CPDP (Bulgaria) - PP-01-291/03.05.2022
| CPDP - PP-01-291/03.05.2022 | |
|---|---|
| Authority: | CPDP (Bulgaria) |
| Jurisdiction: | Bulgaria |
| Relevant Law: | Article 5(1)(a) GDPR; Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.01.2023 |
| Published: | |
| Fine: | 2000 BGN |
| Parties: | n/a |
| National Case Number/Name: | PP-01-291/03.05.2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Bulgarian |
| Original Source: | CPDP (Bulgaria) (in BG) |
| Initial Contributor: | wp |
The DPA fined a company for unlawful transfer of personal data to another controller, caused by lack of appropriate organisational and technical measures under Article 32 GDPR.
English Summary
Facts
During a change of telecommunications operator, operator A transferred personal data (name, ID number and phone number) in response to a request from operator B.
The data subject contacted operator B and denied any knowledge of, or consent to, the change of operator and the subsequent porting of her data, because she had neither signed any form nor visited the office of the first telecommunication operator.
Operator B explained that the data subject's husband had requested the transfer of three phone numbers he claimed to possess. Following the data subject's complaint, operator B took immediate action and transferred the phone number back to operator A.
The data subject decided to lodge a complaint with the Bulgarian DPA (CPDP).
Holding
The DPA upheld the complaint.
During the proceedings, the DPA assigned the role of data controller to operator B.
The transfer of personal data between operators A and B occurred because of a procedural error. However, an error of that kind did not exempt the data controller from liability. On the contrary, the error proved that the controller had failed to implement appropriate organisational and technical measures under Article 32 GDPR. In particular, the DPA questioned the effectiveness of the privacy policy, which apparently was not followed in practice, and noted the absence of any internal control that would have prevented the error.
According to the DPA, the controller violated Article 5(1)(a) GDPR – principle of good faith and transparency of data processing. The controller unlawfully processed the personal data. This was caused by the lack of proper identification of the data subject during the change of telecommunications operator. In this case it was irrelevant that the data subject's husband initiated the process and signed the form.
As a result, the DPA issued an order under Article 58(2)(d) GDPR to bring data processing into compliance with the GDPR, in particular by updating internal procedures and training employees. The DPA also fined the controller BGN 2,000 (€1022) in line with Article 58(2)(i) GDPR. The fact that the controller stopped the unlawful data processing on its own initiative was a mitigating circumstance.
English Machine Translation of the Decision
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.
Decision on appeal with reg. No. PPN-01-291/03.05.2022
DECISION No. PPN-01-291
Sofia, 17.01.2023
The Commission for the Protection of Personal Data /"the Commission", "KPLD"/ composed of: Chairman - Ventsislav Karadzov and members - Tsanko Tsolov and Veselin Tselkov, at a regular meeting held on 16.11.2022, on the basis of Art. 10, para. 1 of the Law on the Protection of Personal Data, Art. 57, §1, b. "e" of Regulation 2016/679 and Art. 40, Para. 1 of the Regulations for the Activities of the CPLD and its Administration /PDKZLDNA/ examined the merits of complaint No.PPN-01-291/03.05.2022, filed by P.A. against a telecommunications operator (T.O.1).
Administrative proceedings are developed in accordance with the Administrative Procedure Code /APK/ and Article 38 of the Personal Data Protection Act.
The Commission for the Protection of Personal Data has been referred to Complaint No.PPN-01-291/03.05.2022 /forwarded by the Commission for Consumer Protection/ submitted by P.A. against T.O. The complaint states that without the knowledge and consent of Mrs. P.A. her mobile number was transferred from another telecommunication operator (T.O.2) to the network of T.O.1. She believes that her personal data - three names, a social security number and a telephone number - were processed illegally for the purposes of drawing up an application for the portability of a nationally significant number when changing the mobile service provider, which was used in an attempt to transfer her mobile number to another network. She indicates that the application was not signed by her, as she did not even visit the office of T.O.1.
In accordance with Art. 26 of the APC, the parties are notified of the initiated administrative proceedings, and submission of opinions and evidence on the case are requested.
On the basis of Article 34, paragraph 3 of the APC, the parties are given the opportunity to express their position on the administrative file and to present admissible, relevant and necessary evidence.
