CPDP (Bulgaria) - PPN-01-223/2021, PPN-01-307/2021, PPN-01-296/2021

From GDPRhub
Authority: CPDP (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 12.03.2021
Decided: 26.01.2023
Published:
Fine: 25,000 BGN
Parties: n/a
National Case Number/Name: PPN-01-223/2021, PPN-01-307/2021, PPN-01-296/2021
ППН-01-223, ППН-01-307, ППН-01-296
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Bulgarian
Original Source: Commission for Personal Data Protection (in BG)
Initial Contributor: lm

The DPA found that a political party lacked a legal basis when it listed data subjects, without their knowledge or consent, as supporters of the party for an election registration. It issued a €12,770 (25,000 BGN) fine.

English Summary

Facts

On April 4, 2021 -- the date on which elections were held for the Bulgarian National Assembly -- one political party (the controller) registered for participation on the basis of an application that included a list with the full names, unique civil numbers and handwritten signatures of 2951 voters supporting the registration of the party.

The Bulgarian DPA (CPDP) received a number of complaints around the time of the election from data subjects alleging that the controller was unlawfully processing their personal data by including them in a list of persons supporting the registration of the political party to participate in the 2021 elections. The processed data included their names and unified civic numbers attributed to their political party. The data subjects did not sign up in support of the registration, nor did they give consent for the processing of their personal data for this purpose.

The political party provided some documents in response to the complaints, but the CPDP noted a lack of adequate participation from the controller, who failed to submit the requested evidence. It did not challenge the data subjects’ allegations or provide a statement on the matter. In one of the few documents provided, the controller stated (without evidence) that the lists of persons supporting the registration of the party in electoral processes are collected and processed by members of the party without their intentional authorisation and purpose. After the data is transmitted to the Central Election Commission, it is destroyed using a shredder and on the computer. The controller claimed to have trained all its members to process personal data in accordance with the GDPR.

Holding

The CPDP found that the controller lacked a legal basis under Article 6(1) GDPR and infringed the accountability principle of Article 5(2) GDPR. It issued a €12,770 (25,000 BGN) fine.

The CPDP found no applicable legal basis in this case. It noted that the controller did not produce any evidence of a legal basis for processing the data. Rejecting legitimate interest as a legal basis, the CPDP considered that the interest of a political entity in participating in elections does not override the interest of the affected data subject whose data is included in the list without their consent. There was also no legal obligation in this case. The processing of personal data in the electoral process is permissible and strictly regulated by the Electoral Code. However, as the CPDP has noted in its guidance on the topic, the performance of the statutory obligation only arises when a data subject has given their consent to support the party’s registration and appear on the list of voters.

The controller's inability to demonstrate a legal basis constituted an infringement of Article 5(2) GDPR's accountability principle. In addition, the CPDP noted that there was no basis or mechanism for verifying the accuracy of the data entered in this case, further indicating an Article 5(2) GDPR violation. The CPDP states that the verification of individuals' identity should be set out in specific instructions of the controller, which is obligated under Article 24 GDPR to put in place organisational measures ensuring processing is carried out in accordance with the GDPR. In this case, the CPDP assumed that such measures or internal rules did not exist. It noted no evidence of control on the part of the controller, given that the controller did not provide the requested information.

The CPDP imposed a monetary sanction on the controller. It considered a number of aggravating circumstances, including the failure of the controller to cooperate and the consequences on the data subjects’ rights relating to their participation in the electoral process as a result of the violation. The CPDP also noted that this was not the controller’s first violation – the political party had been previously sanctioned for identical infringements.


English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.

Decision on Complaint No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021

DECISION

No. PPN-01-223/2021

Sofia, 26.01.2023

The Commission for Personal Data Protection (CPDP), composed of Chair: Ventsislav Karadjov and members: Tsanko Tsolov, Maria Mateva, and Veselin Tselkov, in a session held on 09.11.2022, based on Article 10, Paragraph 1 of the Personal Data Protection Act, respectively Article 57, Paragraph 1, letter “e” of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data (Regulation, GDPR), considered on the merits the complaints No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, filed respectively by D. An., D. Al. and R. M.

The administrative proceedings are according to Article 38 of the Personal Data Protection Act (PDPA).

The CPDP was approached with complaint No. PPN-01-223/12.03.2021, filed by D. An. against the political party ****** with allegations of unlawful processing of his personal data by including it in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.

The complainant claims that he discovered the violation after checking electronically with the Central Election Commission, the result of which is attached. He declares that he did not sign in support of the political entity's registration and did not give his consent for processing his personal data for this specific purpose.

A complaint with identical content was also filed by Mr. D. An. to the Central Election Commission. The complaint was forwarded to CPDP for review by jurisdiction, along with relevant evidence—a copy of Decision No. *** of the CEC and a copy of page *** from the list of voters supporting the registration of the political entity for participation in the parliamentary elections on 04.04.2021. It was registered under No. PPN-01-242/18.03.2021 in the CPDP's records.

The CPDP was approached with complaint PPN-01-307/09.04.2021 filed by D. Al. and complaint PPN-01-296/05.04.2021 filed by R. M. against the same legal entity—PP ******, with identical allegations of unlawful processing of their personal data by including it in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021. The complaints are accompanied by photocopies of checks current as of 07.04.2021 and 04.04.2021 on the website https://www.cik.bg/bg/ns2021/podpiski, performed based on lists submitted by 38 political parties, coalitions, and initiative committees, showing the complainants' personal data present on page ***, row ***, and page ***, row *** from the list of individuals supporting the registration of PP *** for participation in the parliamentary elections held on 04.04.2021.

Given the principles of equality of parties and truth in administrative proceedings, the political party ****** was informed of the filed complaints, and it was indicated that they could submit a written statement on the allegations in the complaints. Relevant evidence was requested regarding the lawful processing of the complainants' personal data, a certified copy of internal rules and/or Data Protection Policy regarding the processing of personal data by the political party in the electoral process, technical and organizational measures taken for data protection, instruction, order, or other act for training party representatives for collecting personal data in the electoral process, as well as information and results from internal checks performed on the case if such were assigned. The political entity did not actively participate in the proceedings, and the requested evidence was not provided. The complainants' claims were not disputed, and no statement on the subject matter of the complaints was engaged.

To clarify the case factually, copies of pages ***, row ***; ***, row ***; and page ***, row *** from the list of individuals supporting the registration of the political party ****** for participation in the parliamentary elections held on 04.04.2021 were requested from the CEC and provided in response.

The CPDP is an independent state body that protects individuals when processing their personal data, accessing such data, and controlling compliance with PDPA and GDPR.

To exercise its powers, the CPDP must be duly approached.

The complaints contain the required details specified in Article 28, Paragraph 1 of the Rules of Procedure of the CPDP and its administration—information about the complainants, the nature of the request, date, signatures, the indicated passive legitimized party, and the date of awareness of the violation, making them regular.

The subject of the complaints are allegations of unlawful processing of the complainants' personal data—names and personal identification numbers—by the political party ****** by including them in the list submitted to the CEC of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.

The complaints are filed by natural persons with a legal interest against a duly authorized party—data controller. According to the file data, including a check result from the CEC, the complainant Mr. D. An. learned of the alleged violation on 05.03.2021, Ms. D. Al. on 07.04.2021, and Mr. R. M. on 04.04.2021. Given the statutory deadlines for registration of participants in the electoral process and considering the CPDP was approached with the complaints respectively on 12.03.2021, 09.04.2021, and 05.04.2021, just days after discovering the alleged violations, it is concluded that the complaints were filed within the timeframe of Article 38, Paragraph 1 of PDPA. The CPDP is competent to make a decision—the CPDP, according to its powers under Article 10, Paragraph 1 of PDPA in connection with Article 57, Paragraph 1, letter “e” of Regulation (EU) 2016/679, reviews complaints against acts and actions of data controllers that violate data subjects' rights related to personal data processing, without the exceptions under Article 2, Paragraph 2, letter “c” and Article 55, Paragraph 3 of Regulation (EU) 2016/679, given that the case does not concern activities carried out by a natural person in the course of purely personal or household activities and/or activities carried out by courts in the performance of their judicial functions.

The conditions of Article 32 of the Administrative Procedure Code (APC) for consolidating and reviewing the complaints in one administrative proceeding are met, given that the parties' rights and obligations arise from the same factual situation, are filed against the same entity, and fall under the competence of the same administrative body—CPDP.

For these reasons and considering the lack of negative preconditions specified in Article 27, Paragraph 2 of APC, the complaints were accepted as admissible during the CPDP's session held on 08.09.2021 and consolidated for review in one administrative proceeding based on Article 32 of APC. The complainants: D. An., D. Al., and R. M., and the respondent—political party ******, were constituted as parties in the proceedings.

To clarify the case legally and factually, handwriting expertise of the signatures on ***, row ***; ***, row ***; and page ***, row *** from the list of voters supporting the registration of the political party ****** for participation in the parliamentary elections held on 04.04.2021 was permitted. During the proceedings, the complainants were informed of the possibility to provide comparative material for the expertise to establish the authenticity or non-authenticity of the signatures in the list submitted to the CEC of individuals supporting the registration of the political party for participation in the elections held on 11.07.2021. Comparative material was provided by all three complainants and sent to the National Institute of Criminology (NIC).

Graphical expertise was prepared, reflected in Protocol No. *** of 13.06.2022, Protocol No. *** of 13.06.2022, and Protocol No. *** of 11.08.2022 in the NIC records, sent to CPDP with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022, and PPN-01-307#13/15.08.2022, concluding that the signatures subject to the expertise were not made by the complainants D. An., D. Al., and R. M.

A public session for reviewing the complaints on the merits was scheduled for 09.11.2022 at 1:00 PM, for which the parties were duly notified. A copy of the expertise was sent to the parties for review and opinion, with instructions on the distribution of the evidentiary burden in the process. No objections to the expertise were submitted, no additional evidence was engaged, and no requests regarding the evidence were made.

To clarify the case factually, additional evidence was requested from the respondent for lawful processing of the complainant's personal data, certified copies of internal rules and/or Data Protection Policy regarding the processing of personal data by the political party in the electoral process, technical and organizational measures taken for data protection, instruction, order, or other act for training party representatives for collecting personal data in the electoral process, as well as information and results from an internal check performed on the case if such was assigned. The requested evidence was not provided.

With a laconic statement dated 08.11.2022, without attached evidence, exhausting the respondent's activity in the process, it was stated that the lists of individuals supporting the party's registration in the electoral process are collected and processed by party members without their explicit authorization for this purpose. It was clarified that once the data was handed over to the CEC, “they were shredded and destroyed on a computer.” It was claimed that the party had trained all its members on data processing, and they were familiar with GDPR.

At the session held on 09.11.2022, the complaints were reviewed on the merits.

The parties, duly notified, did not appear and were not represented.

As an administrative body and in connection with the need to establish the truth in the case, a fundamental principle in administrative proceedings, according to Article 7 of APC, requiring the existence of established actual facts and considering the gathered evidence and raised claims, the commission accepts that complaints No. PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, are well-founded.

The subject of the complaints are allegations of unlawful processing of the complainants' personal data—names and personal identification numbers—by the political party ****** by including them in a list of individuals supporting the registration of the political entity for participation in the parliamentary elections held on 04.04.2021.

It is well known that parliamentary elections were held on 04.04.2021. With Decision No. 2084-NS/17.02.2021 of the CEC, the political party ****** was registered to participate in the elections based on an application submitted on 15.02.2021, registered under No. ** in the party register for participation in the parliamentary elections. A list containing the full names, personal identification number, and handwritten signature of 2951 voters supporting the party's registration was presented with the registration application, the same personal data being sufficient for the unambiguous identification of individuals.

The gathered evidence, particularly the materials provided by the CEC, indicates that the complainants' personal data D. An., D. Al., and R. M., in the volume of full names and personal identification number, are present respectively on page ***, row ***, page ***, row ***, and page ***, row *** from the list of voters supporting the registration of the political party ****** for participation in the mentioned elections.

Providing personal data by a political entity to the CEC for party registration to participate in the elections is a form of data processing and must comply with the provisions of Regulation (EU) 2016/679, particularly Article 6, Paragraph 1 of the regulation, applicable since the data was provided on 15.02.2021.

The complainants' claims for unlawful processing of their data by PP ****** for registering the political entity to participate in the 04.04.2021 elections are well-founded. The conclusions of the graphical expertise, reflected in Protocol No. *** of 13.06.2022, Protocol No. *** of 13.06.2022, and Protocol No. *** of 11.08.2022 in the NIC records, sent to CPDP with accompanying letters PPN-01-296#12/20.06.2022, PPN-01-223#19/20.06.2022, and PPN-01-307#13/15.08.2022, conclude that the signatures subject to the expertise were not made by the complainants D. An., D. Al., and R. M. This indicates that the processing of the complainants' personal data was done without their consent—a specific and informed declaration of intent under Article 4, Paragraph 11 of the Regulation.

In this case, none of the other conditions listed in Article 6, Paragraph 1 of the Regulation are present, as there is no evidence to the contrary, nor is such claimed by the respondent. Despite the respondent's legal opportunity and instructions related to the distribution of the evidentiary burden in the process, the controller—PP ******, did not engage evidence for the legality of processing the complainants' personal data for the specific purpose. There is no evidence to substantiate the applicability of Article 6, Paragraph 1, letter “b” of GDPR—existence of a contract between the parties requiring the processing of the complainants' personal data by the political party or for taking steps at the data subject's request before concluding the contract. The grounds under Article 6, Paragraph 1, letters “c” and “d” of GDPR are irrelevant—they apply in other, different and incompatible scenarios involving data processing for protecting vital interests related to the life and health of the data subject, performing a task in the public interest, and exercising official authority not delegated to political parties.

The hypothesis of Article 6, Paragraph 1, letter “e” of the Regulation is inapplicable—the controller's interests are not paramount to the interest of the affected individual whose data is included in the list submitted to the CEC without their consent, as it is undeniable that the latter's interest takes precedence over the political entity's interest in participating in the elections. There is also no legal obligation for processing by the controller since the participation of political parties in the electoral process is a legal opportunity that must be realized in compliance with statutory rules, particularly those in the field of personal data protection under Article 133, Paragraph 4 of the Electoral Code.

Processing personal data in the electoral process is permissible and strictly regulated. The Electoral Code contains specific rules regarding data processing in the electoral process, such as processing purposes, data categories, and more. In this regard, even though the complainants' data was processed in a statutory procedure, the fulfillment of statutory obligations, respectively, the realization of the data controller's legitimate interests—in this case, the political party—arise only if the individual whose data is included in the list of voters supporting the party's registration for participation in the elections has given their consent for such support. However, if this prerequisite is not present, the political entity cannot use the individual's personal data to realize its legitimate interests in the electoral process. This is also in line with the joint guidelines adopted by the CEC and CPDP regarding data processing and protection in the electoral process. The document, published on 12.02.2021 and available on the CPDP's website at https://cpdp.bg/%d1%83%d0%ba%d0%b0%d0%b7%d0%b0%d0%bd%d0%b8%d1%8f-%d0%bd%d0%b0-%d1%86%d0%b8%d0%ba-%d0%b8-%d0%ba%d0%b7%d0%bb%d0%b4-%d0%be%d1%82%d0%bd%d0%be%d1%81%d0%bd%d0%be-%d0%be%d0%b1%d1%80%d0%b0%d0%b1%d0%be%d1%82/ provides detailed explanations on the legal framework for data protection and the rights and obligations of all participants in the electoral process—political parties, coalitions, initiative committees, candidates, representatives, observers, media representatives, and election commissions in various types of elections. The guidelines aim to facilitate participants in the electoral process and prevent violations.

Given the above arguments and gathered evidence, it is concluded that the complainants' personal data was processed by including it in the list of individuals supporting the political entity's registration for participation in the parliamentary elections held in the Republic of Bulgaria on 04.04.2021, in violation of Article 6, Paragraph 1 of GDPR, without meeting any of the conditions listed in the provision, thus violating the data subject's rights who approached the CPDP.

GDPR and PDPA obligate the controller to process personal data lawfully, without allowing, with the risk of administrative liability, data misuse, much less allowing the possibility of including others' personal data in lists compiled by party representatives and used by the party in the electoral process. Conversely, misinterpreting the law contradicts both the letter and spirit of the law and creates uncertainty in data processing and grounds for misuse in an area affecting not only individuals approaching the CPDP but society as a whole, as it concerns state governance and citizens' ability to participate in it by their will, without it being manipulated through the use of their personal data without their knowledge and consent.

In the context of complaints and the electoral process, this responsibility includes unambiguously identifying the individual entering the data, as the person before whom they are submitted certifies with their signature under the list that the data were entered before them and by the individual they pertain to. There is no legal ground and mechanism for verifying the accuracy of entered data and the individual's identity. For instance, it is permissible and not prohibited by law to present an identity document or another document with a photo and full names to the person before whom the signatures are placed, just for reference, to verify the voter's identity. Undoubtedly, the methods for verifying individuals' identity should be reflected in specific guidelines, orders, or other acts of the controller, as part of its obligation to implement organizational measures under Article 24 of GDPR, taking into account the nature, scope, context, and purposes of processing, as well as risks with varying probability and severity for individuals' rights and freedoms, to ensure and be able to prove that processing is conducted in accordance with GDPR. In this case, it should be accepted that such measures, rules, and controls concerning the collection and use of personal data in the electoral process are absent, as despite specific requests to the controller, it has not provided internal rules and/or Data Protection Policy regarding the processing of personal data by a political party in the electoral process, technical and organizational measures for data protection, instruction, order, or another act for training party representatives for collecting personal data in the electoral process. 
The gathered evidence also indicates a violation of Article 24 of GDPR by the controller, as well as a violation of the "accountability principle" under Article 5, Paragraph 2 of GDPR, given that the controller cannot prove that data processing complies with the principles set out in GDPR, with measures taken by it—training, instructions, internal rules, orders, etc. There is also no evidence of control, prior and subsequent, by the controller, given that the political party has expressly been requested, but has not provided information and results from an internal check performed on the case, nor information that such was assigned to establish the reasons, omissions leading to the violation under Article 6, Paragraph 1 of GDPR.

Considering the nature of the established violation of Article 6, Paragraph 1 of GDPR, the commission deems that corrective measures under Article 58, Paragraph 2, letters “a”, “b”, “c”, “d”, “e”, “f”, “g”, “h”, and “j” of the Regulation are inapplicable and impractical in this case, given the severity of the violation and the fact that it is completed. Given the severity of the violation and the fact that it is completed and recurrent for the controller who has been issued a mandate, the commission deems it appropriate, effective, and deterring to exercise corrective power under Article 58, Paragraph 2, letter “i” of GDPR—imposing a financial penalty. The controller must be familiar with the law and comply with its requirements, especially as it owes the necessary care provided in the law and arising from its subject of activity, personnel, and economic resources.

There are no mitigating circumstances for determining the penalty's amount. The circumstances under Article 83, Paragraph 2, letters “b” and “i” of the Regulation are irrelevant since it concerns a controller—a legal entity that does not form guilt, and at the time of the violation, approved codes of conduct or approved certification mechanisms were not introduced.

As aggravating circumstances should be qualified: the rights of three individuals were violated; the violations are completed; the controller did not cooperate with the CPDP to clarify the case; personal data of individuals, including the personal identification number, were processed, and as a result of the registration, the complainants' rights related to electoral legislation and their participation in the electoral process were restricted; the violations were brought to the CPDP's attention as a result of complaints from the affected individuals.

It is also relevant that the violation is not the first for the controller. The political party has been sanctioned for an identical violation—processing personal data in the electoral process without a legal basis, with the following decisions being final: Decision No. J-420#6/21.11.2016, with a sanction of 15300 BGN, Decision No. J-60#8/19.10.2018, with a sanction of 10000 BGN, and Decision PPN-01-1672/07.10.2020, with a sanction of 2500 BGN.

It should be noted as an aggravating circumstance that the personal data of complainant D. Al. has been unlawfully processed again by the political party concerning its participation in the electoral process. In 2017, Ms. D. Al. approached the CPDP with a complaint (J-85/20.02.2017) for misuse of her personal data by the political party ****** for registering the political party to participate in the parliamentary elections held in 2017. An expertise appointed on the case established that the signature in the voter list was not made by Ms. D. Al., and her complaint was accepted by the CPDP as well-founded, and the party was sanctioned with a final Decision No. J-60#8/19.10.2018, with a sanction of 10000 BGN.

The violation is also recurrent concerning the complainant D. An., who approached the CPDP with a complaint (J-624/17.10.2016) against the political entity for an identical violation, misuse of his personal data for the party's registration for participation in the presidential and vice-presidential elections in the Republic of Bulgaria held on 06.11.2016. After an expertise, Mr. D. An.'s complaint was accepted as well-founded, and a financial sanction of 15300 BGN was imposed on the political entity, as stated in the final Decision No. J-420#6/21.11.2016 of the CPDP.

For these reasons, the commission considers that given the principle of proportionality between the severity of the violation and the penalty's amount, the imposed financial sanction on the political party ****** should be 25000 BGN—an amount well below the average minimum provided in the Regulation for this violation. Considering the penalty's purpose, which should have a deterring and warning function, the nature and severity of the violation, the public relations it affects, the categories of affected personal data, the commission considers that the exercised power in type and amount undoubtedly meets the effectiveness and deterrent effect sought by PDPA and Regulation 2016/679 while not violating the principle of proportionality and the requirement for proportionality.

Regarding the established violations of Article 24 and Article 5, Paragraph 2 of GDPR, the commission deems it appropriate to issue a mandate under Article 58, Paragraph 2, letter “d” of GDPR to the controller, namely to take technical and organizational measures for data protection, including training, immediately before each election, of the party representatives involved in collecting personal data in the electoral process; to present a Data Protection Policy compliant with the regulation, clearly outlining the rules for collecting and processing personal data, including in lists supporting the political entity's registration in the electoral process, and in collecting personal data of individuals supporting the party's registration for participation in referenda, and to implement a mechanism for ongoing and subsequent control and accountability in processing personal data.

It should be noted, however, that non-compliance with the commission's mandate within the specified period is subject to a sanction for non-compliance to ensure its effectiveness and the possibility of an additional sanction mechanism for monitoring and control of implementation. The aim is to achieve general prevention and proportional and lawful processing of personal data. Such mandates are effective as they are tied with corresponding sanctions for non-compliance, with the legislator providing that non-compliance with a final mandate of the supervisory authority shall be subject to an administrative penalty "fine" or "financial penalty" up to 20000000 EUR.

Based on the above and under Article 38, Paragraph 3 of the PDPA, the Commission for Personal Data Protection,

DECIDES:

1. Declares complaints PPN-01-223/12.03.2021, PPN-01-307/09.04.2021, and PPN-01-296/05.04.2021, filed respectively by D. An., D. Al., and R. M., as well-founded.

2. Under Article 83, Paragraph 5, letter "a", in connection with Article 58, Paragraph 2, letter "i" of Regulation (EU) 679/2016, imposes on the political party ****** a financial penalty of 25000 BGN (twenty-five thousand leva) for processing the complainants' personal data in violation of Article 6, Paragraph 1 of Regulation (EU) 2016/679.

3. Under Article 58, Paragraph 2, letter "d" of GDPR, and for violation of Article 24 and Article 5, Paragraph 2 of GDPR, issues a mandate to the political party ****** to take technical and organizational measures for data protection, including training, immediately before each election, of the party representatives involved in collecting personal data in the electoral process; to present a Data Protection Policy compliant with the regulation, clearly outlining the rules for collecting and processing personal data, including in lists supporting the political entity's registration in the electoral process, and in collecting personal data of individuals supporting the party's registration for participation in referenda, and to implement a mechanism for ongoing and subsequent control and accountability in processing personal data.

4. The deadline for implementing the issued mandate is three months from the decision's entry into force, after which to notify the commission of the implementation by presenting the relevant evidence.

The decision is subject to appeal within 14 days from its delivery through the Commission for Personal Data Protection before the Administrative Court Sofia – city.

Upon the decision's entry into force, the amount of the imposed penalty must be transferred via bank:

Bank BNB – CU, IBAN: BG18BNBG96613000158601, BIC BNBGBGSD

Commission for Personal Data Protection, BULSTAT 130961721.

CHAIRMAN: 
Ventsislav Karadjov /s/

MEMBERS:
Tsanko Tsolov /s/
Maria Mateva /s/
Veselin Tselkov /s/