CPDP (Bulgaria) - PSPN-01-243.2021: Difference between revisions

From GDPRhub
mNo edit summary
m (fixed broken link)
 
Line 95: Line 95:


===== Controller 2 =====
===== Controller 2 =====
The CPDP concluded that Controller 2 violated [[Index.php?title=Article 5 GDPR#1a|Article 5(1)(a) GDPR]]'s transparency and fairness principles. The CDPD considered it clear that Controller 2 had processed information related to the data subject’s convictions within the meaning of [[Article 10 GDPR]]. It then transmitted this information to Controller 1 knowing that they were a journalist investigating this issue. The CPDP also noted that Controller 2 had misled the DPA through their written submissions, which incorrectly claimed no part in transmitting the data to Controller 1.
The CPDP concluded that Controller 2 violated [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]'s transparency and fairness principles. The CDPD considered it clear that Controller 2 had processed information related to the data subject’s convictions within the meaning of [[Article 10 GDPR]]. It then transmitted this information to Controller 1 knowing that they were a journalist investigating this issue. The CPDP also noted that Controller 2 had misled the DPA through their written submissions, which incorrectly claimed no part in transmitting the data to Controller 1.


== Comment ==
== Comment ==

Latest revision as of 13:12, 8 July 2024

CPDP - PSPN-01-243.2021
LogoBG.jpg
Authority: CPDP (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 28.06.2024
Fine: n/a
Parties: n/a
National Case Number/Name: PSPN-01-243.2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Bulgarian
Original Source: CPDP (in BG)
Initial Contributor: lm

The DPA issued warnings to two controllers – one who posted personal data on their Facebook and one who provided the first controller with said data – for processing inaccurate and excessive data concerning a data subject’s education and criminal record.

English Summary

Facts

A journalist (Controller 1) published images of a data subject’s medical diploma and criminal record. Controller 1’s post claimed that the data subject’s diploma was not legitimate and that his convictions should be shared on Facebook. The documents contained personal data including the data subject’s names, PIN, date and place of birth, current address, parents’ names and father’s birth date.

On 3 October 2020, the data subject requested that Facebook remove the posts. The social network rejected the data subject’s requests to remove the post because the documents had not been provided by the data subject. The data subject subsequently filed a report with the district prosecutor’s office, which refused to initiate pre-trial proceedings. The data subject then filed a complaint with the Bulgarian DPA (CPDP).

Controller 1 stated that they had previously received reports of abuse and mistreatment by the data subject from medical patients in the community. It claimed that a doctor from the same clinic as the data subject (Controller 2) sent them the information and documents about the data subject.

In the course of its investigation, the CPDP verified that Controller 2 had provided Controller 1 with the information. It also confirmed with the National Register of the Bulgarian Medical Association that the data subject was a registered doctor legitimately graduated in general medicine.

Controller 1 argued that they had visual problems and as a result, did not realise the complete contents of the document or that the diploma contained personal data as their son, who is also their assistant, makes publications on Controller 1's behalf. They also argued that they had not actually posted the content for journalistic purposes and were merely sharing information they considered relevant to the public. The data subject rejected Controller 1's arguments, pointing out that they should have verified their claims with the Bulgarian Medical Association in any case. The data subject also argued that the publication's near 250 interactions made their data available to an unlimited number of people.

Holding

The CPDP issued warnings to both controllers. It found that controller 1 violated Article 5(1)(a), (b) and (d) as well as 5(2) GDPR. Controller 2 violated Article 5(1)(a) GDPR.

The CPDP considered both the journalist and the doctor from the data subject’s same clinic controllers. The journalist, Controller 1, was a controller by nature of publishing the data on their profile. The doctor, Controller 2, was a controller because they distributed the data to Controller 1 with knowledge that they were a journalist intending to investigate and broadcast information about the data subject.

Given that the infringement was brought to an end and the unlawful data was only briefly posted online, the CPDP thought it proportionate to issue a formal nonmonetary warning to both controllers.

Controller 1

The CPDP found that Controller 1’s post violated Article 5(1)(a), (c) and (d) GDPR.

Controller 1 infringed the accuracy principle pursuant to Article 5(1)(d) GDPR. Regardless of whether or not the processing occurred for ‘journalistic purposes,’ the CPDP noted that accuracy obligations still applied. This reasoning related to the data subject’s diploma: While the CPDP considered that the diploma did not contain personal data because it only had an outdated photograph of the data subject from 1996, it determined that the image not being up to date implicated the accuracy principle.

The CPDP also considered that the post violated data minimisation obligations pursuant to Article 5(1)(c) GDPR. Information about the data subject’s previous convictions had already been deleted due to rehabilitation purposes. Thus, for the purposes of his medical practice, the CPDP said that the data subject should be considered unconvicted. As a result, Article 10 GDPR was also implicated. The inclusion of the data subject’s date and place of birth, PIN, address and kin connection data were also excessive. On the other hand, the processing of the data subject’s name and complete educational degree is not unlawful because it can be found in the register of the Bulgarian Medical Association.

Controller 2

The CPDP concluded that Controller 2 violated Article 5(1)(a) GDPR's transparency and fairness principles. The CDPD considered it clear that Controller 2 had processed information related to the data subject’s convictions within the meaning of Article 10 GDPR. It then transmitted this information to Controller 1 knowing that they were a journalist investigating this issue. The CPDP also noted that Controller 2 had misled the DPA through their written submissions, which incorrectly claimed no part in transmitting the data to Controller 1.

Comment

Share your comments here! The CPDP's reasoning regarding Controller 1's accuracy and data minimisation principle infringements is a bit convoluted.

With regard to the diploma's accuracy, the CPDP simultaneously considers that (1) the outdated photograph renders the data subject sufficiently unidentifiable such that it is not personal data; and (2) the outdated nature of the photograph may implicate the accuracy principle -- which of course, applies only to personal data, making the reasoning circular. T

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.

Decision on appeal with reg. No. PPN-01-243/19.03.2021 DECISION No. PPN-01-243/19.03.2021 Sofia, 26.01.2023 The Commission for the Protection of Personal Data /"the Commission", "KPLD"/ composed of: Chairman - Vencislav Karadzhov and members - Tsanko Tsolov, Maria Mateva, Veselin Tselkov, at a regular meeting held on 02.11.2022, on the basis of Art. 10 , para. 1 of the Personal Data Protection Act, art. 57, §1, b. "e" of Regulation 2016/679 and art. 38, para. 1 of the Regulations for the Activities of the CPLD and its Administration /PDKZLDNA/ , examined complaint No.PPN-01-243/19.03.2021 filed by V. against K. and R. The Commission for Personal Data Protection was referred with complaint No.PPN-01-243/19.03.2021. of V. against K. and R. for unlawful distribution of personal data on Facebook. The complaint states that the Facebook profile of a user ****** with the name "K." on 27.09.2020 and on 02.10.2020 images of a medical diploma named V. have been published, as well as a criminal record certificate containing his personal data / three names, social security number, date and place of birth, current address, names of V.'s parents, as well as date of birth of his father/. The post opines that his medical degree was fake and that the person was convicted and therefore this information should be "shared" on Facebook. The complainant indicates that since the publication was "shared" by more than 259 users, his personal data became available to an unlimited number of recipients. On 03.10.2020 has submitted a request to the social network to remove the posts, but Facebook has refused. He indicates that the documents in question were not provided by him. He filed a report with the *** district prosecutor's office for the same act, and during the investigation, K. explained that she had received his personal data from the person R. and published them accordingly. Evidence is presented as follows: a certified copy of the Constitutive Protocol for a notary check that the publication was made on K.'s Facebook profile on 09/27/2020; certified "true to the original" copy of the publication dated 02.10.2020; a copy of the prosecutor's decree refusing to initiate pre-trial proceedings. In the course of the administrative proceedings, evidence was collected and opinions and evidence were requested from the parties. A check was carried out regarding the allegations in the complaint, and it was established that the cited publications are not publicly available on the Facebook profile ******, for which a Protocol #ППН-01-243#1(21)/21.03.2022 was drawn up. The complainant was notified of the initiated proceedings in accordance with Art. 26, para. 1 of the APC / letter with ex. №PPN-01-243#2(21)/25.03.2021 /. On the basis of Art. 34 et seq. of the APC, opinions and evidence are requested from the defendants / letter No. PPN-01-243#3(21)/25.03.2022. to Mrs. K. and letter No.PPN-01-243#4(21)/25.03.2022. to Mrs. R. /. In a written response to R. /ent. №ППН-01-243#5(21)/04.04.2022/ the same denies that she provided Mrs. K. with the complainant's personal data, stating that she did not see the post on Facebook. It emphasizes that it does not have a criminal record certificate for Dr. V. and does not process his personal data, nor did it provide them to third parties. Based on a request for assistance from third parties on the basis of Article 36, paragraph 6 of the APC, additional information was received from the *** District Prosecutor's Office / letter №PPN-01-243#12(21)/19.05.2022. /, in which it is stated that after a preliminary inspection was ordered, a refusal to initiate pre-trial proceedings was ruled. In a statement with entry №PPN-01-243#14(21)/20.05.2022 it is explained to Mrs. K. that she, in her capacity as a journalist, received numerous reports of abuse among the **** community in the ***** district by Dr. V. In 2020. the doctor practicing in the same polyclinic where V. works - Mrs. R. - sent her information about him, including a photo of a criminal record and a medical education diploma. The publication was present on her personal profile within no more than a week and consisted of distributing a photo that she received from the colleague of Dr. V.K. indicates that she has a visual problem that does not allow her to have a visual idea of the content of the publication, claims that she did not know that the diploma in question contained personal data, but knew that the content of the publication represented a diploma, in her opinion, fake, as well as a criminal record. Due to her emotional indignation at the possibility that V. is a "fake doctor", she shared her post on her personal Facebook profile. A statement was received from lawyer N.G. /letter №ППН-01-243#23(21)/17.06.2022/, in her capacity as a representative of the applicant, in which the complaint is maintained, disputing the claim that K., although blind, did not know what he publishes, since the publication itself contains enough offensive qualifications and remarks that V.'s diploma is not genuine and that he is a fraud. It indicates that K. did not even make an attempt to make an inquiry under the order of ZDOI to the Medical University or to ask the victim about the circumstances that he published. Within the framework of held on 01.06.2022. meeting pursuant to Art. 38, para. 1 of the PDKLDNA, the Commission considered the complaint on regularity and admissibility, and the following parties were constituted: V. – complainant, K. and R. – defendants. A meeting to consider the appeal on the merits is scheduled for 20.07.2022, of which the parties are regularly notified. The same has been postponed to 02.11.2022, based on a decision of the CPLD to collect additional evidence to clarify the case. An inquiry was made in the publicly accessible National Register of the Bulgarian Medical Union /BLS/, for which Protocol No.PPN-01-243#34(21)/15.08.2022 was drawn up, in which it is stated that Dr. V. with VIN *** is a registered doctor who graduated in the specialty "General Medicine". Official information