Can data protection rules affect the assignment of receivables in Bulgaria?


For many years, a common practice in Bulgaria is debtors to submit complains to the Bulgarian DPA for unlawful processing of their personal data due to performed assignement of their debts to a new creditor (cession). As a result a non-consistent practice has been formed of the DPA through the years where quite often the consent of the deptor for the processing of his/her personal data is sought as a condition for the assignement of the debt/ the receivables to a new creditor. However, after GDPR Bulgarian DPA undertaken certain changes in their interpetation on whether consent is required for the processing of personal data of a debtor when a creditor assign/ transfer a debt to a new creditor (e.g. in case of cession).

Pursuant to the assignment of receivables (cession) agreement the creditor under a certain receivable (assignor) assigns it to a third party (assignee). Since the debtor is not a party tot he cession agreement quite often in the practice the debtor complaint for not been asked for permission his/ her personal data to be provided to the new creditor and/ or for not being aware that a third party will process his/her data.

Under Bulgarian legislation the debtor is not a party to the assignment agreement and their consent is not required for the transaction to take effect. However, as the effective performance of an assignment agreement requires and involves the provision of all the documentation regarding the reveivables to the new creditor and thus, the provision of the personal data of the debtor to the new creditor. Thus, the question on what legal basis applies to such provision of personal data has been subject to numerous disputes before Bulgarian DPA and in the past quite often a consent from the debtor was sought for the provision of their personal data to the new creditor.

However, the consent is an inappropriate legal basis for personal data processing under assignment agreements. This is explained by the fact that if processing is based on consent, it would allow the debtor to block the creditor from disposing of their receivables by pre-venting the creditor from processing the personal data contained in the debt documentation or debt related documents – information about who the debtor is and what his contact details are, where his obligation arises from, what is its amount and maturity, etc.

Therefore, other legal grounds may serve as basis for processing the debtor’s personal data.

The assignor may base its data processing activation on compliance with a legal obligation as the law obliges the assignor to provide the assignee with the debt documentation and thus, to perform the related processing of the personal data contained in this documentation. In addition, the assignor has a legitimate interest to dispose of its receivable as it deems appropriate.

The assignee, on the other hand, a legitimate interest to collect their receivable. In addition, the performance of a contract to which the data subject is a party also may serve as a legal basis, since the data subject is a party ynder the contract under which the assigned receivables have arisen. However, the last legal basis will apply if the assignment has lead an action against the debtor by notification under Art. 99, Para. 3 and 4 of the Contracts and Obligations Act.

According to more recent practical guidance by the Commission for Personal Data Protection (CPDP), the legal fact which makes the personal data processing admissible is the assignment of the receivable, not the notification of the debtor. This means that the assignee may lawfully process the debtor’s personal data even prior to this notification.

Finally, a key requirement to be fulfilled in case of an assignment is the notification of the debtor of the processing of their personal data. In case of cession the new data controller – assignee obtains the personal data not directly from the data subject, but from another source – the assignor. In order to ensure transparent data processing, the data subject needs to be provided with information under Art. 14 of the GDPR.


Article provided by: Desislava Krusteva and Martin Zahariev (Dimitrov, Petrov & Co., Bulgaria)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.