June 30, 2023

Bulgarian DPA Enforces Resource-intensive Procedures in Case of Data Breach Notifications

The Bulgarian DPA started implementing on a regular basis new detailed and resource-intensive procedures in case of data breach notifications. These involve complex questionnaires exceeding the scope of the breach and closer to full audit of the data processing activities of the controller and extensive requests for provision of documents and information within short deadlines.

I. Data Breach Procedure in Bulgaria

The Bulgarian Data Protection Authority (the Commission for Personal Data Protection – CPDP) started enforcing burdensome procedures in cases of data breach notification.  

Data Breach Notification

Notification of data breaches in Bulgaria is carried out by using a form published by the CPDP which, in addition to the information required under Art. 33 of GDPR, includes an assessment whether the data breach can lead to high risk for the rights and freedoms of the data subjects. First the CPDP examines the information provided in this form.

Methodology for Measuring the Level of Risk

The CPDP uses a Methodology for measuring the level of risk for the rights and freedoms of the data subjects. According to this methodology, the level of risk is assessed based on:

  1. severity of impact
  2. likelihood of the impact to occur.

Based on the result of the assessment the CPDP determines what measures to undertake after a data breach notification. According to the CPDP’s internal instruction in cases of:

- low level of risk the CPDP sends a notice that it accepted the data breach notification ‘for information’,

- middle level of risk the CPDP starts a documentation check,

- high level of risk the CPDP conducts an audit on-site. As a note, according to the CPDP’s Rules of Procedure an on-site audit may be carried out in all cases.


The part of the data breach procedure which affects controllers the most is that the CPCP published and started implementing voluminous questionnaires for controllers. It sends them in cases of data breach notifications if it assesses that the level of risk is middle or high.

The main points of concern are:

  • Based on the methodology described above the CPDP sometimes may decide that the risk is middle or high even in cases where from a practical point of view the impact of the breach on data subjects is quite small. Sometimes even if small amounts of data or a limited number of data subjects are affected, the CPDP may still request filling of the questionnaires and sending additional information and documents.
  • The scope of the questionnaires usually exceeds the scope of the data breach and contains tens of general questions, and the procedure resembles more a full audit of the controller than a data breach check.

The questionnaire requires detailed information not only on the activities concerned by the data breach, but general information on the main activities and structure of the controller, as well as what records under Art. 30 GDPR it maintains, the legal grounds for processing it applies, the categories of data it processes, the assignment of processing activities under Art. 28, data exchange between controllers, data transfers and others. A whole part of the questionnaire is dedicated to the implemented technical and organizational measures, including concrete questions regarding specific measures for physical, personal and documental protection and protection of the automatic information systems and/or networks and encryption protection. Example: the questionnaire contains a question requesting a description of the established computer network and the information systems used for the processing of personal data.

  • The CPDP provides a really short deadline for getting back to them with all the information, usually seven days.
  • The CPDP may send additional questions after receiving the first batch of information and provide again a short deadline for their addressing.  
  • The CPDP may request numerous additional documents, such as a risk analysis carried out by the controller, a notification received from a data processor, and others.
  • All the information needs to be provided in Bulgarian, which additionally encumbers international companies.

II. Key Takeaways

CPDP’s practices concern all controllers with activities in Bulgaria and their legal counsels in case of data breach notification to the Bulgarian authority. In addition, although for the moment we at DPC do not have such cases, in accordance with the CPDP’s internal instruction it is possible for the authority to start sending questionnaires also in cases of complaints or alerts for data protection infringements.

*This text was first published in the Newsletter for Google Hubs prepared by Traple Konarski Podrecki i Wspólnicy.

Related insights

Innovative solutions and customer care.
Get in touch