03 / Compliance Landscape
GDPR in full force, with a stricter-than-average criminal data interpretation
Bulgaria's CPDP has adopted a strict reading of criminal data processing. Legitimate interest is not sufficient. Only a specific legal obligation qualifies.
GDPR + Bulgarian PDPA: the binding compliance framework
CPDP supervision. Strict criminal data restrictions. Consent-first screening.
What's happening
GDPR (Regulation 2016/679) applies in full. The domestic implementation is the Personal Data Protection Act (PDPA), supervised by the CPDP (Commission for Personal Data Protection). Employment screening typically requires explicit consent.
Why it matters
CPDP has adopted a strict interpretation of criminal data processing. Criminal records can only be processed under GDPR Article 6(1)(c), legal obligation. Processing criminal data under legitimate interest (Article 6(1)(f)) is explicitly prohibited in Bulgaria.
Where it breaks
Blanket criminal screening across all roles is not lawful in Bulgaria. The employer needs a specific legal basis for the criminal check, not just consent or a generic business need. Roles without a specific legal mandate cannot be screened against criminal records.
Reality insight
This is stricter than many other EU member states. TPRM teams should verify that their provider applies this restriction correctly and does not default to a broader interpretation. Vendors running criminal checks on all Bulgarian roles are creating compliance exposure.
No legitimate interest for criminal data
CPDP explicitly prohibits processing criminal records under GDPR legitimate interest. Only a specific legal obligation qualifies. This is stricter than many other EU member states and means blanket criminal screening across all roles is not lawful in Bulgaria.
Cyrillic/Latin name transliteration compliance risk
Bulgarian national IDs use Cyrillic characters. Official transliteration to Latin uses the ISO 9:1995 standard, but inconsistencies across institutions and documents create systematic name-matching failures. Always capture both the Cyrillic and Latin variants of each name. Mismatches are a major red flag.
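The dual-capture check described above, as an added example that is not part of the original brief: it treats the Cyrillic name as canonical and reports which romanisation a supplied Latin name corresponds to. The function names and the sample name are constructed; the digraph-based table is the Bulgarian Streamlined System, which the brief does not name, and both tables are simplified per-letter mappings.

```python
import unicodedata

# Letters that romanise the same way in both schemes.
COMMON = dict(zip("абвгдезиклмнопрстуф", "abvgdeziklmnoprstuf"))
# ISO 9:1995: one Latin character per Cyrillic letter, using diacritics.
ISO9 = {**COMMON, "ж": "ž", "й": "j", "х": "h", "ц": "c", "ч": "č", "ш": "š",
        "щ": "ŝ", "ъ": "\u02ba", "ь": "\u02b9", "ю": "û", "я": "â"}
# Streamlined System (assumption: included as a common digraph-based variant;
# its word-final "-ия" -> "-ia" rule is not handled in this sketch).
STREAMLINED = {**COMMON, "ж": "zh", "й": "y", "х": "h", "ц": "ts", "ч": "ch",
               "ш": "sh", "щ": "sht", "ъ": "a", "ь": "y", "ю": "yu", "я": "ya"}

def romanise(name, table):
    """Letter-by-letter romanisation; non-Cyrillic characters pass through."""
    return "".join(table.get(ch, ch) for ch in name.lower())

def fold(text):
    """Drop diacritics and modifier primes, as systems limited to ASCII do."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed
                   if unicodedata.category(c) not in ("Mn", "Lm"))

def latin_variants(cyrillic):
    """All Latin renderings of one Cyrillic name that intake should accept."""
    iso = romanise(cyrillic, ISO9)
    return {"iso9": iso, "iso9_ascii": fold(iso),
            "streamlined": romanise(cyrillic, STREAMLINED)}

def match_scheme(cyrillic, latin):
    """Return the scheme under which `latin` renders `cyrillic`, else None."""
    target = unicodedata.normalize("NFC", latin).lower()
    for scheme, variant in latin_variants(cyrillic).items():
        if unicodedata.normalize("NFC", variant) == target:
            return scheme
    return None  # unexplained mismatch: route to manual review

if __name__ == "__main__":
    name = "Жечка Цветкова"  # constructed sample name
    for latin in ("Zhechka Tsvetkova", "Žečka Cvetkova", "Jechka Zvetkova"):
        print(latin, "->", match_scheme(name, latin))
```

A `None` result is the case the brief calls a red flag: the Latin name on a document cannot be derived from the Cyrillic name under any scheme the matcher knows.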
Criminal certificates: regional court decentralisation
- Certificates of non-conviction (свидетелства за съдимост) are issued by regional courts under the Ministry of Justice.
- Sofia and major cities typically respond within 5-7 business days. Smaller regional courts (Ruse, Pazardzhik) may take 2-4 weeks.
- Non-Bulgarian language requests face additional delays. Native-language capability is a material differentiator for vendor selection.
- The decentralised structure means there is no single national criminal database for private screening providers to query.
Procurement implication
If your screening vendor processes criminal records for Bulgarian candidates without a specific legal basis for each role, they are creating GDPR exposure for your organisation. Ask your vendor which roles qualify for criminal screening under Bulgarian PDPA and CPDP guidance.
Decision trigger
Can your vendor document a specific legal basis for criminal screening for each Bulgarian role, or do they apply blanket criminal checks that may violate CPDP guidance?
04 / Operational Gaps
Every check type has its own dependency chain, timeline, and failure mode
Constraints are structural: limited digitisation, regional court decentralisation, and dual-script documentation. They do not resolve with better technology.
Verification process: where it stalls
1. Candidate consent: GDPR-compliant capture
2. Identity (EGN): EGN + document, 0-1 days
3. Employment: NRA + HR confirm. Stall: NRA response lag
4. Education: NEAA / registrar / archive. Stall: 64% manual chase
5. Criminal: Regional courts / Ministry. Gap: decentralised courts
6. Address: National register / field
Identity: EGN-anchored, three document types
- EGN (Unique Identification Number): 10-digit code present on all government-issued identity documents. Encodes birth date, gender, and region.
- National ID card (Лична карта): issued by local police. Valid in EU/Schengen only.
- Passport: issued by Border Police / Ministry of Interior. Required for non-Schengen travel.
- EU ID card: EGN-linked. Valid in EU/EEA.
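A structural check for the EGN described above, as an added example that is not part of the original brief: it validates the check digit, decodes birth date and sex, and compares them with the fields printed on the identity document. The function names and sample EGNs are constructed for illustration; the region digits are not decoded here.

```python
from datetime import date

WEIGHTS = (2, 4, 8, 5, 10, 9, 7, 3, 6)  # applied to digits 1-9

def parse_egn(egn):
    """Return {'birth_date', 'sex'} for a structurally valid EGN, else None."""
    if len(egn) != 10 or not (egn.isascii() and egn.isdigit()):
        return None
    d = [int(c) for c in egn]
    yy, mm, dd = d[0] * 10 + d[1], d[2] * 10 + d[3], d[4] * 10 + d[5]
    # The month field carries the century: +20 for 1800-1899, +40 for 2000-2099.
    if 1 <= mm <= 12:
        century = 1900
    elif 21 <= mm <= 32:
        century, mm = 1800, mm - 20
    elif 41 <= mm <= 52:
        century, mm = 2000, mm - 40
    else:
        return None
    try:
        born = date(century + yy, mm, dd)
    except ValueError:  # e.g. 30 February
        return None
    # Check digit: weighted sum mod 11, with a remainder of 10 written as 0.
    if sum(w * x for w, x in zip(WEIGHTS, d)) % 11 % 10 != d[9]:
        return None
    # Ninth digit: even for male, odd for female.
    return {"birth_date": born, "sex": "male" if d[8] % 2 == 0 else "female"}

def egn_flags(egn, document_dob, document_sex):
    """Compare an EGN with the date of birth and sex on the identity document."""
    parsed = parse_egn(egn)
    if parsed is None:
        return ["egn_invalid"]
    flags = []
    if parsed["birth_date"] != document_dob:
        flags.append("dob_mismatch")
    if parsed["sex"] != document_sex:
        flags.append("sex_mismatch")
    return flags

if __name__ == "__main__":
    # Constructed EGN: 15 February 2005, female.
    print(parse_egn("0542150476"))
    print(egn_flags("0542150476", date(2005, 12, 15), "female"))
```

A passing check shows only that the number is well formed and agrees with the document; it does not show that the EGN was issued to the candidate.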
Employment: NRA is the trusted source
- NRA (National Revenue Agency) maintains employer-reported employment and tax-contribution records. Access via eServices portal with candidate consent.
- Electronic employment record (June 2025): unified digital trail of work history. First government-backed system of its kind in Southeast Europe.
- TAT: 3-5 business days for recent employment, up to 2 weeks for older records.
- Cross-border gap: many Bulgarian IT candidates have worked in Romania, Turkey, or other EU/non-EU states. Always screen for undisclosed multi-country employment.
Education: NEAA accreditation, limited digital access
- NEAA (National Accreditation and Assessment Agency) accredits institutions. Ministry of Education maintains the registry of recognised programmes.
- 16% resolve via NEAA portal (3-5 day TAT). 64% require manual registrar email (8-14 day TAT). 20% require physical archive access (10-18 day TAT).
- Cross-border degrees require ENIC-NARIC evaluation for recognition.
Regional court processing delays
Bulgarian criminal records are decentralised by regional court. Small regional courts may process requests very slowly, particularly those in English or through third parties. Plan for 3-4 week TAT for regional candidates.
Credit and financial: regulated roles only
- Central Credit Register (CCR) operated by the Bulgarian National Bank. Used for regulated financial-sector roles.
- Credit reports accessible with explicit candidate consent. Issued within 2-3 business days.
Turnaround time by check
Realistic TAT range per check type (days)
Min-to-max range observed across Bulgaria programmes. Longest TAT in Eastern Europe batch due to limited digitisation.
- Identity (EGN + document): 0-1 days
- Employment (NRA + HR confirm x 2): 2-6 days
- Education (Ministry or registrar): 1-18 days
- Criminal (Regional court or Ministry): 2-14 days
- Address (Sofia vs regional): 1-8 days
Source: OutsourceVerify Bulgaria operating data, 2024-2026 rolling window.
What companies assume
- EU member means fast, digitised verification
- Criminal checks can be run on all roles
- Latin-alphabet name matching is sufficient
- Education degrees verify through portals
- Same process as Poland or Romania
- Cost savings extend to screening costs
What actually happens
- Limited digitisation compared to Central European peers. 64% of education checks require manual registrar contact.
- CPDP prohibits criminal screening under legitimate interest. Only roles with a specific legal mandate qualify.
- Cyrillic-native documents produce 32-52 transliteration mismatches per 1,000 candidates. Dual-name capture is essential.
- Only 16% resolve via NEAA portal. The rest require manual processing with 8-18 day TAT.
- Bulgaria has stricter criminal data rules and slower institutional response than Central European EU peers.
- IT salary savings of 30-40% do not reduce verification complexity. Screening cost is driven by institutional access, not labour cost.
Decision trigger
When your vendor reports "completed" on a Bulgarian education check, does that mean NEAA portal confirmation, registrar email confirmation, or archive retrieval? Do you know the difference?
05 / Decision Impact
Three scenarios. Three different risk exposures.
Your operating context determines your verification risk. Each scenario below maps to a distinct failure mode.
Nearshore IT Scale-Up
Growing Sofia IT operation with 50+ hires per quarter. Multi-country employment histories, university degrees, and professional certifications require deep verification. Cyrillic name-handling at scale compounds transliteration errors.
Risk: Name-matching failures cascade through employment, education, and criminal checks simultaneously.
Medium exposure
Market Entry into Bulgaria
First outsourcing engagement. No baseline for Bulgarian institutional timelines or Cyrillic documentation handling. Vendor selected based on EU-wide coverage claims without Bulgaria-specific capability.
Risk: Generic EU screening process does not account for Bulgaria's unique dual-script and digitisation challenges.
Medium exposure
Audit and Compliance Review
A GDPR audit requires evidence of a lawful basis for criminal data processing. CPDP's strict interpretation means blanket criminal checks create compliance exposure. Consent trails and legal-basis documentation are required.
Risk: Vendor cannot demonstrate role-specific legal basis for criminal screening under CPDP guidance.
Medium exposure
Decision trigger
The right question is not "do you cover Bulgaria." It is: does your vendor have native Cyrillic name-handling, NEAA portal access, and CPDP-compliant criminal screening workflows?
Executive Intelligence Summary
Bulgaria: 7 conclusions for decision-makers
1. Cyrillic/Latin transliteration is the single largest verification risk. 32-52 name mismatches per 1,000 candidates. Dual-name capture at intake is not optional. It is a process requirement.
2. CPDP's criminal data interpretation is stricter than most EU member states. Only roles with a specific legal obligation qualify for criminal screening. Blanket checks create GDPR exposure.
3. 64% of education verifications still resolve via manual registrar contact. Only 16% go through the NEAA portal. Plan for 8-14 day TAT on the majority of education checks.
4. Bulgaria's June 2025 electronic employment record is a structural advantage. The NRA's unified digital work-history system is the first in Southeast Europe and positions Bulgaria ahead of regional peers for employment verification.
5. IT salary savings of 30-40% vs Poland or Romania do not reduce screening complexity. Verification cost is driven by institutional access and Cyrillic name-handling, not by local labour costs.
6. Regional court decentralisation creates variable criminal check TAT. Sofia responds in 5-7 days. Regional courts may take 3-4 weeks, especially for English-language requests. Native Bulgarian capability is a material differentiator.
7. Vendor evaluation should test for Bulgaria-specific operational depth. Ask for Cyrillic name-handling workflows, NEAA portal access, NRA electronic record integration, CPDP-compliant criminal screening documentation, and native Bulgarian-language institutional communications.
Delivery in this market
Verification in this jurisdiction is executed by a regional cell with direct institutional access, operating under our central programme office. Cases run in parallel with other active markets. Evidence standards, quality gates, and escalation protocols are identical regardless of geography. Surge capacity is pre-built, not assembled on demand.
About this brief. Reflects the regulatory and operational landscape as of May 2026. TAT ranges and red flag rates are first-party operating data, presented as observed ranges. GDPR compliance calendar sourced to CPDP official guidance. Institutional data sourced to NRA, NEAA, and Ministry of Justice public records.