In the opinion of T.O.1, the complaint is contested as unfounded. It is indicated that based on a signal received on 04/19/2022 by Mrs. P.A. to T.O.1, an immediate check was carried out, from which it was established that the applicant's husband - I.A. requested the transfer of 3 mobile numbers, including that of Mrs. P.A., to the network of T.O.1. I.A. has indicated that he is the holder of all mobile numbers. Therefore, the mobile number of Mrs. P.A. was mistakenly transferred to the network of T.O.1 on 18.04.2022. Based on a complaint by P.A. an inspection was carried out, and immediate actions were taken; on 21.04.2022 the number is returned to the network of T.O.2.
In additional opinions on the case /letters with reg. No.PPN-01-291#6/29.07.2022 and No.PPN-01-291#8/09.09.2022/ the complainant emphasizes that she did not provide consent for the transfer of her personal mobile number to another network, respectively – for the use of her personal data for this purpose by the employees in the office of T.O.1. She claims that as a result of these actions, she was left without mobile service. She points out that she never submitted any applications in T.O.1, in view of which the mobile operator inappropriately raised arguments about non-obligation of penalties, as well as that the objections about her family situation and about her husband's companies are not in place - they are not relevant to the dispute, since the mobile number is her personal.
On the basis of Art. 38, para. 1 of the PDKZLDNA, the Commission issued a Decision on the regularity and admissibility of the appeal at a closed meeting held on 14.09.2022, on the basis of which the parties P.A. – appellant and T.O.1 – defendant.
The parties are duly notified of the open meeting of the CPLD, scheduled for 11/16/2022.
Additional statement No.PPN-01-291#14/03.10.2022 was received to the defendant, in which it is confirmed that the number was mistakenly transferred to the network of T.O.1 on 18.04.2022 and activated under the terms of the contract concluded with I.A. during his visit to the office on 11.04.2022. It is stated that Mrs. P.A. did not visit the office of the company, and that she did not sign the portability application. It is believed that this was done by Mr. I.A. At the time of submitting the answer, the administrator is not processing personal data of Mrs. P.A. for the purposes of providing electronic communication services, but only for the purposes of defending oneself in the current administrative proceedings. Evidence is presented - a copy of a system screen, from which it is clear that no result is visualized when entering the applicant's personal identification number. It is appealed that when considering the case, it should be taken into account that upon discovering the error, the administrator immediately took actions to terminate the contract with T.O.1 without penalties, as on 21.04.2022 the mobile number is returned back to the previous operator's network.
With Protocol No.PPN-01-291#15/11.11.2022 the rules and policies for the protection of personal data are attached to the administrative file, which are duly disclosed to the data subject and to third parties by publishing them on the website of the mobile operator.
At the open meeting of the CPLD, the parties did not appear or represent themselves, and did not take additional opinions on the case.
With the fact thus established, from the legal point of view the appeal is admissible and well-founded.
In Regulation 2016/679 and LLDP, the rules for the protection of natural persons in connection with the processing of personal data, as well as the rules regarding the free movement of personal data /arg.
from Art. 1 of the Regulation and Art. 1 of the LLDP/.
The Commission is a permanently operating independent supervisory body that ensures the protection of individuals in the processing of their personal data /Art. 6 of the Labor Code/. It exercises its powers under Article 58 of the Regulation as appropriate - to investigate, to impose sanctions and to issue instructions for the lawful and correct application of the Regulation, so that the purpose of Article 1, item 2 of the Regulation is achieved - for the protection of fundamental rights and freedoms of natural persons, to which also belongs their right to the protection of their personal data.
The definition of "personal data" is contained in the provision of Article 4, item 1 of Regulation 2016/679, namely: "any information related to an identified natural person or a natural person who can be identified ... directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or by one or more characteristics specific to the physical, physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person".
In the current hypothesis, personal data of the person, representing three names, social security number and telephone number, were processed. The defendant T.O.1 is a legal entity - a personal data administrator within the meaning of Article 4, paragraph 7 of the Regulation and processes the complainant's personal data through the operations of collection, storage and use within the meaning of Article 4, paragraph 2 of the Regulation.
On the question of the legality of the procedural actions on personal data processing, it should be noted that they were carried out without a legal basis within the meaning of Art. 6, §1 of the Regulation, contrary to the principle of lawfulness and good faith under Art. 5, §1, b. "a" of Regulation 2016/679, as well as in violation of the administrator's general obligations to take appropriate organizational and technical measures under Article 24, §1 and §2 of the Regulation.
It is not disputed between the parties that the process processing took place as a result of an error, that the applicant did not wish to conclude a contract with the respondent company, that the hypothesis of pre-contractual relations did not arise, and that she did not appear at the office of the mobile operator to fill out the process application that gave rise to the transfer of her mobile number to another operator. It is also indisputable that at least for the period from 04/18/2021 until 21.04.2022 the personal data of the complainant were processed illegally by the administrator. The complainant's one-sided claims that she was left without mobile service could not be accepted, as the transfer of a mobile number between different operators is not equivalent to being left without mobile service.
Even if the defendant's claims that the transfer occurred as a result of a mistake are accepted, it should be noted that this circumstance could not relieve the administrator from responsibility, taking into account that the administrator's responsibility is objective /innocent/, that the same should be able to prove compliance with the Regulation, that in the present case no appropriate organizational and technical measures have been taken, as well as no sufficiently effective policies for the protection of personal data /or at least no sufficient control over their compliance has been exercised/, taking into account the fact that the administrator should unambiguously identify the natural person - data subject before entering into contractual relations with him, so that the legal basis for processing personal data according to Art. 6, §1, b. " of the Regulation, and above all taking into account the fact that the administrator processes personal data of a large number of natural persons, therefore only in the presence of appropriate and effective rules and policies for the protection of personal data, as well as in the event of adequate control over their implementation, the administrator could ensure and prove compliance with this Regulation.
The reference to error on the part of the administrator, as well as the contradictory and biased evidence presented by the defendant, from which it is not clear on the basis of which specific application the transfer was made, as well as on what grounds, lead to the conclusion that apart from illegality, also for dishonest and non-transparent processing of personal data within the meaning of Article 5, §1, b. "a" of the Regulation.
Regardless of the fact that it is not in dispute between the parties that the application in question was not signed by the applicant, and that she was not physically present at the company's office for the purposes of submitting an application for the transfer of the mobile number, the personal data controller T.O.1 is responsible for the unlawful processing of personal data within the meaning of the Regulation, as the data subject should be unambiguously identified and sign in the presence of the relevant employees in the company's office. The responsibility for this lies with the personal data administrator, not the specific employees who carried out the transfer. Insofar as there is no unambiguous identification of the data subject, it should be noted that systematic control over the actions of the employees has not been carried out, which falls within the scope of the obligations of the administrator for bona fide and lawful data processing.
Regardless of the fact that the administrator has written rules and policies for data protection, it is found that there is no practical implementation of the same.
The actions of the administrator and his employees lead to the indisputable conclusion that, in practice, either the relevant employees are not familiar with these policies, or they are not applied, and in both cases, the relevant control was not implemented. In this sense, the prescribed rules and policies should be developed in the direction of supplementing the control mechanisms.
The claims of the mobile operator that the actions were carried out by the complainant's husband do not exempt him from responsibility, in his capacity as a personal data administrator, and they cannot be credited as a mitigating circumstance, since the administrator under the Regulation has an obligation to process personal data in good faith, and in order to do so, it must, in accordance with its rules and policies, ensure that the individual has requested that their personal data be processed for the purpose of number transfer, and that the relevant individual is uniquely identified.
Given the opportunity for the Commission to assess, as appropriate, which of its corrective powers to exercise in accordance with Art. 58, §2 of Regulation 2016/679, the measure under Art. 58, §2, b. "d" of Regulation 2016/679 should be applied in the case under consideration, and the administrator was issued an order to comply with the personal data processing operations with the provisions of the Regulation, and it is appropriate in this case to appropriately supplement the rules for the protection of personal data, by carrying out an internal review of the rules, related to the identification of natural persons, with the corresponding appropriate training of the company's employees, with relevant and appropriate data protection policies concerning the activities of transferring mobile numbers between the three mobile operators and, above all, the personal data processed as a result, as well as the control exercised by the administrator.
In the current hypothesis, an appropriate mechanism for the incoming training of new employees, as well as periodic training of the remaining employees, should be provided for, which should include the explicitly changed procedures for the identification of natural persons, as well as pay special attention to the processing of personal data when transferring mobile numbers between the three mobile operators.
The corrective measure should be cumulated with a pecuniary sanction under Art. 58, §2, b. "i" of Regulation 2016/679, in order to fulfill the sanctioning functions of the Regulation, as well as to have a warning effect on the administrator given the danger of committing other such violations that could affect a considerable number of natural persons.
To the extent that, when imposing a pecuniary sanction, the supervisory authority should comply with the general conditions under Art. 83, §2 of the Regulation, so that the imposed sanction is effective, proportionate and dissuasive, but also does not appear excessive in relation to the established violation, in the case under consideration it would be appropriate to impose a pecuniary sanction in an amount close to the minimum, for the following reasons:
The administrator has corrected and established his error by referring to the data subject's objection. The latter did not suffer damages, regardless of the fact that this happened for objective reasons. The violation was stopped in a relatively short period of time.
The violation is the processing of personal data of one data subject and the same lasted for a relatively short time interval, but not because the administrator took actions to stop the violation, but for objective reasons.
The supervisory authority became aware of the breach not from a notification received by the controller, but based on a complaint by the data subject.
The defendant's arguments that the breach was not accompanied by pecuniary damage to the data subject in the form of fines should not be seen as a mitigating circumstance, not least because the data subject did not contribute to the proceedings by his actions processing of personal data.
Since the controller is a legal entity, the question of intent is not applicable.
A mitigating circumstance is that the administrator stopped the violation on his own initiative.
The degree of responsibility of the administrator should be categorized as relatively high, bearing in mind that the organizational and technical measures introduced by him in accordance with Art. 24, §1 and §2 of the Regulation, including data protection policies, respectively exercise control on them, are not sufficient to stop or avoid the infringement.
From the fact that in the initially submitted request to transfer a mobile number to another mobile operator /Application for portability No.****/ there was no correspondence between the holder of the mobile number and the person who submitted the request, from the fact that based on the same application, Contract No.**** was concluded, in which it was objectified that number ***** with the holder, the applicant P.A. is such on the face of I.A. /indicating in an application for portability dated 15.04.2022 that he acts in his capacity as a manager of a company ****/, it follows that the relevant preventive and control mechanisms were not implemented in relation to the actions preceding the change of mobile phone provider services, so that the data subject can be uniquely identified, to clarify his actual will before entering into contractual relations with the mobile operator, as well as to clarify the question of whether the number requested for transfer belongs to the person who presented it as his own. The same requirements are explicitly introduced in the provisions of art. 230b, para. 4, ex. 21 and art. 230c, para.
22 of the Law on Electronic Communications.
The Commission does not accept the applicant's arguments that she was left without mobile service, as far as the fact that her mobile number was switched from one mobile network to another is not equivalent to being left without service, given that the statements thus relieved could not constitute an aggravation of responsibility circumstances.
The administrator provided assistance to the supervisory authority, but during the proceedings provided conflicting and insufficient information so that the risks and reasons that led to the violation were identified.
In the present scenario, the administrator did not realize direct or indirect financial benefits, nor did he avoid losses as a result of the violation, as the same was the result of circumstances beyond his control /the complainant's unwillingness to use the mobile services of this operator/.
The personal data administrator T.O.1 has previous violations related to the grounds for processing personal data and data security /so e.g. Decision No.PPN-01-162(2020)/2021, by which a sanction was imposed on the administrator for violation of the principle of Art. 6, §1 of the Regulation/, his actions were repeatedly sanctioned by the Commission, the same being explained in a number of its decisions the application and meaning of the Personal Data Protection Regulation.
In view of the above and on the basis of Article 38, paragraph 3 of the LLDP, the Commission for the Protection of Personal Data with 3 votes "for" and 0 "against"
RESOLVE:
1. Announces Complaint No.PPN-01-291/03.05.2022 of P.A. against T.O.1 with for reasonable.
2. On the basis of Art. 58, §2, b. "i" and Art. 83, §5, b. "a" of the Regulation for violation of Art. 6 and Art. 5, §1, b. "a" of Regulation (EU) 2016/679 imposes on the administrator T.O.1 an administrative penalty - a pecuniary sanction in the amount of 2000 /two thousand/ BGN.
3. On the basis of Art. 58, §2, letter "d" for a violation of Art. 24, §1 and §2 of Regulation /EU/ 2016/679 issues an order to the administrator T.O.1 to comply with the processing operations of personal data with the provisions of the Regulation according to the reasons for this Decision, for the implementation of which he must present evidence within 3 months from the entry into force of the Decision.
After the entry into force of this Decision, the amount of the imposed administrative sanction should be paid to the following bank account of the Commission:
BNB Bank – CU
IBAN: BG18BNBG96613000158601
BIC BNBGBGSD
Owner: Commission for Personal Data Protection, BULSTAT 130961721
The pecuniary sanction should be paid within 14 days of the entry into force of the Decision, otherwise enforcement actions will be taken.
This Decision can be appealed within 14 days of its delivery through the Commission for the Protection of Personal Data before the Administrative Court of Sofia City.
__________
1 "Providers shall not delay, abuse, or switch providers without the express consent of end-users."
2 "End-users must be properly informed and protected during the process and not transferred to another provider against their will."
CHAIRMAN: Vencislav Karadjov /p/
MEMBERS: Tsanko Tsolov /p/ Veselin Tselkov /p/