KEY TAKEAWAYS FROM THE MOST SIGNIFICANT GDPR PERSONAL DATA BREACHES IN THE REPUBLIC OF BULGARIA
DOI:
https://doi.org/10.17770/etr2025vol5.8482
Keywords:
Bulgarian organizations, data breach, GDPR, gaps
Abstract
This research paper focuses on the most significant personal data breaches under the EU General Data Protection Regulation 2016/679 (GDPR) that have taken place in the Republic of Bulgaria since the GDPR became applicable in 2018. These include, inter alia, the data breaches that affected the National Revenue Agency, the Bulgarian Posts, one of the Bulgarian banks and other organizations from the public and the private sector. The analysis of these cases is important because they had an impact on thousands and sometimes millions of people and resulted in severe sanctions reaching thousands and sometimes millions of Bulgarian leva. This problem is especially relevant in the modern information society, where the collection and processing of data are fundamental for economic growth and societal well-being. By examining the available public documentary sources on these cases, such as the practice of the Bulgarian Commission for Personal Data Protection, the authors aim to derive key takeaways regarding the reasons for these data breaches and the gaps in the data protection and information security practices of the affected organizations, and possibly to synthesize recommendations and advice on how such breaches could be avoided or at least mitigated in the future. These results will play a valuable part in a broader scientific research project dedicated to the management of the data breach response reaction processes of Bulgarian organizations, funded by the Bulgarian Science Fund with the Ministry of Education, in which the authors form the research team.
License
Copyright (c) 2025 Martin Zahariev, George Dimitrov, Daniela Pavlova, Panayot Gindev, Vyara Savova, Radoslava Makshutova

This work is licensed under a Creative Commons Attribution 4.0 International License.