN FORCE FROM 12.07.2006)
§ 142. The code shall enter into force three months after its promulgation in the State Gazette, with the exception of:
1. division three, § 2, item 1 and § 2, item 2 – with regards to the repeal of chapter third, section II "Appeal by court order", § 9, item 1 and 2, § 15 and § 44, item 1 and 2, § 51, item 1, § 53, item 1, § 61, item 1, § 66, item 3, § 76, items 1 – 3, § 78, § 79, § 83, item 1, § 84, item 1 and 2, § 89, items 1 - 4§ 101, item 1, § 102, item 1, § 107, § 117, items 1 and 2, § 125, § 128, items 1 and 2, § 132, item 2 and § 136, item 1, as well as § 34, § 35, item 2, § 43, item 2, § 62, item 1, § 66, items 2 and 4, § 97, item 2 and § 125, item 1 – with regard to the replacement of the word "the regional" with the "administrative" and the replacement of the word "the Sofia City Court" with "the Administrative Court - Sofia",
which shall enter into force from 1 May, 2007;
2. para. 120, which shall enter into force from the 1 January, 2007;
3. para. 3, which shall enter into force from the day of the promulgation of the code in State Gazette.
 
TRANSITIONAL AND FINAL PROVISIONS
of the LAW AMENDING THE LAW FOR PROTECTION OF PERSONAL DATA
(PROM. - SG 91/06)
§ 31. The provision of Para. 6, regarding Art. 6, Para 2 shall enter into force from 1 January 2007.
§ 32. Within a term of two months from the entry into force of this Law, the Commission for Personal Data Protection shall adopt the instruction referred to in Art. 12, Para 9.
§ 33. Within a term of three months from the entry into force of this Law, the data controllers subject to registration shall submit an application for registration.
 
TRANSITIONAL AND FINAL PROVISIONS
of the LAW OF THE NATIONAL ARCHIVE FUND
(PROM. - 57/07, IN FORCE FROM 13.07.2007)
§ 23. The Law shall enter into force from the day of its promulgation in the State Gazette.
 
 
TRANSITIONAL AND FINAL PROVISIONS
of THE LAW ON AMENDMENT AND SUPPLEMENTATION OF THE LAW ON PREVENTION AND DISCLOSURE OF CONFLICTS OF INTERESTS
(PROM. - SG 97/10, IN FORCE FROM 10.12.2010)
§ 61. The Law shall enter into force from the day of its promulgation in the State Gazette except:
1. paragraphs 11 regarding Art. 22a – 22e, which shall enter into force from 1 January 2011;
2. paragraphs 7, 8, 9 § 11 regarding Art. 22f – 22i and § 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 and 23, which shall enter into force from 1 April 2011.
 
ADDITIONAL PROVISIONS
of THE LAW ON AMENDMENT AND SUPPLEMENTATION OF THE LAW ON THE PERSONAL DATA
(PROM. - SG 81/11)
§ 15. This Law shall implement the requirements of Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350/60 of 30 December 2008).
 
TRANSITIONAL AND FINAL PROVISIONS
of THE LAW ON AMENDMENT AND SUPPLEMENTATION OF THE LAW ON ELECTRONNIC COMMUNICATIONS
 
(PROM. - SG 105/11, IN FORCE FROM 29.12.2011)
§ 220. This Law shall enter into force from the date of its promulgation in the State Gazette.
 
TRANSITIONAL AND CONCLUDING PROVISIONS
TO THE PUBLIC FINANCE ACT

(PROM. SG 15/13, IN FORCE FROM 01.01.2014)
§ 123. This Act shall enter into force on 1 January 2014 with the exception of § 115, which enters into force on January 1, 2013, and § 18, § 114, § 120, § 121 and § 122, which came into force on 1 February in 2013.
 
Relevant acts of the European legislation
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
REGULATION (EEC) No 2380/74 OF THE COUNCIL of 17 September 1974 adoptingprovisions for the dissemination of information relating to research programmes for the European Economic Community
REGULATION (EC) No 45/2001 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCILof 18 December2000on the protection of individuals with regard to the processing of personal data by the Communityinstitutions and bodies and on the free movement of such data
COMMISSION DECISION of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC)
COMMISSION DECISION of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (2000/518/EC)
COMMISSION DECISION of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Hungary (2000/519/EC)
    
Transitional and concluding provisions
TO THE ACT AMENDING AND SUPPLEMENTING THE MINISTRY OF INTERIOR ACT
(PROM. - SG 81/16, IN FORCE FROM 01.01.2017)
§ 102. This Act shall enter into force on January 1, 2017, except for:
1. paragraphs 6-8, § 12, items 1, 2 and 4, § 13, § 14, § 18-20, § 23, § 26-31, § 32, items 1 and 4, § 33-39, § 41-48, § 49 on Art. 187, para. 3, first sentence, § 50-59, § 61-65, § 81-85, § 86, item 4 and 5, § 87, item 3, § 90, item 1, § 91, item 2 and 3, § 92, § 93 and § 97-101, which shall enter into force from the day of the Act’s promulgation in the State Gazette.
2. paragraph 32, item 2 and 3, § 49 on Art. 187, para. 3, new second sentence, § 69-72, § 76 concerning persons under § 70, § 78 with respect to employees under § 69 and § 70, § 79 regarding employees under § 69 and § 70, § 91, item 1 and § 94, which shall enter into force on February 1, 2017.
 

Download files

Law for Protection of Personal Data (DOC)
Law for Protection of Personal Data (PDF)


Commission for Personal Data Protection, Sofia, 2 Prof. Tsvetan Lazarov Blvd.