Policy on Transparency and Personal Data Protection

Pursuant to the regulatory requirements, the Bulgarian National Audit Office is obliged to inform you what to expect when we process your personal data.

Who is the controller of processed personal data?

The National Audit Office of the Republic of Bulgaria is the Supreme Audit Institution tasked to control the reliability and authenticity of the financial statements of budget organizations and the lawful, effective, efficient and economical management of public resources and activities.  Within the meaning of the Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the National Audit Office is the controller of personal data, because:

 “Personal data”

means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person;


means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

What type of personal data do we process?

In enforcing our statutory role, we need to collect, use, store and transfer various personal data, which we have grouped as follows: 

  • Data on your identity, which may include names, personal identity number, nationality and gender, education, criminal record and other data in view of the legal requirements in employment/work relations;
  • Contact data: address, email, phone numbers;
  • Data on employment: information on your activities in the audited organization, or in an organization related to it (including an international one); information on your role in projects you have been part of; correspondence between you and the colleagues within the organization or between you and the people interacting with this organization;
  • Personal data concerning health: information on the physical and psychological health of employees and applicants for a certain job position;
  • Financial data: data on bank accounts, salaries, tax and social security information, data on compensations paid and the justification for those payments, reports on payments made to you and from you, attachment of earnings orders, insurances and other data needed to perform our legal obligations;
  • Technical data: Internet protocol address (IP), the data on entry to our Internet and Facebook accounts; type and version of your browser, settings, location and time zone; language used, types and versions of the operation system. (Annex I to this document contains detailed information on the use of cookies);
  • Data on your systems for video surveillance and access control used in administrative buildings.

In the course of the audits, special categories of personal data may need to be processed as part of administrative-penal proceedings or following other regulatory obligations, as set in Art. 9 of the General Data Protection Regulation. This may happen in rare cases, such as:

  • When information on salaries is being processed, which may include details on payments made to a trade union that you have asked to be deducted from your monthly remuneration;
  • When we audit a political party or initiate proceedings to establish administrative offences under the Electoral Code or the Political Parties Act, your political views may become known to us;
  • When we examine the effectiveness of organizations – providers of services in the context of criminal proceedings, we may gain access to criminal records in the course of the audit.

How do we process your personal data? 

We process your personal data:

  • lawfully, fairly and in a transparent manner;
  • for specified, explicit and legitimate purposes;
  • adequately, relevantly and limited to what is necessary in relation to the purposes for which the personal data are processed;
  • accurately and taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • in a manner that ensures appropriate security of personal data.

 To whom do we disclose your personal data?

We disclose your personal data to:

  • the competent authorities which are authorized by law to request such information;
  • counterparties who process personal data on our behalf and with whom we have signed a contract under Art. 28, p. 3 of the General Data Protection Regulation.

We require all third parties to comply with the security rules concerning your personal data, to process them in accordance with the law and only pursuant to the agreed conditions and purposes.

How do we ensure data security?

We have introduced appropriate measures for the organizational and technical protection of your personal data, in order to prevent the accidental loss, use or access to your personal data from unlawful use or disclosure. Moreover, we limit the access to your personal data for other employees, in strict compliance with the “need to know” principle. They process your personal data only subject to a legitimate basis and in compliance with the obligation of confidentiality.

We have adopted a procedure to deal with breaches of your personal data. In case of risk to your rights and freedoms, you and the competent supervisory authority (the Commission for Personal Data Protection) will be duly informed.

How long do we store your personal data?

We process your personal data for as long as it is necessary to fulfil the purposes for which they were collected, including for legal, accounting or reporting purposes.

In determining the appropriate period for storage of your personal data, we take into account:

  • the existence of a specified legal period for storage, or
  • the nature and sensitivity of data, potential risk of damage in case of unauthorized use or disclosure of data, the purposes for which the personal data is processed and whether it is possible the fulfill those purposes through other means, in accordance with the applicable regulatory requirements.

What are your rights?

In accordance with the provisions of the General Data Protection Regulation and the Personal Data Protection Act, you have:

  • the right to be informed;
  • the right of access to the processed data;
  • the right to rectification;
  • the right to erasure;
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object;
  • the right to automated individual decision-making and profiling.

If you wish to exercise any of these rights, please contact us at the following address:

37, Ekzarh Yosif St., Sofia

Office of the President:
phone number: +359 2 980 36 90
е-mail: president@bulnao.government.bg

Data Protection Officer:

phone number: +359 2 935 74 08

e-mail: g.nikolova@bulnao.government.bg

The applications to exercise individual rights are submitted in person or by an expressly authorized person who has a certified authorization. The applications could also be submitted electronically following the procedure on completion and submission of electronic documents as laid down by the legislation in force.

The application must contain:

а) name, address and other data required for the identification of the natural person;

b) description of the request;

c) preferred form of communication and actions within the meaning of Art. 15 – 22 of Regulation (EU) 2016/679;

d) signature, date of submission of the application and address for correspondence;

e) if the application is submitted by an authorized person, a copy of the certified authorization must be attached.

You will not be charged any fee for access to your personal data (or for the exercise of any of your rights). If your request is manifestly unfounded, repetitive or excessive, it may be denied under these circumstances.

We may ask you for specific information required to confirm your identity and to guarantee your right of access to personal data. This is a security measure which guarantees that personal data is not disclosed to a person who does not have the right to receive them.

We try to respond to all legitimate requests within one month. In certain cases, more than one month is required, if your request is particularly complex or you have submitted several requests. When an extended period is objectively necessary – in order to collect all necessary data or in case of serious impediment to our work, this period could be extended, but for a maximum of 60 days. In this case you will be duly notified.

You have the right to submit your complaint to the competent supervisory authority at any time:

Commission for Personal Data Protection of the Republic of Bulgaria:

Address: 2, Prof. Tsvetan Lazarov Blvd., Sofia 1592  

email: kzld@cpdp.bg

We would wish, however, to examine the possibility of satisfying your request before you approach the Commission for Personal Data Protection, so please, contact us first.

The Policy on Transparency and Personal Data Protection was adopted in 2019.