ВАС (Bulgaria) - 2606/2021
The Bulgarian Supreme Administrative Court stayed the proceedings in an appeal by the National Revenue Agency (NRA), pending a preliminary ruling by the CJEU. The previous court found that the NRA violated Articles 24 and 32 GDPR in relation to a data breach affecting over 5,000,000 Bulgarians, and awarded the complainant non-pecuniary damages due to the loss of control of his personal data.
English Summary
Facts
On 15 July 2019, a massive data breach of the National Revenue Agency (NRA) of Bulgaria was revealed. The person responsible for the breach sent an email to major Bulgarian media outlets, detailing the scope of the attack. NRA became aware of the breach on the same date, while the exact date of the breach remained unknown. During the day, the media announced that the leaked data amounted to 57 folders with .csv files detailing the names and national identification numbers of more than 5,000,000 Bulgarian citizens, as well as records on revenues, tax and social security payments, debts, online betting data and company activities dating from as early as 2007 to as recently as June 2019.
NRA notified the personal data breach to the Bulgarian Commission for Personal Data Protection (CPDP), which is the competent supervisory authority in accordance with Article 55 of the GDPR, on 16 July 2019 and to the Prosecutor's Office of Sofia City on 17 July 2019. Also on 17 July 2019, NRA requested an all-round audit of its information systems by an independent external organization. NRA also developed a special application through which any Bulgarian citizen could check whether their personal data had been compromised.
In a follow-up investigation, CPDP found that the personal data of a total of 6,074,140 data subjects was breached, including data for 4,104,786 living Bulgarian and foreign citizens and 1,959,598 deceased persons. The compromised data included names, national identification numbers, addresses, phone numbers, e-mail addresses, data retrieved from annual financial data declared by individuals including reports on paid incomes, insurance declarations, health insurance contributions, data for issued acts of administrative violation, data on payments of taxes and insurance liabilities through [company], and data on requested and refunded VAT paid abroad. On 22 August 2019, CPDP issued NRA an order under Article 58(2)(d) supra Article 57(1)(a) and Article 83(2)(a), (c), (d), (f) and (g) of the GDPR to undertake suitable technical and organizational measures for personal data protection. On 28 August 2019, CPDP served NRA with a decision imposing an administrative penalty for violating Article 32(1)(b) of the GDPR.
On 16 September 2019, a complaint was filed with the Administrative Court of Sofia City (ACSC) against NRA for non-pecuniary damages caused by NRA's unlawful failure to fulfil its obligations under Articles 24 and 32 of the GDPR, which led to the personal data breach, as per Article 4(12) of the GDPR, including with regard to the complainant's personal data. On 11 August 2019, after initiating a series of checks starting from 26 July 2019, the complainant learned via the NRA application that his personal data had been breached (this fact was not disputed by NRA). The exact type of breached data, such as national identification number, name, nationality, permanent and temporary address, ID data, bank account, and data submitted by organizers of online gambling (bet to a particular online game, size of the bet, data of the bet), was announced and made known to the complainant during the court proceedings.
Since financial data is protected by law and access to it is strictly regulated and could take place only after a ruling of a court under certain limited hypotheses, ACSC noted that NRA should be considered not only a data controller, but also a body entrusted with the creation, processing and protection of tax and insurance information regarding the obligated subjects, which is legally protected information with regulated access. ACSC concluded that the requirements for the processing of personal data by NRA, given the nature and volume of the information stored, should have been significantly higher than the requirements for the processing of personal data that does not constitute legally protected information. ACSC found facts establishing unlawful inaction by NRA, in its capacity as a data controller, under Articles 24 and 32 of the GDPR, which led to a breach of the security of personal data under Article 4(12) of the GDPR, and found no proof that NRA had fulfilled its obligations in that respect or had been able to ensure an appropriate level of security.
ACSC found that the complainant's allegations of NRA's noncompliance with the data breach notification mechanism under Article 67 of the Bulgarian Personal Data Protection Act (PDPA), supra Article 33 of the GDPR, and of a violation of the requirement to communicate the personal data breach to the data subjects under Article 66 of the PDPA, supra Article 34 of the GDPR, were incorrect.
Although the only witness with regard to the non-pecuniary damages was a member of the complainant's inner circle, ACSC accepted that only such a person could have witnessed the psychological and emotional state of the complainant and found that the complainant's concerns and fears of misuse of his personal data were justified and realistic. ACSC also found that the mere fact that personal and financial data had been breached, published online, and become a potential object of uncontrolled (in terms of time, place, and volume) violation determined the occurrence of non-pecuniary damages to the data subject. However, ACSC found that the amount of damages claimed, being BGN 1,000, was unjustified and lowered the award to BGN 500; with interest due only by the date of filing the claim for damages.
In the present case before the Supreme Administrative Court of the Republic of Bulgaria (SAC), NRA appealed the decision of ACSC. It argued that the court’s decision was incorrect due to violation of substantive law, significant violations of the rules of court proceedings and unfoundedness; with cassation grounds for annulment within the meaning of Article 209 (2) and (3) of the Administrative Procedure Code. An annulment of the court decision was requested.
Holding
SAC found that the cassation appeal was admissible, but once it proceeded to the merits of the dispute, procedural obstacles to its consideration of the merits arose.
At present, case C-340/21 is pending before the Court of Justice of the European Union (CJEU), initiated by a request for a preliminary ruling under Article 267 TFEU on the interpretation of recitals 74, 85 and 146, point 12 of Article 4 and Articles 5(2), 24, 32 and 82 of Regulation 2016/679. The request was made by SAC with reference to Administrative Case 1037 of 2021.
Questions referred for a preliminary ruling include:
(1) Are Articles 24 and 32 of Regulation (EU) 2016/679 to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of point 12 of Article 4 of Regulation (EU) 2016/679 by persons who are not employees of the controller’s administration and are not subject to its control is sufficient for the presumption that the technical and organisational measures implemented are not appropriate?
(2) If the first question is answered in the negative, what should be the subject matter and scope of the judicial review of legality in the examination as to whether the technical and organisational measures implemented by the controller are appropriate pursuant to Article 32 of Regulation (EU) 2016/679?
(3) If the first question is answered in the negative, is the principle of accountability under Article 5(2) and Article 24 of Regulation (EU) 2016/679, read in conjunction with Recital 74 thereof, to be interpreted as meaning that, in legal proceedings under Article 82(1) of Regulation (EU) 2016/679, the controller bears the burden of proving that the technical and organisational measures implemented are appropriate pursuant to Article 32 of that regulation? Can the obtaining of an expert’s report be regarded as a necessary and sufficient means of proof to establish whether the technical and organisational measures implemented by the controller were appropriate in a case such as the present one, where the unauthorised access to, and disclosure of, personal data are the result of a ‘hacking attack’?
(4) Is Article 82(3) of Regulation (EU) 2016/679 to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of Article 4(12) of Regulation (EU) 2016/679 by means of, as in the present case, a ‘hacking attack’ by persons who are not employees of the controller’s administration and are not subject to its control constitutes an event for which the controller is not in any way responsible and which entitles it to exemption from liability?
(5) Is Article 82(1) and (2) of Regulation (EU) 2016/679, read in conjunction with Recitals 85 and 146 thereof, to be interpreted as meaning that, in a case such as the present one, involving a personal data breach consisting in unauthorized access to, and dissemination of, personal data by means of a ‘hacking attack’, the worries, fears and anxieties suffered by the data subject with regard to a possible misuse of personal data in the future fall per se within the concept of non-material damage, which is to be interpreted broadly, and entitle him or her to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm?
SAC considered these questions relevant to the present case and considered itself obliged to comply with the CJEU's interpretation, which, once given, is binding on all national courts. Thus, SAC found that the only procedural way to ensure the correct application of Community law was to stay the proceedings until the end of the proceedings under case C-340/2021 of the Court of Justice of the European Union.
Comment
Interestingly, there are a number of recent decisions where the Supreme Administrative Court of the Republic of Bulgaria stayed proceedings for exactly the same reasons. This is a common practice of the Bulgarian courts and can be seen with regard to a number of cases/topics throughout recent years.
In cases where there was a ruling despite the existing pending case C-340/21 before the Court of Justice of the European Union, the Court found unjustified motives of the first instance and ruled on the merits of the dispute.
English Machine Translation of the Decision
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.