CPDP (Bulgaria) - PPN-01-223/2021, PPN-01-307/2021, PPN-01-296/2021: Difference between revisions

From GDPRhub
mNo edit summary
(fixed case number, url, translation and minor things in text)
Line 7: Line 7:
|DPA_With_Country=CPDP (Bulgaria)
|DPA_With_Country=CPDP (Bulgaria)


|Case_Number_Name=PPN-01-033/2021, PPN-01-307/2021, PPN-01-296/2021
|Case_Number_Name=PPN-01-01-223/2021, PPN-01-307/2021, PPN-01-296/2021 <br> ППН-01-223, ППН-01-307, ППН-01-296
|ECLI=
|ECLI=


|Original_Source_Name_1=Commission for Personal Data Protection
|Original_Source_Name_1=Commission for Personal Data Protection
|Original_Source_Link_1=https://cpdp.bg/%25d1%2580%25d0%25b5%25d1%2588%25d0%25b5%25d0%25bd%25d0%25b8%25d0%25b5-%25d0%25bf%25d0%25be-%25d0%25b6%25d0%25b0%25d0%25bb%25d0%25b1%25d0%25b8-%25d1%2581-%25d1%2580%25d0%25b5%25d0%25b3-%25e2%2584%2596-%25d0%25bf%25d0%25bf%25d0%25bd-01-223-12-03-2021-%25d0%25b3-%25d0%25bf%25d0%25bf%25d0%25bd-01-307-09-0/
|Original_Source_Link_1=https://cpdp.bg/%D1%80%D0%B5%D1%88%D0%B5%D0%BD%D0%B8%D0%B5-%D0%BF%D0%BE-%D0%B6%D0%B0%D0%BB%D0%B1%D0%B8-%D1%81-%D1%80%D0%B5%D0%B3-%E2%84%96-%D0%BF%D0%BF%D0%BD-01-223-12-03-2021-%D0%B3-%D0%BF%D0%BF%D0%BD-01-307-09-0/
|Original_Source_Language_1=Bulgarian
|Original_Source_Language_1=Bulgarian
|Original_Source_Language__Code_1=BG
|Original_Source_Language__Code_1=BG
Line 66: Line 66:


=== Facts ===
=== Facts ===
On April 4, 2021 -- the date on which elections were held for the Bulgarian National Assembly -- one political party (the controller) registered for participation on the basis of an application that included a list with the full names, unique civil number and handwritten signature of 2951 voters supporting the registration of the party.  
On April 4, 2021 -- the date on which elections were held for the Bulgarian National Assembly -- one political party (the controller) registered for participation on the basis of an application that included a list with the full names, unique civil numbers and handwritten signatures of 2951 voters supporting the registration of the party.  


The Bulgarian DPA (CPDP) received a number of complaints around the time of the election from data subjects alleging that the controller was unlawfully processing their personal data by including them in a list of persons supporting the registration of the political individual to participate in 2021 elections. The processed data included their names and unified civic numbers attributed to their political party. The data subjects did not sign up in support of the registration, nor did they give consent for the processing of their personal data for this purpose.
The Bulgarian DPA (CPDP) received a number of complaints around the time of the election from data subjects alleging that the controller was unlawfully processing their personal data by including them in a list of persons supporting the registration of the political party to participate in the 2021 elections. The processed data included their names and unified civic numbers attributed to their political party. The data subjects did not sign up in support of the registration, nor did they give consent for the processing of their personal data for this purpose.


The political party provided some documents in response to the complaint, but the CPDP noted a lack of adequate participation, who failed to submit the requested evidence. It did not challenge the data subjects’ allegations or provide a statement on the matter. In one of the few documents provided, the controller stated (without evidence) that the lists of persons supporting the registration of the party in electoral processes are collected and processed by members of the party without  their intentional authorisation and purpose. After the data is transmitted to the Central Election Commission, it is destroyed on a shredded and on the computer. The controller claimed to have trained all its members to process personal data in accordance with the GDPR.
The political party provided some documents in response to the complaints, but the CPDP noted a lack of adequate participation from the controller, who failed to submit the requested evidence. It did not challenge the data subjects’ allegations or provide a statement on the matter. In one of the few documents provided, the controller stated (without evidence) that the lists of persons supporting the registration of the party in electoral processes are collected and processed by members of the party without  their intentional authorisation and purpose. After the data is transmitted to the Central Election Commission, it is destroyed using a shredder and on the computer. The controller claimed to have trained all its members to process personal data in accordance with the GDPR.


=== Holding ===
=== Holding ===
Line 91: Line 91:


<pre>
<pre>
Decision on appeals with reg. No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021 and PPN-01-296/05.04.2021 DECISION No.PPN-01-223/ 2021 Sofia, 26.01.2023 The Commission for the Protection of Personal Data (CPDP) in composition: Chairman: Vencislav Karadjov and members: Tsanko Tsolov, Maria Mateva and Veselin Tselkov at a meeting held on 09.11.2022, on the basis of Article 10, Paragraph 1 of the Law on Protection of personal data, respectively Art. 57, §1, letter "e" of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. on the protection of natural persons in connection with the processing of personal data and on the free movement of such data (Regulation, GDPR), examined the merits of complaints No.PPN-01-223/12.03.2021, PPN-01-307/09.04.2021 . and PPN-01-296/05.04.2021, filed respectively by D.An., D.Al. and R.M. Administrative proceedings are in accordance with Article 38 of the Personal Data Protection Act (PDPA). The Commission for the Protection of Personal Data was referred to complaint No.PPN-01-223/12.03.2021, submitted by D.An. against a political party ****** with allegations of unlawful processing of his personal data by including them in a list of persons supporting the registration of the political entity for participation in the held on 04.04.2021. elections for people's representatives. The complainant claims that he discovered the violation after conducting an electronic inquiry at the Central Electoral Commission, the result of which is attached. He declares that he did not sign in support of the registration of the political entity and did not give his consent to the processing of his personal data for the specific purpose. Complaint with identical content Mr. D.An. has also submitted to the Central Election Commission. The complaint was forwarded to the CPLD for examination on the basis of competence, together with relevant evidence - a copy of Decision No.*** of the CEC and a copy of page *** of the list of voters supporting the registration of the political entity to participate in the elections for people's representatives of 04.04.2021. Filed under No. PPN-01-242/18.03.2021. according to the inventory of the CPLD. CPLD was referred with a complaint PPN-01-307/09.04.2021. submitted by D.Al. and appeal PPN-01-296/04.05.2021 submitted by R.M. against the same legal entity - PP ******, with identical claims - unlawful processing of their personal data by including them in a list of persons supporting the registration of the political entity for participation in the held on 04.04.2021. elections for people's representatives. Attached to the complaints is a photocopy of references up-to-date as of 04/07/2021. and 04.04.2021 on the website https://www.cik.bg/bg/ns2021/podpiski, carried out on the basis of lists submitted by 38 political parties, coalitions and initiative committees, evident from the content of which personal data of the applicants are available on page ** *, line *** and page ***, line *** from the list of persons supporting the registration of PP *** for participation in the held on 04.04.2021. elections for people's representatives. In view of the principles of equality of the parties and truthfulness advocated in the administrative process, the political party ****** was informed about the submitted complaints, it was given the opportunity to engage in a written opinion on the statements presented in the complaints. Evidence relevant to the case of the lawful processing of the personal data of the applicants, a certified copy of internal rules and/or the Personal Data Protection Policy regarding the processing of personal data by a political party in the electoral process, technical and organizational measures taken to protect the personal data are required. data, instruction, order or other act for training the representatives of the party to collect personal data in the electoral process, as well as information and results of the internal checks carried out in the case, if such have been assigned. There is a lack of active participation of the political entity in the proceedings, the required evidence has not been presented. The claims of the complainants are not disputed, an opinion on the subject of the complaints is not engaged. With a view to clarifying the case from a factual point of view, the CEC requested and submitted a copy of pages: ***, line ***; ***, line *** and page ***, line *** from the CEC provided list of persons supporting the registration of a political party ****** for participation in the held on 04.04.2021. elections for people's representatives. The Commission for the Protection of Personal Data is an independent state body that protects individuals in the processing of their personal data, in the implementation of access to this data and control of compliance with the GDPR and GDPR. In order to exercise its powers, the Commission should be validly referred. Complaints contain the required details specified in the provision of art. 28, paragraph 1 of the Regulations for the activities of the Commission for the Protection of Personal Data and its administration - there are data on the complainants, the nature of the request, date, signatures, the passively legitimized person is indicated country and date of knowledge of the violation, in view of which they are regular. The subject of the complaints are the allegations of unlawful processing of personal data of the complainants – names and uniform civil number, by a political party ****** by including them in a list provided to the CEC of persons supporting the registration of the political entity for participation in the 04/04/2021 elections for people's representatives. Complaints are filed by natural persons with a legal interest, against the proper party – the controller of personal data. According to data from the file, including the result of an inquiry at the CEC, the applicant Mr. D.An. learned about the alleged violation on 05.03.2021, Mrs. D.Al. on 07.04.2021. and Mr. R.M. on 04.04.2021. In this regard and in view of the statutory deadlines for registration of participants in the electoral process established in the IC and insofar as the CPLD was referred to the complaints on 12.03.2021 and 09.04.2021, respectively. and 04/05/2021, a few days after the alleged violations were established, the conclusion follows that the complaints were submitted within the period under Article 38, Paragraph 1 of the Labor Code. Referred authority is competent to give a ruling - the CPLD, which, according to its powers under Art. 10, paragraph 1 of the CPLD in connection with Art. 57, §1, letter "f" of Regulation (EU) 2016/679, examines complaints against acts and actions of the administrators of personal data, which violate the rights of data subjects related to the processing of personal data, and the exceptions under Art. 2, §2, letter "c" and Art. 55, §3 of Regulation (EU) 2016/679 given the fact that the case does not concern processing activities carried out by an individual in the course of purely personal or domestic activities and/or activities carried out by courts in the performance of their judicial functions. The prerequisites of Art. 32 of the APC are present for the unification and examination of complaints in one general administrative proceeding, in view of the fact that the rights and obligations of the parties arise from the same factual situation, are filed against the same person and are within the competence of one and the same administrative body – CPLD. For the stated reasons and given the absence of the negative prerequisites specified in art. 27, para. 2 of the APC, held on 09.08.2021. meeting of the commission, the complaints were accepted as admissible and, on the basis of Article 32 of the APC, they were combined for consideration in one administrative proceeding. The following are constituted as parties to the proceedings: applicants: D.An., D.Al. and R.M. and on the other hand – political party ******. In order to clarify the case from a legal and factual point of view, handwriting examinations of the signatures placed on ***, line *** have been allowed; ***, line *** and page ***, line *** from the list submitted to the CEC of voters supporting the registration of a political party ****** for participation in the elections held on 04.04.2021. elections for people's representatives. In the course of the proceedings, the appellants were informed of the possibility of providing comparative material for carrying out the expertise in order to establish the truth, respectively the falsity of the signatures in the list submitted to the CEC supporting the registration of the political party for participation in the elections held on 11.07.2021. elections. Comparative material was provided by all three appellants and sent to the National Institute of Forensic Science (NIC). Graphic examinations have been prepared and reflected in Protocol No.*** dated 13.06.2022, Protocol No.*** dated 13.06.2022. and Protocol No. *** dated 11.08.2022. according to the inventory of NIK, sent to the CPLD with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022. and PPN-01-307#13/15.08.2022, with conclusions that the signatures subject to the examinations were not signed by the applicants D.An., D.Al. and R.M. An open session has been scheduled for consideration of the complaints on the merits on 09.11.2022. from 1:00 p.m., of which the parties are regularly notified. A copy of the expertise has been sent to the parties for perusal and opinion, with instructions on the distribution of the burden of proof in the process. There were no objections to the expertises, no additional evidence was committed, no demands were made on the evidence. In order to clarify the case from a factual point of view, the defendant has again requested evidence of the lawful processing of the personal data of the complainant, a certified copy of internal rules and/or the Policy for the protection of personal data regarding the processing of personal data by a political party in the electoral process, undertaken technically and organizational measures for the protection of personal data, an instruction, order or other act for training party representatives to collect personal data in the electoral process, as well as information and results of an internal audit carried out in the case, if one has been assigned. The requested evidence was not provided. With a laconic opinion dated 08.11.2022, without attached evidence, which exhausts the activity of the defendant in the process, it is stated that the lists of persons supporting the registration of the party in the electoral process are collected and processed by members of the party without their deliberate authorization for the goal. They specify that after the data have been submitted to the CEC "they are destroyed on a shredder and a computer". It is claimed that the party has trained all its members on the processing of personal data and they are familiar with the GDPR. On 09.11.2022. meeting of the commission, the appeals were examined on their merits. The parties – regularly notified, do not appear, do not represent themselves. In its capacity as an administrative body and in connection with the need to establish the truth of the case, as a basic principle in administrative proceedings, according to Art. 7 of the APC, requiring the presence of established actual facts and given the evidence collected and the allegations made, the commission accepts that appeals No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021. and PPN-01-296/05.04.2021, are well founded. The subject of the appeals are the allegations of unlawful processing of personal data of the appellants D.An., D.Al. and R.M. – names and uniform civil number, from a political party ****** by including them in a list of persons supporting the registration of the political entity for participation in the held on 04.04.2021. elections for people's representatives. It is notorious that on 04.04.2021 elections for the National Assembly were held. With Decision No. 2084-NS/17.02.2021 of the CEC political party ****** is registered to participate in the elections for people's representatives on the basis of submitted on 15.02.2021. application filed under No.** in the register of parties for participation in the elections for people's representatives. A list containing the three names, the uniform civil number and handwritten signature of 2,951 voters supporting the registration of the party is submitted to the registration application, the same personal data, as they are sufficient for indisputable individualization of persons. The evidence collected in the file, in particular the materials presented by the CEC, testify that the personal data of the applicants D.An., D.Al. and R.M., in a volume of three names and a single civil number, are present respectively on page ***, line ***, page ***, line *** and page ***, line ** * from the list of voters supporting the registration of a political party ****** for participation in the procedural elections submitted to the CEC. The provision of personal data by a political entity to the CEC for the registration of the party for participation in the elections is a form of processing of personal data and as such should be carried out in compliance with the provisions of Regulation EU 2016/679, in particular those of Article 6, §1 of the regulation, the same applicable insofar as the data were provided on 15.02.2021. The claims of the complainants regarding illegal processing of their data by PP ****** for the registration of the political entity for participation in the elections held on 04/04/2021 are well-founded. In support of this conclusion are the conclusions of graphic examinations, reflected in Protocol No.*** dated 13.06.2022, Protocol No.*** dated 13.06.2022. and Protocol No. *** dated 11.08.2022. according to the inventory of NIK, sent to the CPLD with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022. and PPN-01-307#13/15.08.2022, with conclusions that the signatures subject to the examinations were not signed by the applicants D.An., D.Al. and R.M. The latter testifies that the processing of the applicants' personal data was carried out without their consent - a specific and informed statement of will in the sense of Article 4, §11 of the Regulation. In the specific case, none of the other conditions specified in Article 6, §1 of the Regulation are present, as evidence to the contrary has not been committed, nor has such been claimed by the defendant. Despite the legal opportunity granted to the respondent and the instructions related to the distribution of the burden of proof in the process, the administrator – PP ******, did not provide evidence of the existence of a condition for the legality of the processing of personal data of the applicants for the specific purpose. There is a lack of evidence to substantiate the applicability of Article 6, §1, letter "b" of the GDPR - existence of a contract concluded between the parties for the implementation of any necessary processing of personal data of the applicants by the political party or for undertaking steps at the request of the data subject before the conclusion of the contract. The grounds under Art. 6, §1, letters "d" and "e" of the GDPR are irrelevant - they are applicable in other, different and incompatible with the present, hypotheses concerning the processing of personal data for the protection of vital interests related to the life and health of the data subject, the performance of a task of public interest, as well as in the exercise of official powers, such as are not delegated to political parties. The hypothesis of Article 6, §1, letter "f" of the Regulation is inapplicable - the interests of the administrator are not superior to the interests of the affected natural person, whose data are included in the list submitted to the CEC without his consent, as it is indisputable that the latter is prioritized over the interest of the political entity to participate in the elections. There is also no legal obligation for processing on the part of the administrator, insofar as the participation of political parties in the electoral process is a legal possibility, in the implementation of which the legally established rules should be complied with, in particular those in the field of personal data protection according to the norm of Art. .133, paragraph 4 of the IC. The processing of personal data in the electoral process is permissible and strictly regulated. The Electoral Code contains specific rules regarding the processing of personal data in the electoral process regarding the purposes of processing, categories of personal data, etc. In this regard, and although the applicant's data were processed in a statutory procedure, the fulfillment of the legally established obligation, respectively realization of the legitimate interests of the personal data administrator, in this case the political party, arise only if the person whose personal data appears in the list of voters supporting the registration of the party to participate in the elections, has given its consent to this support. However, when the last prerequisite is not present, the relevant political entity cannot use the person's personal data to realize its legitimate interests in participating in the electoral process. In this direction, the CEC and CPLD adopted joint instructions regarding the processing and protection of personal data in the electoral process. In the document published on 12.02.2021, also available on the CPLD website at https://cpdp.bg/%d1%83%d0%ba%d0%b0%d0%b7%d0%b0%d0% bd%d0%b8%d1%8f-%d0%bd%d0%b0-%d1%86%d0%b8%d0%ba-%d0%b8-%d0%ba%d0%b7%d0%bb% d0%b4-%d0%be%d1%82%d0%bd%d0%be%d1%81%d0%bd%d0%be-%d0%be%d0%b1%d1%80%d0%b0% d0%b1%d0%be%d1%82/ detailed explanations are given regarding the legal framework for the protection of personal data, as well as the rights and obligations of all participants in the electoral process – political parties, coalitions of parties, initiative committees, candidates, representatives , advocates, observers, mass media representatives and election commissions in the various types of elections. The guidelines are intended to facilitate the participants in the electoral process and to prevent violations. Based on the stated considerations and the evidence collected in the case file, it is necessary to conclude that the personal data of the complainants were processed, by including them in the CEC's list of persons supporting the registration of the political entity for participation in the elections for people's representatives held in the Republic of Bulgaria on 04.04. 2021, in violation of Art. 6, §1 of the GDPR, without any of the conditions specified in the provision being present, as the rights of the person who appealed to the CPLD were violated. The General Data Protection Regulation and the GDPR imposes an obligation on the administrator to process personal data in a lawful manner, not allowing, at the risk of administrative and criminal liability, the misuse of personal data, even less allowing the possibility in the lists filled out in front of persons from the party and used by the party to participate in the election process, to enter other people's personal data. Conversely, a wrong interpretation, contradicts both the letter and the spirit of the law and creates uncertainty in the processing of personal data and prerequisites for their abuse in a field that affects not only the persons who appealed to the CPLD, but society as a whole, as it concerns the state management and the possibility for citizens to participate in it at their will, without the latter being manipulated through the use of their personal data, without their knowledge and consent. In the context of complaints and the electoral process, this responsibility includes the undisputed identification of the person who enters the data, and the person before whom the same is submitted certifies with his signature, placed below the list, that the data was entered in front of him and by the person to whom it relates. There is no legal basis and mechanism for verifying the accuracy of the entered data and the identity of the person. Permissible and not prohibited by law are, for example, identification with an identity document or other document with a photo of the person and three names to be provided, for reference only, to the person in front of whom the signatures are being placed, with a view to verifying the identity of the voter. Undoubtedly, the ways to verify the identity of the persons should be expressed in the specific instructions, order or other act of the administrator, in expression of his obligation to introduce organizational measures in the sense of Article 24 of the GDPR, taking into account the nature, scope, context and the purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, in order to ensure and be able to prove that the processing is carried out in accordance with the GDPR. In the specific case, it should be assumed that such measures, rules and control regarding the collection of personal data and their use in the electoral process are absent insofar as, despite a specific request addressed to the administrator, the latter does not provide internal rules and/or a Policy for the protection of personal data regarding the processing of personal data by a political party in the electoral process, technical and organizational measures taken to protect personal data, an instruction, order or other act for training party representatives to collect personal data in the electoral process. The evidence collected in the file also testifies to violation of Article 24 of the GDPR committed by the administrator, as well as a violation of the "principle of accountability" under Article 5, §2 of the GDPR, insofar as the administrator is unable to prove processing of personal data in accordance with the principles specified in the GDPR, in terms of measures taken by him – trainings, briefings, written internal rules, orders, etc. For control, preliminary and subsequent, on the part of the administrator, there is also a lack of evidence, insofar as information was explicitly requested from the political party, but not provided and results of an internal inspection carried out in the case, nor information that such was assigned to establish the reasons, omissions that led to the violation under Art. 6, §1 of the GDPR.
Decision on Complaint No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021
In view of the nature of the detected violation of Article 6, §1 of the GDPR, the commission considers that the corrective measures under Article 58, §2, letter "a", "b", "c", "d", "e", " f", "g", "h" and "j" of the Regulation are inapplicable and inexpedient in this case, given the gravity of the violation and the fact that the same has been completed. Given the severity of the violation and the fact that the same has been completed and it is next for the administrator to whom the order was issued, the commission considers it expedient, effective and dissuasive to exercise corrective authority under Art. 58, §2, letter "i" of the GDPR - imposition of a property sanction. The administrator is obliged to know the law and to comply with its requirements, even more so because he owes the necessary care provided for in the law and arising from his subject of activity, personnel and economic resources.
 
There are no mitigating circumstances when determining the amount of the sanction. The circumstances under Art. 83, §2, letters "b" and "i" of the Regulation are irrelevant insofar as it concerns an administrator - a legal entity that is not at fault, and at the time of committing the violation approved codes of conduct, respectively approved mechanisms for certification are not entered.
DECISION
Circumstances should be qualified as aggravating: the rights of three individuals were violated; the violations are completed; the administrator does not assist the CPDP to clarify the case; data on the unique civil number of the persons were processed, and as a result of the registration, the rights of the applicants related to the electoral legislation and their participation in the electoral process were limited; the violations became known to the CPLD as a result of a referral by the affected persons.
 
The fact that the violation is not the first for the administrator is also relevant. The political party was sanctioned for an identical violation - processing of personal data in the electoral process without a legal basis, with the following coming into force: Decision №Ж-420#6/21.11.2016, with a sanction in the amount of BGN 15,300, Decision №Ж- 60#8/19.10.2018, with an imposed sanction in the amount of BGN 10,000 and Decision PPN-01-1672/07.10.2020, with an imposed sanction in the amount of BGN 2,500.
No. PPN-01-223/2021
It should be noted, as an aggravating circumstance, that the personal data of the applicant D.Al. were once again processed illegally by the political party in connection with its participation in the electoral process. In 2017 Mrs. D.Al. appealed to the CPLD with a complaint (Ж-85/20.02.2017) for misuse of her personal data by a political party ****** for registration of the political party for participation in the 2017 National Assembly elections. The expertise assigned to the case established that the signature in the list of voters was not signed by Mrs. D.Al. and its frog was accepted by the CPLD as well-founded, and the party sanctioned it with the effective Decision No. Ж-60#8/19.10.2018, with an imposed sanction in the amount of BGN 10,000.
 
The violation is also related to the complainant D.An., who appealed to the CPLD with a complaint (Ж-624/17.10.2016) against the political entity for an identical violation, misuse of his personal data for party registration to participate in the elections for President and Vice President of the Republic of Bulgaria held on November 6, 2016. After an examination, the complaint of Mr. D.An. was accepted as justified, and the political subject was imposed a property sanction in the amount of BGN 15,300, objectified in the effective Decision No. Ж-420#6/21.11.2016. of CPLD.
Sofia, 26.01.2023
Based on the stated considerations, the commission considers that, in view of the principle of proportionality between the severity of the violation and the amount of the penalty, the property sanction imposed on the political party ****** should be in the amount of BGN 25,000 - an amount far below the average minimum provided for in the Regulation on this violation. Taking into account the purpose of the punishment, which should have a deterrent and warning function, the nature and severity of the violation, the public relations it affects, the categories of personal data affected, the commission considers that the type and amount of the power exercised undoubtedly meets the requirements of the LLPD and Regulation 2016/ 679 efficiency and deterrent effect, while at the same time not violating the principle of proportionality and the requirement of proportionality.
 
With regard to the detected violations of Art. 24 and Art. 5, §2 of the GDPR, the commission finds it appropriate to issue an order under Art. 58, §2, letter "d" of the GDPR to the administrator, namely to take technical and organizational measures for protection of personal data, including conducting training, including immediately before the specific elections, of the party representatives participating in the process of collecting personal data in the electoral process, introducing a mechanism for ongoing and subsequent control and accountability in the processing of personal data in the electoral process and to submit a Personal Data Protection Policy consistent with the regulation, in which the rules for the collection and processing of personal data should be clearly spelled out, including in signatures to support the political entity for registration in the electoral process and when collecting personal data data of persons supporting the registration of the party for participation in referendums.
The Commission for Personal Data Protection (CPDP), composed of Chair: Ventsislav Karadjov and members: Tsanko Tsollov, Maria Mateva, and Veselin Tselkov, in a session held on 09.11.2022, based on Article 10, Paragraph 1 of the Personal Data Protection Act, respectively Article 57, Paragraph 1, letter “e” of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data (Regulation, GDPR), considered on the merits the complaints No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, filed respectively by D. An., D. Al. and R. M.
However, it should be noted that the non-fulfillment of the commission's order, within the specified period, is accompanied by a sanction for non-fulfillment in view of its effectiveness and the possibility of an additional sanctioning mechanism for verification and control of the implementation. The goal is to achieve general prevention and proportionate and lawful processing of personal data. Thus, orders are effective, as they are accompanied by corresponding sanctions in case of non-fulfilment, as the legislator foresees that in case of non-compliance with an effective order of the supervisory authority, an administrative penalty of "fine" or "property penalty" of up to 20000000 EUR will be imposed.
 
Guided by the above and on the basis of Article 38, Paragraph 3 of the Personal Data Protection Act, the Commission for the Protection of Personal Data,
The administrative proceedings are according to Article 38 of the Personal Data Protection Act (PDPA).
RESOLVE:
 
1. Announces complaints PPN-01-223/12.03.2021, PPN-01-307/09.04.2021. and PPN-01-296/05.04.2021, filed respectively by D.An., D.Al. and R.M., for reasonable.
The CPDP was approached with complaint No. PPN-01-223/12.03.2021, filed by D. An. against the political party ****** with allegations of unlawful processing of his personal data by including it in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.
2. On the basis of Art. 83, §5, letter "a", in connection with Art. 58, §2, letter "i" of Regulation EU 679/2016 imposes on a political party ****** a property sanction in the amount of BGN 25,000 (twenty-five thousand BGN) for processing the personal data of the applicants in violation of Article 6, §1 of EU Regulation 2016/679.
 
3. On the basis of Article 58, §2, letter "d" of the GDPR and for violation of Article 24 of the GDPR and Article 5, §2 of the GDPR issues an order to political party ****** to take technical and organizational measures to protect personal data, including training, including immediately before each election, of party representatives participating in the process of collecting personal data in the electoral process; to submit a Personal Data Protection Policy consistent with the Regulation, in which the rules for the collection and processing of personal data should be clearly spelled out, including in signatures to support the political entity for registration in the electoral process, as well as in the collection of personal data of persons supporting the registration of the party for participation in referendums and to introduce a mechanism for ongoing and subsequent control and accountability in the processing of personal data.
The complainant claims that he discovered the violation after checking electronically with the Central Election Commission, the result of which is attached. He declares that he did not sign in support of the political entity's registration and did not give his consent for processing his personal data for this specific purpose.
4. Deadline for implementation of the issued order – three months from the entry into force of the decision, after which to notify the commission of the implementation by presenting the relevant relevant evidence.
 
The decision is subject to appeal within 14 days of its delivery, through the Commission for the Protection of Personal Data, before the Administrative Court of Sofia - city.
A complaint with identical content was also filed by Mr. D. An. to the Central Election Commission. The complaint was forwarded to CPDP for review by jurisdiction, along with relevant evidence—a copy of Decision No. *** of the CEC and a copy of page *** from the list of voters supporting the registration of the political entity for participation in the parliamentary elections on 04.04.2021. It was registered under No. PPN-01-242/18.03.2021 in the CPDP's records.
After the decision enters into force, the amount of the imposed penalty should be transferred by bank transfer
 
The CPDP was approached with complaint PPN-01-307/09.04.2021 filed by D. Al. and complaint PPN-01-296/05.04.2021 filed by R. M. against the same legal entity—PP ******, with identical allegations of unlawful processing of their personal data by including it in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021. The complaints are accompanied by photocopies of checks current as of 07.04.2021 and 04.04.2021 on the website https://www.cik.bg/bg/ns2021/podpiski, performed based on lists submitted by 38 political parties, coalitions, and initiative committees, showing the complainants' personal data present on page ***, row ***, and page ***, row *** from the list of individuals supporting the registration of PP *** for participation in the parliamentary elections held on 04.04.2021.
 
Given the principles of equality of parties and truth in administrative proceedings, the political party ****** was informed of the filed complaints, and it was indicated that they could submit a written statement on the allegations in the complaints. Relevant evidence was requested regarding the lawful processing of the complainants' personal data, a certified copy of internal rules and/or Data Protection Policy regarding the processing of personal data by the political party in the electoral process, technical and organizational measures taken for data protection, instruction, order, or other act for training party representatives for collecting personal data in the electoral process, as well as information and results from internal checks performed on the case if such were assigned. The political entity did not actively participate in the proceedings, and the requested evidence was not provided. The complainants' claims were not disputed, and no statement on the subject matter of the complaints was engaged.
 
To clarify the case factually, copies of pages ***, row ***; ***, row ***; and page ***, row *** from the list of individuals supporting the registration of the political party ****** for participation in the parliamentary elections held on 04.04.2021 were requested from the CEC and provided in response.
 
The CPDP is an independent state body that protects individuals when processing their personal data, accessing such data, and controlling compliance with PDPA and GDPR.
 
To exercise its powers, the CPDP must be duly approached.
 
The complaints contain the required details specified in Article 28, Paragraph 1 of the Rules of Procedure of the CPDP and its administration—information about the complainants, the nature of the request, date, signatures, the indicated passive legitimized party, and the date of awareness of the violation, making them regular.
 
The subject of the complaints are allegations of unlawful processing of the complainants' personal data—names and personal identification numbers—by the political party ****** by including them in the list submitted to the CEC of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.
 
The complaints are filed by natural persons with a legal interest against a duly authorized party—data controller. According to the file data, including a check result from the CEC, the complainant Mr. D. An. learned of the alleged violation on 05.03.2021, Ms. D. Al. on 07.04.2021, and Mr. R. M. on 04.04.2021. Given the statutory deadlines for registration of participants in the electoral process and considering the CPDP was approached with the complaints respectively on 12.03.2021, 09.04.2021, and 05.04.2021, just days after discovering the alleged violations, it is concluded that the complaints were filed within the timeframe of Article 38, Paragraph 1 of PDPA. The CPDP is competent to make a decision—the CPDP, according to its powers under Article 10, Paragraph 1 of PDPA in connection with Article 57, Paragraph 1, letter “e” of Regulation (EU) 2016/679, reviews complaints against acts and actions of data controllers that violate data subjects' rights related to personal data processing, without the exceptions under Article 2, Paragraph 2, letter “c” and Article 55, Paragraph 3 of Regulation (EU) 2016/679, given that the case does not concern activities carried out by a natural person in the course of purely personal or household activities and/or activities carried out by courts in the performance of their judicial functions.
 
The conditions of Article 32 of the Administrative Procedure Code (APC) for consolidating and reviewing the complaints in one administrative proceeding are met, given that the parties' rights and obligations arise from the same factual situation, are filed against the same entity, and fall under the competence of the same administrative body—CPDP.
 
For these reasons and considering the lack of negative preconditions specified in Article 27, Paragraph 2 of APC, the complaints were accepted as admissible during the CPDP's session held on 08.09.2021 and consolidated for review in one administrative proceeding based on Article 32 of APC. The complainants: D. An., D. Al., and R. M., and the respondent—political party ******, were constituted as parties in the proceedings.
 
To clarify the case legally and factually, handwriting expertise of the signatures on ***, row ***; ***, row ***; and page ***, row *** from the list of voters supporting the registration of the political party ****** for participation in the parliamentary elections held on 04.04.2021 was permitted. During the proceedings, the complainants were informed of the possibility to provide comparative material for the expertise to establish the authenticity or non-authenticity of the signatures in the list submitted to the CEC of individuals supporting the registration of the political party for participation in the elections held on 11.07.2021. Comparative material was provided by all three complainants and sent to the National Institute of Criminology (NIC).
 
Graphical expertise was prepared, reflected in Protocol No. *** of 13.06.2022, Protocol No. *** of 13.06.2022, and Protocol No. *** of 11.08.2022 in the NIC records, sent to CPDP with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022, and PPN-01-307#13/15.08.2022, concluding that the signatures subject to the expertise were not made by the complainants D. An., D. Al., and R. M.
 
A public session for reviewing the complaints on the merits was scheduled for 09.11.2022 at 1:00 PM, for which the parties were duly notified. A copy of the expertise was sent to the parties for review and opinion, with instructions on the distribution of the evidentiary burden in the process. No objections to the expertise were submitted, no additional evidence was engaged, and no requests regarding the evidence were made.
 
To clarify the case factually, additional evidence was requested from the respondent for lawful processing of the complainant's personal data, certified copies of internal rules and/or Data Protection Policy regarding the processing of personal data by the political party in the electoral process, technical and organizational measures taken for data protection, instruction, order, or other act for training party representatives for collecting personal data in the electoral process, as well as information and results from an internal check performed on the case if such was assigned. The requested evidence was not provided.
 
With a laconic statement dated 08.11.2022, without attached evidence, exhausting the respondent's activity in the process, it was stated that the lists of individuals supporting the party's registration in the electoral process are collected and processed by party members without their explicit authorization for this purpose. It was clarified that once the data was handed over to the CEC, “they were shredded and destroyed on a computer.It was claimed that the party had trained all its members on data processing, and they were familiar with GDPR.
 
At the session held on 09.11.2022, the complaints were reviewed on the merits.
 
The parties, duly notified, did not appear and were not represented.
 
As an administrative body and in connection with the need to establish the truth in the case, a fundamental principle in administrative proceedings, according to Article 7 of APC, requiring the existence of established actual facts and considering the gathered evidence and raised claims, the commission accepts that complaints No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, are well-founded.
 
The subject of the complaints are allegations of unlawful processing of the complainants' personal data—names and personal identification numbers—by the political party ****** by including them in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.
 
It is well known that parliamentary elections were held on 04.04.2021. With Decision No. 2084-NS/17.02.2021 of the CEC, the political party ****** was registered to participate in the elections based on an application submitted on 15.02.2021, registered under No. ** in the party register for participation in the parliamentary elections. A list containing the full names, personal identification number, and handwritten signature of 2951 voters supporting the party's registration was presented with the registration application, the same personal data being sufficient for the unambiguous identification of individuals.
 
The gathered evidence, particularly the materials provided by the CEC, indicates that the complainants' personal data D. An., D. Al., and R. M., in the volume of full names and personal identification number, are present respectively on page ***, row ***, page ***, row ***, and page ***, row *** from the list of voters supporting the registration of the political party ****** for participation in the mentioned elections.
 
Providing personal data by a political entity to the CEC for party registration to participate in the elections is a form of data processing and must comply with the provisions of Regulation (EU) 2016/679, particularly Article 6, Paragraph 1 of the regulation, applicable since the data was provided on 15.02.2021.
 
The complainants' claims for unlawful processing of their data by PP ****** for registering the political entity to participate in the 04.04.2021 elections are well-founded. The conclusions of the graphical expertise, reflected in Protocol No. *** of 13.06.2022, Protocol No. *** of 13.06.2022, and Protocol No. *** of 11.08.2022 in the NIC records, sent to CPDP with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022, and PPN-01-307#13/15.08.2022, conclude that the signatures subject to the expertise were not made by the complainants D. An., D. Al., and R. M. This indicates that the processing of the complainants' personal data was done without their consent—a specific and informed declaration of intent under Article 4, Paragraph 11 of the Regulation.
 
In this case, none of the other conditions listed in Article 6, Paragraph 1 of the Regulation are present, as there is no evidence to the contrary, nor is such claimed by the respondent. Despite the respondent's legal opportunity and instructions related to the distribution of the evidentiary burden in the process, the controller—PP ******, did not engage evidence for the legality of processing the complainants' personal data for the specific purpose. There is no evidence to substantiate the applicability of Article 6, Paragraph 1, letter “b” of GDPR—existence of a contract between the parties requiring the processing of the complainants' personal data by the political party or for taking steps at the data subject's request before concluding the contract. The grounds under Article 6, Paragraph 1, letters “c” and “d” of GDPR are irrelevant—they apply in other, different and incompatible scenarios involving data processing for protecting vital interests related to the life and health of the data subject, performing a task in the public interest, and exercising official authority not delegated to political parties.
 
The hypothesis of Article 6, Paragraph 1, letter “e” of the Regulation is inapplicable—the controller's interests are not paramount to the interest of the affected individual whose data is included in the list submitted to the CEC without their consent, as it is undeniable that the latter's interest takes precedence over the political entity's interest in participating in the elections. There is also no legal obligation for processing by the controller since the participation of political parties in the electoral process is a legal opportunity that must be realized in compliance with statutory rules, particularly those in the field of personal data protection under Article 133, Paragraph 4 of the Electoral Code.
 
Processing personal data in the electoral process is permissible and strictly regulated. The Electoral Code contains specific rules regarding data processing in the electoral process, such as processing purposes, data categories, and more. In this regard, even though the complainants' data was processed in a statutory procedure, the fulfillment of statutory obligations, respectively, the realization of the data controller's legitimate interests—in this case, the political party—arise only if the individual whose data is included in the list of voters supporting the party's registration for participation in the elections has given their consent for such support. However, if this prerequisite is not present, the political entity cannot use the individual's personal data to realize its legitimate interests in the electoral process. This is also in line with the joint guidelines adopted by the CEC and CPDP regarding data processing and protection in the electoral process. The document, published on 12.02.2021 and available on the CPDP's website at https://cpdp.bg/%d1%83%d0%ba%d0%b0%d0%b7%d0%b0%d0%bd%d0%b8%d1%8f-%d0%bd%d0%b0-%d1%86%d0%b8%d0%ba-%d0%b8-%d0%ba%d0%b7%d0%bb%d0%b4-%d0%be%d1%82%d0%bd%d0%be%d1%81%d0%bd%d0%be-%d0%be%d0%b1%d1%80%d0%b0%d0%b1%d0%be%d1%82/ provides detailed explanations on the legal framework for data protection and the rights and obligations of all participants in the electoral process—political parties, coalitions, initiative committees, candidates, representatives, observers, media representatives, and election commissions in various types of elections. The guidelines aim to facilitate participants in the electoral process and prevent violations.
 
Given the above arguments and gathered evidence, it is concluded that the complainants' personal data was processed by including it in the list of individuals supporting the political entity's registration for participation in the parliamentary elections held in the Republic of Bulgaria on 04.04.2021, in violation of Article 6, Paragraph 1 of GDPR, without meeting any of the conditions listed in the provision, thus violating the data subject's rights who approached the CPDP.
 
GDPR and PDPA obligate the controller to process personal data lawfully, without allowing, with the risk of administrative liability, data misuse, much less allowing the possibility of including others' personal data in lists compiled by party representatives and used by the party in the electoral process. Conversely, misinterpreting the law contradicts both the letter and spirit of the law and creates uncertainty in data processing and grounds for misuse in an area affecting not only individuals approaching the CPDP but society as a whole, as it concerns state governance and citizens' ability to participate in it by their will, without it being manipulated through the use of their personal data without their knowledge and consent.
 
In the context of complaints and the electoral process, this responsibility includes unambiguously identifying the individual entering the data, as the person before whom they are submitted certifies with their signature under the list that the data were entered before them and by the individual they pertain to. There is no legal ground and mechanism for verifying the accuracy of entered data and the individual's identity. For instance, it is permissible and not prohibited by law to present an identity document or another document with a photo and full names to the person before whom the signatures are placed, just for reference, to verify the voter's identity. Undoubtedly, the methods for verifying individuals' identity should be reflected in specific guidelines, orders, or other acts of the controller, as part of its obligation to implement organizational measures under Article 24 of GDPR, taking into account the nature, scope, context, and purposes of processing, as well as risks with varying probability and severity for individuals' rights and freedoms, to ensure and be able to prove that processing is conducted in accordance with GDPR. In this case, it should be accepted that such measures, rules, and controls concerning the collection and use of personal data in the electoral process are absent, as despite specific requests to the controller, it has not provided internal rules and/or Data Protection Policy regarding the processing of personal data by a political party in the electoral process, technical and organizational measures for data protection, instruction, order, or another act for training party representatives for collecting personal data in the electoral process. The gathered evidence also indicates a violation of Article 24 of GDPR by the controller, as well as a violation of the "accountability principle" under Article 5, Paragraph 2 of GDPR, given that the controller cannot prove that data processing complies with the principles set out in GDPR, with measures taken by it—training, instructions, internal rules, orders, etc. There is also no evidence of control, prior and subsequent, by the controller, given that the political party has expressly been requested, but has not provided information and results from an internal check performed on the case, nor information that such was assigned to establish the reasons, omissions leading to the violation under Article 6, Paragraph 1 of GDPR.
 
Considering the nature of the established violation of Article 6, Paragraph 1 of GDPR, the commission deems that corrective measures under Article 58, Paragraph 2, letters “a”, “b”, “c”, “d”, “e”, “f”, “g”, “h”, and “j” of the Regulation are inapplicable and impractical in this case, given the severity of the violation and the fact that it is completed. Given the severity of the violation and the fact that it is completed and recurrent for the controller who has been issued a mandate, the commission deems it appropriate, effective, and deterring to exercise corrective power under Article 58, Paragraph 2, letter “i” of GDPR—imposing a financial penalty. The controller must be familiar with the law and comply with its requirements, especially as it owes the necessary care provided in the law and arising from its subject of activity, personnel, and economic resources.
 
There are no mitigating circumstances for determining the penalty's amount. The circumstances under Article 83, Paragraph 2, letters “b” and “i” of the Regulation are irrelevant since it concerns a controller—a legal entity that does not form guilt, and at the time of the violation, approved codes of conduct or approved certification mechanisms were not introduced.
 
As aggravating circumstances should be qualified: the rights of three individuals were violated; the violations are completed; the controller did not cooperate with the CPDP to clarify the case; personal data of individuals, including the personal identification number, were processed, and as a result of the registration, the complainants' rights related to electoral legislation and their participation in the electoral process were restricted; the violations were brought to the CPDP's attention as a result of complaints from the affected individuals.
 
It is also relevant that the violation is not the first for the controller. The political party has been sanctioned for an identical violation—processing personal data in the electoral process without a legal basis, with the following decisions being final: Decision No. J-420#6/21.11.2016, with a sanction of 15300 BGN, Decision No. J-60#8/19.10.2018, with a sanction of 10000 BGN, and Decision PPN-01-1672/07.10.2020, with a sanction of 2500 BGN.
 
It should be noted as an aggravating circumstance that the personal data of complainant D. Al. has been unlawfully processed again by the political party concerning its participation in the electoral process. In 2017, Ms. D. Al. approached the CPDP with a complaint (J-85/20.02.2017) for misuse of her personal data by the political party ****** for registering the political party to participate in the parliamentary elections held in 2017. An expertise appointed on the case established that the signature in the voter list was not made by Ms. D. Al., and her complaint was accepted by the CPDP as well-founded, and the party was sanctioned with a final Decision No. J-60#8/19.10.2018, with a sanction of 10000 BGN.
 
The violation is also recurrent concerning the complainant D. An., who approached the CPDP with a complaint (J-624/17.10.2016) against the political entity for an identical violation, misuse of his personal data for the party's registration for participation in the presidential and vice-presidential elections in the Republic of Bulgaria held on 06.11.2016. After an expertise, Mr. D. An.'s complaint was accepted as well-founded, and a financial sanction of 15300 BGN was imposed on the political entity, as stated in the final Decision No. J-420#6/21.11.2016 of the CPDP.
 
For these reasons, the commission considers that given the principle of proportionality between the severity of the violation and the penalty's amount, the imposed financial sanction on the political party ****** should be 25000 BGN—an amount well below the average minimum provided in the Regulation for this violation. Considering the penalty's purpose, which should have a deterring and warning function, the nature and severity of the violation, the public relations it affects, the categories of affected personal data, the commission considers that the exercised power in type and amount undoubtedly meets the effectiveness and deterrent effect sought by PDPA and Regulation 2016/679 while not violating the principle of proportionality and the requirement for proportionality.
 
Regarding the established violations of Article 24 and Article 5, Paragraph 2 of GDPR, the commission deems it appropriate to issue a mandate under Article 58, Paragraph 2, letter “d” of GDPR to the controller, namely to take technical and organizational measures for data protection, including training, immediately before each election, of the party representatives involved in collecting personal data in the electoral process; to present a Data Protection Policy compliant with the regulation, clearly outlining the rules for collecting and processing personal data, including in lists supporting the political entity's registration in the electoral process, and in collecting personal data of individuals supporting the party's registration for participation in referenda, and to implement a mechanism for ongoing and subsequent control and accountability in processing personal data.
 
It should be noted, however, that non-compliance with the commission's mandate within the specified period is subject to a sanction for non-compliance to ensure its effectiveness and the possibility of an additional sanction mechanism for monitoring and control of implementation. The aim is to achieve general prevention and proportional and lawful processing of personal data. Such mandates are effective as they are tied with corresponding sanctions for non-compliance, with the legislator providing that non-compliance with a final mandate of the supervisory authority shall be subject to an administrative penalty "fine" or "financial penalty" up to 20000000 EUR.
 
Based on the above and under Article 38, Paragraph 3 of the PDPA, the Commission for Personal Data Protection,
 
DECIDES:
 
    1. Declares complaints PPN-01-223/12.03.2021,
    PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, filed
    respectively by D. An., D. Al., and R. M., as
    well-founded.
 
    2. Under Article 83, Paragraph 5, letter "a", in
    connection with Article 58, Paragraph 2, letter "i"
    of Regulation (EU) 679/2016, imposes on the political
    party ****** a financial penalty of 25000 BGN
    (twenty-five thousand leva) for processing the
    complainants' personal data in violation of Article 6,
    Paragraph 1 of Regulation (EU) 2016/679.
 
    3. Under Article 58, Paragraph 2, letter "d" of GDPR,
    and for violation of Article 24 and Article 5,
    Paragraph 2 of GDPR, issues a mandate to the political
    party ****** to take technical and organizational
    measures for data protection, including training,
    immediately before each election, of the party
    representatives involved in collecting personal data in
    the electoral process; to present a Data Protection
    Policy compliant with the regulation, clearly outlining
    the rules for collecting and processing personal data,
    including in lists supporting the political entity's
    registration in the electoral process, and in collecting
    personal data of individuals supporting the party's
    registration for participation in referenda, and to
    implement a mechanism for ongoing and subsequent
    control and accountability in processing personal data.
 
    4. The deadline for implementing the issued mandate is
    three months from the decision's entry into force, after
    which to notify the commission of the implementation by
    presenting the relevant evidence.
 
The decision is subject to appeal within 14 days from its delivery through the Commission for Personal Data Protection before the Administrative Court Sofia city.
 
Upon the decision's entry into force, the amount of the imposed penalty must be transferred via bank:
 
Bank BNB – CU, IBAN: BG18BNBG96613000158601, BIC BNBGBGSD
 
Commission for Personal Data Protection, BULSTAT 130961721.
 
CHAIRMAN:
Ventsislav Karadjov /s/
 
MEMBERS:
Tsanko Tsolov /s/
Maria Mateva /s/
Veselin Tselkov /s/
</pre>
</pre>

Revision as of 11:31, 10 July 2024

CPDP - PPN-01-01-223/2021, PPN-01-307/2021, PPN-01-296/2021
ППН-01-223, ППН-01-307, ППН-01-296
LogoBG.jpg
Authority: CPDP (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 12.03.2021
Decided: 26.01.2023
Published:
Fine: 25,000 BGN
Parties: n/a
National Case Number/Name: PPN-01-01-223/2021, PPN-01-307/2021, PPN-01-296/2021
ППН-01-223, ППН-01-307, ППН-01-296
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Bulgarian
Original Source: Commission for Personal Data Protection (in BG)
Initial Contributor: lm

The DPA found that a political party lacked a legal basis when it listed data subjects, without their knowledge or consent, as supporters of the party for an election registration. It issued a €12,770 (25,000 BGN) fine.

English Summary

Facts

On April 4, 2021 -- the date on which elections were held for the Bulgarian National Assembly -- one political party (the controller) registered for participation on the basis of an application that included a list with the full names, unique civil numbers and handwritten signatures of 2951 voters supporting the registration of the party.

The Bulgarian DPA (CPDP) received a number of complaints around the time of the election from data subjects alleging that the controller was unlawfully processing their personal data by including them in a list of persons supporting the registration of the political party to participate in the 2021 elections. The processed data included their names and unified civic numbers attributed to their political party. The data subjects did not sign up in support of the registration, nor did they give consent for the processing of their personal data for this purpose.

The political party provided some documents in response to the complaints, but the CPDP noted a lack of adequate participation from the controller, who failed to submit the requested evidence. It did not challenge the data subjects’ allegations or provide a statement on the matter. In one of the few documents provided, the controller stated (without evidence) that the lists of persons supporting the registration of the party in electoral processes are collected and processed by members of the party without their intentional authorisation and purpose. After the data is transmitted to the Central Election Commission, it is destroyed using a shredder and on the computer. The controller claimed to have trained all its members to process personal data in accordance with the GDPR.

Holding

The CPDP found that the controller lacked a legal basis under Article 6(1) GDPR and infringed the accountability principle of Article 5(2) GDRP. It issued a €12,770 (25,000 BGN) fine.

The CPDP found no applicable legal basis in this case. It noted that the controller did not produce any evidence of the legal basis on the basis of which it processed the data. Rejecting legitimate interest as a legal basis, the CPDP considered that the interests of a political entity to participate in elections are not overridden by the interest of the affected data subject whose data is included in the list without their consent. There was also no legal obligation in this case. The processing of personal data in the electoral process is permissible and strictly regulated by the Electoral Code. However, as the CPDP has noted in its guidance on the topic, the performance of the statutory obligation only arises when a data subject has given their consent to support the party’s registration and appear on the list of voters.

The controller's inability to demonstrate a legal basis constituted an infringement of Article 5(2) GDPR's accountability principle. In addition, the CPDP noted that there was no basis or mechanism for verifying the accuracy of the data entered in this case, further indicating an Article 5(2) GDPR violation. The verifying of the identity of individuals, the CPDP states, should be expressed in the specific instructions of the controller, which is obligated under Article 24 GDPR to put in place organisational measures ensuring processing is carried out in accordance with the GDPR. In this case, the CPDP assumed that such measures or internal rules did not exist. It noted no evidence of control on the part of the controller, given that the controller did not provide the requested information.

The CPDP imposed a monetary sanction on the controller. It considered a number of aggravating circumstances, including the failure of the controller to cooperate and the consequences on the data subjects’ rights relating to their participation in the electoral process as a result of the violation. The CPDP also noted that this was not the controller’s first violation – the political party had been previously sanctioned for identical infringements.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.

Decision on Complaint No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021

DECISION

No. PPN-01-223/2021

Sofia, 26.01.2023

The Commission for Personal Data Protection (CPDP), composed of Chair: Ventsislav Karadjov and members: Tsanko Tsollov, Maria Mateva, and Veselin Tselkov, in a session held on 09.11.2022, based on Article 10, Paragraph 1 of the Personal Data Protection Act, respectively Article 57, Paragraph 1, letter “e” of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data (Regulation, GDPR), considered on the merits the complaints No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, filed respectively by D. An., D. Al. and R. M.

The administrative proceedings are according to Article 38 of the Personal Data Protection Act (PDPA).

The CPDP was approached with complaint No. PPN-01-223/12.03.2021, filed by D. An. against the political party ****** with allegations of unlawful processing of his personal data by including it in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.

The complainant claims that he discovered the violation after checking electronically with the Central Election Commission, the result of which is attached. He declares that he did not sign in support of the political entity's registration and did not give his consent for processing his personal data for this specific purpose.

A complaint with identical content was also filed by Mr. D. An. to the Central Election Commission. The complaint was forwarded to CPDP for review by jurisdiction, along with relevant evidence—a copy of Decision No. *** of the CEC and a copy of page *** from the list of voters supporting the registration of the political entity for participation in the parliamentary elections on 04.04.2021. It was registered under No. PPN-01-242/18.03.2021 in the CPDP's records.

The CPDP was approached with complaint PPN-01-307/09.04.2021 filed by D. Al. and complaint PPN-01-296/05.04.2021 filed by R. M. against the same legal entity—PP ******, with identical allegations of unlawful processing of their personal data by including it in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021. The complaints are accompanied by photocopies of checks current as of 07.04.2021 and 04.04.2021 on the website https://www.cik.bg/bg/ns2021/podpiski, performed based on lists submitted by 38 political parties, coalitions, and initiative committees, showing the complainants' personal data present on page ***, row ***, and page ***, row *** from the list of individuals supporting the registration of PP *** for participation in the parliamentary elections held on 04.04.2021.

Given the principles of equality of parties and truth in administrative proceedings, the political party ****** was informed of the filed complaints, and it was indicated that they could submit a written statement on the allegations in the complaints. Relevant evidence was requested regarding the lawful processing of the complainants' personal data, a certified copy of internal rules and/or Data Protection Policy regarding the processing of personal data by the political party in the electoral process, technical and organizational measures taken for data protection, instruction, order, or other act for training party representatives for collecting personal data in the electoral process, as well as information and results from internal checks performed on the case if such were assigned. The political entity did not actively participate in the proceedings, and the requested evidence was not provided. The complainants' claims were not disputed, and no statement on the subject matter of the complaints was engaged.

To clarify the case factually, copies of pages ***, row ***; ***, row ***; and page ***, row *** from the list of individuals supporting the registration of the political party ****** for participation in the parliamentary elections held on 04.04.2021 were requested from the CEC and provided in response.

The CPDP is an independent state body that protects individuals when processing their personal data, accessing such data, and controlling compliance with PDPA and GDPR.

To exercise its powers, the CPDP must be duly approached.

The complaints contain the required details specified in Article 28, Paragraph 1 of the Rules of Procedure of the CPDP and its administration—information about the complainants, the nature of the request, date, signatures, the indicated passive legitimized party, and the date of awareness of the violation, making them regular.

The subject of the complaints are allegations of unlawful processing of the complainants' personal data—names and personal identification numbers—by the political party ****** by including them in the list submitted to the CEC of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.

The complaints are filed by natural persons with a legal interest against a duly authorized party—data controller. According to the file data, including a check result from the CEC, the complainant Mr. D. An. learned of the alleged violation on 05.03.2021, Ms. D. Al. on 07.04.2021, and Mr. R. M. on 04.04.2021. Given the statutory deadlines for registration of participants in the electoral process and considering the CPDP was approached with the complaints respectively on 12.03.2021, 09.04.2021, and 05.04.2021, just days after discovering the alleged violations, it is concluded that the complaints were filed within the timeframe of Article 38, Paragraph 1 of PDPA. The CPDP is competent to make a decision—the CPDP, according to its powers under Article 10, Paragraph 1 of PDPA in connection with Article 57, Paragraph 1, letter “e” of Regulation (EU) 2016/679, reviews complaints against acts and actions of data controllers that violate data subjects' rights related to personal data processing, without the exceptions under Article 2, Paragraph 2, letter “c” and Article 55, Paragraph 3 of Regulation (EU) 2016/679, given that the case does not concern activities carried out by a natural person in the course of purely personal or household activities and/or activities carried out by courts in the performance of their judicial functions.

The conditions of Article 32 of the Administrative Procedure Code (APC) for consolidating and reviewing the complaints in one administrative proceeding are met, given that the parties' rights and obligations arise from the same factual situation, are filed against the same entity, and fall under the competence of the same administrative body—CPDP.

For these reasons and considering the lack of negative preconditions specified in Article 27, Paragraph 2 of APC, the complaints were accepted as admissible during the CPDP's session held on 08.09.2021 and consolidated for review in one administrative proceeding based on Article 32 of APC. The complainants: D. An., D. Al., and R. M., and the respondent—political party ******, were constituted as parties in the proceedings.

To clarify the case legally and factually, handwriting expertise of the signatures on ***, row ***; ***, row ***; and page ***, row *** from the list of voters supporting the registration of the political party ****** for participation in the parliamentary elections held on 04.04.2021 was permitted. During the proceedings, the complainants were informed of the possibility to provide comparative material for the expertise to establish the authenticity or non-authenticity of the signatures in the list submitted to the CEC of individuals supporting the registration of the political party for participation in the elections held on 11.07.2021. Comparative material was provided by all three complainants and sent to the National Institute of Criminology (NIC).

Graphical expertise was prepared, reflected in Protocol No. *** of 13.06.2022, Protocol No. *** of 13.06.2022, and Protocol No. *** of 11.08.2022 in the NIC records, sent to CPDP with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022, and PPN-01-307#13/15.08.2022, concluding that the signatures subject to the expertise were not made by the complainants D. An., D. Al., and R. M.

A public session for reviewing the complaints on the merits was scheduled for 09.11.2022 at 1:00 PM, for which the parties were duly notified. A copy of the expertise was sent to the parties for review and opinion, with instructions on the distribution of the evidentiary burden in the process. No objections to the expertise were submitted, no additional evidence was engaged, and no requests regarding the evidence were made.

To clarify the case factually, additional evidence was requested from the respondent for lawful processing of the complainant's personal data, certified copies of internal rules and/or Data Protection Policy regarding the processing of personal data by the political party in the electoral process, technical and organizational measures taken for data protection, instruction, order, or other act for training party representatives for collecting personal data in the electoral process, as well as information and results from an internal check performed on the case if such was assigned. The requested evidence was not provided.

With a laconic statement dated 08.11.2022, without attached evidence, exhausting the respondent's activity in the process, it was stated that the lists of individuals supporting the party's registration in the electoral process are collected and processed by party members without their explicit authorization for this purpose. It was clarified that once the data was handed over to the CEC, “they were shredded and destroyed on a computer.” It was claimed that the party had trained all its members on data processing, and they were familiar with GDPR.

At the session held on 09.11.2022, the complaints were reviewed on the merits.

The parties, duly notified, did not appear and were not represented.

As an administrative body and in connection with the need to establish the truth in the case, a fundamental principle in administrative proceedings, according to Article 7 of APC, requiring the existence of established actual facts and considering the gathered evidence and raised claims, the commission accepts that complaints No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, are well-founded.

The subject of the complaints are allegations of unlawful processing of the complainants' personal data—names and personal identification numbers—by the political party ****** by including them in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.

It is well known that parliamentary elections were held on 04.04.2021. With Decision No. 2084-NS/17.02.2021 of the CEC, the political party ****** was registered to participate in the elections based on an application submitted on 15.02.2021, registered under No. ** in the party register for participation in the parliamentary elections. A list containing the full names, personal identification number, and handwritten signature of 2951 voters supporting the party's registration was presented with the registration application, the same personal data being sufficient for the unambiguous identification of individuals.

The gathered evidence, particularly the materials provided by the CEC, indicates that the complainants' personal data D. An., D. Al., and R. M., in the volume of full names and personal identification number, are present respectively on page ***, row ***, page ***, row ***, and page ***, row *** from the list of voters supporting the registration of the political party ****** for participation in the mentioned elections.

Providing personal data by a political entity to the CEC for party registration to participate in the elections is a form of data processing and must comply with the provisions of Regulation (EU) 2016/679, particularly Article 6, Paragraph 1 of the regulation, applicable since the data was provided on 15.02.2021.

The complainants' claims for unlawful processing of their data by PP ****** for registering the political entity to participate in the 04.04.2021 elections are well-founded. The conclusions of the graphical expertise, reflected in Protocol No. *** of 13.06.2022, Protocol No. *** of 13.06.2022, and Protocol No. *** of 11.08.2022 in the NIC records, sent to CPDP with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022, and PPN-01-307#13/15.08.2022, conclude that the signatures subject to the expertise were not made by the complainants D. An., D. Al., and R. M. This indicates that the processing of the complainants' personal data was done without their consent—a specific and informed declaration of intent under Article 4, Paragraph 11 of the Regulation.

In this case, none of the other conditions listed in Article 6, Paragraph 1 of the Regulation are present, as there is no evidence to the contrary, nor is such claimed by the respondent. Despite the respondent's legal opportunity and instructions related to the distribution of the evidentiary burden in the process, the controller—PP ******, did not engage evidence for the legality of processing the complainants' personal data for the specific purpose. There is no evidence to substantiate the applicability of Article 6, Paragraph 1, letter “b” of GDPR—existence of a contract between the parties requiring the processing of the complainants' personal data by the political party or for taking steps at the data subject's request before concluding the contract. The grounds under Article 6, Paragraph 1, letters “c” and “d” of GDPR are irrelevant—they apply in other, different and incompatible scenarios involving data processing for protecting vital interests related to the life and health of the data subject, performing a task in the public interest, and exercising official authority not delegated to political parties.

The hypothesis of Article 6, Paragraph 1, letter “e” of the Regulation is inapplicable—the controller's interests are not paramount to the interest of the affected individual whose data is included in the list submitted to the CEC without their consent, as it is undeniable that the latter's interest takes precedence over the political entity's interest in participating in the elections. There is also no legal obligation for processing by the controller since the participation of political parties in the electoral process is a legal opportunity that must be realized in compliance with statutory rules, particularly those in the field of personal data protection under Article 133, Paragraph 4 of the Electoral Code.

Processing personal data in the electoral process is permissible and strictly regulated. The Electoral Code contains specific rules regarding data processing in the electoral process, such as processing purposes, data categories, and more. In this regard, even though the complainants' data was processed in a statutory procedure, the fulfillment of statutory obligations, respectively, the realization of the data controller's legitimate interests—in this case, the political party—arise only if the individual whose data is included in the list of voters supporting the party's registration for participation in the elections has given their consent for such support. However, if this prerequisite is not present, the political entity cannot use the individual's personal data to realize its legitimate interests in the electoral process. This is also in line with the joint guidelines adopted by the CEC and CPDP regarding data processing and protection in the electoral process. The document, published on 12.02.2021 and available on the CPDP's website at https://cpdp.bg/%d1%83%d0%ba%d0%b0%d0%b7%d0%b0%d0%bd%d0%b8%d1%8f-%d0%bd%d0%b0-%d1%86%d0%b8%d0%ba-%d0%b8-%d0%ba%d0%b7%d0%bb%d0%b4-%d0%be%d1%82%d0%bd%d0%be%d1%81%d0%bd%d0%be-%d0%be%d0%b1%d1%80%d0%b0%d0%b1%d0%be%d1%82/ provides detailed explanations on the legal framework for data protection and the rights and obligations of all participants in the electoral process—political parties, coalitions, initiative committees, candidates, representatives, observers, media representatives, and election commissions in various types of elections. The guidelines aim to facilitate participants in the electoral process and prevent violations.

Given the above arguments and gathered evidence, it is concluded that the complainants' personal data was processed by including it in the list of individuals supporting the political entity's registration for participation in the parliamentary elections held in the Republic of Bulgaria on 04.04.2021, in violation of Article 6, Paragraph 1 of GDPR, without meeting any of the conditions listed in the provision, thus violating the data subject's rights who approached the CPDP.

GDPR and PDPA obligate the controller to process personal data lawfully, without allowing, with the risk of administrative liability, data misuse, much less allowing the possibility of including others' personal data in lists compiled by party representatives and used by the party in the electoral process. Conversely, misinterpreting the law contradicts both the letter and spirit of the law and creates uncertainty in data processing and grounds for misuse in an area affecting not only individuals approaching the CPDP but society as a whole, as it concerns state governance and citizens' ability to participate in it by their will, without it being manipulated through the use of their personal data without their knowledge and consent.

In the context of complaints and the electoral process, this responsibility includes unambiguously identifying the individual entering the data, as the person before whom they are submitted certifies with their signature under the list that the data were entered before them and by the individual they pertain to. There is no legal ground and mechanism for verifying the accuracy of entered data and the individual's identity. For instance, it is permissible and not prohibited by law to present an identity document or another document with a photo and full names to the person before whom the signatures are placed, just for reference, to verify the voter's identity. Undoubtedly, the methods for verifying individuals' identity should be reflected in specific guidelines, orders, or other acts of the controller, as part of its obligation to implement organizational measures under Article 24 of GDPR, taking into account the nature, scope, context, and purposes of processing, as well as risks with varying probability and severity for individuals' rights and freedoms, to ensure and be able to prove that processing is conducted in accordance with GDPR. In this case, it should be accepted that such measures, rules, and controls concerning the collection and use of personal data in the electoral process are absent, as despite specific requests to the controller, it has not provided internal rules and/or Data Protection Policy regarding the processing of personal data by a political party in the electoral process, technical and organizational measures for data protection, instruction, order, or another act for training party representatives for collecting personal data in the electoral process. The gathered evidence also indicates a violation of Article 24 of GDPR by the controller, as well as a violation of the "accountability principle" under Article 5, Paragraph 2 of GDPR, given that the controller cannot prove that data processing complies with the principles set out in GDPR, with measures taken by it—training, instructions, internal rules, orders, etc. There is also no evidence of control, prior and subsequent, by the controller, given that the political party has expressly been requested, but has not provided information and results from an internal check performed on the case, nor information that such was assigned to establish the reasons, omissions leading to the violation under Article 6, Paragraph 1 of GDPR.

Considering the nature of the established violation of Article 6, Paragraph 1 of GDPR, the commission deems that corrective measures under Article 58, Paragraph 2, letters “a”, “b”, “c”, “d”, “e”, “f”, “g”, “h”, and “j” of the Regulation are inapplicable and impractical in this case, given the severity of the violation and the fact that it is completed. Given the severity of the violation and the fact that it is completed and recurrent for the controller who has been issued a mandate, the commission deems it appropriate, effective, and deterring to exercise corrective power under Article 58, Paragraph 2, letter “i” of GDPR—imposing a financial penalty. The controller must be familiar with the law and comply with its requirements, especially as it owes the necessary care provided in the law and arising from its subject of activity, personnel, and economic resources.

There are no mitigating circumstances for determining the penalty's amount. The circumstances under Article 83, Paragraph 2, letters “b” and “i” of the Regulation are irrelevant since it concerns a controller—a legal entity that does not form guilt, and at the time of the violation, approved codes of conduct or approved certification mechanisms were not introduced.

As aggravating circumstances should be qualified: the rights of three individuals were violated; the violations are completed; the controller did not cooperate with the CPDP to clarify the case; personal data of individuals, including the personal identification number, were processed, and as a result of the registration, the complainants' rights related to electoral legislation and their participation in the electoral process were restricted; the violations were brought to the CPDP's attention as a result of complaints from the affected individuals.

It is also relevant that the violation is not the first for the controller. The political party has been sanctioned for an identical violation—processing personal data in the electoral process without a legal basis, with the following decisions being final: Decision No. J-420#6/21.11.2016, with a sanction of 15300 BGN, Decision No. J-60#8/19.10.2018, with a sanction of 10000 BGN, and Decision PPN-01-1672/07.10.2020, with a sanction of 2500 BGN.

It should be noted as an aggravating circumstance that the personal data of complainant D. Al. has been unlawfully processed again by the political party concerning its participation in the electoral process. In 2017, Ms. D. Al. approached the CPDP with a complaint (J-85/20.02.2017) for misuse of her personal data by the political party ****** for registering the political party to participate in the parliamentary elections held in 2017. An expertise appointed on the case established that the signature in the voter list was not made by Ms. D. Al., and her complaint was accepted by the CPDP as well-founded, and the party was sanctioned with a final Decision No. J-60#8/19.10.2018, with a sanction of 10000 BGN.

The violation is also recurrent concerning the complainant D. An., who approached the CPDP with a complaint (J-624/17.10.2016) against the political entity for an identical violation, misuse of his personal data for the party's registration for participation in the presidential and vice-presidential elections in the Republic of Bulgaria held on 06.11.2016. After an expertise, Mr. D. An.'s complaint was accepted as well-founded, and a financial sanction of 15300 BGN was imposed on the political entity, as stated in the final Decision No. J-420#6/21.11.2016 of the CPDP.

For these reasons, the commission considers that given the principle of proportionality between the severity of the violation and the penalty's amount, the imposed financial sanction on the political party ****** should be 25000 BGN—an amount well below the average minimum provided in the Regulation for this violation. Considering the penalty's purpose, which should have a deterring and warning function, the nature and severity of the violation, the public relations it affects, the categories of affected personal data, the commission considers that the exercised power in type and amount undoubtedly meets the effectiveness and deterrent effect sought by PDPA and Regulation 2016/679 while not violating the principle of proportionality and the requirement for proportionality.

Regarding the established violations of Article 24 and Article 5, Paragraph 2 of GDPR, the commission deems it appropriate to issue a mandate under Article 58, Paragraph 2, letter “d” of GDPR to the controller, namely to take technical and organizational measures for data protection, including training, immediately before each election, of the party representatives involved in collecting personal data in the electoral process; to present a Data Protection Policy compliant with the regulation, clearly outlining the rules for collecting and processing personal data, including in lists supporting the political entity's registration in the electoral process, and in collecting personal data of individuals supporting the party's registration for participation in referenda, and to implement a mechanism for ongoing and subsequent control and accountability in processing personal data.

It should be noted, however, that non-compliance with the commission's mandate within the specified period is subject to a sanction for non-compliance to ensure its effectiveness and the possibility of an additional sanction mechanism for monitoring and control of implementation. The aim is to achieve general prevention and proportional and lawful processing of personal data. Such mandates are effective as they are tied with corresponding sanctions for non-compliance, with the legislator providing that non-compliance with a final mandate of the supervisory authority shall be subject to an administrative penalty "fine" or "financial penalty" up to 20000000 EUR.

Based on the above and under Article 38, Paragraph 3 of the PDPA, the Commission for Personal Data Protection,

DECIDES:

    1. Declares complaints PPN-01-223/12.03.2021,
    PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, filed
    respectively by D. An., D. Al., and R. M., as
    well-founded.

    2. Under Article 83, Paragraph 5, letter "a", in
    connection with Article 58, Paragraph 2, letter "i"
    of Regulation (EU) 679/2016, imposes on the political
    party ****** a financial penalty of 25000 BGN
    (twenty-five thousand leva) for processing the
    complainants' personal data in violation of Article 6,
    Paragraph 1 of Regulation (EU) 2016/679.

    3. Under Article 58, Paragraph 2, letter "d" of GDPR,
    and for violation of Article 24 and Article 5,
    Paragraph 2 of GDPR, issues a mandate to the political
    party ****** to take technical and organizational
    measures for data protection, including training,
    immediately before each election, of the party
    representatives involved in collecting personal data in
    the electoral process; to present a Data Protection
    Policy compliant with the regulation, clearly outlining
    the rules for collecting and processing personal data,
    including in lists supporting the political entity's
    registration in the electoral process, and in collecting
    personal data of individuals supporting the party's
    registration for participation in referenda, and to
    implement a mechanism for ongoing and subsequent
    control and accountability in processing personal data.

    4. The deadline for implementing the issued mandate is
    three months from the decision's entry into force, after
    which to notify the commission of the implementation by
    presenting the relevant evidence.

The decision is subject to appeal within 14 days from its delivery through the Commission for Personal Data Protection before the Administrative Court Sofia – city.

Upon the decision's entry into force, the amount of the imposed penalty must be transferred via bank:

Bank BNB – CU, IBAN: BG18BNBG96613000158601, BIC BNBGBGSD

Commission for Personal Data Protection, BULSTAT 130961721.

CHAIRMAN: 
Ventsislav Karadjov /s/

MEMBERS:
Tsanko Tsolov /s/
Maria Mateva /s/
Veselin Tselkov /s/