CPDP (Bulgaria) - PNN-01-137/2019
CPDP - № ППН-01-137/2019 | |
---|---|
Authority: | CPDP (Bulgaria) |
Jurisdiction: | Bulgaria |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.01.2020 |
Published: | |
Fine: | 10.0000 BGN |
Parties: | n/a |
National Case Number/Name: | № ППН-01-137/2019 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Bulgarian |
Original Source: | CPDP (in BG) |
Initial Contributor: | n/a |
The Bulgarian Commission for Personal Data Protection (CPDP) imposed a fine of BGN 10,000 (approximately EUR 5,000) on a company providing utility services. The data controller processed personal data without any legal basis as required by Article 6(1) GDPR.
English Summary
Facts
The Bulgarian DPA examined a complaint lodged by a citizen, V.V., against a company providing utility services (‘the company’) and a private bailiff regarding unlawful processing of personal data (name and personal number). The individual received а message from a private bailiff for distraint upon his salary because of financial obligations owned to the company. However, the individual claimed not having any relations with the company and thus, a complaint for violation of Article 6(1) GDPR was lodged.
A company providing utility services took enforcement actions for recovery of amounts receivable against 3 debtors, and a private bailiff commenced enforcement actions. The enforcement order indicated the name of one of the debtros who appeared to have the same name as the complainant. The enforcement order missed indicating the personal number of the person liable which the company, upon request of the private bailiff, provided with.
Following all the enforcement actions taken, a message for distraint upon the salary was sent to the complainant’s employer. On 2nd January 2019 the individual sent e-mail to the private bailiff with detailed explanation and supporting documents that he does not have any relations with the company, and the distraint was cancelled.
The company identified the mistake in the personal number, and on 15th January 2019 the correct personal number of the debtor was provided to the private bailiff. The company claimed that the case does not concern unlawful processing of personal data and thus, a violation of Article 6(1) GDPR. A mistake performed by an employee lead to a technical error and provision of incorrect information.
Dispute
Is there a violation of Article 6(1) GDPR committed by the private bailiff and the company providing utility services?
Holding
The Bulgarian DPA decided that the complaint against the private bailiff is unfounded. The company provided wrong information to the private bailiff based on which enforcement actions were commenced and the individual’s personal data was processed. Although the individual was not liable and the personal data shall not be proceed for the purposes of the enforcement actions, based on the applicable law the bailiff shall not refuse to proceed with the enforcement actions.
The Bulgarian DPA decided that the complaint against the company providing utility services is founded and imposed a fine of BGN 10,000. The company processed the individual’s personal data (names and personal number) by providing them to the private bailiff for the purposes of the commencement of the enforcement actions without having any legal ground according to Article 6(1) GDPR.
This lead to research of the individual’s assets, verifications and acquiring documents and non-material damages, namely damages to the reputation of the individual before the employer and the colleagues, as well as stress until the situation was clarified and the error was corrected. The Bulgarian DPA determined the actions of the company providing utility services as negligent.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.