The Commission for Personal Data Protection in Bulgaria has done little for the protection of personal data

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

These are the findings in a report done by the National Audit Office about the Commission's activities for the period January 1, 2003 - December 31, 2005. The results of the audit report were announced on January 30, 2007. The report finds that the Commission for Personal Data Protection (CPDP) has been busy mainly with buying vehicles and looking for premises for the last three years. The main purposes for which the CPDP was established - protection of citizens' personal data, imposing sanctions in cases of violations, and keeping a register of the personal data administrators - were left behind. Since its establishment in 2002, the CPDP has completed 17 investigations at citizens' complaints. During its existence, CPDP has imposed no sanctions; the register of personal data administrators has not been created.

The audit report on the work of the Bulgarian CPDP can be found on the web site of the National Audit Office at: Unfortunately, it is available only in Bulgarian.

Here follows a translation of the NAO press release about the findings in the audit report:

"Through its activities during the audited period (January 1, 2003 - December 31, 2005), the CPDP and its administration did not ensure adequate protection for the physical bodies in the processing of their personal data. Purposeful, systematized efforts are required for the overcoming of the backwardness and the achievement of efficient protection of personal data.

Despite the legal requirements, the CPDP did not function as a permanent working body since the main part of its staff has predominantly maintained working relations with other employers.

For the three and a half years since its establishment, the CPDP has not actually started its activities for the protection of citizens' personal data, has not adopted a policy, strategy, and the goals for the development of these activities. In practice, it has not respected the law. The CPDP:

- does not exercise effective control over the activities of the personal data administrators. The Register of personal data administrators and the personal data registers which they keep is still not public and contains insignificant number of registered administrators. In 2005, the incoming registration requests of personal data administrators were processed within the legally prescribed timeframes. However, a great number of the requests submitted in 2003 and 2004 was not registered and processed. The problem with the administrators who had sent incomplete or wrong registration forms by mail in 2003 has not been addressed yet.

- no legal provisions regulate the registration procedure, and the CPDP has not adopted written rules, procedures and methodology for exercising control over the activities of the administrators. The objects of control are not explicitly defined, the types of control activities and their scope are not explicitly defined, the powers of the controllers are defined vaguely and incompletely.

- the main emphasis of the control activities is on the investigations after submitted complaints and signals, not on preliminary and current check-ups on risk administrators.

- is not effective and efficient at the review of physical bodies' complaints. The processing of the complaints is delayed and the interested persons are not duly informed about the decisions taken by the CPDP.

- does not apply principles of economy and efficiency in the management and spending of its resources. The development and maintenance of major systems - financial management and control, task assignment and supervision, evaluation of the implementation of the tasks - necessary for the correct management of resources has not been finished. The budget has not been spent economically.

The National Audit Office submitted around 50 recommendations for the improvement of the effectiveness and efficiency of the activities in cases of illegal access to personal data to the Council of Ministers and the Chairperson of the CPDP. Among these are the following:

- To develop policies, goals, and priorities which would include the basic strategies for guaranteeing the protection of citizens' rights when their personal data are being processed, as well as for the administrative capacity building.

- To bring the labour contracts of the members of the CPDP in compliance with the requirements of the Personal Data Protection Act, The Labour Code of Bulgaria, and the Decision of the National Assembly as of May 23, 2002 (on the election of the CPDP members and definition of the amount for their monthly salaries).

- To develop, adopt, and promulgate new Regulations for the activities of the Commission for Personal Data Protection and its administration.

- To develop principles according to which the control activities to be performed, as well as requirements concerning the ways the Commission and its administration would exercise the control activities.

- To develop, adopt, and promulgate regulations about the minimum extent of technical and organizational measures that administrators should undertake to guarantee the effective protection of personal data.

- To adopt regulations for new simplified procedures for: the registration of personal data administrators in the Public Register, kept by the CPDP; the informing of the CPDP in cases when preliminary set conditions have been altered; the review and processing of complaints, requests for official statements and harmonization of draft regulations with other regulations.

- To adopt procedures for: imposing temporary bans for processing personal data; issuing permits or prohibitions for holding processed personal data as anonymous data; issuing preliminary and obligatory instructions.

- To develop adequate system for financial management and control and to ensure conditions for its proper functioning.

- The amount of 20 418 BGN (10 000 Euro) that had been paid with no legal basis for rent of an apartment, to be paid back to the State through the Council of Ministers bank account by the member of the CPDP, who had used the apartment."


As far as the adoption of the Personal Data Protection Act in 2002, Access to Information Programme expressed its concerns about the weakness if the law and the possible problems that might arise in the future, as well as recommendations for their overcoming. AIP experts took part in the working group for the amendments to the PDPA in 2005, when they emphasized the main shortcomings of the law again: the status of the CPDP members, the grave conditions for the registration of personal data administrators, the unclear status of the personal data in the public registers. The insufficient protection of personal data in Bulgaria was criticized in the European Commission monitoring reports in the pre-accession process of the country.

Source: Access to Information Programme, Sofia, Bulgaria
Web site:

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error