was requested from the BLS /letter №ППН-01-243#35/23.08.2022/, and an answer was provided that Dr. V. is a regular member of the social organization, that he has completed higher education "Medicine" and acquired specialty "General Medicine". Copies of the two diplomas of Dr. V are presented. From the *** district prosecutor's office, the relevant information related to the explanations of the persons provided in the course of the created prosecutor's file No. ***, with the same subject and with the same parties / application, has been requested of V. vs. K. and R./, on which it was decided to refuse to institute pre-trial proceedings on the grounds that the acts in question were of a private nature. From K.'s explanations, it is clear that the same in 2018 and 2020 was requested by persons from the **** community, as well as by doctors, and more specifically by R., to make a media publication about the person B. regarding allegations of the bad and improper treatment of his patients. In September 2020 was asked by Dr. R. to do a journalistic show about Dr. V., but she did not respond to the request, but made a Facebook post on her profile concerning V. Basically, K. develops an active journalistic activity. In the specific case, she received from Dr. R. the diploma and the criminal record certificate of V. From the information of Dr. R., submitted to Insp. V.B. on 17.12.2020, it is established that she knows Dr. V. well, since for the period from 14.02.2018 until 04.02.2020 worked "office to office" in the city of *** in a medical facility. From her close professional contact with him, she gained insight into his "criminal practices" and on her initiative, various proceedings, including pre-trial proceedings, were instituted against him. Dr. R. introduced K. to the text of the alerts by providing her with a copy of a "diploma-like" document she claimed to have downloaded from the Internet. She did not make her distribute the document on the Internet, but she knew that K wanted to do a journalistic program about Dr. V. A criminal record check was received for the person C. Information was requested from Meta Platforms Ireland Limited as to who the administrator is of the Facebook profile and from which IP addresses it is used / letter No.PPN-01-243#38(21)/25.08.2022. and №PPN-01-243#48(21)/24.10.2022/, but no answer to the questions was received. A protocol No.PPN-01-243#51(21)/27.10.2022 was drawn up, with which it was established that no personal data is visualized in the public part of the Facebook profile. At the meeting held on 02.11.2021. The parties, regularly notified, are represented as follows: the appellant V. through Adv.N.G.; the defendant R. through attorney I.M. The defendant K. did not appear and was not represented. During the meeting, lawyer N.G. presents Decision No.*** of the Administrative Court – *** city, together with Decision of the Supreme Administrative Court No.***, which confirms it in its entirety, stating that for the needs of the Law on Medical Facilities and for his registration as a doctor Dr. V. is unconvicted and that there will always be a difference in the data in the criminal record certificate and the criminal record report, since he has been rehabilitated. Presents a certificate of criminal record, reg. No. ***, from which it is evident that Dr. V. has not been convicted, paying attention that this is the case for the needs of all third parties, and otherwise – rehabilitated by law. It presents a certified protocol from 01.10.2018. from a court session of the *** district court. Lawyer N.G. indicates that it supports the complaint, considering it to be proven beyond doubt, which is established by all the evidence collected during the proceedings. Lawyer I.M. contested the complaint as unproven. He indicates that the published document, which according to him resembles a diploma, does not contain personal data and accordingly there is no danger for the rights of V. In the provided opportunity for counterarguments, lawyer N.G. indicates that, according to her, it is a question of distribution of social security numbers, names, etc. personal data, insofar as the diploma is a document that generally contains such a volume of personal data. With the fact thus established, from the legal point of view the appeal is admissible and well-founded. Regulation 2016/679 and the LLDP introduced the rules for the protection of natural persons in connection with the processing of personal data, as well as the rules regarding the free movement of such data / art. 1 of the Regulation and Art. 1 of the LLDP/. The Commission is a permanently operating independent supervisory body that ensures the protection of individuals in the processing of their personal data / Art. 6 of the LLDP/. The Authority shall, as appropriate, exercise its powers under Article 58 of the Regulation - to investigate, to impose sanctions and to issue instructions for the lawful and correct application of the Regulation, so that the purpose of Article 1, t .2 of the Regulation – for protection of fundamental rights and freedoms of natural persons, to which also belongs their right to protection of their personal data.  The definition of "personal data" is contained in the provision of Art. 4, 1) of Regulation 2016/679, namely: "any information related to an identified natural person or a natural person who can be identified ... directly or indirectly, by -specifically by an identifier such as name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person”. The Commission was referred with a complaint for violated personal rights within the meaning of Article 38, paragraph 1 of the LLDP, the subject of which is the illegal distribution of personal data of the person B., representing three names, date and place of birth, social security number, current address, details of previous convictions and education. An aggravating circumstance is that the publication contains personal data of third parties /names of V.'s parents and date of birth of his father/, as well as data on family relationships. The defendants are administrators of personal data within the meaning of Art. 4, 7) of the Regulation and process the applicant's personal data by distributing them in the following way: by publishing them on the Facebook profile **** by Mrs. K. – administrator of the same profile, for which circumstance Constitutive Protocol No.