Whistleblower law in Bulgaria #
Bulgaria implemented Directive (EU) 2019/1937 through the Act on the Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches, in force since 4 May 2023. The Bulgarian system is notable because the CPDP acts both as the central external authority and as the data protection authority.
Applicable law #
Who must establish an internal channel #
- All in-scope public-sector bodies (obliged organisations under the Financial Management and Control in the Public Sector Act) — regardless of headcount.
- Private employers with 50 or more workers.
- Phased: public sector and private employers with 250+ workers from 4 May 2023; the 50-249 band from 17 December 2023.
A 2025 amendment (in force May 2025) removed the option to use a shared group-level internal channel — each obligated entity must now establish and maintain its own.
Penalties and enforcement #
Bulgaria’s penalty structure is dual-tier (natural vs. legal person) and escalates on repeat. EUR figures use the fixed peg (1.95583 BGN/€).
| Conduct | Fine | ≈ EUR |
|---|---|---|
| No internal channel — legal person / sole trader, first violation | BGN 5,000–20,000 | ~€2,500–10,000 |
| No internal channel — legal person, repeat violation | BGN 10,000–30,000 | ~€5,000–15,000 |
| No internal channel — natural person | BGN 1,000–5,000 | ~€500–2,500 |
| Retaliation, or initiating proceedings against a reporter to harm them | BGN 2,000–8,000 | ~€1,000–4,090 |
An honest assessment of enforcement. The fines above are what the law provides. In practice, enforcement to date is modest and largely reactive. The CPDP’s official 2024 figures record 97 reports received (35 within the Directive’s scope), seven inspections closed for lack of sufficient evidence, and only one resulting in a sanction, with total sanctions for the year of BGN 17,400 (~€8,900). No company has been publicly named, and none of these is identified as a specific failure-to-establish-channel case. The practical conclusion mirrors the rest of the region: the obligation is real, but the exposure is a report reaching the CPDP with no channel in place — not a large fine.
External reporting authority #
The central external channel is the Commission for Personal Data Protection (CPDP) , which also publishes forms, register guidance and FAQs for obliged entities.
Data protection authority #
The same CPDP is Bulgaria’s GDPR supervisory authority.
Key compliance points #
- Municipalities with fewer than 10,000 inhabitants or fewer than 50 workers may share resources for intake and follow-up.
- Private entities with 50-249 workers may also share resources for receiving and handling reports.
- CPDP’s official materials expect a non-public register of reports and clear public information about how to use the channel.
Official sources #
- Bulgarian whistleblowing act — official CPDP law page
- CPDP — implementation of the protection system
- CPDP — frequently asked questions
- CPDP — complaints and signals
- CPDP — 2024 whistleblower enforcement statistics
- EU Whistleblowing Monitor — Bulgaria
Deploy your reporting channel →
Last updated: