CPDP (Bulgaria) - PPN-01-291/03.05.2022: Difference between revisions

CPDP - PPN-01-291/03.05.2022
Authority:	CPDP (Bulgaria)
Jurisdiction:	Bulgaria
Relevant Law:	Article 5(1)(a) GDPR Article 6(1) GDPR Article 24 GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	17.01.2023
Published:	05.07.2024
Fine:	2,000 BGN
Parties:	n/a
National Case Number/Name:	PPN-01-291/03.05.2022
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Bulgarian
Original Source:	CPDP (in BG)
Initial Contributor:	lm

The DPA found that a controller lacked a legal basis to transfer a data subject's phone number to another telecommunications operator without the data subject's prior authorisation. The DPA fined the controller €1,024 (BGN 2,000).

English Summary

Facts

A data subject filed a complaint with the Bulgarian DPA (CPDP) stating that a telecommunications operator (the controller) had transferred their personal data to another telecommunications operator without her consent. The data included her three names, PINs and a telephone number.

The controller argued that the complaint was unfounded. It claimed that it received a signal from the data subject on 19 April 2022 to transfer her phone number to another operator and carried out an immediate verification, which indicated that the data subject’s husband had requested the transfer and had stated he was the holder of the phone number. As a result, the data subject’s data was erroneously transferred. After the controller received the data subject’s complaint, it carried out a verification and reverted the phone number back to its own network.

Holding

The CPDP found that the controller violated Articles 5(1)(a), 6(1) and 24 GDPR. It fined the controller about €1,024 (BGN 2,000) and ordered it to bring its processing operations into compliance.

The CPDP found that the controller had insufficient organisational and technical measures in place for the protection of personal data, infringing Article 24(2) GDPR. Though there was a data protection policy, it was not practically implemented and employees were either unaware or incompetent in applying them. Either way, the CPDP considered this to indicate inadequate controls to protect the data.

It also noted that it was unclear what legal basis the controller relied on to make the transfer. As a result, the processing lacked a legal basis and was not carried out in a transparent or fair manner, infringing Articles 5(1)(a) and 6(1) GDPR.

Even if the transfer occurred as a result of an error, the CPDP considered that this should not relieve the controller of responsibility because its liability is objective. The allegations that the request was carried out by the data subject’s husband does not absolve the controller from liability as a controller and is not a mitigating circumstance, given that the controller should ensure that the person making a processing request is the data subject concerned.

Given the inadequate security measures and lack of data subject verification, the CPDP considered that the degree of responsibility of the controller should be categorized as relatively high. It also took into account that the controller gave conflicting and insufficient information during the course of the investigation. Still, the CPDP did take into account that the controller identified and corrected the error pursuant to the data subject’s objection in a relatively short time.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.

Decision on appeal with reg. No. PPN-01-291/03.05.2022 
DECISION No. PPN-01-291 
Sofia, 17.01.2023 

The Commission for the Protection of Personal Data /"Commission", "KPLD"/ composed of: Chairman - Ventsislav Karadzov and members - Tsanko Tsolov and Veselin Tselkov, at a regular meeting held on 16.11.2022, on the basis of Art. 10, para. 1 of the Law on the Protection of Personal Data, Art. 57, §1, b. "e" of Regulation 2016/679 and Art. 40, Para. 1 of the Regulations for the Activities of the CPLD and its Administration / PDKZLDNA/ examined the merits of complaint No.PPN-01-291/03.05.2022, filed by P.A. against a telecommunications operator (T.O.1). 

Administrative proceedings are developed in accordance with the Administrative Procedure Code /APK/ and Article 38 of the Personal Data Protection Act. 

The Commission for the Protection of Personal Data has been referred to Complaint No.PPN-01-291/03.05.2022. /forwarded by the Commission for Consumer Protection/ submitted by P.A. against T.O. The complaint states that without the knowledge and consent of Mrs. P.A. her mobile number was transferred from another telecommunication operator (T.O.2) to the network of T.O.1. She believes that her personal data - three names, a social security number and a telephone number - were processed illegally for the purposes of drawing up an application for the portability of a nationally significant number when changing the mobile service provider, which was used in an attempt to transfer her mobile number to another network. She indicates that the application was not signed by her, as she did not even visit the office of T.O.1. 

In accordance with Article 26 of the APC, the parties have been notified of the initiated administrative proceedings, and they have been requested to present opinions and evidence on the case. On the basis of Article 34, paragraph 3 of the APC, the parties are given the opportunity to express their position on the administrative file and to present admissible, relevant and necessary evidence. 

In the opinion of T.O.1, the complaint is contested as unfounded. It is indicated that based on a signal received on 19.04.2022. by Mrs. P.A. to T.O.1, an immediate check was carried out, from which it was established that the applicant's husband - I.A. requested the transfer of 3 mobile numbers, including that of Mrs. P.A., to the network of T.O.1. I.A. has indicated that he is the holder of all mobile numbers. Therefore, the mobile number of Mrs. P.A. was mistakenly transferred to the network of T.O.1 on 18.04.2022. Based on a complaint by P.A. an inspection was carried out, and immediate actions were taken on 21.04.2022. the number is returned back to the network of T.O.2. 

In additionally expressed opinions on the case / letters with reg. No.PPN-01-291#6/29.07.2022. and №ППН-01-291#8/09.09.2022/ the complainant emphasizes that she did not provide consent for the transfer of her personal mobile number to another network, respectively – for the use of her personal data for this purpose by the employees in the office of T.O.1. She claims that as a result of these actions, she was left without mobile service. She points out that she never submitted any applications in "T.O.1, in view of which the mobile operator inappropriately raised arguments about the non-obligation of penalties, and that the objections about her family situation and about her husband's companies are not in place - they are not relevant to the dispute, since the mobile number is her personal. 

On the basis of Art. 38, para. 1 of the PDKZLDNA, the Commission issued a Decision on the regularity and admissibility of the appeal at a closed meeting held on 14.09.2022, on the basis of which the parties P.A. – appellant and T. O.1 – defendant. The parties have been duly notified of the open meeting of the CPLD, scheduled for 16.11.2022. 

An additional statement No.PPN-01-291#14/03.10.2022 was received. to the defendant, in which it is confirmed that the number was mistakenly transferred to the network of T.O.1 on 18.04.2022. and activated under the terms of the contract concluded with I.A. during his visit to the office on 11.04.2022. It is stated that Mrs. P.A. she did not visit the office of the company, and that she did not sign the portability application. It is believed that this was done by Mr. I.A. At the time of submitting the answer, the administrator is not processing personal data of Mrs. P.A. for the purposes of providing electronic communication services, but only for the purposes of defending oneself in the current administrative proceedings. Evidence is presented - a copy of a system screen, from which it is clear that no result is visualized when entering the applicant's personal identification number. It is appealed that when considering the case, it should be taken into account that upon discovering the error, the administrator immediately took actions to terminate the contract with T.O.1 without penalties, as on 21.04.2022. the mobile number is returned back to the previous operator's network.

With Protocol No.PPN-01-291#15/11.11.2022 the rules and policies for the protection of personal data are attached to the administrative file, which are duly disclosed to the data subject and to third parties by publishing them on the mobile operator's website. 

At the open meeting of the CPLD, the parties did not appear or represent themselves, and did not take additional opinions on the case. 

With the fact thus established, from the legal point of view the appeal is admissible and well-founded. 

In Regulation 2016/679 and LLDP, the rules for the protection of natural persons in connection with the processing of personal data, as well as the rules regarding the free movement of personal data /arg. from Art. 1 of the Regulation and Art. 1 of the LLDP/. 

The Commission is a permanently operating independent supervisory body that ensures the protection of individuals in the processing of their personal data / Art. 6 of the Labor Code/. It exercises its powers as appropriate under Article 58 of the Regulation - to investigate, to impose sanctions and to issue instructions for the lawful and correct application of the Regulation, so that the purpose of Article 1, item 2 of the Regulation is achieved - for the protection of fundamental rights and freedoms of natural persons, to which also belongs their right to the protection of their personal data. 

The definition of "personal data" is contained in the provision of Article 4, item 1 of Regulation 2016/679, namely: "any information related to an identified natural person or a natural person who can be identified ... directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person'. In the current hypothesis, personal data of the person, representing three names, social security number and telephone number, were processed. 

The defendant T.O.1 is a legal entity - a personal data administrator within the meaning of Article 4, paragraph 7 of the Regulation and processes the complainant's personal data through the operations of collection, storage and use within the meaning of Article 4, paragraph - is 2 of the Regulation.

On the question of the legality of the procedural actions on personal data processing, it should be noted that they were carried out without a legal basis within the meaning of Art. 6, §1 of the Regulation, contrary to the principle of lawfulness and good faith under Art. 5, § 1, b. "a" of Regulation 2016/679, as well as in violation of the administrator's general obligations to take appropriate organizational and technical measures under Article 24, §1 and §2 of the Regulation. 

It is not disputed between the parties that the process processing took place as a result of an error, that the applicant did not wish to conclude a contract with the respondent company, that the hypothesis of pre-contractual relations did not arise, and that she did not appear at the office of the mobile operator, for to fill out the process application that gave rise to the transfer of her mobile number to another operator. It is also indisputable that at least for the period from 04/18/2021. until 21.04.2022 the personal data of the complainant were processed illegally by the administrator. The complainant's one-sided claims that she was left without mobile service could not be accepted, as the transfer of a mobile number between different operators is not equivalent to being left without mobile service. 

Even if the defendant's claims that the transfer occurred as a result of a mistake are accepted, it should be noted that this circumstance could not relieve the administrator from responsibility, taking into account that the administrator's responsibility is objective /innocent/ that the same should be able to prove compliance with the Regulation, that in the present case no appropriate organizational and technical measures have been taken, as well as no sufficiently effective policies for the protection of personal data /or at least no sufficient control over their compliance has been exercised/ , taking into account the fact that the administrator should unambiguously identify the natural person - data subject before entering into contractual relations with him, so that the legal basis for processing personal data according to Art. 6, §1, b. " of the Regulation, and above all taking into account the fact that the administrator processes personal data of a large number of natural persons, therefore only in the presence of appropriate and effective rules and policies for the protection of personal data, as well as in the event of adequate control over their implementation, the administrator would could ensure and prove compliance with this Regulation. 

The reference to error on the part of the administrator, as well as the contradictory and biased evidence presented by the defendant, from which it is not clear on the basis of which specific application the transfer was made, as well as on what grounds, lead to the conclusion that apart from illegality, also for dishonest and non-transparent processing of personal data within the meaning of Article 5, §1, b. "a" of the Regulation. 

Regardless of the fact that it is not in dispute between the parties that the application in question was not signed by the applicant, and that she was not physically present at the company's office for the purposes of submitting an application for the transfer of the mobile number, the personal data administrator T.O. 1 is responsible for the unlawful processing of personal data within the meaning of the Regulation, as the data subject should be unambiguously identified and sign in the presence of the relevant employees in the company's office. The responsibility for this lies with the personal data administrator, not the specific employees who carried out the transfer. Insofar as there is no unambiguous identification of the data subject, it should be noted that systematic control over the actions of the employees has not been carried out, which falls within the scope of the obligations of the administrator for bona fide and lawful data processing.

Regardless of the fact that the administrator has written rules and policies for data protection, it is found that there is no practical implementation of the same. The actions of the administrator and his employees lead to the indisputable conclusion that, in practice, either the relevant employees are not familiar with these policies, or they are not applied, and in both cases, the relevant control was not implemented. In this sense, the prescribed rules and policies should be developed in the direction of supplementing the control mechanisms.

The claims of the mobile operator that the actions were carried out by the complainant's husband do not exempt him from responsibility, in his capacity as a personal data administrator, and they cannot be credited as a mitigating circumstance, since the administrator under the Regulation has an obligation to process personal data in good faith , and in order to do so, it must, in accordance with its rules and policies, ensure that the individual has requested that their personal data be processed for the purpose of number transfer, and that the relevant individual is uniquely identified.

Given the opportunity for the Commission to assess, as appropriate, which of its corrective powers to exercise in accordance with Art. 58, §2 of Regulation 2016/679, the measure under Art. 58, §2, b. "d" should be applied in the case under consideration " of Regulation 2016/679, and the administrator was issued an order to comply with the personal data processing operations with the provisions of the Regulation, as it is appropriate in this case to appropriately supplement the rules for the protection of personal data, by carrying out an internal review of the rules, related to the identification of natural persons, with the corresponding appropriate training of the company's employees, with relevant and appropriate data protection policies concerning the activities of transferring mobile numbers between the three mobile operators and, above all, the personal data processed as a result , as well as the control exercised by the administrator.

In the current hypothesis, an appropriate mechanism for incoming training of new employees, as well as periodic training of the remaining employees, should be provided for, which should include the explicitly changed procedures for the identification of natural persons, as well as pay special attention to the processing of personal data when transferring mobile numbers between the three mobile operators.

The corrective measure should be cumulated with a pecuniary sanction under Art. 58, §2, b. "i" of Regulation 2016/679, in order to fulfill the sanctioning functions of the Regulation, as well as to have a warning effect on the administrator given the danger of committing other such violations that could affect a considerable number of natural persons.

To the extent that, when imposing a pecuniary sanction, the supervisory authority should comply with the general conditions under Art. 83, §2 of the Regulation so that the imposed sanction is effective, proportionate and dissuasive, but also does not appear excessive in relation to the established violation, in the case under consideration it would be appropriate to impose a pecuniary sanction in an amount close to the minimum, for the following reasons:

The administrator has corrected and established his error by referring to the data subject's objection. The latter did not suffer damages, regardless of the fact that this happened for objective reasons. The violation was stopped in a relatively short period of time.

The violation is the processing of personal data of one data subject and the same lasted for a relatively short time interval, but not because the administrator took actions to stop the violation, but for objective reasons. The supervisory authority became aware of the breach not from a notification received by the controller, but based on a complaint by the data subject.

The defendant's arguments that the breach was not accompanied by pecuniary damage to the data subject in the form of fines should not be seen as a mitigating circumstance, not least because the data subject did not contribute to the proceedings by his actions processing of personal data.

Since the controller is a legal entity, the question of intent is not applicable.

A mitigating circumstance is that the administrator stopped the violation on his own initiative.

The degree of responsibility of the administrator should be categorized as relatively high, bearing in mind that the organizational and technical measures introduced by him in accordance with Art. 24, §1 and §2 of the Regulation, including data protection policies, respectively exercise control on them, are not sufficient to stop or avoid the infringement. From the fact that in the initially submitted request to transfer a mobile number to another mobile operator /Application for portability No.****/ there was no correspondence between the holder of the mobile number and the person who submitted the request, from the fact that based on the same application, Contract No.**** was concluded, in which it was objectified that number ***** with the holder, the applicant P.A. is such on the face of I.A. /indicating in an application for portability dated 15.04.2022 that he acts in his capacity as a manager of a company ****/, it follows that the relevant preventive and control mechanisms were not implemented in relation to the actions preceding the change of mobile phone provider services, so that the data subject can be uniquely identified, to clarify his actual will before entering into contractual relations with the mobile operator, as well as to clarify the question of whether the number requested for transfer belongs to the person who presented it as his own. The same requirements are explicitly introduced in the provisions of art. 230b, para. 4, ex. 21 and art. 230c, paragraph 22 of the Law on Electronic Communications.

The Commission does not accept the arguments of the applicant that she was left without mobile service, as far as the fact that her mobile number was switched from one mobile network to another is not equivalent to being left without service, considering that the statements so relieved could not constitute an aggravation of responsibility circumstances.

The administrator provided assistance to the supervisory authority, but during the proceedings provided conflicting and insufficient information so that the risks and reasons that led to the violation were identified.
In the present scenario, the administrator did not realize direct or indirect financial benefits, nor did he avoid losses as a result of the violation, as the same was the result of circumstances beyond his control / the complainant's unwillingness to use the mobile services of this operator/.

The personal data administrator T.O.1 has previous violations related to the grounds for processing personal data and data security / so e.g. Decision No.PPN-01-162(2020)/2021, by which a sanction was imposed on the administrator for violation of the principle of Art. 6, §1 of the Regulation/, his actions were repeatedly sanctioned by the Commission, the same being explained in a number of its decisions the application and meaning of the Personal Data Protection Regulation.

In view of the above and on the basis of Article 38, paragraph 3 of the LLDP, the Commission for the Protection of Personal Data with 3 votes "for" and 0 "against"
RESOLVE:
1. Announces Complaint No. PPN-01-291/03.05.2022 of P.A. against T.O.1 with for reasonable.
2. Based on Art. 58, §2, b."i" and Art. 83, §5, b."a" of the Regulation for violation of Art. 6 and Art. 5, §1, b."a" of Regulation (EU) 2016/679 imposes on the administrator T.O.1 an administrative penalty - a pecuniary sanction in the amount of 2000 /two thousand/ BGN.
3. On the basis of Art. 58, §2, letter "d" for a violation of Art. 24, §1 and §2 of Regulation /EU/ 2016/679 issues an order to the administrator T.O.1 to comply with the processing operations of personal data with the provisions of the Regulation according to the reasons for this Decision, for the implementation of which he must submit evidence within 3 months from the entry into force of the Decision.
After the entry into force of this Decision, the amount of the imposed administrative sanction should be paid to the following bank account of the Commission:
BNB Bank – CU
IBAN: BG18BNBG96613000158601 BIC BNBGBGSD
Owner: Commission for Personal Data Protection, BULSTAT 130961721
The pecuniary sanction should be paid within 14 days of the entry into force of the Decision, otherwise enforcement actions will be taken.
This Decision can be appealed within 14 days of its delivery through the Commission for the Protection of Personal Data before the Administrative Court of Sofia City.