Bulgaria’s government announced plans to introduce additional protocols under the EU General Data Protection Regulation (GDPR), affecting employment practices, data protection officers (DPOs), and data protection impact assessments.

Data Protection Officers

Bulgaria-based organizations would be required to designate a DPO if processing personal data of more than 10,000 individuals. Organizations must establish corporate rules and procedures regarding procedural safeguards and conduct self-initiated data protection impact assessments.

Employee Data Protection

Employers cannot maintain personal employee information unless Bulgarian law explicitly permits it. New internal policies must address whistleblowing systems, acceptable resource usage, and workplace monitoring systems including access to work premises, hours worked and work orders.

Organizations must obtain prior written consent by the employee before collecting or processing any employee data unrelated to the employment relationship.

Recruitment Data

Recruitment companies face time limits on data retention under these new standards.