ВАС - № 6759

From GDPRhub
Revision as of 14:19, 8 June 2021 by 10.90.129.140 (talk)
ВАС - № 6759
Courts logo1.png
Court: ВАС (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(1)(b) GDPR
Article 32(4) GDPR
Article 58(2)(b) GDPR
Article 83(2) GDPR
Article 83(4)(b) GDPR
Art. 208 Administrative Procedure Code (APC)
Article 38(2) Personal Data Protection Act (PDPA)
Decided:
Published: 04.06.2021
Parties: MiBM Express OOD
The Bulgarian Data Protection Authority (CPDP)
National Case Number/Name: № 6759
European Case Law Identifier:
Appeal from: Административен съд София-град (Administrative Court of Sofia-city)
№ 6270/2020
Appeal to: Unknown
Original Language(s): Bulgarian
Original Source: Върховния административен съд (in Bulgarian)
Initial Contributor: n/a

In progress

English Summary

Facts

On 11 April 2019 a complaint was filed with the Bulgarian Data Protection Authority (CPDP), regarding a letter that the complainant had received in relation to enforcement proceedings against her. The letter was addressed to her, her father, and the legal entity under which they were debtors, and contained their personal data, namely: names and phone numbers. Rather than being directly delivered to the complainant, the letter was delivered by the courier company (MiBM Express OOD) to a local shop keeper, who passed the letter on to the complainant.

After opening an investigation into the incident, the CPDP issued a decision on 5 May 2020, in which it found that the courier, MiBM Express, had violated Article 32(4) of the GDPR. In particular, it had not taken the appropriate steps as a controller to ensure that its employees, acting under its authority, were prepared to work with personal data and had been trained in data protection, and would not share personal data with third parties. The CPDP also found a violation of the purpose limitation principle. As a result, it fined MiBM Express BGN 5,000, and ordered it to bring its processing operations into compliance with the GDPR.

MiBM Express appealed contested this decision at the Administrative Court of Sofia-city. It argued that in issuing its decision, the CPDP had violated procedural rules as established in the Bulgarian Personal Data Protection Act (PDPA). The judge in the case found that the contested decision had been imposed by a competent authority within the powers conferred to is under Article 38(1) and (3) PDPA. Moreover, the CPDP had correctly identified a violation of Article 32(4) and 5(1)(b) GDPR; and, the CDPD had correctly issued a corrective measure under Article 58(2)(b). then say why reuced. A court reduced it to BGN 1,500.

In the present case, BGN appealed to say that the Court . Said the court didn't properly consider. and criminal code thing.

Holding

In progress. essentially: the court did properly consider, and the criminal code thing not relevant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.