Skip to main content

Can data protection rules affect the assignment of receivables in Bulgaria?


For many years, a common practice in Bulgaria is debtors to submit complains to the Bulgarian DPA for unlawful processing of their personal data due to performed assignement of their debts to a new creditor (cession). As a result a non-consistent practice has been formed of the DPA through the years where quite often the consent of the deptor for the processing of his/her personal data is sought as a condition for the assignement of the debt/ the receivables to a new creditor. However, after GDPR Bulgarian DPA undertaken certain changes in their interpetation on whether consent is required for the processing of personal data of a debtor when a creditor assign/ transfer a debt to a new creditor (e.g. in case of cession).

Pursuant to the assignment of receivables (cession) agreement the creditor under a certain receivable (assignor) assigns it to a third party (assignee). Since the debtor is not a party tot he cession agreement quite often in the practice the debtor complaint for not been asked for permission his/ her personal data to be provided to the new creditor and/ or for not being aware that a third party will process his/her data.

Under Bulgarian legislation the debtor is not a party to the assignment agreement and their consent is not required for the transaction to take effect. However, as the effective performance of an assignment agreement requires and involves the provision of all the documentation regarding the reveivables to the new creditor and thus, the provision of the personal data of the debtor to the new creditor. Thus, the question on what legal basis applies to such provision of personal data has been subject to numerous disputes before Bulgarian DPA and in the past quite often a consent from the debtor was sought for the provision of their personal data to the new creditor.

However, the consent is an inappropriate legal basis for personal data processing under assignment agreements. This is explained by the fact that if processing is based on consent, it would allow the debtor to block the creditor from disposing of their receivables by preventing the creditor from processing the personal data contained in the debt documentation or debt related documents – information about who the debtor is and what his contact details are, where his obligation arises from, what is its amount and maturity, etc.

Therefore, other legal grounds may serve as basis for processing the debtor’s personal data.

The assignor may base its data processing activation on compliance with a legal obligation as the law obliges the assignor to provide the assignee with the debt documentation and thus, to perform the related processing of the personal data contained in this documentation. In addition, the assignor has a legitimate interest to dispose of its receivable as it deems appropriate.

The assignee, on the other hand, a legitimate interest to collect their receivable. In addition, the performance of a contract to which the data subject is a party also may serve as a legal basis, since the data subject is a party ynder the contract under which the assigned receivables have arisen. However, the last legal basis will apply if the assignment has lead an action against the debtor by notification under Art. 99, Para. 3 and 4 of the Contracts and Obligations Act.

According to more recent practical guidance by the Commission for Personal Data Protection (CPDP), the legal fact which makes the personal data processing admissible is the assignment of the receivable, not the notification of the debtor. This means that the assignee may lawfully process the debtor’s personal data even prior to this notification.

Finally, a key requirement to be fulfilled in case of an assignment is the notification of the debtor of the processing of their personal data. In case of cession the new data controller – assignee obtains the personal data not directly from the data subject, but from another source – the assignor. In order to ensure transparent data processing, the data subject needs to be provided with information under Art. 14 of the GDPR.


Article provided by: Desislava Krusteva and Martin Zahariev (Dimitrov, Petrov & Co., Bulgaria)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.