9 min read. By The Cresare team

AI and GDPR in Bulgaria: what every business owner should know

A practical guide to GDPR compliance for AI systems in Bulgarian business. What changes with EU AI Act, what stays from GDPR, and what the risks are with poor implementation.

AI regulation has changed significantly in the European Union. GDPR has been in force since 2018 and is not going anywhere. The EU AI Act entered into force gradually from 2024 and continues to add obligations. In 2026 there are already concrete requirements for businesses that use AI — even if they only use it as a tool, not produce it themselves.

This article describes what a Bulgarian business owner should know before implementing an AI system. It is not a substitute for legal advice — before signing an AI contract, review everything with a lawyer who understands both GDPR and the AI Act. But after reading this article you will know which questions to ask.

GDPR — what applies to AI

GDPR applies to any processing of personal data. AI systems often process personal data, even when it does not look that way — a name in an email, a phone number in text, an IP address in a log, biometric recognition in a photo. This triggers all GDPR obligations without exception.

The main obligations that apply for AI:

  • Legal basis for processing (Article 6) — consent, contract, legitimate interest, or other basis. Without a legal basis, processing is unlawful.
  • Informed subjects (Articles 13-14) — the data subject must know their data is being processed by AI, for what purpose, on what basis, for how long.
  • Right to human review of automated decisions (Article 22) — if AI makes a decision with significant effect on the person (credit denial, service termination, hiring assessment), the person has the right to request human review.
  • Minimization (Article 5) — the AI system may process only the minimum necessary data, not everything "just in case."
  • Retention period (Article 5) — data is deleted when the purpose of processing is fulfilled. Indefinite storage "for training models" is not allowed without a separate legal basis.

EU AI Act — a new layer of obligations

The AI Act categorizes AI systems by risk:

Prohibited practices (Article 5)

These include social scoring systems on the Chinese model, manipulative systems exploiting human vulnerabilities, and real-time biometric recognition in public places (with several exceptions). These systems are completely banned in the EU.

High-risk systems (Article 6)

These include AI for critical infrastructure, education, employment (hiring systems), access to essential services (banking, insurance), law enforcement, migration, and the judicial system. These have strict obligations: risk assessment, documentation, transparency, human oversight, registration in the EU database.

Most SMB projects do NOT fall into this category. A support chatbot, invoice automation, AI booking assistant — all of these are low-risk. But an AI system for hiring or loan assessment — those are high-risk.

Limited risk systems (Article 50)

Chatbots, AI-generated content, deepfakes. The main obligation: transparency. The customer must know they are interacting with AI, not a human. In practice — the chatbot should open the conversation with "Hello, I am an AI assistant."

Minimal risk

Everything else — spam filters, AI product recommendations, automatic email summarization. No specific AI Act obligations (but GDPR remains).

What to require from a provider

Before signing an AI implementation contract, require written answers to the following questions:

  1. Where is the data hosted? "European infrastructure" is not enough. Ask for a specific region — Frankfurt, Dublin, Stockholm, etc.
  2. Who has access to the data? Only your company? The provider? Subcontractors? The AI model provider (OpenAI, Anthropic)? Each must be listed and justified.
  3. Will your data be used to train future AI models? Serious providers say: "No. We have a contract with the model maker that excludes this."
  4. What is the process for a personal data erasure request (GDPR Article 17)? How long does it take? Are there residues in training data?
  5. Is there a DPA (Data Processing Agreement) between you and the provider? This is mandatory under GDPR Article 28 when using a processor.
  6. Who is recorded as controller and who as processor in the DPA? Usually you are the controller, the provider is the processor.
  7. Is the system registered in the EU database under the AI Act, if it is high-risk?
  8. Is there a Data Protection Impact Assessment (DPIA) under GDPR Article 35 for sensitive processing?

Fines and real risks

GDPR fines can reach up to 4% of global annual turnover or 20 million euros (whichever is higher). AI Act fines — up to 7% of global annual turnover or 35 million euros for the most serious violations.

For a realistic assessment: for an SMB in Bulgaria in 2026 the most likely risks are:

  • Customer complaint to the CPDP (Bulgarian Data Protection Commission) — triggers an investigation that may take 6-12 months. Even without a fine, defense costs are significant.
  • Loss of trust after an incident — especially in B2B, where clients require written guarantees on how their data is processed.
  • Inability to work with regulated sectors — banks, insurers, healthcare. They will require detailed DPAs and certifications.

Practical minimum for SMBs

Even for a low-risk AI system, here are the minimum compliance steps:

  1. Processing register — a list of all AI systems, what they process, and on what basis. This is a GDPR Article 30 requirement.
  2. Privacy policy with description of AI processing. Not generic "we use AI" — concretely which model, for what purpose, who has access.
  3. DPA with the provider. EU Standard Contractual Clauses for cases when the provider is outside the EU.
  4. User-interface labeling — the customer knows they are speaking with AI, not a human.
  5. Procedure for data-subject requests (right of access, erasure, portability).
  6. Periodic risk assessment — annually for low-risk systems, every 6 months for those with more sensitive data.

Frequently asked questions

If I use ChatGPT or Claude for work, am I subject to these regulations?

Yes, if you input personal data. For example, if you copy a customer email into ChatGPT to draft a reply, you are processing a third party's personal data. This falls under GDPR. You need a legal basis, and the customer must be informed. In practice, many companies do this without realizing it, and it is a problem waiting to happen.

Do I have to have a DPO (Data Protection Officer)?

Under GDPR Article 37, a DPO is required if: the core activity involves regular and systematic monitoring of individuals at scale, or the core activity processes special categories of data (health, biometric, etc.) at scale. For most SMBs it is not mandatory, but it is sensible to have an appointed person responsible for data protection (without the formal DPO title).

What happens if a customer requests their data be deleted?

You have 30 days to respond (Article 12). You must delete the data from all systems, including AI databases and logs. One of the most common problems with AI: data often remains in training sets and cannot be deleted selectively. Your provider must have an answer to this question before you sign a contract.

Does it matter if data is in the cloud or on-premise?

Legally the core principles are the same. Technically, on-premise deployment raises fewer questions about EU data transfer but requires better internal security. For most SMBs the cloud of a European provider is the better choice — professional security you cannot afford in-house.

Have a specific case and are not sure how the regulations apply? Describe it in the chat on the home page — the response will include a regulatory risk assessment and what to include in the technical brief.

Tags: AI, GDPR, Regulation