11 March 2026
Ombudsman Velislava Delcheva has issued recommendations to the legislative and executive branches to improve the functioning of the whistleblower protection system in Bulgaria. This is evident in the Third Report from the Ombudsman’s external audit of the activities related to handling reports and protecting whistleblowers at the Commission for Personal Data Protection (CPDP). The Commission serves as the central authority for external reporting of violations under the Act on the Protection of Persons Who Report or Publicly Disclose Breaches.
The report contains the results of a planned audit conducted between 1 October 2024 and 30 September 2025 at the CPDP, as well as the specific work carried out in response to complaints and the protection of those who filed them.
We would like to remind you that the Whistleblowers Protection Act has been in force since 2023; with its adoption, our country transposed Directive (EU) 2019/1937. With an amendment to the Ombudsman Act, the institution’s powers were expanded to include the authority to conduct such an external audit of activities related to handling reports and the protection of whistleblowers. To this end, a new directorate, “Audit of Activities Related to Handling Reports and the Protection of Whistleblowers,” was established within the Ombudsman Institution.
The primary objective of the audit team is to ensure that the CPDP fully complies with its legal obligations regarding the handling of reports and the protection of whistleblowers in accordance with the Act.
The Whistleblowers Protection Act provides protection for a wide range of individuals who may be subject to retaliation in connection with a report they have filed. This is necessary in view of the existing “imbalance of power” between whistleblowers and the affected parties—the alleged perpetrators of the breaches. The Act prohibits any retaliatory actions, including dismissal, demotion, disciplinary measures, early termination of contracts, and other adverse consequences.
The audit identifies both positive developments and a number of systemic challenges in the implementation of the whistleblower protection mechanism.
With regard to the protection of whistleblowers, the report notes a development in the practice of the CPDP through the introduction of a new approach—the issuance of a letter or certificate to protect and limit the disclosure of whistleblowers’ identities. However, in practice, protection remains limited to the issuance of such a document, without an established system for assessing and monitoring the risk of retaliation, and without monitoring the protection provided after the certificate is issued. It has also been established that the Commission does not exercise its powers under the Act to apply administrative penalty provisions. The CPDP acknowledges that it cannot independently assess the causal link between retaliatory actions and the whistleblowing, which leads to a lack of protection, as whistleblowers are referred to the courts.
The audit also finds that almost three years after the Act came into force, corrective measures have not been implemented in response to a single report. This indicates that the mechanism for administrative protection provided for by the competent authorities is not functioning. The main reasons are a lack of clarity regarding the type of administrative act by which they are implemented, the procedural rules for applying the measures, and the mechanism for cooperation between institutions.
With regard to support measures, the audit team finds that they are mainly provided in the form of standard information notices, without individual guidance or follow-up. There is no mechanism in place to ensure that whistleblowers actually understand and are able to use the legal protections provided for by the Act. In addition, legal assistance is not free of charge, and psychological support is not provided for by this Act.
Regulatory and practical difficulties arise in interactions with the competent authorities. There is a discrepancy between the inspection deadlines under the Whistleblowers Protection Act and the inspection deadlines set by the competent authorities under their respective special laws. Furthermore, the CPDP has not exercised its authority to issue guidelines on how inspections should be conducted by the competent authorities under Article 20(4) of the Act; interaction with the competent authorities is limited to requesting information on the stages of the inspection, and there are no guidelines regarding the protection of individuals.
The conclusion of the audit is that, in its current form, the protection mechanism does not fully ensure the effective, timely, and efficient protection of persons reporting breaches of public interest, as provided for by the Whistleblowers Protection Act and Directive (EU) 2019/1937.