ВАС - 6307/27.06.2022
ВАС - 6307/27.06.2022 | |
---|---|
Court: | ВАС (Bulgaria) |
Jurisdiction: | Bulgaria |
Relevant Law: | Article 4(7) GDPR; Article 4(8) GDPR; Article 5(1)(a) GDPR; Article 5(1)(f) GDPR; Article 24 GDPR; Article 25 GDPR; Article 32 GDPR; Article 58(2)(d) GDPR; Article 83(2) GDPR; Article 83(3) GDPR; Article 83(5)(a) GDPR; Article 38 of Personal Data Protection Act |
Decided: | 27.06.2022 |
Published: | |
Parties: | Speedy AD; The Bulgarian Data Protection Authority (CPDP) |
National Case Number/Name: | 6307/27.06.2022 |
European Case Law Identifier: | |
Appeal from: | Administrative Court of Sofia-city № 5111/ 6.08.2021 |
Appeal to: | Not appealed |
Original Language(s): | Bulgarian |
Original Source: | Supreme Administrative Court (BAC) (in Bulgarian) |
Initial Contributor: | Marieta Gencheva |
The Bulgarian Supreme Administrative Court confirmed the fine of 3000 Leva imposed on Speedy AD for delivering a parcel to a person other than the receiver, thereby unlawfully disclosing the recipient's data to a third person.
English Summary
Facts
A data subject filed a complaint with the Bulgarian DPA because a courier, Speedy AD (the controller), had delivered a parcel addressed to them to another person, who was located at the address and was not the addressee.
On 04.09.2021, a parcel was prepared and sent to the data subject. The parcel contained a form letter with personal data (two names, an address and a telephone number) in connection with an organised service action for the data subject's car.
On the same date, the data subject informed the controller that they did not reside at the address indicated for delivery, and did not indicate a new address for redirection of the shipment. The parcel was delivered by a courier of Speedy AD on 5.09.2019, despite a timely phone call from the addressee on 4.09.2019 that they did not live at the address. It was delivered to an unknown person who signed instead of the data subject. The employee of the controller did not perform identity verification and did not reflect this properly in the system of the controller.
Holding
The Bulgarian Supreme Administrative Court (ВАС) finds that the data on the bill of lading and in the shipment - two names, mobile phone number, address of previous residence, the capacity of the data subject as the owner of a specific and individualized vehicle, constitute personal data. The acts of receiving, storing and transmitting personal data in the context of the delivery of a shipment constitute processing of personal data.
The statutory requirement that postal items be provided to recipients in person constitutes a measure to protect the personal data subject in order to verify the identity of the recipient and to ensure the lawfulness of the processing of personal data as a response to the obligations of the controller to put in place appropriate technical and organisational measures within the meaning of Articles 24 and 25 GDPR.
The Bulgarian Data Protection Authority (CPDP) found a breach of Article 5(1)(a) GDPR and Article 5(1)(f) GDPR since the personal data of the data subject were disclosed to a third person without legal grounds. For this violation, the DPA fined the controller 3000 Leva. The CPDP also found a violation of Article 32 GDPR since the controller did not implement the measures necessary to prevent such disclosure. Under Article 58(2)(d) GDPR, Speedy AD was ordered to bring its personal data processing operations into compliance with the provisions of the GDPR and, for this purpose, to conduct training of its employees and the employees of subcontractors who process personal data on behalf of Speedy AD; a 6-month deadline for compliance with the order was set. The Administrative Court of Sofia-city dismissed the appeal against the decision of the CPDP.
The Bulgarian Supreme Administrative Court (ВАС) confirmed that, by holding that there had been a breach of the principle of legality and good faith within the meaning of Article 5(1)(a) and (f) GDPR, the Administrative Court of Sofia-city gave a substantively lawful judgment which should be upheld. The failure to apply appropriate technical and organisational measures resulted in access to personal data by a third party without a legal basis; therefore the imposed coercive administrative measure and the sanction of BGN 3000 are justified and lawful.
English Machine Translation of the Decision
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.
The proceedings are under Art. 208 et seq. of the APC. It was formed on the cassation appeal of "Speedy" AD against rejection decision No. 5111/ 6.08.2021 according to the inventory of the Administrative Court of Sofia-city. Requests the annulment of the decision due to material illegality, unreasonableness and in case of substantial violations of the rules of judicial procedure, annulment of the decision of the CPLD or reduction of the penalty.
The shipment has been accepted by a person who has indicated that they are the correct addressee, with details that have been specified by the sender for the recipient. "Speedy" JSC is not responsible for the lawful processing of personal data that may be contained in the shipment, in what sense are the reasons of the court. There is absolutely no evidence that the shipment contains personal data. The complainant has the capacity of controller only for personal data that is on the waybill but not in the shipment. It is not clear whether for the court the operator is obliged to identify the recipient, given the General Terms and Conditions and instructions of "Speedy" JSC. There is no evidence that the courier "made it appear" to the bill of lading that the shipment was received by the addressee. In the ordinary courier service, the courier does not require an identity document of the recipient and delivers the shipment upon an express reply from the person that it corresponds to the data on the bill of lading. The shipment was received by a person who identified himself as "Sotirova". The case file contains a response from the sender, according to which the shipment does not contain personal data, but advertising material. The copy of the bill of lading for the consignee has personal data and telephone number deleted, and only a delivery address is present, which does not constitute personal data. Only a copy of the bill of lading intended for the operator's employee has personal data.
The objections regarding the individualization of the punishment have not been discussed at all.
The defendant, the Commission for the Protection of Personal Data, contests the cassation appeal. He claims that the decision is correct, since "Speedy" JSC is the controller of personal data both on the bill of lading accompanying the shipment and in the shipment itself, and therefore a violation has been committed regarding the acceptance, storage and transmission of personal data in the context of the assigned delivery of shipment. "Porsche Inter Auto BG" EOOD and "Rapido Express and Logistics" EOOD does not express an opinion. V. Sotirova does not express an opinion. The representative of the Supreme Administrative Prosecutor's Office gives a conclusion that the cassation appeal is groundless.
The Supreme Administrative Court, fifth department, taking into account that the cassation appeal was submitted within the period under Art. 211, para. 1 APC, on its part, finds the same admissible. Considered in substance, it is unfounded for the following reasons:
The subject of judicial review for legality before the court of first instance on the appeal of "Speedy" AD is Decision PPN-01-1560/1.04.2021 of the Commission for the Protection of Personal Data (CPDP), with which on the basis of Art. 42, para. 1 (ed. SG No. 81/2011) of the Personal Data Protection Act (PDPA), a property sanction of BGN 3,000 was imposed on "Speedy" AD for violation of Art. 5, par. 1, b. "a", propositions 1 and 2 and b. "e" from Regulation 2016/679/ as of 5/09/2019 upon delivery of a shipment with waybill No. 60728765359, as per Art. 58, par. 2, b. "d" of the Regulation, "Speedy" AD is ordered to comply with the operations of processing personal data with the provisions of the Regulation, for the purpose of conducting training for its employees and the employees of the subcontractors who process personal data on behalf of "Speedy" AD, a 6-month deadline was set for the execution of the order, and with item 4 a monetary penalty of BGN 3,000 was imposed on the basis of item 1 of the decision and art. 83, par. 5, b. "a" top par. 2 and par. 3 and Art. 58, par. 2 b. "and" from Regulation /EC/2016/679.
In order to reject the appeal with decision No. 5111/ 6.08.2021 according to administrative order No. 4651/ 2021 according to the inventory of the ASSG, the court of first instance accepted that the decision of the CPLD was issued by a competent authority, in the form prescribed by law and in accordance with the powers under Art. 38, para. 2 of the Labor Code. CPLD was referred with a complaint by V. Sotirova, on which a file was created, an inspection was carried out and an administrative act was issued.
On 09/04/2021, "Porsche Inter Auto BG" EOOD applied for delivery of a shipment with waybill No. 32534915 to "Rapido Express and Logistics" EOOD, in which the shipment contained a letter with a form, the letter containing personal data - two names, address and telephone number on the occasion of an organized service action. With the letter, "Porsche Inter Auto BG" EOOD informs V. Sotirova that the motor vehicle owned by her is subject to a service action for the replacement of the passenger airbag. The court accepts that the data on the bill of lading and in the shipment - two names, mobile phone, address of previous residence, the status of V. Sotirova as the owner of a specific and individualized motor vehicle - constitute personal data.
The actions of receiving, storing and transmitting personal data in the context of the assigned delivery of a shipment by "Rapido Express and Logistics" EOOD, constitute those of personal data processing. In the case, it was established that during the delivery of a shipment assigned by "Rapido Express and Logistics" EOOD with the above-mentioned bill of lading, intended for V. Sotirova, "Speedy" JSC through its employee committed a violation of par. 5, para. 1, b. "a" pr. first and second, b. "is" from Regulation 2016/679, because the shipment was delivered to a person other than its recipient, and the shipment was given the appearance that it was received personally by V. Sotirova. The principles of legality and good faith have been violated. This is because on September 4, 2021, V. Sotirova notified "Speedy" JSC that she does not reside at the address specified for delivery, and does not specify a new address for forwarding the shipment. According to the Work Instructions under item 3, if the address is wrong, the courier is obliged to notify the sender of the bill of lading and follow his instructions. However, an employee informs her that an inspection will be carried out, and a day later she receives a call back that the package has already been delivered. The shipment was delivered on 5/09/2019, however, to an unknown person. The court accepts that the personal data were not processed in a way that would ensure an appropriate level of personal data security, appropriate technical and organizational measures were not implemented, there is no data on personal data processing rules. A violation of the principle of integrity and confidentiality was also admitted. It indicates that even a telephone number on the bill of lading is sufficient to accept the processing of personal data. The court accepts that the prescription is lawful, as well as the imposed sanction.
The decision is correct. In compliance with Art. 35 and 36 of the APC, all circumstances relevant to the dispute have been clarified by the Commission for the Protection of Personal Data. On page 126 is attached the letter of "Porsche Inter Auto BG" EOOD to the addressee, which contains two names - V. Sotirova, address Sofia, [street] [tel. number]., as on p. 127 is attached ref. waybill 60728765359 with the consignee's names, address and telephone number, issued by "Meiling Porsche Sofia West". Attached on page 137 is the bill of lading drawn up by "Rapido Express and Logistics" EOOD, generated in the system of "Speedy" JSC through integration, which allows the generation of bill of lading 60728765359 with the relevant personal data. The parcel was delivered by a courier of "Speedy" JSC on 09/05/2019, despite the timely telephone call from the addressee on 09/04/2019 that he does not live at the specified address. It was handed over to an unknown person who signed instead of V. Sotirova, and this fact was proven by a graphological examination.
"Speedy" AD is an independent administrator of personal data and meets the definition under Art. 3, para. 1 and para. 2 (repealed) of the Labor Code, in its relevant version, as well as of the current Art. 4, para. 7 and para. 8 of Regulation (EU) 2016/679. Within the scope of providing one service (in this case postal service), it is possible for the relevant person to have the status of a personal data administrator in some actions/operations, and in others to have the status of a personal data processor. The postal operator operates under the conditions of strict and comprehensive legal regulations such as the Postal Service, which is why it does not have the status of a processor, but of an independent administrator of personal data. The postal operator is tasked with carrying and delivering a specific parcel which may or may not contain personal data.
According to Art. 6, para. 3 of the ZPU, postal items are delivered personally to the recipients, in their mailboxes, at post offices, and the conditions for delivery are determined by general rules prepared by the KRS. In this case, the shipment traveled with the courier service "city courier - 1 day", with the additional service "return receipt" at the expense of "Rapido Express and Logistics" EOOD. According to the General Terms and Conditions of the postal operator, an additional "reference" service requires verification of the recipient's identity, which is not the case here. A person other than the recipient may receive the shipment, according to the General Terms and Conditions, against a signature and an identity document provided, and the three names of this person are entered in the company's official documents. The courier delivered the parcel according to "usual rules of the industry" to a person who was at the address and was not the addressee, but without performing an identity check, without properly reflecting this in the system of "Speedy" JSC / l. 161 letter of "Speedy" AD to CPLD/.
The claim of the postal operator that there is no personal data of the recipient such as names and address on the parcel itself is not supported by any evidence and is only alleged. But to be a personal data administrator, it is enough that the accompanying documents such as the bill of lading, the sender's copy, contain names, mobile phone, address and this constitutes processing of personal data as an act of receiving, storing and transmitting personal data. The law's requirement that postal items be delivered personally to the recipients is a measure to protect the subject of personal data in order to verify the identity of the recipient and ensure the lawfulness of the processing of personal data as a response to the controller's obligations to introduce appropriate technical and organizational measures under the meaning of Art. 24 and Art. 25 of the Regulation.
As can be seen from the attached Courier Work Instructions, the courier identifies the recipient natural person only by requesting the name and surname of the recipient at the address and checking the name and surname with those in the Shipment Inventory, which does not guarantee delivery of the parcel to the recipient personally. Having accepted that there has been a violation of the principle of legality and good faith in the sense of Article 5, paragraph 1, paragraph 1, b."a" and b."e" of Regulation /EC/ 2016/679 of the CPLD the court has rendered a materially lawful decision, which should be upheld. The failure to implement appropriate technical and organizational measures has the consequence of access to personal data by a third party without a legal basis, which is why the enforced administrative measure and the imposed sanction of BGN 3,000 are justified and lawful.
Given the outcome of the case, the actions taken by the defendant in the cassation appeal CPLD expenses in the amount of a legal consultant's fee should be respected. The same was requested with the response to the cassation appeal on Article 32 of the case and is due, according to Art. 143, para. 3 and Art. 78, para. 8 in accordance with Art. 37, paragraph 1 of the ZPP in conjunction with Art. 24 of the Ordinance on the payment of legal aid and is due at the discretion of the court in the amount of BGN 200, given the factual and legal complexity of the dispute.
Based on the above and on the basis of Art. 221, para. 2, ex. first of the APC, the Supreme Administrative Court, fifth department, DECIDES:
REMAINS IN FORCE decision No. 5111/ 6.08.2021 according to administrative order No. 4651/ 2021 according to the inventory of the ADMINISTRATIVE COURT SOFIA- CITY.
ORDERS "SPEEDY" JSC to pay to the COMMISSION FOR THE PROTECTION OF PERSONAL DATA the expenses incurred in the case in the amount of 200/ two hundred BGN/ BGN, representing a legal consultancy fee.
The decision is final.