*** was drawn up by a notary, which is not disputed by the defendant K. and her lawyer; through the provision of them by R. to Mrs. K., who, according to R., wanted to "make a broadcast and a journalistic investigation about this man". The administrator of the Facebook profile from which the publications, the subject of the complaint to the Commission, were made, is Mrs. K., who in principle develops an active journalistic activity, but in the course of the current administrative proceedings denies that the publication is for journalistic purposes. K.'s position that, due to impaired vision, she makes publications through her son, who is also her assistant, does not exclude the fact that she understands and is aware of what information containing personal data has been published about V. and his relatives on her Facebook profile. The same does not mean that she personally cannot make publications - on the contrary, from the many comments, announcements and titles of process publications, made precisely from K.'s profile, it is clear that she repeatedly refers to V., calling him by his names, makes insulting qualifications that the same is a "fake doctor" with a "fake diploma", i.e. the same one knows data about his educational qualifications, finding the fact that he is a doctor embarrassing, invites his friends to "like" and "share" the post, stating that "a tool is our strength in this social network"; within the same profile, active communication "flows" between K. and the other users specifically regarding the personality of Dr. V. - for example, a user calls the administrator "K., pusni tova koeto napisa do Prokuraturata", a user appeals for "death of such killers, we rely on you", then on September 27, at 4:24 p.m., K. "updates" his status, and at 10:59 p.m. on the same date, K. publishes an announcement "Attention: the Prosecutor's Office! To the Ministry of Health! To the health fund! To R.Z.I.! A "doctor" kills ***** in a ***** neighborhood, destroys vaccines and drains the health fund... Pay attention, the diploma is fake. The same one is also convicted... Friends, please share, let more people understand...", under which his diploma and criminal record report with personal data are published, as described in the Constitutive Protocol. In the opinions expressed, K. did not claim that she did not understand what the publication contained, quite the opposite – she only stated that she had no visual idea. However, she knew that she was publishing a copy of documents related to educational qualifications and previous convictions, as from her active actions - the publication and removal of the publication after less than a week, which was done at her own discretion, it is clear that K. had an idea of what exactly was being published – a diploma and a criminal record certificate of the person C. This follows unequivocally from the comment on the publication made by K. herself, namely that "the diploma is fake" and that "the same person is also convicted". It is a well-known fact that such documents contain information about individuals, representing personal data. In the situation that K. decided to have her own Facebook profile, to make publications from it, to make this particular publication for V. based on the photos of documents forwarded by Dr. R. /which is ambiguously indicated in all her statements, both before the present administrative body and in the explanation in the course of the police investigation/, even if the defense thesis that she had no visual perception is accepted, in the event that she had any doubt about the nature of the publication, the same should have been interested in what it published, such as e.g. could have asked her assistant what personal data would be published. It should be noted that K.'s statements before the present administrative body completely overlap in meaning with those before the police officers, therefore this Commission has no reason to doubt what K. said regarding the fact that the publication is hers, that K. uses aids – a computer program and an assistant, that she knows that she is publishing photos of V.'s documents, which were provided to her by Dr. R., but claims that she does not know that this act constitutes a process of personal data processing . Ignorance of the law is no excuse, however, and the Regulation has direct applicability, which is why it cannot be considered that the latter processes personal data of B. legally due to ignorance of the legislation in the field of personal data protection. K. herself does not claim that she is not aware of her actions, but claims that she does not know that her actions constitute a process of personal data processing. Therefore, in the present case, it concerns the hypothesis of ignorance of the law, which does not excuse, and not an inability to "understand" what suggestions are made by her legal representative before the Commission. On the contrary - K. herself indicates that she is a journalist, indicates which column on national air she leads, with what topic is the same, with a simple search on the Internet, one can see many of her publications, including clips that show a high degree of intelligence and emotional that person's empathy for the community they set out to represent, albeit with a visual problem for which there is a TELK. The latter does not in itself mean that K. or any person with disabilities cannot perform a certain activity. But this does not mean that there are circumstances for her that preclude compliance with the legislation in the field of personal data protection. In his pleading before the Commission, the lawyer of the other respondent I.M. defends K., saying that the relevant community has the right to know and she /K./ "did it as a public discussion" and if she did it, it was for a noble purpose and there should not be a public danger, so it should be sanctioned, which act according to lawyer I.M. it is commendable. It should be noted that this thesis of his should not be credited, except because he has no representative authority in relation to K., and also because the two defendants have conflicting interests, conditioned by the fact that K. directly disclosed the same factual situation to two different institutions in different proceedings without knowing that a cross-examination would be made, and from her statements it follows the uncontradicted information that it was Dr. R. who provided her with the photographs containing personal data of V., and the latter, denying this before the CPLD, says the exact opposite in her written statements during the investigation, which, regardless of the fact that they were not given under oath, were signed by her herself, given to an appropriate authority and at that moment they coincided with what was said by K., and at the present moment they are also confirmed by the entire body of evidence and in particular by the collected indirect evidence, such as the presented court decision of the ASSG, which shows that the signal indicating the incapacity of C., due to the circumstances of his conviction, was filed precisely by Mrs. R., i.e. it is indisputably proven in the present proceedings that it was she who disseminated to Mrs. K. data about his previous and already erased convictions /which can only be ascertained from a criminal record report, but not from a criminal record certificate/. This action in itself constitutes illegal processing of personal data in the sense of the basic principles related to the processing of personal data, regulated in Art. 10 and Art. 5, §1, b. "a" of the Regulation. It should be noted that K. says that she is "afraid" that Dr. V. will harm Mrs. R. and therefore does not mention her name to the Commission as a source of information. As far as K. in principle develops an active journalistic activity, but denies that the Facebook profile from which he publishes is used for journalistic purposes, it should be noted that regardless of whether the process processing falls into the category of processing personal data for the so-called "journalistic purposes" or not, the administrator should, in addition to respecting the privacy of individuals / art. 25h, para. 1 of the Labor Code/, also to comply with the principles of Article 5 of Regulation (EU) 2016/679. It should be noted that the concept of "journalistic goals" is interpreted extremely freely in judicial practice, as it includes the activities of collecting, analyzing, interpreting, distributing through the mass media of current and socially significant information. Regardless of the fact that K. is basically a journalist and as such interprets and disseminates information potentially of public interest, she should consider her journalistic activity with the inviolability of the human person and private life, which values are of a higher order compared to freedom of expression. When processing personal data, regardless of whether the same is done for journalistic purposes or not, the information should be assessed in relation to its relevance, accuracy, significance, in order for the processing to be brought in line with the principle of Art. 5 §1, b. "d ” of the Regulation. With regard to the committed claims of performing a role in the interest of the community, it should be noted that when taking action in the interest of a particular community, be it ethnic or not, K. should satisfy himself that the information he communicates to that community, is accurate, true and in volume necessary to achieve the objectives. In this case, this was not done.K. had many mechanisms to establish the accuracy and up-to-dateness of the data, such as, for example, she could have made a query in the register of the Bulgarian Medical Union, which is publicly, directly and freely accessible, in order to establish V.'s affiliation to the medical profession, respectively not to raise doubts about the authenticity of his diploma and about the circumstances of whether he can practice the medical profession due to his previous convictions.  In the next place, contrary to the principle of accuracy, up-to-dateness and reduction of data to a minimum, information about previous convictions was published, which has already been deleted due to rehabilitation, or, as the legal representative of Dr. V. rightly notes and proves – for the purposes of V.'s medical practice, as well as for all third parties, he should be considered unconvicted. On the other hand, the claims in the complaint that the image of a diploma shows personal data are not correct – only a photo of the person is visible, but since the diploma is from 1996, it could not be considered that the data subject can be unequivocally identified by the image so published. At the same time, the image is out of date, which again leads to the conclusion of violation of the principle of accuracy. The personal data (three names and social security number) of V. are visualized not from the diploma, but from a document for a completed first course of study in the specialty "medicine". The complaint did not formulate a request for the distribution of personal data through this document, but in any case, this volume of personal data was illegally distributed through the criminal record reference within the same publication and a violation was present. In accordance with the principles of Art. 5, §1, b."a" and §2 of Regulation 2016/679, the processing should be carried out lawfully, in good faith and in a transparent manner in relation to the data subject, such as the controller, in accordance with the principle of accountability under Art. 5, §2 of the Regulation is responsible for its actions in processing personal data. In the case under consideration, the administrator K. should not have published information at all, including personal data related to convictions and violations, even less deleted ones, which is why there was a violation of Art. 5, §1, b. "a", in accordance with Article 10 of the Regulation. K. should not have a criminal record certificate of V. at all, inasmuch as the certificate, unlike the criminal record certificate, is issued only for official purposes and only to the authorities, limited and expressly listed in art. 33, para. 5 of Ordinance No. 8 of 26.02.2008 on the functions and organization of the activity of the criminal records bureaus, i.e. even V. himself could not be issued a criminal record certificate, even less to third parties. The trial publication was available on K.'s Facebook profile in the period from 09/27/2020. until 02.10.2020, which is indisputably proven by the evidence submitted to the complaint, and is confirmed by the opinion of Mrs. K., provided in the course of the current administrative proceedings / so e.g. letter No.PPN-01-243#14(21)/20.05.2022 /. Due to these circumstances, the personal data subject to illegal processing are date and place of birth, social security number, address data, family relationship data, criminal record data. The processing of three names and data for the completed educational degree "doctor" does not constitute illegal processing of personal data, as precisely through this volume of personal data, Dr. V. can /and should/ be found in the register of the Bulgarian Medical Union. Considering all the facts and circumstances of the case, a mitigating circumstance is that the post was online for a significantly short period of time and that it was taken down at the sole discretion of the administrator. Circumstances aggravating responsibility are the fact that the publication also contains personal data of third parties, the fact that it was "shared" and "seen" by many people /246 people according to K.'s data/ and because the administrator deliberately directed these persons to do so. In the case of the violations established in this way, and taking into account that the supervisory authority has discretion in exercising its powers under Art. 58, §2 of the Regulation, taking into account that the violation of Mrs. K. was suspended on her own initiative and the corrective powers of Suspension Commissions would have no applicability, given that Administrator K. has no other violations of the Regulation, that she has specific needs by using assistive devices, and that she should be given the opportunity to correct herself by being told how to do so to process personal data lawfully so that there are no other violations of the Regulation, K. should be given an official warning that the personal data processing operations have violated the provisions of the Regulation. The complaint directed against the administrator R. is well-founded, apart from the above-mentioned considerations, also considering the following. Doctor R. is a personal data controller within the meaning of Art. 4, 7) of Regulation (EU) 2016/679 and processes personal data of Dr. V., including those related to convictions and violations, which by virtue of Article 10 of the Regulation should be carried out only under the control of an official body or be legally permitted, which is not the case in the present scenario. From the information collected officially by other state bodies, it is established that Mrs. R. provided written information, signed by herself, during the preliminary inspection under case No.**** according to the inventory of the *** District Prosecutor's Office , i.e. before an appropriate authority, from which it is clear that she knows Dr. V. as a medical colleague, based on her complaints, proceedings were initiated before various institutions, which she provided to K. for familiarization, including providing her with a copy of the diploma him in expression of the opinion formed by her about illegal activity carried out by V. The information of Dr. R. is confirmed by the explanation of K. during the same proceedings, in which the latter states: "I am from the person Dr. R. received the diploma, criminal record certificate". The arguments of lawyer I.M. that there are no written documents on these images are not relevant to the dispute, because for a violation of the Regulation it is important whether there is a distribution of personal data, not whether documents are distributed, whether they are authentic, presented in full, etc., to which lawyer I.M. pays special attention in the defense of Dr. R. before the Commission. The same does not matter as far as the legality of personal data processing is concerned. From the active activity of Dr. R., related to the initiation of various proceedings on complaints and reports against V., it is clear that the latter processes information representing personal data of V. and allowing his indisputable identification, processing it in a way and for the purpose of providing it to third parties, among whom are Mrs. K. and the Medical Supervision Executive Agency. This circumstance is established by Dr. R.'s information and confirmed by K.'s explanations. It is not disputed by her lawyer either - he only disputes that the published materials are not official documents. Regardless of the fact that, when exercising his right to protection before the CPLD, R. denies processing V.'s personal data, the explanations and information given to an inspector from the Police Department bear the signature of the relevant persons who provided them, as well as the inspector who accepted the report, are included to the body of evidence in the present administrative proceedings and are not disputed by the parties in the process or by their representatives. What was stated by Ms. R. is confirmed by the reasons for the Decision No. *** presented during the open session. of the ASSG, from which it is evident that according to report No. *** to the IA "MN" of Dr. M.R., proceedings were initiated to delete from the register under Art. 44 and Art. 45 of the Health Care Act of a medical institution , represented by V., because Dr. V. was convicted, i.e. for the occurrence of the circumstances under Art. 44, paragraph 1, item 2 of the ZLZ. R. disputes the right of Dr. V. to practice medicine in connection with his previous convictions, i.e. she knew that the person had been convicted and reported this fact to the institution responsible for the supervision of medical facilities, respectively processes information related to convictions of the person B. From the evidence presented, valued as a whole, a definite conclusion follows that R. processes information related to convictions and violations of V. in the sense of Article 10 of the Regulation, on the basis of which he submits his appeal for the deletion of the medical facility. The fact that R. has information about V.'s convictions is not contested by her legal representative, lawyer I.M. /he disputes only the official document quality of the distributed materials/. Therefore, as well as for the reasons stated on page 8 of this Decision, the Commission considers that in the present proceedings it has been indisputably proven that it was Ms. R. who disclosed the personal data of Dr. V. to Ms. K ., in the context of concerns about fraud and the possibility that K. as a journalist could help her. For the existence of a violation of the Regulation, the processing of information representing personal data is relevant so that the data subject can be unambiguously identified, and not the presence of a specific document. R. has personal data in the amount of three names of V., social security number, data on professional qualifications, data on previous convictions, which information she processes, trying to prove that the person does not have the right to practice the medical profession, submitting complaints precisely to these institutions that can hinder his activity as a doctor and lead to the cancellation of his practice, as well as providing them to the journalist K., whose opinion has weight among the local public and could also prevent Dr. V. from exercising the activity you are. When considering all the facts and circumstances of the case, Ms. R.'s violation is expressed in illegal, dishonest and "non-transparent" processing of personal data in relation to the data subject, contrary to the principle of 5, §1, b."a ” from the Regulation, with Ms. R. additionally misleading the supervisory authority through her written opinions before the Commission. Insofar as the violation has ceased and given that Dr. R. has no other established violations of the Regulation, it would be proportionate, effective and dissuasive to issue an official warning that the personal data processing operations have violated the provisions of the Regulation. In view of the above and on the basis of Article 38, paragraph 1 of the Personal Data Protection Act, the Commission for the Protection of Personal Data with 4 votes "for" and 0 "against" RES I: 1. Announces Complaint No. PPN-01-243/19.03.2021 . to V. as justified in relation to K. and on the basis of Art. 58, §2, b. "b" issues her an official warning for violation of Art. 5, §1, b. "a", b. "d" and §2 of Regulation 2016/679.
2. Announces Complaint No. PPN-01-243/19.03.2021. of V. as justified in relation to R. and on the basis of Art. 58, §2, b. "b", issues her an official warning for violation of Art. 5, §1, b. "a" of Regulation 2016/679.
This Decision can be appealed through the Commission for the Protection of Personal Data before the Administrative Court - Sofia City within 14 days of its delivery.
__________
1 DP No. ****; Etc. Etc. No. *****; DP No. ****; Etc. Etc. ****; DP No. ***; Etc. Etc. No. ****; signal ****; signal input no *****; signal input No. ****
2 "in 2020, a doctor practicing in the polyclinic where Mr. V. works also sent me information about him along with attachments, one of which is the diploma in question, as well as a criminal record certificate. This publication was present in my personal profile within no more than a week…it consisted of sharing a photo that I received from the complainant's colleague…I did not know it contained personal data…about the content I only know one thing, that it is a fake diploma and criminal record and emotionally outraged I just shared it on my personal profile… I just shared a photo of a diploma... the computer program for the blind that I use on my phone, when something is photographed, the content does not read it to me... in this regard, I did not know that the photo contained personal data" /sub. my/
3 "from the person Dr. R., I received the diploma, document of criminal record... in addition to these documents, I received numerous complaints with entry numbers"
4 Criminal record certificate, reg. No. ***** and Decision No. **** /entered into force/.
5 "(5) A criminal record certificate is issued for official purposes to:
1. court, prosecutor's office and investigative bodies;
2. the authorities under § 1, items 1 and 2 of the additional provisions of the Law on the Protection of Classified Information;
3. institutions and departments, when by law they have the right to receive such information;
4. judicial authorities of another country, when this is provided for in an international treaty to which the Republic of Bulgaria is a party, or in an act of the European Union (EU);
5. central authority for transmitting or receiving information about criminal records from an EU member state;
6. foreign diplomatic and consular missions in the Republic of Bulgaria for their citizens;
7. (New - SG No. 78 of 2015, in force from 9.10.2015) The Central Electoral Commission - for candidates for people's representatives, for president and vice president, for members of the European Parliament and for municipal councilors and mayors .”
6 "when a person representing the medical institution has been convicted of an intentional crime of a general nature, unless he has been rehabilitated, or is deprived of the right to exercise a certain profession or activity."