CPDP (Bulgaria) - PPN-01-223/2021, PPN-01-307/2021, PPN-01-296/2021: Difference between revisions

From GDPRhub

Revision as of 14:06, 9 July 2024

CPDP - PPN-01-033/2021, PPN-01-307/2021, PPN-01-296/2021
Authority: CPDP (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 12.03.2021
Decided: 26.01.2023
Published:
Fine: 25,000 BGN
Parties: n/a
National Case Number/Name: PPN-01-033/2021, PPN-01-307/2021, PPN-01-296/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Bulgarian
Original Source: Commission for Personal Data Protection (in BG)
Initial Contributor: lm

The DPA found that a political party lacked a legal basis when it registered data subjects, without their knowledge or consent, as supporters of the party for an election registration. It issued a €12,770 (25,000 BGN) fine.

English Summary

Facts

On April 4, 2021 -- the date on which elections were held for the Bulgarian National Assembly -- one political party (the controller) registered for participation on the basis of an application that included a list with the full names, unique civil number and handwritten signature of 2951 voters supporting the registration of the party.

The Bulgarian DPA (CPDP) received a number of complaints around the time of the election from data subjects alleging that the controller was unlawfully processing their personal data by including them in a list of persons supporting the registration of the political entity to participate in the 2021 elections. The processed data included their names and unified civic numbers attributed to their political party. The data subjects did not sign up in support of the registration, nor did they give consent for the processing of their personal data for this purpose.

The political party provided some documents in response to the complaint, but the CPDP noted a lack of adequate participation by the party, which failed to submit the requested evidence. It did not challenge the data subjects’ allegations or provide a statement on the matter. In one of the few documents provided, the controller stated (without evidence) that the lists of persons supporting the registration of the party in electoral processes are collected and processed by members of the party without their deliberate authorisation for that purpose. After the data is transmitted to the Central Election Commission, it is destroyed with a shredder and on the computer. The controller claimed to have trained all its members to process personal data in accordance with the GDPR.

Holding

The CPDP found that the controller lacked a legal basis under Article 6(1) GDPR and infringed the accountability principle of Article 5(2) GDPR. It issued a €12,770 (25,000 BGN) fine.

The CPDP found no applicable legal basis in this case. It noted that the controller did not produce any evidence of the legal basis on which it processed the data. Rejecting legitimate interest as a legal basis, the CPDP considered that the interests of a political entity in participating in elections do not override the interests of the affected data subject whose data is included in the list without their consent. There was also no legal obligation in this case. The processing of personal data in the electoral process is permissible and strictly regulated by the Electoral Code. However, as the CPDP has noted in its guidance on the topic, the performance of the statutory obligation only arises when a data subject has given their consent to support the party’s registration and appear on the list of voters.

The controller's inability to demonstrate a legal basis constituted an infringement of Article 5(2) GDPR's accountability principle. In addition, the CPDP noted that there was no basis or mechanism for verifying the accuracy of the data entered in this case, further indicating an Article 5(2) GDPR violation. The means of verifying the identity of individuals, the CPDP stated, should be set out in the specific instructions of the controller, which is obliged under Article 24 GDPR to put in place organisational measures ensuring processing is carried out in accordance with the GDPR. In this case, the CPDP assumed that such measures or internal rules did not exist. It noted no evidence of control on the part of the controller, given that the controller did not provide the requested information.

The CPDP imposed a monetary sanction on the controller. It considered a number of aggravating circumstances, including the failure of the controller to cooperate and the consequences on the data subjects’ rights relating to their participation in the electoral process as a result of the violation. The CPDP also noted that this was not the controller’s first violation – the political party had been previously sanctioned for identical infringements.

English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.

Decision on appeals with reg. No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021 and PPN-01-296/05.04.2021

DECISION No. PPN-01-223/2021

Sofia, 26.01.2023

The Commission for the Protection of Personal Data (CPDP) in composition: Chairman: Vencislav Karadjov and members: Tsanko Tsolov, Maria Mateva and Veselin Tselkov at a meeting held on 09.11.2022, on the basis of Article 10, Paragraph 1 of the Law on Protection of personal data, respectively Art. 57, §1, letter "e" of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. on the protection of natural persons in connection with the processing of personal data and on the free movement of such data (Regulation, GDPR), examined the merits of complaints No.PPN-01-223/12.03.2021, PPN-01-307/09.04.2021. and PPN-01-296/05.04.2021, filed respectively by D.An., D.Al. and R.M.

Administrative proceedings are in accordance with Article 38 of the Personal Data Protection Act (PDPA).

The Commission for the Protection of Personal Data was referred to complaint No.PPN-01-223/12.03.2021, submitted by D.An. against a political party ****** with allegations of unlawful processing of his personal data by including them in a list of persons supporting the registration of the political entity for participation in the held on 04.04.2021. elections for people's representatives. The complainant claims that he discovered the violation after conducting an electronic inquiry at the Central Electoral Commission, the result of which is attached. He declares that he did not sign in support of the registration of the political entity and did not give his consent to the processing of his personal data for the specific purpose. Complaint with identical content Mr. D.An. has also submitted to the Central Election Commission.
The complaint was forwarded to the CPLD for examination on the basis of competence, together with relevant evidence - a copy of Decision No.*** of the CEC and a copy of page *** of the list of voters supporting the registration of the political entity to participate in the elections for people's representatives of 04.04.2021. Filed under No. PPN-01-242/18.03.2021. according to the inventory of the CPLD.

CPLD was referred with a complaint PPN-01-307/09.04.2021. submitted by D.Al. and appeal PPN-01-296/04.05.2021 submitted by R.M. against the same legal entity - PP ******, with identical claims - unlawful processing of their personal data by including them in a list of persons supporting the registration of the political entity for participation in the held on 04.04.2021. elections for people's representatives. Attached to the complaints is a photocopy of references up-to-date as of 04/07/2021. and 04.04.2021 on the website https://www.cik.bg/bg/ns2021/podpiski, carried out on the basis of lists submitted by 38 political parties, coalitions and initiative committees, evident from the content of which personal data of the applicants are available on page ***, line *** and page ***, line *** from the list of persons supporting the registration of PP *** for participation in the held on 04.04.2021. elections for people's representatives.

In view of the principles of equality of the parties and truthfulness advocated in the administrative process, the political party ****** was informed about the submitted complaints, it was given the opportunity to engage in a written opinion on the statements presented in the complaints. Evidence relevant to the case of the lawful processing of the personal data of the applicants, a certified copy of internal rules and/or the Personal Data Protection Policy regarding the processing of personal data by a political party in the electoral process, technical and organizational measures taken to protect the personal data, instruction, order or other act for training the representatives of the party to collect personal data in the electoral process, as well as information and results of the internal checks carried out in the case, if such have been assigned, are required. There is a lack of active participation of the political entity in the proceedings, the required evidence has not been presented. The claims of the complainants are not disputed, an opinion on the subject of the complaints is not engaged.

With a view to clarifying the case from a factual point of view, the CEC requested and submitted a copy of pages: ***, line ***; ***, line *** and page ***, line *** from the CEC provided list of persons supporting the registration of a political party ****** for participation in the held on 04.04.2021. elections for people's representatives.

The Commission for the Protection of Personal Data is an independent state body that protects individuals in the processing of their personal data, in the implementation of access to this data and control of compliance with the GDPR and GDPR. In order to exercise its powers, the Commission should be validly referred.

Complaints contain the required details specified in the provision of art. 28, paragraph 1 of the Regulations for the activities of the Commission for the Protection of Personal Data and its administration - there are data on the complainants, the nature of the request, date, signatures, the passively legitimized person is indicated country and date of knowledge of the violation, in view of which they are regular.

The subject of the complaints are the allegations of unlawful processing of personal data of the complainants – names and uniform civil number, by a political party ****** by including them in a list provided to the CEC of persons supporting the registration of the political entity for participation in the 04/04/2021 elections for people's representatives.
Complaints are filed by natural persons with a legal interest, against the proper party – the controller of personal data. According to data from the file, including the result of an inquiry at the CEC, the applicant Mr. D.An. learned about the alleged violation on 05.03.2021, Mrs. D.Al. – on 07.04.2021. and Mr. R.M. – on 04.04.2021. In this regard and in view of the statutory deadlines for registration of participants in the electoral process established in the IC and insofar as the CPLD was referred to the complaints on 12.03.2021 and 09.04.2021, respectively. and 04/05/2021, a few days after the alleged violations were established, the conclusion follows that the complaints were submitted within the period under Article 38, Paragraph 1 of the Labor Code.

Referred authority is competent to give a ruling - the CPLD, which, according to its powers under Art. 10, paragraph 1 of the CPLD in connection with Art. 57, §1, letter "f" of Regulation (EU) 2016/679, examines complaints against acts and actions of the administrators of personal data, which violate the rights of data subjects related to the processing of personal data, and the exceptions under Art. 2, §2, letter "c" and Art. 55, §3 of Regulation (EU) 2016/679 given the fact that the case does not concern processing activities carried out by an individual in the course of purely personal or domestic activities and/or activities carried out by courts in the performance of their judicial functions.

The prerequisites of Art. 32 of the APC are present for the unification and examination of complaints in one general administrative proceeding, in view of the fact that the rights and obligations of the parties arise from the same factual situation, are filed against the same person and are within the competence of one and the same administrative body – CPLD. For the stated reasons and given the absence of the negative prerequisites specified in art. 27, para. 2 of the APC, at the meeting of the commission held on 09.08.2021, the complaints were accepted as admissible and, on the basis of Article 32 of the APC, they were combined for consideration in one administrative proceeding. The following are constituted as parties to the proceedings: applicants: D.An., D.Al. and R.M. and on the other hand – political party ******.

In order to clarify the case from a legal and factual point of view, handwriting examinations of the signatures placed on ***, line *** have been allowed; ***, line *** and page ***, line *** from the list submitted to the CEC of voters supporting the registration of a political party ****** for participation in the elections held on 04.04.2021. elections for people's representatives. In the course of the proceedings, the appellants were informed of the possibility of providing comparative material for carrying out the expertise in order to establish the truth, respectively the falsity of the signatures in the list submitted to the CEC supporting the registration of the political party for participation in the elections held on 11.07.2021. elections. Comparative material was provided by all three appellants and sent to the National Institute of Forensic Science (NIC). Graphic examinations have been prepared and reflected in Protocol No.*** dated 13.06.2022, Protocol No.*** dated 13.06.2022. and Protocol No. *** dated 11.08.2022. according to the inventory of NIK, sent to the CPLD with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022. and PPN-01-307#13/15.08.2022, with conclusions that the signatures subject to the examinations were not signed by the applicants D.An., D.Al. and R.M.

An open session has been scheduled for consideration of the complaints on the merits on 09.11.2022. from 1:00 p.m., of which the parties are regularly notified. A copy of the expertise has been sent to the parties for perusal and opinion, with instructions on the distribution of the burden of proof in the process.
There were no objections to the expertises, no additional evidence was committed, no demands were made on the evidence.

In order to clarify the case from a factual point of view, the defendant has again requested evidence of the lawful processing of the personal data of the complainant, a certified copy of internal rules and/or the Policy for the protection of personal data regarding the processing of personal data by a political party in the electoral process, undertaken technically and organizational measures for the protection of personal data, an instruction, order or other act for training party representatives to collect personal data in the electoral process, as well as information and results of an internal audit carried out in the case, if one has been assigned. The requested evidence was not provided. With a laconic opinion dated 08.11.2022, without attached evidence, which exhausts the activity of the defendant in the process, it is stated that the lists of persons supporting the registration of the party in the electoral process are collected and processed by members of the party without their deliberate authorization for the goal. They specify that after the data have been submitted to the CEC "they are destroyed on a shredder and a computer". It is claimed that the party has trained all its members on the processing of personal data and they are familiar with the GDPR.

On 09.11.2022. meeting of the commission, the appeals were examined on their merits. The parties – regularly notified, do not appear, do not represent themselves.

In its capacity as an administrative body and in connection with the need to establish the truth of the case, as a basic principle in administrative proceedings, according to Art. 7 of the APC, requiring the presence of established actual facts and given the evidence collected and the allegations made, the commission accepts that appeals No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021. and PPN-01-296/05.04.2021, are well founded.

The subject of the appeals are the allegations of unlawful processing of personal data of the appellants D.An., D.Al. and R.M. – names and uniform civil number, from a political party ****** by including them in a list of persons supporting the registration of the political entity for participation in the held on 04.04.2021. elections for people's representatives.

It is notorious that on 04.04.2021 elections for the National Assembly were held. With Decision No. 2084-NS/17.02.2021 of the CEC political party ****** is registered to participate in the elections for people's representatives on the basis of submitted on 15.02.2021. application filed under No.** in the register of parties for participation in the elections for people's representatives. A list containing the three names, the uniform civil number and handwritten signature of 2,951 voters supporting the registration of the party is submitted to the registration application, the same personal data, as they are sufficient for indisputable individualization of persons.

The evidence collected in the file, in particular the materials presented by the CEC, testify that the personal data of the applicants D.An., D.Al. and R.M., in a volume of three names and a single civil number, are present respectively on page ***, line ***, page ***, line *** and page ***, line *** from the list of voters supporting the registration of a political party ****** for participation in the procedural elections submitted to the CEC. The provision of personal data by a political entity to the CEC for the registration of the party for participation in the elections is a form of processing of personal data and as such should be carried out in compliance with the provisions of Regulation EU 2016/679, in particular those of Article 6, §1 of the regulation, the same applicable insofar as the data were provided on 15.02.2021.
The claims of the complainants regarding illegal processing of their data by PP ****** for the registration of the political entity for participation in the elections held on 04/04/2021 are well-founded. In support of this conclusion are the conclusions of graphic examinations, reflected in Protocol No.*** dated 13.06.2022, Protocol No.*** dated 13.06.2022. and Protocol No. *** dated 11.08.2022. according to the inventory of NIK, sent to the CPLD with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022. and PPN-01-307#13/15.08.2022, with conclusions that the signatures subject to the examinations were not signed by the applicants D.An., D.Al. and R.M. The latter testifies that the processing of the applicants' personal data was carried out without their consent - a specific and informed statement of will in the sense of Article 4, §11 of the Regulation.

In the specific case, none of the other conditions specified in Article 6, §1 of the Regulation are present, as evidence to the contrary has not been committed, nor has such been claimed by the defendant. Despite the legal opportunity granted to the respondent and the instructions related to the distribution of the burden of proof in the process, the administrator – PP ******, did not provide evidence of the existence of a condition for the legality of the processing of personal data of the applicants for the specific purpose. There is a lack of evidence to substantiate the applicability of Article 6, §1, letter "b" of the GDPR - existence of a contract concluded between the parties for the implementation of any necessary processing of personal data of the applicants by the political party or for undertaking steps at the request of the data subject before the conclusion of the contract. The grounds under Art. 6, §1, letters "d" and "e" of the GDPR are irrelevant - they are applicable in other, different and incompatible with the present, hypotheses concerning the processing of personal data for the protection of vital interests related to the life and health of the data subject, the performance of a task of public interest, as well as in the exercise of official powers, such as are not delegated to political parties. The hypothesis of Article 6, §1, letter "f" of the Regulation is inapplicable - the interests of the administrator are not superior to the interests of the affected natural person, whose data are included in the list submitted to the CEC without his consent, as it is indisputable that the latter is prioritized over the interest of the political entity to participate in the elections.

There is also no legal obligation for processing on the part of the administrator, insofar as the participation of political parties in the electoral process is a legal possibility, in the implementation of which the legally established rules should be complied with, in particular those in the field of personal data protection according to the norm of Art. 133, paragraph 4 of the IC. The processing of personal data in the electoral process is permissible and strictly regulated. The Electoral Code contains specific rules regarding the processing of personal data in the electoral process regarding the purposes of processing, categories of personal data, etc. In this regard, and although the applicant's data were processed in a statutory procedure, the fulfillment of the legally established obligation, respectively realization of the legitimate interests of the personal data administrator, in this case the political party, arise only if the person whose personal data appears in the list of voters supporting the registration of the party to participate in the elections, has given its consent to this support.
However, when the last prerequisite is not present, the relevant political entity cannot use the person's personal data to realize its legitimate interests in participating in the electoral process. In this direction, the CEC and CPLD adopted joint instructions regarding the processing and protection of personal data in the electoral process. In the document published on 12.02.2021, also available on the CPLD website at https://cpdp.bg/%d1%83%d0%ba%d0%b0%d0%b7%d0%b0%d0%bd%d0%b8%d1%8f-%d0%bd%d0%b0-%d1%86%d0%b8%d0%ba-%d0%b8-%d0%ba%d0%b7%d0%bb%d0%b4-%d0%be%d1%82%d0%bd%d0%be%d1%81%d0%bd%d0%be-%d0%be%d0%b1%d1%80%d0%b0%d0%b1%d0%be%d1%82/ detailed explanations are given regarding the legal framework for the protection of personal data, as well as the rights and obligations of all participants in the electoral process – political parties, coalitions of parties, initiative committees, candidates, representatives, advocates, observers, mass media representatives and election commissions in the various types of elections. The guidelines are intended to facilitate the participants in the electoral process and to prevent violations.

Based on the stated considerations and the evidence collected in the case file, it is necessary to conclude that the personal data of the complainants were processed, by including them in the CEC's list of persons supporting the registration of the political entity for participation in the elections for people's representatives held in the Republic of Bulgaria on 04.04.2021, in violation of Art. 6, §1 of the GDPR, without any of the conditions specified in the provision being present, as the rights of the person who appealed to the CPLD were violated.
The General Data Protection Regulation and the GDPR imposes an obligation on the administrator to process personal data in a lawful manner, not allowing, at the risk of administrative and criminal liability, the misuse of personal data, even less allowing the possibility in the lists filled out in front of persons from the party and used by the party to participate in the election process, to enter other people's personal data. Conversely, a wrong interpretation, contradicts both the letter and the spirit of the law and creates uncertainty in the processing of personal data and prerequisites for their abuse in a field that affects not only the persons who appealed to the CPLD, but society as a whole, as it concerns the state management and the possibility for citizens to participate in it at their will, without the latter being manipulated through the use of their personal data, without their knowledge and consent. In the context of complaints and the electoral process, this responsibility includes the undisputed identification of the person who enters the data, and the person before whom the same is submitted certifies with his signature, placed below the list, that the data was entered in front of him and by the person to whom it relates. There is no legal basis and mechanism for verifying the accuracy of the entered data and the identity of the person. Permissible and not prohibited by law are, for example, identification with an identity document or other document with a photo of the person and three names to be provided, for reference only, to the person in front of whom the signatures are being placed, with a view to verifying the identity of the voter. 
Undoubtedly, the ways to verify the identity of the persons should be expressed in the specific instructions, order or other act of the administrator, in expression of his obligation to introduce organizational measures in the sense of Article 24 of the GDPR, taking into account the nature, scope, context and the purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, in order to ensure and be able to prove that the processing is carried out in accordance with the GDPR.

In the specific case, it should be assumed that such measures, rules and control regarding the collection of personal data and their use in the electoral process are absent insofar as, despite a specific request addressed to the administrator, the latter does not provide internal rules and/or a Policy for the protection of personal data regarding the processing of personal data by a political party in the electoral process, technical and organizational measures taken to protect personal data, an instruction, order or other act for training party representatives to collect personal data in the electoral process.

The evidence collected in the file also testifies to violation of Article 24 of the GDPR committed by the administrator, as well as a violation of the "principle of accountability" under Article 5, §2 of the GDPR, insofar as the administrator is unable to prove processing of personal data in accordance with the principles specified in the GDPR, in terms of measures taken by him – trainings, briefings, written internal rules, orders, etc. For control, preliminary and subsequent, on the part of the administrator, there is also a lack of evidence, insofar as information was explicitly requested from the political party, but not provided and results of an internal inspection carried out in the case, nor information that such was assigned to establish the reasons, omissions that led to the violation under Art. 6, §1 of the GDPR.
In view of the nature of the detected violation of Article 6, §1 of the GDPR, the commission considers that the corrective measures under Article 58, §2, letter "a", "b", "c", "d", "e", "f", "g", "h" and "j" of the Regulation are inapplicable and inexpedient in this case, given the gravity of the violation and the fact that the same has been completed. Given the severity of the violation and the fact that the same has been completed and it is next for the administrator to whom the order was issued, the commission considers it expedient, effective and dissuasive to exercise corrective authority under Art. 58, §2, letter "i" of the GDPR - imposition of a property sanction. The administrator is obliged to know the law and to comply with its requirements, even more so because he owes the necessary care provided for in the law and arising from his subject of activity, personnel and economic resources.
There are no mitigating circumstances when determining the amount of the sanction. The circumstances under Art. 83, §2, letters "b" and "i" of the Regulation are irrelevant insofar as it concerns an administrator - a legal entity that is not at fault, and at the time of committing the violation approved codes of conduct, respectively approved mechanisms for certification are not entered.
Circumstances should be qualified as aggravating: the rights of three individuals were violated; the violations are completed; the administrator does not assist the CPDP to clarify the case; data on the unique civil number of the persons were processed, and as a result of the registration, the rights of the applicants related to the electoral legislation and their participation in the electoral process were limited; the violations became known to the CPLD as a result of a referral by the affected persons.
The fact that the violation is not the first for the administrator is also relevant. The political party was sanctioned for an identical violation - processing of personal data in the electoral process without a legal basis, with the following coming into force: Decision №Ж-420#6/21.11.2016, with a sanction in the amount of BGN 15,300, Decision №Ж-60#8/19.10.2018, with an imposed sanction in the amount of BGN 10,000 and Decision PPN-01-1672/07.10.2020, with an imposed sanction in the amount of BGN 2,500.
It should be noted, as an aggravating circumstance, that the personal data of the applicant D.Al. were once again processed illegally by the political party in connection with its participation in the electoral process. In 2017 Mrs. D.Al. appealed to the CPLD with a complaint (Ж-85/20.02.2017) for misuse of her personal data by a political party ****** for registration of the political party for participation in the 2017 National Assembly elections. The expertise assigned to the case established that the signature in the list of voters was not placed by Mrs. D.Al., her complaint was accepted by the CPLD as well-founded, and the party was sanctioned with the effective Decision No. Ж-60#8/19.10.2018, with an imposed sanction in the amount of BGN 10,000.
The violation is also related to the complainant D.An., who appealed to the CPLD with a complaint (Ж-624/17.10.2016) against the political entity for an identical violation, misuse of his personal data for party registration to participate in the elections for President and Vice President of the Republic of Bulgaria held on November 6, 2016. After an examination, the complaint of Mr. D.An. was accepted as justified, and a property sanction in the amount of BGN 15,300 was imposed on the political entity, objectified in the effective Decision No. Ж-420#6/21.11.2016 of the CPLD.
Based on the stated considerations, the commission considers that, in view of the principle of proportionality between the severity of the violation and the amount of the penalty, the property sanction imposed on the political party ****** should be in the amount of BGN 25,000 - an amount far below the average minimum provided for in the Regulation on this violation. Taking into account the purpose of the punishment, which should have a deterrent and warning function, the nature and severity of the violation, the public relations it affects, the categories of personal data affected, the commission considers that the type and amount of the power exercised undoubtedly meets the requirements of the LLPD and Regulation 2016/679 for efficiency and deterrent effect, while at the same time not violating the principle of proportionality and the requirement of proportionality.
With regard to the detected violations of Art. 24 and Art. 5, §2 of the GDPR, the commission finds it appropriate to issue an order under Art. 58, §2, letter "d" of the GDPR to the administrator, namely to take technical and organizational measures for protection of personal data, including conducting training, including immediately before the specific elections, of the party representatives participating in the process of collecting personal data in the electoral process, introducing a mechanism for ongoing and subsequent control and accountability in the processing of personal data in the electoral process and to submit a Personal Data Protection Policy consistent with the regulation, in which the rules for the collection and processing of personal data should be clearly spelled out, including in signatures to support the political entity for registration in the electoral process and when collecting personal data of persons supporting the registration of the party for participation in referendums.
However, it should be noted that the non-fulfillment of the commission's order, within the specified period, is accompanied by a sanction for non-fulfillment in view of its effectiveness and the possibility of an additional sanctioning mechanism for verification and control of the implementation. The goal is to achieve general prevention and proportionate and lawful processing of personal data. Thus, orders are effective, as they are accompanied by corresponding sanctions in case of non-fulfilment, as the legislator foresees that in case of non-compliance with an effective order of the supervisory authority, an administrative penalty of "fine" or "property penalty" of up to 20000000 EUR will be imposed.
Guided by the above and on the basis of Article 38, Paragraph 3 of the Personal Data Protection Act, the Commission for the Protection of Personal Data,
RESOLVE:
1. Declares complaints PPN-01-223/12.03.2021, PPN-01-307/09.04.2021 and PPN-01-296/05.04.2021, filed respectively by D.An., D.Al. and R.M., to be well-founded.
2. On the basis of Art. 83, §5, letter "a", in connection with Art. 58, §2, letter "i" of Regulation EU 679/2016 imposes on a political party ****** a property sanction in the amount of BGN 25,000 (twenty-five thousand BGN) for processing the personal data of the applicants in violation of Article 6, §1 of EU Regulation 2016/679.
3. On the basis of Article 58, §2, letter "d" of the GDPR and for violation of Article 24 of the GDPR and Article 5, §2 of the GDPR issues an order to political party ****** to take technical and organizational measures to protect personal data, including training, including immediately before each election, of party representatives participating in the process of collecting personal data in the electoral process; to submit a Personal Data Protection Policy consistent with the Regulation, in which the rules for the collection and processing of personal data should be clearly spelled out, including in signatures to support the political entity for registration in the electoral process, as well as in the collection of personal data of persons supporting the registration of the party for participation in referendums and to introduce a mechanism for ongoing and subsequent control and accountability in the processing of personal data.
4. Deadline for implementation of the issued order – three months from the entry into force of the decision, after which the administrator is to notify the commission of the implementation by presenting the relevant evidence.
The decision is subject to appeal within 14 days of its delivery, through the Commission for the Protection of Personal Data, before the Administrative Court of Sofia - city.
After the decision enters into force, the amount of the imposed penalty should be transferred by bank transfer