The Commission for protection of personal data adopted a new Regulation concerning the minimum level of technical and organizational measures and admissible type of protection of personal data.

The Regulation introduces five different types of personal data protection:
 - physical protection;
 - personal protection;
 - documentary protection;
 - protection of automatic information systems and/or networks; and
 - cryptographic protection.

 The new rules provide for four levels of impact, depending on the extent of the adverse effects that may be caused by unauthorized processing of personal data:
“extremely high”,
“high”,
“average” and
“low”.

Pursuant to the Personal Data Protection Act in case the administrator has not issued the above mentioned Instruction with all mandatory requisites, the administrator may be imposed penalties up to the amount of BGN 5’000, respectively up to BGN 10’000 for continuous breach.