Bulgaria Data Protection Update: AI and Automated Decision-Making

The Bulgarian Commission for Personal Data Protection (CPDP) has issued new guidance on the use of artificial intelligence and automated decision-making systems, building on GDPR requirements and the EU AI Act. Organizations operating in Bulgaria must review their AI deployments for compliance.

New Requirements

  • AI impact assessments: Mandatory data protection impact assessments (DPIAs) for all AI systems processing personal data, with enhanced requirements for high-risk systems
  • Transparency obligations: Clear disclosure when individuals are subject to automated decision-making, including meaningful information about the logic involved
  • Right to human review: Strengthened rights for individuals to obtain human intervention in automated decisions with legal or significant effects
  • Algorithmic auditing: Periodic audits required for AI systems used in employment, credit scoring, and public services

Sector-Specific Guidance

The CPDP has issued specific guidance for financial services, healthcare, and employment sectors. Companies using AI in these areas face additional compliance requirements, including bias testing and model documentation obligations.

Enforcement Trends

The CPDP has signaled increased enforcement activity around AI compliance, with several investigations already underway. Fines for non-compliance can reach up to EUR 20 million or 4% of annual worldwide turnover.

Our TMT practice provides comprehensive advice on AI governance, data protection compliance, and technology regulation. Contact us to schedule a compliance review.
