Guide to National Implementation of GDPR in Bulgaria

Guide to National Implementation of GDPR in Bulgaria

Bulgaria, like many European countries, has specific laws governing the processing of personal data. However, when it comes to the processing of personal data of deceased persons, the legal landscape is not as explicit.

Under Bulgarian law, procedures for handling deceased persons, such as autopsy and disposal of remains, are mandated when the cause of death is unknown or if foul play is suspected [1]. Yet, there are no explicit mentions of privacy or data protection rules regarding deceased persons’ personal data in the Bulgarian context.

The General Data Protection Regulation (GDPR), which Bulgaria implements, generally does not apply to the personal data of deceased individuals. National law typically fills in this gap with specific rules, but such national provisions for Bulgaria are not clearly outlined.

In terms of general data protection, the Bulgarian Labour Code obliges employers to protect the dignity of employees during employment. Employee personal data can be processed for recruitment, staff, and tax purposes with specific provisions for the necessary documents [2].

Data transfers from public registers are not subject to specific rules under national law [3]. The Inspectorate to the Supreme Judicial Council supervises the processing of personal data by the courts, prosecutors, and investigative bodies when acting in their judiciary functions [4].

The PDPA provides criteria for evaluating the balance between the freedom of expression and the right to information, and the right of personal data protection, particularly in cases of disclosure by transmission, dissemination, or making available the personal data collected for academic, artistic, or literary expression [5].

The Commission for Personal Data Protection (CPDP) is the Bulgarian Data Protection Authority, responsible for enforcing the GDPR, issuing guidelines, rules, and recommendations, and participating in international cooperation on personal data protection issues [6]. Decisions of the CPDP can be appealed under the Administrative Procedure Code within 14 days of receipt [7].

The CPDP has taken enforcement action for breaches of the GDPR, imposing fines for violations of Articles 12, 5, and 6 GDPR, and issuing definitive limitations on processing personal data [8]. The CPDP and the Inspectorate have separate competencies in enforcing the GDPR [9].

It is important to note that there are no not-for-profit bodies specifically mandated to bring claims on behalf of individuals without their specific mandate under Bulgarian law [10].

In summary, while Bulgaria has clear laws for the physical handling of deceased persons, the legal rules regarding the processing of their personal data are not explicitly covered in the search results provided. For detailed rules about personal data processing for deceased persons in Bulgaria, consulting Bulgaria’s personal data protection law (aligned with GDPR) or the Bulgarian Personal Data Protection Commission’s guidance would be advisable.

[1] Bulgarian law on handling deceased persons [2] Bulgarian Labour Code [3] Bulgarian law on data transfers [4] Bulgarian law on judicial data protection [5] Bulgarian PDPA [6] Bulgarian CPDP [7] Bulgarian Administrative Procedure Code [8] CPDP fines for GDPR violations [9] CPDP and Inspectorate competencies [10] Bulgarian legal landscape for not-for-profit bodies

1. White & Case LLP provides a variety of international legal services, including regulatory compliance advice on data protection practices,.
2. In the realm of science, medical-conditions, and health-and-wellness, intellectual property law plays a crucial role in protecting inventions related to innovations and sports.
3. As clients seek knowledge in these areas, White & Case’s publications provide valuable insights and analysis on current legal trends and news.
4. When considering international data protection practices, it's essential to distinguish between the laws governing the processing of personal data of living individuals and those of deceased persons.
5. In Bulgaria, the processing of personal data of deceased persons lacks explicit rules, making it difficult to enforce personal data protection and privacy standards.
6. Despite gaps in national legislation, the General Data Protection Regulation (GDPR) still governs the processing of personal data in Bulgaria, with some exceptions.
7. Employers in Bulgaria have a responsibility to protect the dignity of their employees and must adhere to specific rules when processing their personal data.
8. To fill the gaps in national legislation, the Commission for Personal Data Protection (CPDP), the Bulgarian Data Protection Authority, plays a crucial role in enforcing GDPR, issuing guidelines, and participating in international cooperation on personal data protection issues.
9. It would be advisable for those seeking detailed rules about personal data processing for deceased persons in Bulgaria to consult Bulgaria’s personal data protection law (aligned with GDPR) or the Bulgarian Personal Data Protection Commission’s guidance, as doing so provides a clearer understanding of the current legal landscape.

Read also: