Bulgarian whistleblower protection law "ЗЗЛПСПОИН"

Bulgaria handed its whistleblowing system to an unlikely office. The Commission for Personal Data Protection runs the state reporting channel. The Law on the Protection of Persons Reporting or Publicly Disclosing Information about Breaches (ЗЗЛПСПОИН) bars anonymous reports and ignores anything older than two years. Skip the in-house channel and a firm can be fined up to 20,000 leva. Here is how the rules work.

Key Takeaways

  • Employers with 50 or more staff must run an internal reporting channel.
  • The data-protection commission is the single state channel, and it routes reports to 14 sector regulators.
  • The law takes no anonymous reports and none about breaches older than two years.
  • A whistleblower who suffers payback can claim damages, and the employer must prove it was not reprisal.
  • A company that skips the channel can be fined up to 30,000 leva on a repeat breach.

Who and what does the law protect?

The law covers a wide field. A report can flag a breach of EU law. That takes in public procurement, financial services, and product safety. It also takes in transport safety, the environment, public health, and data protection. But Bulgaria went further than the Directive asks. The law covers any ordinary crime a worker learns of on the job. It also covers Bulgarian rules on labour, the civil service, and public debts. So a worker can report a theft or a safety cover-up, not just an EU-law breach.

"This Act applies to reports or public disclosure of information about ... a general-nature criminal offence of which a person under Article 5 became aware in connection with carrying out their work."
Article 3(1) of the Law on the Protection of Persons Reporting Breaches

Protection reaches a long list of people. It covers employees and civil servants. The self-employed, contractors, and suppliers are included. So are volunteers and trainees. The shield extends to company officers, shareholders, and the sole owner of a firm. It even reaches a job applicant who learned of a breach while being hired, and a worker whose contract has already ended. Helpers and relatives are protected too, since they can face payback for someone else's report.

Some matters sit outside the law. It does not touch classified information, or defence deals caught by the EU treaties. Legal privilege is out, so lawyers bound to secrecy stay covered by that privilege. Medical confidentiality is out as well. So are court deliberations and the rules of criminal procedure.

Which employers must set up a channel?

The duty falls on every public-sector employer. It also falls on private firms with 50 or more workers. Size does not matter in some fields. A firm in finance or anti-money-laundering must build a channel whatever its headcount. The same goes for other listed EU-act areas. Small towns get a break. A municipality under 10,000 people may share resources with others. So can one with fewer than 50 staff.

The duty arrived in waves. The law took effect on 4 May 2023, three months after it was published. Public bodies and larger private firms had to be ready then. Private firms with 50 to 249 staff got more time. Their deadline was 17 December 2023. Those mid-sized firms may also run a shared channel. They can name one person or one unit to handle reports for the whole group.

Every obliged employer must publish how to report. The details go on its website and on its premises. And it must review its own reporting rules at least once every three years.

How do you set up the internal reporting channel?

First, name an employee to receive and assess reports. It can be the person who already handles data protection. That works as long as there is no conflict of interest. They alone may read incoming reports. They must keep each reporter's name safe. They must shut out anyone with no need to see it. Staff must be able to report in writing, by phone, or in person. The reporter fills in a standard form, set by the data-protection commission.

"The employees responsible for examining reports shall ... acknowledge receipt within 7 days, ensure that the identity of the reporting person is duly protected, and provide feedback on the action taken within a period of no more than three months."
Article 16 of the Law on the Protection of Persons Reporting Breaches

The clock then starts. The handler must confirm receipt within 7 days. They must give the reporter feedback within three months. Each employer keeps a non-public register of reports. The register notes who took the report and when. It notes the alleged breach and the action that followed. If the facts check out, the handler proposes a fix. If a crime shows up, the file goes straight to the prosecutor.

WeMoral hands the named officer a sealed inbox. No one else can open it. It also keeps the non-public register Article 18 requires, with each entry timestamped. It is self-hosted whistleblowing software that meets what ЗЗЛПСПОИН asks of the internal channel. A private firm may pass the work to an outside provider, and WeMoral takes that seat. When the commission forwards a case, or the Ombudsman audits the file, that timestamped register is the record you reach for. You can open the in-house channel in a day.

What happens when you report to the state?

The external route runs through one body. Bulgaria named its Commission for Personal Data Protection as the central authority for outside reports. The same regulator that guards personal data now takes whistleblower reports. It does not judge most cases itself. It forwards each report to the right sector regulator within 7 days. And it keeps the reporter's name out of that hand-off.

