Privacy Policy




The Commission for Protection of Competition (CPC / Commission) is an independent specialized state body that is authorized to implement the Law on Protection of Competition (LPC), the Public Procurement Act (PPA) and the Concessions Act (CP). The Commission is a legal entity based in Sofia and is represented by Ms. Julia Nenkova - Chair. Contact the Commission for Protection of Competition:

bul. "Vitosha" 18, 1000 Sofia Center, Sofia

Email: а[email protected]
Contact the Data Protection Officer at:
[email protected] - Mrs. Lora Hadjieva

This data protection policy is issued on the basis of the Personal Data Protection Act and all applicable by-laws related to data processing and protection, and the General Data Protection Regulation (EU) 2016/679. It concerns the protection of personal data in the context of the implementation of the powers and legal obligations that apply to the CPC as a public body.

As a controller of personal data, the Commission for Protection of Competition has an obligation to inform you regarding the collection, processing, transfer, storage and destruction of personal data relating to data subjects.

Data categories and subjects

The CPC as an administrator collects personal data regarding the following categories of persons:

For the purposes of human resources management and financial activities;

To submit complaints, alerts and other requests to the Commission, within the limits of the powers and competence conferred;

For participants in proceedings before the Commission, incl. participants in public procurement;

Requests under the Access to Public Information Act (APIA);

Subscribers to the Commission's public register;


External visitors in connection with the access regime in the CPC administrative building;

Video surveillance;

For the purposes of human resources management, the CPC processes personal data of former, current employees of the Commission, experts in civil contracts, as well as those of candidates - participants in selection.

The personal data of each person are provided voluntarily by the persons themselves, and the data collected are used only for the above purposes. They are provided to third parties only in cases when it is normatively defined, such as NSSI, NRA, National Audit Office, KPKONPI and other public bodies, in view of their powers and competence. In connection with the implementation of the labor, non-employment and official legal relations of the persons, the Commission processes and stores only the personal data required by law in strict compliance with the labor and social security legislation.

The activities for ensuring healthy and safe working conditions of the employees are regulated by a contract with an occupational medicine service, whose commercial activity is regulated by a number of normative acts with accurate collection of certain personal data for

natural persons and their provision only to a narrow circle of authorized persons and stored for the respective normatively established term.

When issuing primary accounting documents addressed to external recipients, the minimum required information regulated in the Accounting Act shall be entered, including: name or title, address and unique identification code from the Commercial Register or unified identification code according to Bulstat or unified civil number or personal alien number of the issuer and recipient;

The Commission is the national body of the Republic of Bulgaria responsible for the application of national and Community competition law and as such body operates in compliance with the principles of legality, independence, publicity, accessibility and equality of arms.

The proceedings before the CPC are a set of actions of the Commission, the parties and other participants in the administrative proceedings, aimed at collecting and verifying evidence on the subject of the respective investigation. The Commission processes personal data under the terms and conditions of applicable law in accordance with its legal powers and obligations. According to Article 48 of the Law on Protection of Competition, any information collected in the course of the proceedings may be used only for the purposes of the law.

Any person may file a report of a violation of the LPC in writing, in person or through an authorized representative, fax or e-mail, which is registered in the Commission's office. The signals may be used at the discretion of the Commission to initiate self-referral proceedings. In the absence of contact details, it is not possible to send a response, and no proceedings are instituted before the CPC on anonymous signals.

As a public body, most of the inquiries and alerts received concern matters on which the Commission does not have the power to carry out an inquiry and take the necessary measures. In these cases, the CPC forwards the signals and complaints to 3 other state bodies for verification of the case and for an opinion. Further processing of data for other purposes is possible only when they are compatible with the original purpose of data collection or provided by law.

The Commission shall consider and rule on complaints for illegality of decisions, actions and omissions of contracting authorities or grantors in public procurement or concession award procedures in accordance with the provisions of the Public Procurement Act and the Concessions Act. The CPC, in its capacity as an appellate body, has the right to initiate proceedings only after an explicit referral by a person with a legal interest, conducting an investigation and ruling on the legality of decisions, actions and omissions of contracting authorities or grantors only on allegations in the complaint. The information collected in the course of the proceedings is in accordance with the normatively assigned competencies of the Commission and is used only insofar as it meets the objectives of the Public Procurement Act and the Insurance Act.

The acts of the Commission issued are subject to appeal regarding their legality before the Supreme Administrative Court. In these cases, there is a forwarding of documents to the court, when the data are part of the file.

When examining applications and oral requests for access to public information, the Commission may process information on individual data subjects that contains data on the physical, economic, political, social or other identity of individuals. The CPC provides such information in accordance with the provisions of the Law on Access to Public Information in compliance with the principles of transparency and protection of personal data.

Through the official website, the Commission maintains a public register of its activities in the implementation of the Law on Protection of Competition, the Law on Public Procurement and the Law on Concessions. The website allows both a free search in the public register and through a subscription by e-mail and RSS for changes in production, initiation of proceedings, publication of notices, decisions, definitions and orders.

Regardless of whether in the specific case the e-mail address represents personal data or not, the CPC uses the provided e-mail addresses only for the purposes of providing the information necessary for the specific proceedings.

The website for electronic services of the Commission for Protection of Competition provides an opportunity to submit notifications, requests and complaints under the LPC, the PPL and the LC. The use of these services requires registration on the site with a universal electronic signature (UES). In this way, personal data is collected in order to provide services requested by the user. This information is recorded in a database and the Commission uses the information provided only to perform the requested service, in view of its powers, without providing it to third parties.

When visiting the institutional site, it is possible to store or retrieve user information in the form of cookies.

Cookies are small amounts of data that a website stores on an Internet access device (computer, tablet or mobile device) and are intended for use by web pages. Usually the information cannot be personally related to the visitor. The cookies used by the Commission's website and in particular the Sofia Competition Forum section are related to its operation, as well as to the collection of 4 statistics for analysis, for which we use Google Analytics. Cookies are also used to identify the session. By adjusting the user's browser accordingly, they can be turned off at any time. In this case, it is possible to lose some of the functionality of some of the services on our site.

Third-party services used on the Commission's website may set various cookies when visiting the site. These sites and services may have different security policies. All resources located outside the domain of the CPC website should be considered as third party services. The Commission's website collects data in log files on its web server. This service information contains the IP address of the visitor, when the site was visited, pages visited. The CPC does not provide this information to third parties.

 The CPC processes data of persons in the context of contractual relations in connection with its needs. The Commission most often concludes contracts with companies. Insofar as in connection with the implementation of these contracts personal data of individual individuals are processed, information about them is processed in a minimum amount - before the conclusion of the contract, for payments under the contract, for contacts on operational and other issues, ie. sufficient only for the exact fulfillment of the obligations under the respective contract.

Further processing of data is possible only when it is necessary to comply with legal requirements applicable to the Commission as a public body, to properly store information and documents, to comply with the requirement for accountability in inspections of public spending.

The CPC processes data on external visitors during the implementation of the access regime in the administrative building of the Commission at the address Sofia, 18 Vitosha Blvd. by virtue of a concluded contract for security activity. Access control was introduced in order to ensure security and safety, prevent and prevent terrorist and criminal acts, theft and encroachment on property and property, maintaining order and security in the area of ​​the administrative building, as well as ensuring a normal work process for employees.

Access to the building of external visitors is limited to submitting and / or receiving documents in the office, payment in cash of production fees and issuing invoices, acquaintance with materials on files of participants in the proceedings or stakeholders, participation in open meetings of Commission, workshops, etc.

The security guard on duty issues a pass to the external visitor, and the data that are processed are: the three names of the visitor; a Commission official to be visited; the purpose of the visit; the date and time of entry and exit from the building.

The information about the personal data is provided by the natural persons-visitors before the access to the administrative building of the CPC is provided. This information is received and entered into the access control system. An external visitor who has refused to identify himself shall not be granted access.

The permanent video surveillance in the CPC is part of the established technical security systems. Video surveillance recordings are stored for a period of 12 days. Access to this data is limited and is limited to persons within the scope of their official duties.

When processing data, including personal data, the CPC and its administration take the necessary organizational and technical measures to comply with all legal requirements, to protect the rights and freedoms of individuals. Pursuant to Art. 55 of the LPC, the data contained in the materials of the files shall be used for the protection of the production, trade or other secret protected by law.

The information made known to the Commission and its administration in connection with the performance of their official duties shall be processed in compliance with the principles of personal data protection and the necessary measures shall be taken to prevent and prevent breaches of the security of this information. Numerous measures for physical, personal, documentary protection and protection of information systems have been taken for data protection.

When storing documents submitted to the Commission, the CPC complies with the deadlines provided by current legislation and applicable regulations, the requirements for keeping the institutional archive, and the deadlines within which legal claims may be filed. After the expiration of the term for their storage, the information carriers (paper and electronic), which are not subject to transfer to the National Archive Fund, may be destroyed.

Rights of data subjects

Right of access

Every person has the right to receive confirmation from the CPC whether personal data related to him are processed and, if so, to have access to the data and information related to the processing.

Right of adjustment. The data subject has the right to request from the CPC to correct inaccurate personal data related to him and to provide additional data.

Right to delete. The data subject has the right to request from the CPC the deletion of the personal data related to him

data, except in cases where there is a reason for their processing.

Right to limit processing. The data subject has the right to request from the CPC to limit the processing in

the following situations:

the accuracy of personal data is disputed by the data subject for a period that

allows the CPC to check their accuracy;

the processing is unlawful, but the data subject does not wish the personal data to be deleted, but instead requests that their use be restricted;

The CPC no longer needs personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or protection of legal claims;

The data subject objected to the processing pending verification of whether the CPC's legal grounds took precedence over the data subject's interests.

The data subject has the right to receive personal data concerning him and which he has provided to the CPC in a structured, widely used and machine-readable format and has the right to transfer this data to another controller without hindrance by the CPC. When exercising its right of portability, the data subject shall be entitled to receive a direct transfer of personal data from one controller to another where this is technically feasible.

Right to object

The data subject has the right to object to the processing of personal data relating to him, which is based on the performance of a task of public interest, exercise of official powers and processing for the purposes of the legitimate interests of the CPC.

Right of appeal, The data subject has the right to file a complaint to the Commission for Personal Data Protection in connection with violations of the requirements for personal data protection. You can also contact the CPC Personal Data Protection Officer on all issues related to the protection of your personal data.

This policy has been approved by the Chairman of the CPC and has been in force since May 25, 2018.

The Commission reserves the right to change and update it.