ВАС - № 6759

From GDPRhub
ВАС - № 6759
Courts logo1.png
Court: ВАС (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(1)(b) GDPR
Article 32(4) GDPR
Article 58(2)(b) GDPR
Article 83(2) GDPR
Article 83(4)(b) GDPR
Art. 208 Administrative Procedure Code (APC)
Article 38(2) Personal Data Protection Act (PDPA)
Published: 04.06.2021
Parties: MiBM Express OOD
The Bulgarian Data Protection Authority (CPDP)
National Case Number/Name: № 6759
European Case Law Identifier:
Appeal from: ACSC (Bulgaria)
№ 6270/2020
Appeal to: Unknown
Original Language(s): Bulgarian
Original Source: Върховния административен съд (in Bulgarian)
Initial Contributor: n/a

The Bulgarian Supreme Administrative Court (BAC) held that a courier service had violated Article 32(4) GDPR by not adequately training its employees regarding data protection and the sharing of personal data with third parties. It also emphasised that the Bulgarian DPA has the power to rule on cases concerning the processing of personal data which also involve the commission of a criminal offense under the Bulgarian Criminal Code.

English Summary[edit | edit source]

Facts[edit | edit source]

On 11 April 2019 a complaint was filed with the Bulgarian Data Protection Authority (CPDP), regarding letters that the complainant had received in relation to debt collecting proceedings against her. The letters were addressed to her, her father, and the legal entity under which they were debtors, and contained their personal data, namely: names and phone numbers. Rather than being directly delivered to the complainant, the letters were delivered by the courier company (MiBM Express OOD) to a local shop keeper, who passed the letter on to the complainant.

After opening an investigation into the incident, the CPDP issued a decision on 5 May 2020, in which it found that the courier, MiBM Express, had violated Article 32(4) of the GDPR. In particular, it had not taken the appropriate steps as a controller to ensure that its employees acting under its authority were prepared to work with personal data and had been trained in data protection, and would not share personal data with third parties. The CPDP also found a violation of the purpose limitation principle. As a result, it fined MiBM Express BGN 5,000, and reprimanded it under Article 58(2)(b).

MiBM Express contested this decision at the Administrative Court of Sofia-city. It argued that in issuing its decision, the CPDP had violated procedural rules as established in the Bulgarian Personal Data Protection Act (PDPA). The judge in the case found that the contested decision had been properly executed by the CPDP. It was imposed by a competent authority within the powers conferred to it under Article 38(1) and (3) PDPA. Moreover, the CPDP had correctly identified a violation of Article 32(4) and 5(1)(b) GDPR and had correctly reprimanded MiBM under Article 58(2)(b). The judge did however hold that in calculating the amount of the fine it imposed, the CPDP had not considered the elements outlined at Article 83(2), and that it was not clear under which criterion the fine was determined. It reduced the fine from BGN 5000 to BGN 1500.

In the present case at the BAC, MiBM Express appealed the decision of the Administrative Court of Sofia-city. It argued that there had been no violation of Article 32(4) GDPR, and in the alternative, that: in accordance with the provisions of Article 83(2) GDPR, the BGN 1500 fine should be further lowered; and that the CPDP does not have the power do rule on cases which involve the commission of a criminal offence within the meaning of the Bulgarian Criminal Code. According to MiBM a crime was committed as its employee forged the signature of the complainant acknowledging receipt of the delivery of the letters.

Holding[edit | edit source]

The BAC upheld the decision of the Administrative Court of Sofia City. It stated there had been an unequivocal violation of Article 32(4) GDPR by MiBM, since: the letters were delivered by MiBM Express, they were delivered to a person other than the complainant, and there was no evidence that MiBM, as a controller, had taken the necessary measures to ensure that its employees, who have access to personal data via the courier service, would not share such data with third parties according to its rules.

The BAC also shared the view of the Administrative Court of Sofia City that the amount of the sanction determined by the CPDP should be reduced to BGN 1500. It stated that there was no evidence to indicate that this sanction should be further reduced; the amount of the fine corresponds to the gravity of the violation, and, in particular, is not excessive in view of the company's financial situation.

Lastly, the BAC acknowledged that there was evidence that a crime had been committed by the MiBM Express employee as regards the forging of the complainants signature. However, it stated that, when considering a complaint for violation of principles on the processing of personal data, the CPDP does not need to assess whether a crime has been committed, and who the perpetrator is. The presence or absence of personal data for a crime under the Criminal Code has nothing to do with the present dispute, which assesses different circumstances. The CPDP is only obliged to assess whether MiBM as a controller has fulfilled its obligations under the GDPR to protect the personal data it processes.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.