"The central authority for external reporting and for the protection of persons who are granted protection under this Act shall be the Commission for Personal Data Protection."
Article 19 of the Law on the Protection of Persons Reporting Breaches

The list of receiving bodies is long. A finance report goes to the Financial Supervision Commission. A food report goes to the Bulgarian Food Safety Agency. A competition report goes to the competition regulator. In all, the commission can route reports to 14 named authorities. It must give the reporter feedback within three months. A hard case can stretch that to six months. You can read the channel rules on the commission's own site.

The channel is its own unit inside the commission. Reports are shared out among trained staff at random. Those staff may not pass report details to anyone. That bar even covers the other members of the commission.

One more check sits on top. The Ombudsman of the Republic audits the commission's work on reports. The Ombudsman looks at whether deadlines were met, whether the registers match the law, and whether reporters were kept safe. It also hears complaints against the commission, and reports each year to Parliament. So the body that runs the channel is itself watched.

No anonymous reports, and a two-year clock

Bulgaria made two choices the Directive left open. It will not open proceedings on an anonymous report. And it will not act on a breach committed more than two years ago. The standard form asks for the reporter's full name and address. It asks for their phone and signature. So the system is built around named reports.

"No proceedings shall be opened on: 1. anonymous reports; 2. reports concerning breaches committed more than two years ago."
Article 9 of the Law on the Protection of Persons Reporting Breaches

There is one safety valve. Say a person reported anonymously. Say they were identified later, and then faced payback. The law still shields them. They only need good reason to think the report was true. So the two-year clock and the no-anonymous rule narrow the front door. But they do not strip cover from someone who is unmasked and punished.

How are whistleblowers protected from payback?

Retaliation is banned outright. The law lists 15 forms of it. They run from dismissal and demotion to a pay cut. They include a forced transfer and a bad reference. A blacklist, a cancelled contract, and a pulled licence are on the list. So is an order to take a medical exam. Threats and attempts count too.

"Any form of retaliation against the persons referred to in Article 5, having the character of reprisal and placing them at a disadvantage, as well as threats or attempts at such action, shall be prohibited."
Article 33 of the Law on the Protection of Persons Reporting Breaches

The law also tilts the field toward the reporter. A whistleblower hit by reprisal can claim damages. The harm is presumed deliberate until the other side proves otherwise. And in a retaliation case, the employer carries the burden. It must prove its action had a lawful reason. It must show the report was not the cause.

Support comes with the shield. The commission gives free advice. The National Legal Aid Bureau provides legal aid. That covers criminal, civil, and administrative cases. A mediator can help in cross-border disputes. A reporter is also freed from liability for getting the information. And a protected disclosure of a trade secret counts as lawful.

A reporter facing court action has one more right. They can ask the court to drop the case. They need only have had good reason to think the report was needed to expose a breach.

What are the fines?

Penalties run in leva, the national currency. The lev is pegged to the euro at 1.95583. The chair of the data-protection commission issues the penalty notices. The money goes to the state budget. The figures below rise on a repeat breach.

| Breach (article) | Fine |
| --- | --- |
| No internal channel, an individual (Art. 41) | 1,000-5,000 BGN (€511-2,556) |
| No internal channel, a company or sole trader (Art. 41) | 5,000-20,000 BGN (€2,556-10,226); up to 30,000 BGN on a repeat |
| Blocking a report, or skipping follow-up or feedback (Art. 42) | 400-4,000 BGN (€205-2,045) |
| Retaliation against a reporter (Art. 43) | 2,000-8,000 BGN (€1,022-4,090) |
| Breaching confidentiality (Art. 44) | 400-4,000 BGN (€205-2,045) |
| Filing a knowingly false report (Art. 45) | 3,000-7,000 BGN (€1,534-3,579) |

Bulgaria's design is its own. Most countries built a fresh office. Others leaned on a labour regulator. Bulgaria gave the job to its data guardian. Then it set an Ombudsman to watch the watcher. On paper it is a tidy fit. The commission already knows how to keep names secret. The open question is harder. Does routing a report through one commission, and on to 14 ministries, keep the sender as safe as the law promises? To see how Bulgaria sits beside the rest of the bloc, our list of whistleblowing laws by country lays them side by side.

Damian Sawicki

Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.
