Personal data breaches: what you need to know according to GDPR and Bulgarian practice
Sign up today for the Personal Data Protection Course and be prepared, if you want to learn more about rights and obligations under GDPR, including in the workplace context.
What is a personal data breach?
A personal data breach (often simply "data breach") is a breach of security that leads to the accidental or unlawful:
- destruction;
- loss;
- alteration;
- unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed (Art. 4(12) GDPR).
This can include:
- sending an email with a list of personal data to the wrong recipient;
- a hacker attack on a database;
- a lost laptop containing sensitive information;
- data leakage through an internal employee ("insider threat").
Under Art. 33 of GDPR, once the controller becomes aware of such a breach, it must notify the supervisory authority (in Bulgaria, the Commission for Personal Data Protection, PDPC) without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
What are the controller's obligations in the event of a breach?
The personal data controller must:
- Report the incident to the PDPC within 72 hours of becoming aware of the breach; if the notification is made later than that, it must be accompanied by the reasons for the delay;
- Assess the risk to the rights and freedoms of the data subjects;
- Notify the affected individuals without undue delay if the breach is likely to result in a high risk to them (e.g. theft of personal identification numbers, bank or health data);
- Document everything: the facts of the breach, its cause, the categories of data and the number of affected persons, its effects, and the measures taken.
Failure to act, or late notification, can itself lead to a sanction: the notification duty is separate from the question of whether the controller is to blame for the breach.
The largest breach in Bulgaria: the case of the NRA
In 2019, Bulgaria experienced its largest known personal data breach: more than 6 million people were affected by a breach of the servers of the National Revenue Agency (NRA). Data such as personal identification numbers, income, social insurance records, addresses, and bank transactions became publicly accessible.
After an inspection, the PDPC imposed a fine of BGN 5.1 million on the NRA, citing insufficient technical and organizational protection measures. The administration appealed, but the Supreme Administrative Court upheld the liability.
Conclusion: Even a state institution is not protected from sanctions when it has not complied with the requirements of Articles 32 and 33 of GDPR.
What should you know as a citizen?
If you learn that your personal data has been leaked, you have the right:
- to be notified without undue delay;
- to file a complaint with the PDPC (Commission for Personal Data Protection);
- to seek compensation through legal action if you have suffered damage (material or non-material);
- to receive information about what data has been affected and what measures have been taken.
Example: if a bank has sent a bank statement to the wrong email address and you find out that a third party has had access to it, the bank is obliged to notify the PDPC and to inform you, since a bank statement reveals financial data.
What sanctions do GDPR and the PDPC provide?
- Up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for infringements such as missing internal documentation, late notification, or failure to implement security measures (Art. 83(4));
- Up to EUR 20 million or 4% of turnover, whichever is higher, for the more serious infringements, such as breaches of the basic processing principles or of data subjects' rights (Art. 83(5)).
In Bulgaria, the most common reasons for fines are:
- failure to notify the PDPC on time;
- lack of a risk assessment;
- use of unsecured systems without encryption or access control.
What are the good practices for protection against a breach?
- Regular vulnerability scanning and penetration testing of IT systems;
- Restricting access to personal data to the employees who actually need it for their work (least privilege);
- Training staff to recognize phishing and social engineering;
- Introducing multi-factor authentication and encryption of personal data at rest and in transit;
- Keeping a record of processing activities (Art. 30 GDPR) and of the systems in which personal data is held.
Role of the PDPC in incident management
The PDPC publishes forms and guidelines for breach notifications, and also regularly publishes summaries in its bulletins.
Bulletin No. 3/2025 states that the most common breaches are caused by human error, lack of control, and weak IT security. It also records numerous complaints and inspections, a number of which ended in sanctions.
Conclusion: prevention is key
Every personal data controller – from a small company to a state institution – must treat data protection as an ongoing process, not a one-time measure.
If you work with personal data, make sure you have a clear procedure for responding to an incident.
If you are a citizen – monitor what happens to your data and react in time if you suspect a breach.
To learn how to build a GDPR-compliant security system and how to respond to an incident, sign up for the Personal Data Protection Course.