ВАС - № 6759

From GDPRhub
Revision as of 08:08, 9 June 2021 by 10.90.129.140 (talk)
ВАС - № 6759
Courts logo1.png
Court: ВАС (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(1)(b) GDPR
Article 32(4) GDPR
Article 58(2)(b) GDPR
Article 83(2) GDPR
Article 83(4)(b) GDPR
Art. 208 Administrative Procedure Code (APC)
Article 38(2) Personal Data Protection Act (PDPA)
Decided:
Published: 04.06.2021
Parties: MiBM Express OOD
The Bulgarian Data Protection Authority (CPDP)
National Case Number/Name: № 6759
European Case Law Identifier:
Appeal from: Административен съд София-град (Administrative Court of Sofia-city)
№ 6270/2020
Appeal to: Unknown
Original Language(s): Bulgarian
Original Source: Върховния административен съд (in Bulgarian)
Initial Contributor: n/a

In progress

English Summary

Facts

On 11 April 2019 a complaint was filed with the Bulgarian Data Protection Authority (CPDP), regarding a letter that the complainant had received in relation to debt collecting proceedings against her. The letter was addressed to her, her father, and the legal entity under which they were debtors, and contained their personal data, namely: names and phone numbers. Rather than being directly delivered to the complainant, the letter was delivered by the courier company (MiBM Express OOD) to a local shop keeper, who passed the letter on to the complainant.

After opening an investigation into the incident, the CPDP issued a decision on 5 May 2020, in which it found that the courier, MiBM Express, had violated Article 32(4) of the GDPR. In particular, it had not taken the appropriate steps as a controller to ensure that its employees acting under its authority were prepared to work with personal data and had been trained in data protection, and would not share personal data with third parties. The CPDP also found a violation of the purpose limitation principle. As a result, it fined MiBM Express BGN 5,000, and reprimanded it under Article 58(2)(b).

MiBM Express contested this decision at the Administrative Court of Sofia-city. It argued that in issuing its decision, the CPDP had violated procedural rules as established in the Bulgarian Personal Data Protection Act (PDPA). The judge in the case found that the contested decision had been properly executed by the CPDP. It was imposed by a competent authority within the powers conferred to it under Article 38(1) and (3) PDPA. Moreover, the CPDP had correctly identified a violation of Article 32(4) and 5(1)(b) GDPR and had correctly reprimanded MiBM under Article 58(2)(b). The judge did however hold that in calculating the amount of the fine it imposed, the CPDP had not considered the elements outlined at Article 83(2), and that it was not clear under which criterion the fine was determined. It thus reduced the fine from BGN 5000 to BGN 1500.

In the present case, MiBM Express appealed this decision of the Administrative Court of Sofia-city, arguing that there had been no violation of Article 32(4) GDPR, and that, in any case, the CPDP does not have the power do rule on cases involving personal data, which involve the commission of a criminal offence within the meaning of the Bulgarian Criminal Code.

The Court did not perform the necessary court proceedings to clarify the nature of the alleged violation.

There was no ruling of the court on the allegation in the appeal that in its decision the CPDP did not discuss article 83(2).

Holding

In progress. essentially: the court did properly consider, and the criminal code thing not relevant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.