Skip to main content Required by EU law for organizations with 50+ employees

Whistleblower law in Bulgaria #

Bulgaria implemented Directive (EU) 2019/1937 through the Act on the Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches, in force since 4 May 2023. The Bulgarian system is notable because the CPDP acts both as the central external authority and as the data protection authority.

Applicable law #

Who must establish an internal channel #

A 2025 amendment (in force May 2025) removed the option to use a shared group-level internal channel — each obligated entity must now establish and maintain its own.

Penalties and enforcement #

Unlike most member states, Bulgaria fixes an explicit fine for failing to establish a channel — Article 41 (Чл. 41 ) penalises any entity that does not fulfil the channel-establishment duty under Article 13(1)–(2). The structure is dual-tier (natural vs. legal person) and escalates on repeat. EUR figures use the fixed peg (1.95583 BGN/€).

ConductArticleFine≈ EUR
No internal channel — legal person / sole trader, first violationЧл. 41(2)BGN 5,000–20,000~€2,500–10,000
No internal channel — legal person, repeat violationЧл. 41(3)BGN 10,000–30,000~€5,000–15,000
No internal channel — natural personЧл. 41(1)BGN 1,000–5,000~€500–2,500
Obstructing a report or failing to act on / report follow-upЧл. 42BGN 400–4,000~€200–2,045
Retaliation against a reporter, or malicious proceedingsЧл. 43BGN 2,000–8,000~€1,000–4,090

Verbatim, Art. 41(1)–(2): “Наказва се с глоба в размер от 1000 до 5000 лв. … лице, което не изпълни задължение по чл. 13, ал. 1 и 2. … Когато нарушението … е извършено от юридическо лице или едноличен търговец, се налага имуществена санкция в размер от 5000 до 20 000 лв.”

An honest assessment of enforcement. The fines above are what the law provides. In practice, enforcement to date is modest and largely reactive. The CPDP’s official 2024 figures record 97 reports received (35 within the Directive’s scope), seven inspections closed for lack of sufficient evidence, and only one resulting in a sanction, with total sanctions for the year of BGN 17,400 (~€8,900). No company has been publicly named, and none of these is identified as a specific failure-to-establish-channel case. The practical conclusion mirrors the rest of the region: the obligation is real, but the exposure is a report reaching the CPDP with no channel in place — not a large fine.

External reporting authority #

The central external channel is the Commission for Personal Data Protection (CPDP) , which also publishes forms, register guidance and FAQs for obliged entities.

Data protection authority #

The same CPDP is Bulgaria’s GDPR supervisory authority.

Key compliance points #

Official sources #


Deploy your reporting channel →

Last updated: