ВАС - № 6759: Difference between revisions
No edit summary |
No edit summary |
||
Line 60: | Line 60: | ||
}} | }} | ||
In progress | In progress | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 11 April 2019 a complaint was filed with the Bulgarian Data Protection Authority (CPDP), regarding a letter that the complainant had received in relation to | On 11 April 2019 a complaint was filed with the Bulgarian Data Protection Authority (CPDP), regarding a letter that the complainant had received in relation to debt collecting proceedings against her. The letter was addressed to her, her father, and the legal entity under which they were debtors, and contained their personal data, namely: names and phone numbers. Rather than being directly delivered to the complainant, the letter was delivered by the courier company (MiBM Express OOD) to a local shop keeper, who passed the letter on to the complainant. | ||
After opening an investigation into the incident, the CPDP issued a decision on 5 May 2020, in which it found that the courier, MiBM Express, had violated Article 32(4) of the GDPR. In particular, it had not taken the appropriate steps as a controller to ensure that its employees | After opening an investigation into the incident, the CPDP issued a decision on 5 May 2020, in which it found that the courier, MiBM Express, had violated Article 32(4) of the GDPR. In particular, it had not taken the appropriate steps as a controller to ensure that its employees acting under its authority were prepared to work with personal data and had been trained in data protection, and would not share personal data with third parties. The CPDP also found a violation of the purpose limitation principle. As a result, it fined MiBM Express BGN 5,000, and reprimanded it under Article 58(2)(b). | ||
MiBM Express | MiBM Express contested this decision at the Administrative Court of Sofia-city. It argued that in issuing its decision, the CPDP had violated procedural rules as established in the Bulgarian Personal Data Protection Act (PDPA). The judge in the case found that the contested decision had been properly executed by the CPDP. It was imposed by a competent authority within the powers conferred to it under Article 38(1) and (3) PDPA. Moreover, the CPDP had correctly identified a violation of Article 32(4) and 5(1)(b) GDPR and had correctly reprimanded MiBM under Article 58(2)(b). The judge did however hold that in calculating the amount of the fine it imposed, the CPDP had not considered the elements outlined at Article 83(2), and that it was not clear under which criterion the fine was determined. It thus reduced the fine from BGN 5000 to BGN 1500. | ||
In the present case, | In the present case, MiBM Express appealed this decision of the Administrative Court of Sofia-city, arguing that there had been no violation of Article 32(4) GDPR, and that, in any case, the CPDP does not have the power do rule on cases involving personal data, which involve the commission of a criminal offence within the meaning of the Bulgarian Criminal Code. | ||
The Court did not perform the necessary court proceedings to clarify the nature of the alleged violation. | |||
There was no ruling of the court on the allegation in the appeal that in its decision the CPDP did not discuss article 83(2). | |||
=== Holding === | === Holding === |
Revision as of 08:08, 9 June 2021
ВАС - № 6759 | |
---|---|
Court: | ВАС (Bulgaria) |
Jurisdiction: | Bulgaria |
Relevant Law: | Article 5(1)(b) GDPR Article 32(4) GDPR Article 58(2)(b) GDPR Article 83(2) GDPR Article 83(4)(b) GDPR Art. 208 Administrative Procedure Code (APC) Article 38(2) Personal Data Protection Act (PDPA) |
Decided: | |
Published: | 04.06.2021 |
Parties: | MiBM Express OOD The Bulgarian Data Protection Authority (CPDP) |
National Case Number/Name: | № 6759 |
European Case Law Identifier: | |
Appeal from: | Административен съд София-град (Administrative Court of Sofia-city) № 6270/2020 |
Appeal to: | Unknown |
Original Language(s): | Bulgarian |
Original Source: | Върховния административен съд (in Bulgarian) |
Initial Contributor: | n/a |
In progress
English Summary
Facts
On 11 April 2019 a complaint was filed with the Bulgarian Data Protection Authority (CPDP), regarding a letter that the complainant had received in relation to debt collecting proceedings against her. The letter was addressed to her, her father, and the legal entity under which they were debtors, and contained their personal data, namely: names and phone numbers. Rather than being directly delivered to the complainant, the letter was delivered by the courier company (MiBM Express OOD) to a local shop keeper, who passed the letter on to the complainant.
After opening an investigation into the incident, the CPDP issued a decision on 5 May 2020, in which it found that the courier, MiBM Express, had violated Article 32(4) of the GDPR. In particular, it had not taken the appropriate steps as a controller to ensure that its employees acting under its authority were prepared to work with personal data and had been trained in data protection, and would not share personal data with third parties. The CPDP also found a violation of the purpose limitation principle. As a result, it fined MiBM Express BGN 5,000, and reprimanded it under Article 58(2)(b).
MiBM Express contested this decision at the Administrative Court of Sofia-city. It argued that in issuing its decision, the CPDP had violated procedural rules as established in the Bulgarian Personal Data Protection Act (PDPA). The judge in the case found that the contested decision had been properly executed by the CPDP. It was imposed by a competent authority within the powers conferred to it under Article 38(1) and (3) PDPA. Moreover, the CPDP had correctly identified a violation of Article 32(4) and 5(1)(b) GDPR and had correctly reprimanded MiBM under Article 58(2)(b). The judge did however hold that in calculating the amount of the fine it imposed, the CPDP had not considered the elements outlined at Article 83(2), and that it was not clear under which criterion the fine was determined. It thus reduced the fine from BGN 5000 to BGN 1500.
In the present case, MiBM Express appealed this decision of the Administrative Court of Sofia-city, arguing that there had been no violation of Article 32(4) GDPR, and that, in any case, the CPDP does not have the power do rule on cases involving personal data, which involve the commission of a criminal offence within the meaning of the Bulgarian Criminal Code.
The Court did not perform the necessary court proceedings to clarify the nature of the alleged violation.
There was no ruling of the court on the allegation in the appeal that in its decision the CPDP did not discuss article 83(2).
Holding
In progress. essentially: the court did properly consider, and the criminal code thing not relevant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.