CPDP (Bulgaria) - PNN-01-33/2022

| CPDP - PNN-01-33/2022 | |
|---|---|
| Authority: | CPDP (Bulgaria) |
| Jurisdiction: | Bulgaria |
| Relevant Law: | Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 20.12.2022 |
| Published: | |
| Fine: | 500 BGN |
| Parties: | n/a |
| National Case Number/Name: | PNN-01-33/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Bulgarian |
| Original Source: | CPDP (in BG) |
| Initial Contributor: | n/a |
The Bulgarian DPA fined a doctor 500 Leva for a violation of Article 32 GDPR. The doctor had allowed her electronic signature to be used to access the vaccination status of a member of the European Parliament. This information was later disclosed in a television programme.
English Summary
Facts
On 9 January 2022, the Bulgarian television programme 'This Sunday' broadcast a news report about the COVID-19 pandemic. The journalist presenting the programme, M.C., stated that the data subject, a member of the European Parliament, had been vaccinated against COVID-19 on 19 August 2021 with the 'Janssen Vaccine', despite the fact that he had publicly opposed vaccination and COVID-19 restriction measures. As to the journalistic source, it was not entirely clear how the journalists had been able to obtain the information about the data subject's vaccination status.
The data subject filed a complaint with the Bulgarian DPA (date not disclosed) against the journalist M.C. and the media company 'Media EAD', which had broadcast the report. He stated that this data had been disclosed without his consent and without his knowledge, and that there had therefore been unlawful access to and dissemination of his personal data. The DPA also asked a doctor, who had supposedly accessed the data subject's vaccination status, to provide her side of the story. The doctor claimed that she had not accessed the vaccination status of the data subject, but that someone else had used her electronic signature. She stated that other employees of the medical centre could also have used her signature to access the vaccination status.
The medical centre also took part in the proceedings. The clinic argued that three employees had access to the doctor's electronic signature and could have accessed the vaccination status of the data subject: K.R., the head nurse; S.P., an employee of the human resources department; and lastly, the doctor herself. According to the clinic, the head nurse was the one who recorded vaccinations in the electronic system using the doctor's signature. She was also the only one who had the electronic signature and the vaccination platform installed on her computer, which was located in her office.
The medical establishment concluded that the head nurse had abused her position.
Holding
First, the DPA held that the journalist, M.C., could not be regarded as a controller in this case. As a journalist, employee and presenter of the programme, she was a person under Article 29 GDPR. The DPA determined that the controllers in this case were the doctor, M.M., and the media company, M. EAD. The DPA emphasised that they should be regarded as separate controllers, since there was no evidence that they jointly decided the means and purposes of the processing. Later in the decision, the DPA also determined that the medical establishment itself was a controller.
Second, the DPA confirmed that the information regarding the vaccination status of the data subject constituted health data in the context of Article 9 GDPR.
Third, the DPA assessed the processing conducted by the first controller, the media company, and stated that it was undisputed that this health data was disseminated for journalistic purposes. The Bulgarian DPA then referred to Article 1 of the Bulgarian PDPA, which states that processing personal data is lawful when carried out for the purpose of freedom of expression. Pursuant to Article 25h(3) of this law, Article 9 GDPR does not apply to the processing of personal data for journalistic purposes. The DPA held that, to be considered as processed for the purpose of journalistic activity, the information should be of real public importance. To determine whether the dissemination at issue was lawful, a balancing exercise had to be conducted between the protection of personal data and the freedom of expression. The principle of data minimisation was also of importance here. In the present case, the DPA considered that the information was of real public importance. The data subject was a public figure as a member of the European Parliament, and therefore enjoyed a lower level of protection of his personal data. Next, the DPA confirmed that Article 9 GDPR was not applicable here due to the national law. The DPA also confirmed that in this case a balance had been struck between the freedom of expression and the right to data protection. Despite the fact that the disclosed data was health data processed without the knowledge and consent of the data subject, the DPA held that the processing was lawful. There was an overriding interest in the disclosure of this information, mainly because it showed that the data subject, who had publicly opposed vaccination and COVID-19 measures, was vaccinated himself despite urging others to do the contrary. The information was also presented in a broadcast about the pandemic situation and served as an expression of the public's right to receive truthful, complete and comprehensible information.
The DPA also stated that the GDPR should not become a tool to manipulate the public and cover up the lies of the data subject. The processing was lawful and in accordance with Article 1 of the Bulgarian PDPA.
Fourth, the Bulgarian DPA assessed the conduct of the second controller, the doctor. It was undisputed that her signature had been used to check the vaccination status of the data subject. The signature had been issued to her in her personal capacity, and the medical establishment's internal procedures did not require the doctor to give this signature to other employees, so there was no reason to provide the head nurse with it. In contrast with the media company, Article 9 GDPR was applicable to this controller's processing, which included health data. In this regard, the Bulgarian DPA determined that the controller had shown 'gross negligence' with respect to the storage and use of her personal signature, which had resulted in the unauthorised access to the health data of the data subject. The doctor had not taken appropriate measures to ensure, and to be able to demonstrate, that personal data was processed in a GDPR-compliant way. The fact that this negligence concerned health data made the situation even worse. Since no measures had been implemented at all, the DPA determined that the doctor had violated Articles 32(1) and 32(2) GDPR. The DPA fined the doctor 500 Leva pursuant to Articles 83(4)(a) and 58(2)(i) GDPR.
Lastly, the DPA determined that the medical center, being the third and last controller, had also violated Article 32 GDPR. The facility had allowed the practice of using electronic signatures for the processing of sensitive health data and access to this data. On the date of the breach, this controller had not established appropriate technical and organisational measures for the processing of sensitive personal data, nor was the controller able to show that it processed data in accordance with the GDPR. Also, there was a lack of training and supervision, which resulted in the violation of Article 32 GDPR. Because the controller had already addressed some of the identified issues, the DPA warned this controller pursuant to Article 58(2)(b) GDPR.
Comment
To be updated
English Machine Translation of the Decision
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.
SOLUTION No. PNN-01-33/2022. Sofia, 20.12.2022 The Commission for Personal Data Protection (CPDP), composed of. 1 of the Personal Data Protection Act in conjunction with Article 57, § 1, point "f" of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the Regulation, GDPR), examined the merits of complaint No. PPN-01-33/17.01.2022. The administrative proceedings are under Article 38 of the Personal Data Protection Act (PDPA). The Commission for Personal Data Protection was referred to the complaint PPN-01-33/17.01.2022, filed by N.D. against Media EAD (M. EAD) and M.C., in her capacity as a journalist at the media outlet, alleging unlawful access to a special category of personal data relating to his state of health and, in particular, his vaccination status, and their dissemination through a report in the television programme "This Weekend", broadcast on the air of the media outlet on 09.01.2022 at 09:30, repeated the same evening in the central news broadcast of the television outlet, at 19:00, as the first leading news item. The complainant claims that in the course of the report the journalist M.C. "disclosed on air personal health data" of four MPs from the political party "V.", including his own, including: the date and the specific type of drug injected into the individuals. He is categorical that the data were disseminated without his knowledge and consent, and that there was no such consent with regard to the other three MPs. Mr. N.D. claims that Ms. M.C. stated on air that she had access to "this type of health personal data of all MPs of the V. Party", and she also announced the exact number of persons with medical manipulations performed. 
He considers that there has been unlawful access and dissemination of his personal data and asks the CPD to investigate the case and identify the original source of the information. He asks that, if the CPD considers it necessary, this information be addressed to the Public Prosecutor's Office and the relevant regulatory authorities. He asks for an injunction to 'immediately stop' the alleged infringement, insofar as the material was repeated repeatedly in the news broadcasts of the media on 09.01.2022 and 10.01.2022, and its use by the media, in various television programmes broadcast within its programme, continued as of 13.01.2022. No evidence is attached to the complaint; a link to the material originally broadcast on the air of the media is provided. Evidentiary motions were made: for the admission, for the purpose of giving explanations, of each of the four MPs whose personal data had been disseminated and for the request for explanations from M.C. as to the source of the information. The latter request made in the complaint is inadmissible under the provision of Article 25h(4) of the PDPA according to which "The exercise of the powers of the Commission under Article 58(4) of Regulation (EU) 2016/679 may not lead to the disclosure of the secrecy of the source of the information". On 18.01.2022, in the interest of clarifying the actual facts relevant to the case, a screen print was made of the contents of the text file referred to in the complaint: https://btvnovinite.bg/predavania/tazi-sabota-i-nedelia/koi-sa-deputatite-koito-narichat-vaksinite-experimental-technost-a-vsashtnost-sa-imunizirani.html, and the text file posted to the link.
KLD DECISIONS CPC November - December 2022 35
A video file, lasting 14:53 minutes, has been downloaded on CD. The actions are documented in Protocol PPN-01-33#3/18.01.2022, with screen print and CD attached.
In the light of the principles of equality of arms and truthfulness, which are enshrined in the administrative procedure, M. EAD and Ms M.C., in her capacity as a journalist, were sent notification letters about the administrative proceedings initiated in the case, were given the opportunity to submit written statements on the allegations set out in the complaint and to submit relevant evidence. Written submissions PPN-01-33#6/01.02.2022 and PPN-01-33#7/01.02.2022 were submitted in response, expressed respectively by Ms M.C. and the company, with identical arguments for the unfoundedness of the complaint, insofar as the applicant is a public figure - a Member of Parliament, whose personal data has been processed for journalistic purposes on issues of public importance concerning the Covid-19 pandemic, the vaccination against Covid-19 and the "green certificate", on which the applicant has a clearly expressed and publicized position against vaccination and coercive measures to contain the Covid-19 pandemic. Relevant evidence is attached to support the allegations made in the submissions. The Commission for Personal Data Protection is an independent state authority that protects individuals in the processing of their personal data and access to such data, as well as controls compliance with the PDPA and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In order to exercise its powers, the Commission must be validly addressed. The complaint contains the mandatory requisites - there are details of the complainant - N.D., the nature of the request, the date and signature, the passively legitimated parties, as well as the date of knowledge of the infringement, in view of which it is regular.
In this connection, it should be noted that, although the complaint alleges infringements by three other persons, in so far as they are not identified and the complaint does not bear their signatures and there is no evidence of any authorisation on their part in respect of Mr N.D., they do not have the status of complainants. The subject-matter of the complaint are allegations of unlawful access to and dissemination of a special category of data relating to the applicant's state of health and, in particular, vaccination status. These, together with data relating to the applicant's full name and his capacity as a Member of the European Parliament, are personal data within the meaning of the GDPR, in so far as the person concerned can be undeniably identified. The complaint was lodged by an individual with a legal interest. It is undisputed that the processing of personal data according to the above-mentioned legal definition is at issue, and that the passively legitimated party M. EAD is a controller of personal data as defined in Article 4(7) of Regulation (EU) 2016/679, as it defines the purposes of the processing - the presentation of information of public interest in a television broadcast, and the means of the processing - by broadcasting reports and programmes on the air of the media. By virtue of Article 58 of Regulation (EU) 2016/679, which defines the powers of the supervisory authority, the Regulation and the PDPA respectively are only applicable to controllers and processors. The analysis of this provision, in accordance with the purpose of the PDPA, leads to the conclusion that in order for the Commission to exercise its rights, the violations of the subject's rights must have been committed by the controller or processor and the complaint must be directed against the latter, who in that capacity have violated the rights of the individual.
In this regard, it should be noted that the journalist and presenter of the programme, M.C., as an employee of the media and in her capacity as presenter of the programme broadcast on the air of the media, does not have the capacity of an administrator or processor of personal data, since she processes personal data in the performance of her official duties, i.e. she is a person under Article 29 of the Regulation and acts under the authority of the controller and in practice "engages" him in his processing activities, in so far as she actually carried out, as host of the transmission, the processing activities alleged to have infringed the rights of the applicant. The Commission was seized on 13.01.2022, only two days after the alleged violation took place, which leads to the conclusion that the complaint was filed within the time limit under Art. 1 of the PDPA. The competent authority - the CPCL - was seized of the matter, which, pursuant to its powers under Art. 1 of the PDPA in conjunction with Article 57, § 1, point "f" of Regulation (EU) 2016/679, examines complaints against acts and actions of personal data controllers that violate the rights of data subjects related to the processing of personal data, as there are no exceptions under Art. 2(2)(c) and Article 55(3) of the Regulation, given that the case does not concern processing activities carried out by an individual in the course of purely personal or domestic activities and/or activities carried out by the courts in the exercise of their judicial functions. For the above reasons and in the absence of the negative prerequisites under Article 27, paragraph 2 of the APC, at a meeting of the Commission held on 19.01.2022, the appeal was declared admissible and the following were constituted as parties to the proceedings: the appellant - N.D., the respondent M.
EAD, in its capacity as a personal data controller, and the interested party M.C., in her capacity as a journalist in the media and presenter of the programme in question. An open hearing on the merits of the appeal has been scheduled for 16.03.2022 at 13:00, of which the parties have been duly notified. In order to clarify the facts of the case, the Ministry of Health and the I.O. Inc. have requested information and log files on the access to the vaccination status of the complainant from the date of his vaccination against COVID-19 until 09.01.2022, the date of the report, as well as specific information whether the complainant was vaccinated against COVID-19 and when, in order to assess whether the information given in the media broadcast corresponds to reality. The requested information and evidence had not been provided by the date of the scheduled public hearing, therefore the substantive hearing of the appeal was adjourned to 04/05/2022. In the course of the proceedings before the CPD, a cover letter with reference No. PPN-01-33#19/21.03.2022 from I.O. Inc. informed that "N.D. was vaccinated against COVID-19 on 19.08.0221. Between the date of vaccination and 09.01.2022, N.D.'s vaccination status records were reviewed on 06.01.2022 and 07.01.2022 by Dr. M.M." A certified copy of the submission by I.O. AD was provided to the parties to the proceedings for their perusal, and the applicant was specifically requested to clarify whether he knew Dr M.M. and to specify whether he was his personal and/or treating physician. In response, and by letter No. PPN-01-33#23/01.04.2022, the complainant responded in the negative to the inquiry from the CPD - he did not know Dr. M.M., nor was he his personal and/or attending physician.
In view of the foregoing and on the basis of Article 9(2) (principle of ex officio jurisdiction) and Article 7 (principle of truthfulness) of the Code of Civil Procedure, in view of the evidence collected ex officio on the file and the subject-matter of the complaint, which also contains allegations of unlawful access to the applicant's health status, the Commission, by a decision taken at a meeting held on 06-07.04.2022, constituted, ex officio, Dr M.M. as a respondent in the proceedings, in her capacity as a personal data controller. A public hearing on the merits of the appeal has been scheduled for 04/05/2022 by 13.00 in the administrative building of the CPD in the town of. Sofia, bul. "Proff. 2, Meeting Hall, 4th floor. In order to clarify the facts of the case, I.O. AD, information was requested regarding the identifier through which Dr. M.M. accessed the complainant's vaccination status data, clarification of what data is visualized and available to the service user when "viewing" the person's vaccination status, and what the access channel used by Dr. M.M. was for the review of Mr. N.D.'s vaccination status data performed on 06.01.2022 and 07.01.2022. In response and by letter PPN-01-33#33/26.04.2022, the requested information was provided. It is specifically stated by I.O. Inc. that the data that is displayed and available to the service user Dr. M.M. when "reviewing" Mr. N.D.'s vaccination status is: date of immunization record, national immunization reference number, dose sequence, date of next vaccine and availability of certificate. It is specified that the access channel to the data is immune.his.bg, the login to the system is done by a qualified electronic signature, after checking whether the doctor concerned has an active registration with the Bulgarian Medical Association.
In the course of the proceedings, a written opinion PPN-01-33#34/29.04.2022 on the merits of the dispute, in the part concerning the processing of data for journalistic purposes and the disclosure of the source of information, was received electronically, without an electronic signature. It is stated that the opinion comes from the Association of European Journalists - Bulgaria, without the signature of a specific person. The Association is not a party to the proceedings, in view of which the Commission for the Protection of Personal Data considers the submitted opinion to be irrelevant and should not be commented on in the grounds of the decision, leaving unclear how the Association was informed about the case, which it comments on in detail concerning the vaccination status and the quality of the applicant as a Member of the European Parliament. On 04.05.2022, the CPLC received a request from the appellant to postpone the public hearing on the appeal scheduled for the same date due to work commitments and inability to attend the hearing. On the basis of the application filed and due to the defendant Dr. M.M. not being properly notified of the proceedings, the hearing of the substantive appeal scheduled for 04.05.2022 was adjourned to 22.06.2022 at 13:00 hours, of which the parties were duly notified. Notwithstanding the opportunity given to Dr. M.M. to be heard on the matter and the express directions that she should furnish information and evidence as to the basis of her access to the complainant's health/vaccination status regarding Covid-19 on 06.01.2022 and 07.01.2022 and attach any other relevant evidence in the matter, no such evidence was adduced. Until 21.06.2022, a day before the scheduled public hearing to consider the merits of the complaint, there was no procedural activity by the respondent; the complaint had not been contested, and no evidence or even allegations had been adduced on the subject matter of the dispute with which the CPWD is being referred.
In the course of the proceedings, by letter PPN-01-121/15.02.2022, the CEM informed that it had been informed of complaints filed by N.D. and V.M. regarding the publication of personal data of MPs in a journalistic investigation disseminated in the media programme of the media service provider M. EAD. They point out that the CEM considered at its meeting a report on the compliance of the broadcast with the provisions of the Broadcasting Act, in particular: with the norms relating to guaranteeing the right of citizens to information with the degree of protection of their privacy of public figures with influence in society. They inform that the CJM held that there was no violation of the RTI Act insofar as the journalistic audio-visual material contributed to the development of public dialogue on health policy and the accountability of democratically elected figures to their constituents. A public meeting of the Board was held on June 22, 2022 to consider the merits of the appeal. The appellant N.D. - duly notified, did not appear and was not represented at the hearing before the Committee. The defendant, M.C., duly notified, did not appear and was not represented. For M. EAD, legal adviser B.G. appeared with power of attorney on file. The defendant, Dr M.M., was represented by lawyer A., with power of attorney submitted at the hearing. The legal representatives of M. EAD and Dr M.M. contest the appeal. They do not adduce any new evidence. The procedural representative of the media maintains the written opinion expressed in the course of the proceedings that the complaint is unfounded. Attorney A. asserted that her confidant, Dr. M.M., did not access the complainant's personal information regarding his vaccination status on 06/01/2022 and 07/01/2022. She alleged that Dr. M.M. did not personally use her electronic signature until 31.05.2022 and clarified that the electronic signatures of all the doctors at SCC, including her confidante's electronic signature, were used by the centre's employee, S.P. He adds that "five years ago, these electronic signatures of the doctors of the DCC were kept with the employee, S.P., who was in charge of Human Resources." She kept them and she sent the information to all the doctors of the DCC by the 4th of the month to the NHIF - who was served, what expenses, what the NHIF needed to remit to them. To make it easy for her, she has put one PIN on all the electronic signatures - on all the doctors, on all the electronic cards. Having sent this data to the NHIS, since Dr. M.M. is the only one who is a physician at the SCC, and a physician at the hospital where she heads the internal medicine department, she herself is a specialist cardiologist, and since in the vaccination that is organized by this internal medicine department, all the certificates that are issued to the vaccinated persons are issued with the electronic signature of M.M.. So after S.P. is done with the reports, she hands over the electronic signature to the head nurse at C.R. Hospital, who puts the electronic signature on her computer, doesn't take it out at all, and it stays on day and night so it's easy for her, so she doesn't waste time...." In order to prove the latter, he asks that two witnesses - S.P. and K.R. - be admitted to cross-examination. He asks the Commission to admit a technical expert from an IT specialist in order to establish "from which IP address, from which computer all this information was downloaded". Advocate A. informed that the case was also the subject of case No. ***/2022 of the District Prosecutor's Office - Pazardzhik. In view of the submissions made by the representative of Dr. M.M., by the decision of the open meeting of the Committee held on 22.06.2022, the State Medical Centre was also made a respondent in the proceedings. A fresh public hearing on the merits of the appeal has been scheduled for 14.09.2022 at 13:00 hrs, of which the parties have been duly notified. The SCC was informed of the proceedings, given the opportunity to comment on the case and to submit relevant evidence. At the request of the procedural representative of the defendant M.M., two witnesses - S.P. and K.R. - were admitted to examination by deposition in the public hearing scheduled for 14.09.2022. Information has been requested on the case file No. ***/2022 of the District Prosecutor's Office - Pazardzhik, namely on the subject of the case file, its movement and results, and in the hypothesis of the evidence collected in the case file on the access of personal data of the applicant on 06-07.01.2022 and the use of the relevant electronic signature, respectively information received in the case file in this regard from Dr. M.M. (defendant in the proceedings before the CPDL) or other persons, including S.P. and K.R. (called as witnesses in the proceedings before the CPDL), a copy of the same. As of 12.09.2022, the requested information has not been provided. In order to clarify the case from the factual side, evidence and information have been requested from a third party not participating in the proceedings - Borika AD - the issuer of the electronic signature of Dr. M.M., in particular: how many and what carriers and when was the respective electronic signature issued? Who and when received the electronic signature and the respective carriers? Are the carriers active as of 06 and 07.01.2022? From which IP address is the electronic signature normally used and specifically from which IP address was it used on 01.06.2022 at 08:48 and on 01.07.2022 at 07:27? In response, Borika AD informed that the company had issued to M.M. M. Bricka as follows: 1. Serial No. *** with author and holder M.M., with author and holder ID ****, valid from 01.10.2016 to 03.10.2017 and from 02.10.2017 to 02.10.2018; 2. Serial No. *** with author and holder M.M., with author and holder ID ****, valid as follows from 25.09.2018 to 25.09.2019, from 25.09.2019 to 24.09.2020, from 23.09.2020 to 23.09.2021 and from 24.09.2021 to 24.09.2022. The company clarified that the certificate for the CEP was issued on a B-trust smart card and was received by the holder's proxy. They add that the renewal of the certificate on 24.09.2021 was done online - without the physical presence of the holder of the CEP in the office of the certification service provider. They point out that the company does not receive information on the IP addresses from which the CEP certificates are used. In support of their claims, they attach a certified copy of the certification services contract No **** of 03.10.2016, with a copy of the identity card, the acceptance report and the request No ****/03.10.2016 for the issuance of an electronic signature. In the course of the proceedings, an opinion PPN-01-33#57/12.09.2022 was issued by the SCC on the unfoundedness of the complaint, arguing that the company had taken the necessary measures to limit and prevent the misuse of personal data and documents. They state that three employees of the company had access to Dr. M.M.'s electronic signature - S.P. - an employee of the Human Resources Department, K.R. - the head nurse at the medical institution and Dr. M.M. They added that due to a requirement of the NHIF and in order to facilitate the work of the physicians at the facility, Ms. S.P., with the knowledge and permission of the physicians, submitted monthly reports, between the 1st-5th of each month, to the NHIF for the work they performed.
It points out that during the pandemic the hospital was instructed by the RHC to open a vaccination office and to register an electronic signature for the submission of data on vaccinations carried out on its premises; in the process, the company appointed the head nurse K.R. to report the vaccinations performed in the Ministry of Health (MH) platform using Dr M.M.'s signature. It alleges that on 05.01.2022, after the report had been submitted to the NHIF regional office, Ms S.P. handed the signature to the head nurse K.R., and that from that date the signature remained with K.R. so that she could continue to update the vaccination information and the green certificates issued. It alleges that "Dr. M.M.'s e-signature and the vaccine platform link are installed solely on Chief Nurse K.R.'s computer," as "the computer on which K.R. works is located in her office, which only she has access to." It states that the complainant was not a patient of the medical institution, had not undergone any medical examinations or procedures there, and that the institution did not process his personal data. It states that "for security purposes, all workstations in the medical establishment have static IP addresses, but when a workstation accesses a page on the Internet the traffic goes through the company's router and exits from the external IP address ****", so that "even if [the access] is recorded at I.O. JSC, the IP address from which the information was accessed will only show the external IP, not the internal IP of the computer itself." It informs that an "analysis of K.R.'s computer" found no events, history or files for the relevant dates, 06-07.01.2022, because of the time elapsed, more than seven months.

Regarding the allegations of Dr M.M.'s legal representative about a hacker attack, it points out that, after checking and analysing the company's entire information network and infrastructure, it found no trace of such an attack in the logs and no installed malware. It considers that Ms K.R. abused her position, acted unlawfully and intentionally, and in no way complied with the rules and policies put in place by the company regarding the protection of personal data and the application of the GDPR, and that the company is not liable for those actions. In view of the violation found, it points out that the medical institution has "taken actions to correct the way of working in the company and to introduce additional rules and norms in order to ensure the confidentiality of personal data obtained in the process of work, including their non-disclosure"; a training and instruction programme on the application of the GDPR and the newly introduced rules has been prepared for all employees of the company; and part of the changes concern the use of electronic signatures, namely: "All personal electronic signatures [...] The submission of monthly activity reports with an electronic signature is carried out as follows: the person who owns the signature personally provides it to a member of the administration, personally enters the security password (PIN code), and the report is submitted to the NHIF by a member of the administration in his presence. After submission of the report, the signature owner collects it. In this way, the electronic signature is under the constant control and monitoring of the owner. Assistance with the filing of the report by an administrative officer in the presence of the owner of the electronic signature is optional and serves to facilitate the work of physicians. At the physician's discretion, the physician may file the monthly report independently." In conclusion, it informs that the employment relationship between the hospital and Ms K.R. was terminated as of 31.08.2022. It finds the complaint unfounded as regards the establishment, and the contrary allegations of Dr M.M.'s legal representative unsubstantiated.

A further public hearing was held on 14.09.2022 to consider the merits of the complaint, of which the parties were duly notified. The complainant N.D., duly notified, did not appear and was not represented before the Commission. The defendant M. EAD was represented by legal adviser B.G., with power of attorney on file. The defendant Dr M.M. was represented by Adv. A., with power of attorney on file. The DCC was represented by Adv. J.N., with a power of attorney presented at the hearing. The correct name of the legal entity constituted and duly notified of the meeting, the DCC, was clarified at the hearing. The defendants' representatives contest the complaint. They adduce no new evidence. Adv. A. does not maintain the request for S.P. to be admitted as a witness. At the request of the legal representatives of M. EAD and Dr M.M., the examination of the complaint on its merits was postponed to the next CPDP meeting, on 23.11.2022, so that Adv. A. and legal adviser B.G. could acquaint themselves with the evidence newly collected by the CPDP.

To clarify the facts, information was requested from I.O. JSC, which replied by letter PPN-01-33#69 of 06.10.2022 that the IP address from which the complainant's vaccination status was accessed on 06.01.2022 and 07.01.2022 was ****. The District Prosecutor's Office, Pazardzhik, replied that the pre-trial proceedings initiated in case ***/2022, according to the inventory of the Ministry of Interior, Pazardzhik, "are at an initial stage", so that no information on the specific facts established in them can be provided.
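The DCC's description of its network above (static internal addresses, all outbound traffic leaving through one router and one external address) is why the operator's record, as reported by I.O. JSC, could identify only the institution and not the workstation, and the DCC's own workstation analysis seven months later found nothing to close that gap. As an added illustration, not part of the decision or of any party's submissions, the following Python example shows the correlation a practitioner would want to run: match the operator's access record (external source IP and timestamp) against the institution's own NAT or connection-tracking log to recover the internal host, and report nothing rather than a guess when no log was retained or several hosts match. The log format, addresses, ports, times and the certificate-serial field are all constructed for the example; only the two access dates come from the decision. The retention point cuts both ways: where no January 2022 log survived, a later review can equally not establish that "no trace" of an attack existed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


# Constructed record of what the service operator can report for one login:
# source IP as seen by the server, timestamp, and the certificate that
# authenticated the session. Field names are an assumption for the example.
@dataclass(frozen=True)
class OperatorAccess:
    ts: datetime
    src_ip: str
    cert_serial: str


# Constructed NAT / connection-tracking log entry.
@dataclass(frozen=True)
class NatEntry:
    ts: datetime
    int_ip: str
    ext_ip: str
    dst_ip: str


# Assumed line shape of the institution's NAT log (one translation per line):
#   <ISO-8601 timestamp> NAT <internal ip>:<port> -> <external ip>:<port> dst=<ip>:<port>
NAT_LINE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<int_ip>[\d.]+):\d+ -> (?P<ext_ip>[\d.]+):\d+ "
    r"dst=(?P<dst_ip>[\d.]+):\d+$"
)


def parse_nat_log(text: str) -> list[NatEntry]:
    """Parse the constructed NAT log; lines that do not match the shape are skipped, not guessed."""
    entries: list[NatEntry] = []
    for raw in text.splitlines():
        m = NAT_LINE.match(raw.strip())
        if m:
            entries.append(NatEntry(datetime.fromisoformat(m["ts"]),
                                    m["int_ip"], m["ext_ip"], m["dst_ip"]))
    return entries


def attribute_access(access: OperatorAccess, nat: list[NatEntry], service_ip: str,
                     window: timedelta = timedelta(minutes=2)) -> Optional[str]:
    """Internal IP that held a translation from access.src_ip to service_ip within
    +/- window of the operator's timestamp. Returns None whenever the log cannot
    answer: nothing retained, no matching translation, or more than one candidate
    host (reported as unattributable rather than picked arbitrarily)."""
    hosts = {e.int_ip for e in nat
             if e.ext_ip == access.src_ip and e.dst_ip == service_ip
             and abs(e.ts - access.ts) <= window}
    return hosts.pop() if len(hosts) == 1 else None


# --- constructed sample data (RFC 5737 documentation addresses, invented times) ---
EXTERNAL_IP = "203.0.113.10"   # the institution's single NAT address (assumed)
SERVICE_IP = "198.51.100.7"    # stands in for the immunisation service (assumed)

OPERATOR_LOG = [   # what the operator reports for the two dates in the decision
    OperatorAccess(datetime.fromisoformat("2022-01-06T10:14:03+02:00"), EXTERNAL_IP, "QES-SERIAL-***"),
    OperatorAccess(datetime.fromisoformat("2022-01-07T09:41:50+02:00"), EXTERNAL_IP, "QES-SERIAL-***"),
]

# Institution-side NAT log: retained only for 06.01; nothing was kept for 07.01.
NAT_LOG_06 = """
2022-01-06T10:13:58+02:00 NAT 10.0.5.23:51222 -> 203.0.113.10:40011 dst=198.51.100.7:443
2022-01-06T10:14:01+02:00 NAT 10.0.5.23:51223 -> 203.0.113.10:40012 dst=198.51.100.7:443
2022-01-06T10:14:05+02:00 NAT 10.0.5.41:50110 -> 203.0.113.10:40013 dst=192.0.2.80:443
garbage line that must not be parsed
"""
NAT_LOG_07 = ""   # nothing retained for this date


def attribute_all() -> dict[str, Optional[str]]:
    """Map each access date to the internal host, or None where the logs cannot say."""
    logs = {"2022-01-06": parse_nat_log(NAT_LOG_06), "2022-01-07": parse_nat_log(NAT_LOG_07)}
    return {a.ts.date().isoformat(): attribute_access(a, logs[a.ts.date().isoformat()], SERVICE_IP)
            for a in OPERATOR_LOG}


if __name__ == "__main__":
    for day, host in attribute_all().items():
        print(day, host or "unattributable: no usable NAT record")
```

Run as-is, the 06.01 access resolves to the constructed host 10.0.5.23 and the 07.01 access stays unattributable, which is the honest answer when the only surviving evidence is the operator's external-IP record. A real deployment would read the router's translation log instead of the embedded string; the point is that without a retained institution-side log the external address proves only which building the request came from.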
By covering letter PPN-01-33#68 of 29.09.2022, the DCC submitted additional representations and relevant evidence, namely a certified copy of Order No. 2 of 04.01.2021 and a payment order of 20.09.2021. In its opinion the company states that "to assist its employees, the hospital is working towards easing some of the commitments of the physicians", and that one of the forms of assistance it has undertaken is help with applying for the issuance and renewal of electronic signatures of pre-hospital physicians and "not least with the submission of monthly reports of pre-hospital physicians in the IPS to the NHIS". It specifies that the submission of reports is regulated by an internal order, "with an employee of the company's administration assisting the doctors technically in submitting the reports", but only if the doctor so wishes and voluntarily provides his or her electronic signature to the employee. It adds that the medical establishment strives to provide all technical assistance to the medical staff, that every action taken by the company is intended to facilitate the work process, and that the services offered are free of charge and not binding.

At the public hearing of the CPDP held on 23.11.2022, the complaint was considered on its merits. The complainant N.D., duly notified, did not appear and was not represented. M.C., duly notified, did not appear and was not represented. The defendant M. EAD, duly notified, was represented by legal adviser B.G. The defendant Dr M.M., duly notified, was represented by Adv. A. The defendant DCC, duly notified, was represented by Adv. J.N. Counsel for the defendants each contest the complaint. They adduce no new evidence and make no evidentiary requests. Adv. A. does not maintain the request for the examination of a witness, stating that Ms K.R. has also refused to testify.
Counsel for the defendants maintain the pleadings filed in the course of the proceedings that the complaint is unfounded and ask the Commission to dismiss it. Legal adviser B.G. adds that the television journalist M.C. did present data concerning the complainant N.D., but entirely in the context of the most topical public issue at the time, namely the Covid epidemic, vaccination, and the commitment of the political party "V." to the political slogan branding vaccines as experimental, with an appeal to its constituents not to vaccinate. It is submitted that the personal example of each member of a political party, including the complainant, is determinative for the health of the electorate and of society in general. In that regard he considers it undoubtedly incumbent on both the media and the journalist to make known to viewers and to the public the information relating to the official position of the political party "V.", because the comparison between an official position and actual conduct is very important in order to inform people what the true position of each member of that party actually is. Adv. A. reiterates that the electronic signature was not in Dr M.M.'s possession and therefore considers the complaint unfounded with regard to her client, since the alleged violation could not have been committed by her.

In its capacity as an administrative authority, and in view of the need to establish the truth as a fundamental principle of administrative proceedings under Article 7 of the APC, which requires that the facts be established, and taking into account the evidence gathered and the allegations made, the Commission finds that, examined on its merits, the complaint is unfounded in respect of M. EAD and well founded in respect of Dr M.M. and the DCC.
The subject-matter of the complaint is the alleged unlawful access to and dissemination of a special category of data relating to the complainant's state of health, in particular his vaccination status, with the complainant identified by his name and his position as a Member of the European Parliament.

The data controllers in the present case are Dr M.M., with regard to the access to the complainant's health data and in particular his vaccination status, and M. EAD, with regard to the dissemination of special category data relating to the complainant's state of health and in particular his vaccination status. The Commission does not seek to establish a causal link between the two processing operations, since journalistic sources are protected, and Dr M.M. and M. EAD are therefore to be regarded as separate controllers, there being no evidence that they jointly determined the purposes and means of the processing. The procedural steps taken by the CPDP, including the ex officio collection of evidence, serve to clarify the facts, as the APC requires of an administrative authority, with regard to the subject of the dispute: unlawful access to and dissemination of personal data concerning the complainant's vaccination status. Ms M.C. was not required to disclose her journalistic sources in relation to the broadcast report, nor was such information requested from the other participants in the proceedings.

Regarding M. EAD:

It is established from the evidence on file, and not disputed between the parties, that on 09.01.2022, in the programme "This Sunday" broadcast on M. TV, journalistic material was presented: a report followed by commentary from a guest in the studio, dealing with the Covid-19 pandemic and attitudes towards 1) vaccination and those vaccinated against Covid-19; 2) the anti-epidemic measures taken by the State in connection with the pandemic; 3) the imminent introduction of restrictions on admission to the building of the National Assembly, with entry upon presentation of a Green Certificate; and 4) an upcoming protest against the Green Certificate on 12.01.2022, organised by the parliamentary political party "V.". It is evident from the content of the report that its author, M.C., reported that the complainant N.D. had been vaccinated against Covid-19 on 19.08.2021 with the Janssen vaccine. The statement was made on the sidelines of the National Assembly, in an interview with the MP N.D. himself. The interview took place on 07.01.2022 and was broadcast two days later, on 09.01.2022, in "This Sunday" on BTV. The interview contained information on the complainant's health, specifically his vaccination status: that he had been vaccinated against Covid-19 on 19.08.2021 with the Janssen vaccine. The data on the complainant's vaccination status, taken together with the data in the material on his name, image and position as a Member of the European Parliament, are undeniably personal data within the meaning of the GDPR, since the person is undeniably identifiable. They also qualify as a special category of data within the meaning of Article 9 GDPR, since they concern the person's state of health: "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" (Article 4(15) GDPR).
According to Recital 35 GDPR, personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. At national level, the Health Act defines "health information" as personal data relating to the health, physical or mental development of individuals, as well as any other information contained in medical prescriptions, referrals, reports, certificates or other medical documentation. In this sense, as the Commission has already had occasion to rule in Opinion PNMD-01-12/2022, the set of data contained in a certificate issued in connection with a vaccination against Covid-19, including the fact of vaccination, the date of vaccination and the vaccine product itself, together with anything that may be disclosed directly or indirectly through it, fall within the term "health data" within the meaning of the GDPR and, in particular, "health information" within the meaning of the Health Act.

In view of the content, nature and periodicity of the programme, as well as its dissemination and accessibility, it is undisputed that the information was disseminated for journalistic purposes, in connection with a journalistic investigation broadcast in the programme of the media service provider M. EAD. This is processing of personal data within the meaning of Article 4(2) of Regulation (EU) 2016/679, since by means of the report and broadcast in question the complainant's personal data were made accessible and disseminated to an unlimited number of viewers. Under Article 25h of the PDPA, the processing of personal data for journalistic purposes is lawful when carried out in the exercise of freedom of expression and the right to information, while respecting privacy.
In this respect, Article 9 GDPR on the processing of special categories of personal data, including data concerning health, is inapplicable by virtue of Article 25h(3) of the PDPA, according to which Articles 6, 9, 10, 30 and 34 and Chapter V of the GDPR do not apply to the processing of personal data for journalistic purposes. According to Recital 4 of Regulation (EU) 2016/679, the right to the protection of personal data must be considered in relation to its function in society and be balanced against other fundamental rights, such as freedom of expression and information, in accordance with the principle of proportionality; the right to the protection of personal data is not an absolute right, and neither is the right to freedom of expression and information (Article 11 of the EU Charter of Fundamental Rights). The term "journalistic purposes" is not defined by the legislator, but has been extensively considered and interpreted in case law. Essential to journalistic activity is the collection, analysis, interpretation and dissemination, through the mass media, of relevant and socially significant information. All journalistic activity is a manifestation of freedom of expression in a state governed by the rule of law, and restrictions on freedom of expression and information are permissible only to the extent necessary in a democratic society under Article 10(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms. Starting from the concept of journalism as the practice of collecting, analysing and interpreting information about current events, topics, phenomena, personalities and trends of contemporary life, presented in different genres and forms and disseminated to a mass audience, the conclusion is that the present case concerns the processing of personal data for journalistic purposes.
By its nature, journalistic activity requires the dissemination of information on matters of public interest. The public dissemination of information for these purposes is a journalistic activity, since the very act of dissemination is an expression of an opinion, view or judgement on the public information and its relevance to the interests of society. For information to be processed for the purposes of journalistic activity, it must concern matters which, in the light of the relations concerned, are of real public importance, as is the case here. In balancing the two competing rights, the principle of data minimisation is relevant: the personal data processed should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, in this case the satisfaction of the public interest. Journalistic purposes by definition include the exercise of the right to information and freedom of expression, and restrictions on freedom of expression and information are permissible only to the extent necessary in a democratic society under Article 10(2) ECHR. The publication of a report in a media broadcast constitutes public disclosure.
In the present case it is indisputable that the data subject is a public figure, a Member of Parliament, and as such enjoys a lower level of protection of his personal data, but only insofar as the data are relevant to and connected with the functions he exercises as a Member of Parliament and the positions he expresses in that capacity to his constituents. It is undisputed that the personal data concerning the complainant's state of health, as regards vaccination against Covid-19, were disseminated by the media without his knowledge or consent. There is no evidence that they were made public by the complainant or by the health authorities, but this is irrelevant insofar as Article 9 GDPR is inapplicable in the present case. Public figures have a lower threshold of protection of their privacy, but interference with it is permissible only where a balance is struck between the right to protection of privacy and the right to freedom of expression and information. In the present case such a balance has been struck. Sensitive health information within the meaning of the Health Act has been disclosed, namely personal data relating to the health, physical and mental development of the individual, as well as information relating to the individual contained in medical examinations, prescriptions, certificates and other medical documentation. The information was disclosed and disseminated by a media outlet that falls outside the circle of persons entitled under the Health Act to process citizens' personal data relating to their state of health: medical and health care institutions, state bodies competent in the field of health care and health insurance, and the relevant medical professionals.
The evidence gathered on file and the facts established lead to the conclusion that there is an overriding public interest in the disclosure of the information, given the public's right to be informed and the categorical position stated and promoted by the complainant against vaccination against Covid-19 and against green certificates, which does not correspond with the conduct of the MP, who was vaccinated on a date prior to his statements as an MP, despite urging and agitating others to the contrary and claiming that vaccines "are experimental". The information relates to a public figure and is necessary for the performance of a task in the public interest, insofar as that interest would not be served without disclosure of the data. The journalistic material was prepared and broadcast in a pandemic situation in which the contribution of the media is to provide a platform for active discussion and debate of the issue, actively seeking out and clarifying different, including contradictory, opinions and positions, presenting the arguments of particular groups in society, with the emphasis on truth and on the disclosure and exposition of the real factual situation, as an expression of the public's right to receive truthful, complete and comprehensible information that helps it make an informed and reasonable judgement. The report reveals the publicly expressed opinion and statements of the complainant, not in his personal capacity but as a Member of Parliament with influence and authority among the electorate, on the nature of the pandemic and on his opposition, as a public figure, to the measures taken by the State to deal with it, alongside personal conduct inconsistent with that publicly expressed opposition.

In this respect the observations of the defendant M. EAD can be shared: the exposure of a contradiction between conduct and publicly expressed opinion is subject to civil control by the mass media for the purpose of public awareness and debate on an undeniably significant public topic. And while the GDPR is designed to protect the privacy of individuals, it cannot and should not be used as a tool to manipulate the public and to cover up behaviour such as untruths spoken by a public figure on public health issues. In the instant case, in balancing two competing rights in a pandemic setting, the disclosure of the individual's health status by the media was in accordance with Article 25h of the PDPA, insofar as it was relevant to and connected with ensuring the public's right to information, having regard to the degree of privacy protection afforded to public figures and to their influence in society. Similarly to the approach of the CJEU, it can be concluded that the journalistic audio-visual material contributes to public dialogue on health care policy and to the accountability of democratically elected figures to their constituents, and that, in the context of Article 25h of the PDPA, it was carried out in fulfilment of the public's right to information of public importance. This is also the long-standing case-law and practice of the ECtHR. The opinions that a certain category of persons, public figures such as the complainant, express in public contribute to shaping the attitudes of society as a whole and influence the choices of the majority of citizens, including with regard to the right to make an informed decision on vaccination.
It is precisely because of this public position and influence that such persons should be subject to more intense public scrutiny, in order to ensure the public's right to seek and receive accurate and truthful information on issues of importance to society, which in a pandemic context undoubtedly include vaccination against Covid-19. The public has the right to be informed of the actions and deeds of these individuals, so that every citizen can form an opinion about the individual and the positions they express in the light of actual conduct that contradicts them. In Kasabova v. Bulgaria and Bozhkov v. Bulgaria, concerning sanctions imposed on journalists for reporting on a long-established corrupt practice in admissions to elite secondary schools, the ECtHR stressed that too strict an approach to the professional conduct of journalists could frustrate their duty to inform the public, and concluded that the Bulgarian courts' interference with their freedom of expression was not "necessary in a democratic society". The ECtHR's judgment in Yordanov and Toshev v. Bulgaria, also concerning journalists, is similar. Upholding the view expressed in Kasabova and Bozhkov, the Court adds that in seeking the right balance between the protection of freedom of expression under Article 10 and the protection of the reputation of the persons against whom accusations are made, which is one aspect of the right to private life protected by Article 8 of the Convention, the vital role of "public watchdog" that the press plays in a democratic society is of particular importance. While it must not overstep certain bounds, in particular as regards the reputation and rights of others, it has a duty, in a manner consistent with its obligations and responsibilities, to impart information and ideas on political and other matters of public concern.
The Court stresses that "the sanctions imposed by the national authorities are capable of deterring the press from engaging in debate on matters of legitimate public interest" and from revealing the truth. Moreover, the Court links the freedom to impart information to the right of everyone, and of society as a whole, to be informed, and emphasises the duty of the media to provide information on matters of public interest (see also, to this effect, Decision No. 8/2019 of the Constitutional Court of the Republic of Bulgaria in constitutional case No. 4/2019). Beyond any reasonable doubt, there is in this case a heightened public interest in the information contained in the report. Regulation (EU) 2016/679 gives enhanced protection to individuals in relation to the processing of personal data, but also strikes a balance with other fundamental rights, in particular freedom of expression and information, as those rights are provided for in the EU Charter of Fundamental Rights and the ECHR. For the reasons set out above, given the particular facts and the person's status as a public figure, the Commission finds that the dissemination of information about his health status regarding Covid-19 vaccination is in the public interest and serves the public's right to be informed. The publication of such information is part and parcel of the task of the media in a democratic society, insofar as the information presented is true and was provoked, as the report shows, by the false information the person himself presented. The complainant's actions, the calls he made against vaccination, and the statements made in the report in question, and not only there, that he would never take this "liquid", do not correspond to his actual conduct and are liable to mislead the public, given his status as a public figure and the influence he has on some of the citizens of the Republic of Bulgaria.
In this regard, the Commission considers that the processing is lawful and in accordance with Article 25h of the PDPA, and that there is no violation as alleged by the complainant, given that the person's consent is not an element of the lawfulness of processing for journalistic purposes; such processing is carried out in the exercise of freedom of expression and the right to information in a democratic society.

Regarding Dr M.M.:

The above grounds for the lawfulness of the processing by the media are irrelevant to the processing of personal data by Dr M.M. The exemptions provided for processing for journalistic purposes are inapplicable to Dr M.M. in her capacity as controller. It is undisputed from the evidence on file that on 06.01.2022 and 07.01.2022 Dr M.M.'s personal electronic signature was used to access details of Mr N.D.'s vaccination status, namely the date of registration of the immunisation, the national reference number of the immunisation, the dose sequence number, the date of the next vaccination and the availability of a certificate. The access channel was immuno.his.bg; login to the system is by qualified electronic signature, after a check that the doctor concerned holds an active registration with the Bulgarian Medical Association. It is undisputed that the access was made from the IP address *******, the external IP address of the medical centre where Dr M.M. worked on the date of access. The data accessed undoubtedly belong to the special category relating to a person's state of health, for the reasons set out above. For such data the GDPR lays down a prohibition on processing (Article 9(1) GDPR), subject to explicit and exhaustive exceptions (Article 9(2) GDPR). In the present case there is no evidence on file that any of the exceptions in Article 9(2)(a) to (j) applies in respect of Dr M.M.
The data were accessed without the person's knowledge or consent: the defendant was not Mr N.D.'s personal or attending physician, he was not a patient of the medical establishment, and he had not undergone any medical examinations or procedures there. In the course of the proceedings, Dr M.M.'s legal representative alleged that a procedure was in place requiring the physician to physically hand over the electronic signature, and that the signature had been issued for official purposes. Those facts, however, were not established in the proceedings; on the contrary, the evidence gathered from Borika plc and the internal rules and procedures, including the manager's order, establish, first, that the signature was issued to Dr M.M. in her personal capacity, notwithstanding that it was collected by a proxy with her authorisation, and, second, that the procedures set up at the hospital do not require the electronic signature to be handed over to and kept by a hospital employee, namely the head nurse, but only support the doctors' work, and at their request.

The evidence on file establishes that Dr M.M.'s gross negligence with respect to the storage and use of her personal electronic signature resulted in unauthorised access to sensitive personal data concerning the complainant's vaccination status. Responsibility for this lies with the controller, Dr M.M., insofar as the signature used for the access is personal and responsibility for its use and storage is likewise personal. In the present case, Dr M.M. did not take appropriate measures to ensure, and was unable to demonstrate, that the complainant's personal data were processed and accessed in accordance with the GDPR.
The allegations that the signature was provided for use by an employee of the administration of the medical establishment in fulfilment of a duty imposed on Dr M.M. by the medical establishment at which she worked cannot be credited as relevant and true. In the first place, there is no evidence to that effect; her allegations are disputed by the medical establishment, which categorically states that the company provides each physician with assistance in the administration of services, but at the physician's request and initiative, not under obligation. Separately, even if the converse were true, insofar as the signature is personal, it is the data controller, in this case Dr M.M., who should determine the purposes, means and manner in which personal data will be processed/accessed through her electronic signature. Moreover, a specific category of personal data is accessed through the signature - health-related data - and therefore the controls and measures put in place by the controller should be heightened. These are not present in this case at all; therefore the error committed by Dr M.M. should be qualified as such under Article 32(1) and (2) of the GDPR, as there is no undisputed evidence to hold her liable for the access actually made. It is a fact that, by means of the electronic signature, not on one occasion but on two consecutive dates, the applicant's sensitive personal data were accessed unlawfully and without justification in an electronic environment from the IP address of the medical institution where Dr M.M. works. Dr M.M. claims that she only became aware of the infringement after she was notified by the CPT of the present proceedings, i.e. months after the infringement took place. The allegations that another person misused and improperly accessed the personal data using Dr M.M.'s electronic signature, even if well-founded (although there is no such evidence in the file), cannot sanitise the infringement, in so far as it is the responsibility of the controller (Article 32(1) and (2) GDPR) to apply measures appropriate to prevent the unlawful processing of personal data, having regard to the scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights of natural persons. There are no measures at all in this case, a circumstance confirmed by the legal representative of Dr M.M., who states that her client does not use her signature or regulate access to immuno.his.bg, a huge database of sensitive personal data, access to which is regulated and restricted and is granted by means of a qualified electronic signature after verification that the doctor concerned holds an active registration with the Bulgarian Medical Association. It is undisputed that Dr M.M. did not organise the storage of the signature, which is the means of access to the database containing information on the health condition of persons; accordingly, she neither created nor applied appropriate technical and organisational measures, did not carry out an assessment, and did not evaluate the risks associated with the use of the signature and access to this special category of personal data. Taking into account the established violation, the fact that it concerns the processing of a special category of data and the fact that the act is not a one-off and is completed, the Commission considers the exercise of corrective power under Art. 1 and 2 of the GDPR to be appropriate, effective and dissuasive. The corrective measures under Article 58(1)(a), (c), (d), (e), (f), (g), (h) and (j) of the GDPR are inapplicable because of the nature of the infringement, those under Article 58(2)(b) are disproportionate and those under (d) are inappropriate given the actions taken by Dr M.M. to control her electronic signature after the infringement was established.
In determining the amount of the fine, the circumstances that the violation was the first found by the CPMP with respect to this controller, as well as the workload and commitment of Dr M.M. and of physicians in general during the pandemic, should be qualified as mitigating factors. As aggravating factors, the Commission considers that the data accessed are of a special category and that this is a repeated infringement committed through negligence on the part of the controller.
With regard to the DCC
The evidence in the record and the allegations of the defendants, including those of the SCC, also evidence a violation by the facility of Article 32 of the GDPR regarding the facility's practices for allowing the use of physicians' electronic signatures for the processing of sensitive health-related personal data, including access to such data. It is undisputed that the medical establishment, as a separate controller of personal data, had not, as of the date of the breach, January 2022, established appropriate technical and organisational measures for the processing of sensitive personal data by the administration of the medical establishment, or that those established were not able to ensure and demonstrate that the processing was carried out in accordance with the GDPR; moreover, there was a lack of training and supervision regarding the procedure which, albeit not formally prescribed, has, as is apparent from the evidence, established itself as an unregulated and unregulated pra It is a fact that the infrastructure/IP address of the DCC, which had not established a proper control mechanism, was used for the unauthorised access.
It is a fact that, after the initiation of the present proceedings, the company has "taken steps to correct the way of working in the company" and has put in place a training and briefing programme for all employees of the company on the application of the GDPR and the rules newly introduced by the hospital. Part of the changes relate to the use of electronic signatures, namely: "All personal electronic signatures are to be stored only by their owners, and the responsibility for storage is entirely theirs. The submission of monthly activity reports with an electronic signature shall be carried out as follows: the owner of the signature shall personally provide it to an administrative officer and personally enter the security password (PIN code), and in his presence the report shall be submitted to the NHIF by the administrative officer. After the report has been submitted, the owner of the signature collects it. In this way the electronic signature is under the constant control and monitoring of the owner. Assistance with the filing of the report by an administrative officer in the presence of the owner of the electronic signature is optional and is intended to facilitate the work of physicians. At the doctor's discretion, he may submit the monthly report independently." The fact is that the additional measures introduced cannot sanitise the inaction on the part of the health establishment, which by its passive behaviour contributed to the infringement committed, but they are grounds for imposing a remedy under Article 58(2)(b) of the GDPR - a formal warning to the company, in view of the fact that, albeit at a later stage, the measures were reviewed and updated in accordance with its obligation under Art. 1 of the GDPR. The imposition of a sanction on the controller DCC is disproportionate in so far as the controller was not directly involved in the infringement committed, but by its passive behaviour created further preconditions for its commission.
Guided by the above and pursuant to Art. 38, para. 3 of the Personal Data Protection Act, the Commission for Personal Data Protection DECIDES:
1. Declares complaint pPN-01-33/17.01.2022 unfounded with respect to M. EAD.
2. Declares the complaint well-founded in respect of Dr M.M.
3. Pursuant to Article 83(4)(a) in conjunction with Article 58(2)(i) of Regulation (EU) 2016/679, imposes on Dr M.M., ID ******, as a personal data controller, a fine of BGN 500 (five hundred leva) for violation of Article 32(1) and (2) of the Regulation.
4. Declares the complaint well-founded with respect to the DCC.
5. On the basis of Article 58(2)(b) of the GDPR, issues an official warning to the SCC, UIC *********, as a personal data controller, for violation of Article 32(1) and (2) of the GDPR.
The decision is subject to appeal within 14 days of its delivery, through the Commission for Personal Data Protection, before the Administrative Court of Sofia - city. After the decision has entered into force, the amount of the penalty imposed shall be paid by bank transfer: BNB Bank - Central Bank, IBAN: BG18BNBG96613000158601, BIC BNBGBGSD, Commission for Personal Data Protection, BULSTAT 130961721.
PRESENTER: MEMBERS: Ventsislav Karadzhov /p/ Tsanko Tsolov /p/ Maria Mateva /p/