Obligations of Foreign Entrepreneurs Processing Personal Data in Bulgaria (GDPR)
- Tsanko Kalchev

- 1 day ago
- 2 min. read
Introduction
Foreign entrepreneurs targeting the Bulgarian market or processing personal data of individuals in Bulgaria must carefully navigate the European data protection framework. The General Data Protection Regulation (GDPR) applies directly in Bulgaria, complemented by the Bulgarian Personal Data Protection Act (PDPA).
Importantly, the GDPR has extraterritorial reach, meaning that even companies established outside the EU may be subject to its requirements if they offer goods or services to individuals in the EU or monitor their behavior.
1. When Do Foreign Companies Fall Under Bulgarian GDPR Rules?
Foreign entrepreneurs must comply if they:
Offer goods or services to individuals in Bulgaria (whether or not payment is required)
Monitor the behaviour of individuals in Bulgaria, to the extent that behaviour takes place in the EU (e.g. tracking, profiling, analytics)
Process personal data in the context of an establishment in the EU, regardless of where the processing itself takes place
In the first two cases, GDPR applies fully even without a local office.
2. Key Roles: Controller vs Processor
Businesses must determine their role:
Controller: decides purposes and means of processing
Processor: processes data on behalf of a controller
Both roles carry direct obligations under GDPR.
3. Core Compliance Obligations
a) Lawful Basis & Transparency
Companies must:
Identify a lawful basis (consent, contract, legal obligation, etc.)
Inform individuals about how their data is used
Limit processing to specific purposes
GDPR requires transparency, purpose limitation, and data minimization.
b) Data Subject Rights
Foreign businesses must enable:
Access to personal data
Rectification and erasure (“right to be forgotten”)
Data portability
Objection to processing
These rights are enforceable in Bulgaria.
c) Record-Keeping
Controllers and processors must maintain records of processing activities (Art. 30 GDPR), even though prior notification to authorities is no longer required. The exemption for organisations with fewer than 250 employees rarely helps in practice, since it falls away as soon as processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data.
d) Data Breach Notification
In case of a breach:
Notify the competent supervisory authority (for Bulgaria, the CPDP) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
Inform affected individuals without undue delay where the breach is likely to result in a high risk to them
Document every breach internally, including those not notified
Failure may lead to heavy fines.
e) Appointment of an EU Representative or DPO
Foreign companies without an EU establishment must:
Appoint an EU representative (with limited exceptions)
Additionally, a Data Protection Officer (DPO) is required (Art. 37 GDPR) where:
Core activities involve regular and systematic monitoring of individuals on a large scale
Core activities involve large-scale processing of special categories of data or data on criminal convictions
The entity is a public authority or body
4. International Data Transfers
Transfers of personal data outside the EU/EEA require:
An adequacy decision for the destination country (including, for certified US recipients, the EU-US Data Privacy Framework), or
Standard contractual clauses (SCCs), or
Other safeguards such as binding corporate rules
Following the Schrems II decision, companies relying on SCCs or other safeguards must also carry out a transfer impact assessment of the law and practice in the third country and adopt supplementary measures where needed.
5. Supervision and Sanctions
The Bulgarian Commission for Personal Data Protection (CPDP) is the main authority overseeing compliance.
Penalties may reach:
Up to €20 million, or
4% of total worldwide annual turnover of the preceding financial year,
whichever is higher.
Conclusion
Foreign entrepreneurs cannot treat Bulgaria as a “light-touch” jurisdiction. GDPR applies fully, and enforcement is active. Businesses should implement a structured compliance framework, appoint the necessary representatives, and ensure ongoing monitoring of legal developments. For an overview of upcoming changes, see our article on the EU Digital Omnibus and the future of GDPR.
Contact
Operating in Bulgaria and processing personal data?
Our team supports international businesses with EU compliance.
Contact us:
E-Mail: info@tk-techlaw.com
Website: www.tk-techlaw.com
Phone: 00359 88 44 55 39