Skip to main content

Bulgarian DPA Introduce Deep Audits as a Standard Practice in Cases of Data Breaches


Bulgarian DPA is currently applying on a regular basis a new procedure in cases of data breach notifications which includes complex questionnaires covering all the data processing activities of the data controller and extensive requests for provision of documents and information within short deadlines.

Since 2022 the Bulgarian DPA has adopted and started to implement a specific methodology in cases where they receive notifications for data breaches. This methodology includes collecting information regarding the data breach (via the notification and via additional sets of questions), an assessment of the level of risk of the occurred data breach based on a specific criterias adopted by the Bulgarian DPA and additional audits/ inspections based on the determined level of risk.

The levels of risk could be low, medium or high. However, it is important to note that the thresholds for determining medium or even high risk are very low and thus, even in cases where small amounts of data or a limited number of data subjects are affected, the DPA may still treat the data breach as “medium” or “high” level of risk.

In this respect, upon submitting a notification for a data breach a data controller may expect to receive approx. about 2 consecutive requests for additional information from the DPA.  At a "medium" level of risk, the data controller can expect an inspection/ audit based by documents to be performed with the second set of questions. This is performed via thorough questionnaire (of approx. 70 questions) which covers all personal data processing activities of the data controller, not only those affected by the data breach. Along with this questionnaire and questions related to the data breach the DPA usually requires to receive the “full” set of documentation of the controller related to its data protection compliance (such us privacy notices, consent forms, policies and procedures, etc.). The questionnaire covers all the key aspects of the performed activities as categories of data subjects, categories of data, involved data processors, recipients of personal data, retention periods, legal grounds for the performed processing activities, the topics related to the performed data transfers and very thorough sections dedicated to the applied technical and organizational for security and protection of the data.

Usually, 7 calendar days are granted for responding to the questions and the questionnaire. Besides the above, all documents that are presented to the DPA need to be in Bulgarian or accompanied with a Bulgarian translation.
In case the DPA determine that the data breach is of a “high” level of risk, an on-premises inspection could also be performed as well.

The above described practice seems to be currently established as a standard procedure for the DPA and concerns all controllers with activities in Bulgaria.


Article provided by INPLP member: Desilava Krusteva (Dimitrov, Petrov & Co, Bulgaria)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.