Personal data

Art. 4 (1) of the GDPR states that personal data reveal information about an identified or identifiable natural person. Personal data include an individual’s name, a picture, a phone number (even a professional one), a code, a bank account number, an e-mail address, a fingerprint, etc.


Special category of personal data

‘Special category of personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning health, sex life or judicial information.

Art. 9 of the GDPR contains rules on the processing of special categories of personal data. Sensitive data is personal data which reveals an individual’s racial and ethnic origin, political beliefs, religion, philosophical and moral convictions, trade union affiliation or membership, health, and sexual orientation, and also refers to genetic and biometric data.

Article 9(2) sets out the circumstances in which the processing of special categories of personal data, which is otherwise prohibited, may take place. These include, among others:

  • Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
  • Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
  • Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.



Bulgarian law applies the GDPR definition of ‘consent’, written in Art. 4 (11): “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

In November 2018 the Bulgarian Commission for Personal Data Protection released a guideline on the need for consent as a legal ground under the GDPR. According to it, consent is not a requirement when:

  • There is a legal requirement for data collection based on the provisions of the Labour Code, Health Act, Accountancy Act, Social Insurance Code, etc.
  • Data is collected in the course of providing administrative services by authorities.
  • Data is collected for the purpose of employment relations.
  • The data is necessary for the conclusion or performance of contracts, such as in provision of services.
  • When data is collected, the legitimate interests of the controller prevail over the interests, rights and freedoms of the subject, such as in the case of security and video-surveillance.
  • Data is transferred from one controller to another according to an assignment agreement.
  • Data is transferred from a controller to a processor.
  • Data is collected while photographing or video-recording a public area.
  • The controller relies on legal grounds for the processing of sensitive data (e.g. health data) under Article 9 of the GDPR.

The Commission provides a non-exhaustive list of examples of professional activities for which consent is not needed, provided that the data processing takes place in the typical course of such activities (this does not cover direct marketing, where consent should generally be the principal ground for data processing). These include the core activities of:

  • doctors, dentists and pharmacists;
  • lawyers;
  • employers;
  • public authorities;
  • educational institutions (kindergartens, schools and universities);
  • bank and credit institutions;
  • insurers;
  • enterprises providing electronic communication services;
  • courier companies;
  • utility companies;
  • processors of personal data (accountants and occupational medicine providers);
  • hotels and tourist agencies, and others.


Children’s age

According to Bulgarian law, people under the age of 14 are minors with no capability to perform legal acts. So, when processing personal data of minors, parental consent is required.

According to the GDPR-related bill for amendment of the Bulgarian data protection law (please refer to the next section), in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 14 years old; otherwise, such processing shall be lawful only if and to the extent consent is given by the holder of parental responsibility over the child.