Whistleblower law in Bulgaria #
Bulgaria implemented Directive (EU) 2019/1937 through the Act on the Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches, in force since 4 May 2023. The Bulgarian system is notable because the CPDP acts both as the central external authority and as the data protection authority.
Applicable law #
Who must establish an internal channel #
Private employers with 50 or more workers are in scope. The 50-249 band became subject to the internal-channel rules from 17 December 2023. Public-sector obliged entities were generally in scope from 4 May 2023.
External reporting authority #
The central external channel is the Commission for Personal Data Protection (CPDP) , which also publishes forms, register guidance and FAQs for obliged entities.
Data protection authority #
The same CPDP is Bulgaria’s GDPR supervisory authority.
Key compliance points #
- Municipalities with fewer than 10,000 inhabitants or fewer than 50 workers may share resources for intake and follow-up.
- Private entities with 50-249 workers may also share resources for receiving and handling reports.
- CPDP’s official materials expect a non-public register of reports and clear public information about how to use the channel.
Official sources #
- Bulgarian whistleblowing act — official CPDP law page
- CPDP — implementation of the protection system
- CPDP — frequently asked questions
- CPDP — complaints and signals
Deploy your reporting channel →
Last updated: