CPDP (Bulgaria) - PNN-01-33/2022

From GDPRhub
Revision as of 16:28, 8 February 2023 by SR
CPDP - PNN-01-33/2022
Authority: CPDP (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 20.12.2022
Published:
Fine: 500 BGN
Parties: n/a
National Case Number/Name: PNN-01-33/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Bulgarian
Original Source: CPDP (in BG)
Initial Contributor: n/a

The Bulgarian DPA fined a doctor 500 Leva for a violation of Article 32 GDPR. The doctor had allowed her electronic signature to be used by others to access the vaccination status of a Member of the European Parliament. This information was later disclosed in a television programme.

English Summary

Facts

On 9 January 2022, the Bulgarian television programme 'This Sunday' broadcast a news report about the COVID-19 pandemic. The journalist presenting the programme, M.C., stated that the data subject, a Member of the European Parliament, had been vaccinated against COVID-19 on 19 August 2021 with the Janssen vaccine, despite having publicly opposed vaccination and COVID-19 restriction measures. As regards the journalistic source, it was not entirely clear how the journalists had obtained the information about the data subject's vaccination status.

The data subject filed a complaint with the Bulgarian DPA (date not disclosed) against the journalist M.C. and the media company Media EAD, which had broadcast the report. He stated that this data had been disclosed without his consent and without his knowledge, and that there had therefore been unlawful access to and dissemination of his personal data. The DPA also asked a doctor, who had supposedly accessed the data subject's vaccination status, to provide her side of the story. The doctor claimed that she had not accessed the data subject's vaccination status herself, but that someone else had used her electronic signature. She stated that other employees of the medical centre could also have used her signature to access the vaccination status.

The medical centre also took part in the proceedings. The clinic argued that three employees had access to the doctor's electronic signature and could have accessed the data subject's vaccination status: K.R., the head nurse; S.P., an employee of the human resources department; and lastly the doctor herself. According to the clinic, the head nurse was the one who recorded vaccinations in the electronic system using the doctor's signature. She was also the only one who had the electronic signature and the vaccination platform installed on her computer, which was located in her office.

The medical establishment concluded that the head nurse had abused her position.

Holding

First, the DPA held that the journalist, M.C., could not be regarded as a controller in this case. As a journalist, employee and presenter of the programme, she was a person acting under the authority of the controller within the meaning of Article 29 GDPR. The DPA determined that the controllers in this case were the doctor, M.M., and the media company, M. EAD. The DPA emphasised that they should be regarded as separate controllers, since there was no evidence that they jointly decided the means and purposes of the processing. Later in the decision, the DPA also determined that the medical establishment itself was a controller.

Second, the DPA confirmed that the information regarding the vaccination status of the data subject constituted health data in the context of Article 9 GDPR.

Third, the DPA assessed the processing conducted by the first controller, the media company, and stated that it was undisputed that this health data was disseminated for journalistic purposes. The Bulgarian DPA then referred to Article 1 of the Bulgarian PDPA, which states that processing personal data is lawful when carried out for the purpose of freedom of expression. Pursuant to Article 25h(3) of this law, Article 9 GDPR does not apply to the processing of personal data for journalistic purposes. The DPA held that, to be considered processing for the purpose of journalistic activity, the information must be of real public importance. To determine whether the dissemination of the information was lawful, a balancing exercise had to be carried out between the protection of personal data and the freedom of expression; the principle of data minimisation was also relevant here. In the present case, the DPA considered that the information was of real public importance. The data subject was a public figure as a Member of the European Parliament and therefore enjoyed a lower level of protection of his personal data. Next, the DPA confirmed that Article 9 GDPR was not applicable here because of the national law. The DPA also confirmed that in this case a balance had been struck between the freedom of expression and the right to data protection. Despite the fact that the disclosed data was health data processed without the knowledge and consent of the data subject, the DPA held that the processing was lawful. There was an overriding interest in the disclosure of this information, mainly because it showed that the data subject, who had publicly opposed vaccination and COVID-19 measures, was himself vaccinated despite urging others to the contrary. The information was also presented in a broadcast about the pandemic situation and served as an expression of the public's right to receive truthful, complete and comprehensible information.
The DPA also stated that the GDPR should not become a tool to manipulate the public and cover up the lies of the data subject. The processing was lawful and in accordance with Article 1 of the Bulgarian PDPA.

Fourth, the Bulgarian DPA assessed the conduct of the second controller, the doctor. It was undisputed that her signature was used to check the data subject's vaccination status. The signature had been issued to her in her personal capacity, and the medical establishment's internal procedures did not require the doctor to hand it over to other employees, so there was no reason to provide the head nurse with her signature. Unlike in the case of the media company, Article 9 GDPR was applicable to this controller's processing, which involved health data. In this regard, the Bulgarian DPA determined that the controller had shown 'gross negligence' with respect to the storage and use of her personal signature, which had resulted in unauthorised access to the data subject's health data. The doctor had not taken appropriate measures to ensure, and to be able to demonstrate, that personal data was processed in a GDPR-compliant way. The fact that this negligence concerned health data made the situation even worse. Since no measures had been implemented at all, the DPA determined that the doctor had violated Articles 32(1) and 32(2) GDPR. The DPA fined the doctor 500 Leva pursuant to Articles 83(4)(a) and 58(2)(i) GDPR.

Lastly, the DPA determined that the medical centre, being the third and last controller, had also violated Article 32 GDPR. The facility had allowed the practice of using electronic signatures for the processing of, and access to, sensitive health data. On the date of the breach, this controller had not established appropriate technical and organisational measures for the processing of sensitive personal data, nor was it able to show that it processed data in accordance with the GDPR. There was also a lack of training and supervision, which resulted in the violation of Article 32 GDPR. Because the controller had already addressed some of the identified issues, the DPA issued it a warning pursuant to Article 58(2)(b) GDPR.

Comment

To be updated

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.

DECISION
No. PNN-01-33/2022, Sofia, 20.12.2022
The Commission for Personal Data Protection (CPDP), composed of. 1 of the Personal Data 
Protection Act in conjunction with Article 57, § 1, point "f" of Regulation (EU) 2016/679 of the European 
Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the 
processing of personal data and on the free movement of such data (the Regulation, GDPR), examined 
the merits of complaint No. PPN-01-33/17.01.2022.
The administrative proceedings are under Article 38 of the Personal Data Protection Act (PDPA).
The Commission for Personal Data Protection was referred to the complaint PPN-01-33/17.01.2022, 
filed by N.D. against Media EAD (M. EAD) and M.C., in her capacity as a journalist at the media outlet, 
alleging unlawful access to a special category of personal data relating to his state of health and, in 
particular, his vaccination status, and their dissemination through a report in the television programme 
"This Weekend", broadcast on the air of the media outlet on 09.01.2022 at 09:30, repeated the same 
evening in the central news broadcast of the television outlet, at 19:00, as the first leading news item.
The complainant claims that in the course of the report the journalist M.C. "disclosed on air 
personal health data" of four MPs from the political party "V.", including his own, including: the date and 
the specific type of drug injected into the individuals. He is categorical that the data were disseminated 
without his knowledge and consent, and that there was no such consent with regard to the other three 
MPs.
Mr. N.D. claims that Ms. M.C. stated on air that she had access to "this type of health personal 
data of all MPs of the V. Party", and she also announced the exact number of persons with medical 
manipulations performed.
He considers that there has been unlawful access and dissemination of his personal data and asks 
the CPD to investigate the case and identify the original source of the information. He asks that, if the CPD 
considers it necessary, this information be addressed to the Public Prosecutor's Office and the relevant 
regulatory authorities. He asks for an injunction to 'immediately stop' the alleged infringement, insofar as 
the material was repeated several times in the news broadcasts of the media on 09.01.2022 and 10.01.2022, 
and its use by the media, in various television programmes broadcast within its programme, continued as 
of 13.01.2022.
No evidence is attached to the complaint, a link to the material originally broadcast on the air of 
the media is provided.
Evidentiary motions were made: for the admission, for the purpose of giving explanations, of each 
of the four MPs whose personal data had been disseminated and for the request for explanations from 
M.C. as to the source of the information. The latter request made in the complaint is inadmissible under 
the provision of Article 25h(4) of the PDPA according to which "The exercise of the powers of the 
Commission under Article 58(4) of Regulation (EU) 2016/679 may not lead to the disclosure of the 
secrecy of the source of the information".
On 18.01.2022, in the interest of clarifying the actual facts relevant to the case, a screen print was 
made of the contents of the text file referred to in the complaint: https://btvnovinite.bg/predavania/tazi-sabota-i-nedelia/koi-sa-deputatite-koito-narichat-vaksinite-experimental-technost-a-vsashtnost-sa-imunizirani.html, and the text file posted to the link
KLD DECISIONS
CPC November - December 2022 35
A video file, lasting 14:53 minutes, has been downloaded on CD. The actions are documented in Protocol 
PPN-01-33#3/18.01.2022, with screen print and CD attached.
In the light of the principles of equality of arms and truthfulness, which are enshrined in the 
administrative procedure, M. EAD and Ms M.C., in her capacity as a journalist, were sent notification 
letters about the administrative proceedings initiated in the case, were given the opportunity to submit written 
statements on the allegations set out in the complaint and to submit relevant evidence.
Written submissions PPN-01-33#6/01.02.2022 and PPN-01- 33#7/01.02.2022 were 
submitted in response, expressed respectively by Ms M.C. and the company, with identical arguments 
for the unfoundedness of the complaint, insofar as the applicant is a public figure - a Member of Parliament, 
whose personal data has been processed for journalistic purposes on issues of public importance concerning 
the Covid-19 pandemic, the vaccination against Covid-19 and the "green certificate", on which the 
applicant has a clearly expressed and publicized position against vaccination and coercive measures to 
contain the Covid-19 pandemic. Relevant evidence is attached to support the allegations made in the 
submissions.
The Commission for Personal Data Protection is an independent state authority that protects 
individuals in the processing of their personal data and access to such data, as well as controls compliance 
with the PDPA and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 
2016 on the protection of natural persons with regard to the processing of personal data and on the free 
movement of such data.
In order to exercise its powers, the Commission must be validly addressed.
The complaint contains the mandatory requisites - there are details of the complainant - N.D., the 
nature of the request, the date and signature, the passively legitimated parties, as well as the date of 
knowledge of the infringement, in view of which it is regular. In this connection, it should be noted that, 
although the complaint alleges infringements by three other persons, in so far as they are not identified 
and the complaint does not bear their signatures and there is no evidence of any authorisation on their 
part in respect of Mr N.D., they do not have the status of complainants.
The subject-matter of the complaint are allegations of unlawful access to and dissemination of a 
special category of data relating to the applicant's state of health and, in particular, vaccination status. 
These, together with data relating to the applicant's full name and his capacity as a Member of the 
European Parliament, are personal data within the meaning of the GDPR, in so far as the person 
concerned can be undeniably identified
The complaint was lodged by an individual with a legal interest. It is undisputed that the processing of 
personal data according to the above-mentioned legal definition is at issue, and that the passively 
legitimated party M. EAD is a controller of personal data as defined in Article 4(7) of Regulation (EU) 
2016/679, as it defines the purposes of the processing - the presentation of information of public interest 
in a television broadcast, and the means of the processing - by broadcasting reports and programmes on 
the air of the media. By virtue of Article 58 of Regulation (EU) 2016/679, which defines the powers of 
the supervisory authority, the Regulation and the PDPA respectively are only applicable to controllers and 
processors. The analysis of this provision, in accordance with the purpose of the PDPA, leads to the 
conclusion that in order for the Commission to exercise its rights, the violations of the subject's rights 
must have been committed by the controller or processor and the complaint must be directed against the 
latter, who in that capacity have violated the rights of the individual. In this regard, it should be noted that 
the journalist and presenter of the programme, M.C., as an employee of the media and in her capacity as 
presenter of the programme broadcast on the air of the media, does not have the capacity of an 
controller or processor of personal data, since she processes personal data in the performance of her 
official duties, i.e. she is a person under Article 29 of the Regulation and acts under the authority of the 
controller and in practice "engages" him in his processing activities, in so far as she actually
carried out, as host of the transmission, the processing activities alleged to have infringed the rights of the 
applicant.
The Commission was seized on 13.01.2022, only two days after the alleged violation took place, which 
leads to the conclusion that the complaint was filed within the time limit under Art. 1 of the PDPA. The 
competent authority - the CPDP - was seized of the matter, which, pursuant to its powers under Art. 1 of 
the PDPA in conjunction with Article 57, § 1, point "f" of Regulation (EU) 2016/679, examines 
complaints against acts and actions of personal data controllers that violate the rights of data subjects 
related to the processing of personal data, as there are no exceptions under Art. 2(2)(c) and Article 55(3) 
of the Regulation, given that the case does not concern processing activities carried out by an individual 
in the course of purely personal or domestic activities and/or activities carried out by the courts in the 
exercise of their judicial functions.
For the above reasons and in the absence of the negative prerequisites under Article 27, paragraph 
2 of the APC, at a meeting of the Commission held on 19.01.2022, the appeal was declared admissible 
and the following were constituted as parties to the proceedings: the appellant - N.D., the respondent M. 
EAD, in its capacity as a personal data controller, and the interested party M.C., in her capacity as a 
journalist in the media and presenter of the programme in question. An open hearing on the merits of the 
appeal has been scheduled for 16.03.2022 at 13:00, of which the parties have been duly notified. In order 
to clarify the facts of the case, the Ministry of Health and the I.O. Inc. have requested information and 
log files on the access to the vaccination status of the complainant from the date of his vaccination 
against COVID-19 until 09.01.2022, the date of the report, as well as specific information whether the 
complainant was vaccinated against COVID-19 and when, in order to assess whether the information 
given in the media broadcast corresponds to reality.
The requested information and evidence had not been provided by the date of the scheduled 
public hearing, therefore the substantive hearing of the appeal was adjourned to 04/05/2022.
In the course of the proceedings before the CPD, a cover letter with reference No. PPN-01-
33#19/21.03.2022 from I.O. Inc. informed that "N.D. was vaccinated against COVID-19 on 19.08.2021. 
Between the date of vaccination and 09.01.2022, N.D.'s vaccination status records were reviewed on 
06.01.2022 and 07.01.2022 by Dr. M.M."
Certified copy of the submission by I.O. AD was provided to the parties to the proceedings for their 
perusal, and the applicant was specifically requested to clarify whether he knew Dr M.M. and to specify 
whether he was his personal and/or treating physician.
In response, and by letter No. PPN-01-33#23/01.04.2022, the complainant responded in the 
negative to the inquiry from the CPD - he did not know Dr. M.M., nor was he his personal and/or 
attending physician.
In view of the foregoing and on the basis of Article 9(2) (principle of ex officio jurisdiction) and Article 
7 (principle of truthfulness) of the Code of Civil Procedure, in view of the evidence collected ex officio on 
the file and the subject-matter of the complaint, which also contains allegations of unlawful access to the 
applicant's health status, the Commission, by a decision taken at a meeting held on 06-07.04.2022, 
constituted, ex officio, Dr M.M. as a respondent in the proceedings, in her capacity as a personal data 
controller.
A public hearing on the merits of the appeal was scheduled for 04/05/2022 at 13:00 in the administrative 
building of the CPD in Sofia, bul. "Proff. 2, Meeting Hall, 4th floor.
In order to clarify the facts of the case, I.O. AD, information was requested regarding the 
identifier through which Dr. M.M. accessed the complainant's vaccination status data, clarification of 
what data is visualized and available to the service user when "viewing" the person's vaccination status, 
and what the access channel used by Dr. M.M. was for the review of Mr. N.D.'s vaccination status data 
performed on 06.01.2022 and 07.01.2022.
In response and by letter PPN-01-33#33/26.04.2022, the requested information was provided. It is 
specifically stated by I.O. Inc. that the data that is displayed and available to the service user Dr. M.M. 
when "reviewing" Mr. N.D.'s vaccination status is: date of immunization record, national immunization 
reference number, dose sequence, date of next vaccine and availability of certificate. It is specified that the 
access channel to the data is immune.his.bg, the login to the system is done by a qualified electronic 
signature, after checking whether the doctor concerned has an active registration with the Bulgarian 
Medical Association.
In the course of the proceedings, a written opinion PPN-01-33#34/29.04.2022 on the merits of the 
dispute, in the part concerning the processing of data for journalistic purposes and the disclosure of the 
source of information, was received electronically, without an electronic signature. It is stated that the 
opinion comes from the Association of European Journalists - Bulgaria, without the signature of a 
specific person. The Association is not a party to the proceedings, in view of which the Commission for 
the Protection of Personal Data considers the submitted opinion to be irrelevant and should not be 
commented on in the grounds of the decision, leaving unclear how the Association was informed about 
the case, which it comments on in detail concerning the vaccination status and the quality of the applicant 
as a Member of the European Parliament.
On 04.05.2022, the CPDP received a request from the appellant to postpone the public hearing on 
the appeal scheduled for the same date due to work commitments and inability to attend the hearing.
On the basis of the application filed and due to the defendant Dr. M.M. not being properly notified 
of the proceedings, the hearing of the substantive appeal scheduled for 04.05.2022 was adjourned to 
22.06.2022 at 13:00 hours, of which the parties were duly notified. Notwithstanding the opportunity given 
to Dr. M.M. to be heard on the matter and the express directions that she should furnish information and 
evidence as to the basis of her access to the complainant's health/vaccination status regarding Covid-19 
on 06.01.2022 and 07.01.2022 and attach any other relevant evidence in the matter, no such evidence 
was adduced. Till 21.06.2022, a day before the scheduled public hearing to consider the merits of the 
complaint, there is no procedural activity by the respondent, the complaint has not been contested, no 
evidence or even allegations have been adduced on the subject matter of the dispute with which the 
CPDP is being referred.
In the course of the proceedings, by letter PPN-01-121/15.02.2022, the CEM informed that it had 
been informed of complaints filed by N.D. and V.M. regarding the publication of personal data of MPs in 
a journalistic investigation disseminated in the media programme of the media service provider M. EAD. 
They point out that the CEM considered at its meeting a report on the compliance of the broadcast with the 
provisions of the Broadcasting Act, in particular: with the norms relating to guaranteeing the right of 
citizens to information with the degree of protection of their privacy of public figures with influence in 
society. They inform that the CEM held that there was no violation of the RTI Act insofar as the 
journalistic audio-visual material contributed to the development of public dialogue on health policy and 
the accountability of democratically elected figures to their constituents.
A public meeting of the Board was held on June 22, 2022 to consider the merits of the appeal.
The appellant N.D. - duly notified, did not appear and was not represented at the hearing before 
the Committee.
The defendant, M.C., duly notified, did not appear and was not represented. For M. 
EAD, legal adviser B.G. appeared with power of attorney on file.
The defendant, Dr M.M., was represented by lawyer. A., with power of attorney submitted at the 
hearing.
The legal representatives of M. EAD and Dr M.M. contest the appeal. They do not adduce any 
new evidence. The procedural representative of the media maintains the written opinion expressed in the 
course of the proceedings that the complaint is unfounded.
Attorney A. asserted that her confidant, Dr. M.M., did not access the complainant's personal 
information regarding his vaccination status on 06/01/2022 and 07/01/2022. She alleged that Dr. M.M. 
did not personally use her electronic signature until 31.05.2022 and clarified that the electronic signatures 
of all the doctors at SCC, including her confidante's electronic signature, were used by the centre's 
employee, S.P. He adds that "five years ago, these electronic signatures of the doctors of the DCC were 
kept with the employee, S.P., who was in charge of Human Resources." She kept them and she sent the 
information to all the doctors of the DCC by the 4th of the month to the NHIF - who was served, what 
expenses, what the NHIF needed to remit to them. To make it easy for her, she has put one PIN on all the 
electronic signatures - on all the doctors, on all the electronic cards.
Having sent this data to the NHIS, since Dr. M.M. is the only one who is a physician at the SCC, 
and a physician at the hospital where she heads the internal medicine department, she herself is a 
specialist cardiologist, and since in the vaccination that is organized by this internal medicine department, 
all the certificates that are issued to the vaccinated persons are issued with the electronic signature of 
M.M..
So after S.P. is done with the reports, she hands over the electronic signature to the head nurse at C.R. 
Hospital, who puts the electronic signature on her computer, doesn't take it out at all, and it stays on day 
and night so it's easy for her, so she doesn't waste time...."
In order to prove the latter, he asks that two witnesses - S.P. and K.R. - be admitted to cross-examination. He asks the Commission to admit a technical expert report by an IT specialist in order to 
establish "from which IP address, from which computer all this information was downloaded".
Advocate A. informed that the case was also the subject of case No. ***/2022 of the District 
Prosecutor's Office - Pazardzhik.
In view of the submissions made by the representative of Dr. M.M., by the decision of the open 
meeting of the Committee held on 22.06.2022, the State Medical Centre was also made a respondent in 
the proceedings. A fresh public hearing on the merits of the appeal has been scheduled for 14.09.2022 at 
13:00 hrs, of which the parties have been duly notified.
The SCC was informed of the proceedings, given the opportunity to comment on the case and to 
submit relevant evidence.
At the request of the procedural representative of the defendant M.M., two witnesses - S.P. and 
K.R. - were admitted to examination by deposition in the public hearing scheduled for 14.09.2022. 
Information has been requested on the case file No. ***/2022 of the District Prosecutor's Office -
Pazardzhik, namely on the subject of the case file, its movement and results, and in the hypothesis of the 
evidence collected in the case file on the access of personal data of the applicant on 06-07.01.2022. and 
the use of the relevant electronic signature, respectively information received in the case file in this regard 
from Dr. M.M. (defendant in the proceedings before the CPDP) or other persons, including S.P. and K.R. 
(called as witnesses in the proceedings before the CPDP), a copy of the same. As of 12.09.2022, the 
requested information has not been provided.
In order to clarify the case from the factual side, evidence and information have been requested 
from a third party not participating in the proceedings - Borika AD - the issuer of the electronic signature 
of Dr. M.M., in particular: how many and what carriers and when was the respective electronic signature 
issued?, Who and when received the electronic signature and the respective carriers?, Are the carriers 
active as of 06 and 07.01.2022? From which IP address is the electronic signature normally used and 
specifically from which IP address was it used on 06.01.2022 at 08:48 and on 07.01.2022 at 07:27?
In response, Borika AD informed that the company had issued to M.M. M. Bricka as follows:
1. Serial No. *** with author and holder M.M., with author and holder ID ****, valid from 
01.10.2016 to 03.10.2017 and from 02.10.2017 to 02.10.2018;
2. Serial No. *** with author and holder M.M., with author and holder ID****, valid as follows 
from 25.09.2018 to 25.09.2019, from 25.09.2019 to 24.09.2020, from 23.09.2020 to 23.09.2021 and from 
24.09.2021 to 24.09.2022.
The company clarified that the certificate for the CEP was issued on a B-trust smart card and was 
received by the holder's proxy. They add that the renewal of the certificate on 24.09.2021 was done online -
without the physical presence of the holder of the CEP in the office of the certification service provider. 
They point out that the company does not receive information on the IP addresses from which the CEP 
certificates are used. In support of their claims, they attach a certified copy of the certification services 
contract No **** of 03.10.2016, with a copy of the identity card, the acceptance report and the request No 
****/03.10.2016 for the issuance of an electronic signature.
In the course of the proceedings, an opinion PPN-01-33#57/12.09.2022 was issued by the SCC on 
the unfoundedness of the complaint, arguing that the company had taken the necessary measures to limit 
and prevent the misuse of personal data and documents.
They state that three employees of the company had access to Dr. M.M.'s electronic signature -
S.P. - an employee of the Human Resources Department, K.R. - the head nurse at the medical institution and 
Dr. M.M. They added that due to a requirement of the NHIF and in order to facilitate the work of the 
physicians at the facility, Ms. S.P., with the knowledge and permission of the physicians, submitted
monthly reports, between the 1st-5th of each month, to the NHIF for the work they performed.
They point out that during the pandemic period, the hospital was instructed by the RHC to open a 
vaccination office and to register an electronic signature for the submission of data on vaccinations carried 
out on the premises of the hospital, and that the signature of Dr. They informed that in the process, the 
company has appointed the head nurse K.R. to report the vaccinations done in the MH platform using Dr. 
M.M.'s signature.
They alleged that on 05/01/2022, after the report was submitted to the NHSO's POC, Ms. S.P. 
gave the signature to the head nurse, K.R., and after that date the signature was with K.R. so that she 
could continue to update the vaccination information and green certificates issued. They alleged that
"Dr. M.M.'s e-signature and the vaccine platform link are installed solely on Chief Nurse K.R.'s 
computer," as "The computer on which K.R. works is located in her office, which only she has access to."
They stated that the applicant was not a patient of the medical institution, had not undergone any 
medical examinations or manipulations at the medical institution and that the latter did not process his 
personal data. They state that 'for security purposes, all workstations in the medical establishment have 
static IP addresses, but when a workstation accesses a page on the Internet the traffic goes through the 
company's router and exits from the external IP address ****', therefore 'even if he is enrolled in I.O. Inc. 
the IP address from where the information was accessed will only show the external IP, not the internal 
IP of the computer itself'.
They inform that after doing an "analysis of K.R.'s computer" they found no information on 
events, history or files for the relevant dates 06-07.01.2022 due to the longer period of time - more than 7 
months. Regarding the allegations of the legal representative of Dr. M.M. about a hacker attack, they 
point out that after checking and analyzing the entire information network and infrastructure of the 
company, they found no traces of such in the logs or installed malware. They consider that Ms. K.R. 
abused her position, acted unlawfully and intentionally, and in no way complied with the rules and 
policies put in place by the company regarding the protection of personal data and the application of the 
GDPR, and for her actions the company is not liable. In view of the violation found, they point out that the medical institution 
has "taken actions to correct the way of working in the company and to introduce additional rules and 
norms in order to ensure the confidentiality of personal data obtained in the process of work, including 
their non-disclosure", a training and instruction program has been prepared for all employees of the 
company on the application of the GDPR and the newly introduced rules by the medical institution, part 
of the changes concern the use of electronic signatures, namely: "All personal electronic signatures The 
submission of monthly activity reports with an electronic signature is carried out as follows: the person 
who owns the signature personally provides it to a member of the administration, personally enters the 
security password (pin code) and the report is submitted to the NHIF by a member of the administration 
in his presence. After submission of the report, the signature owner shall collect it. In this way, the 
electronic signature is under constant control and monitoring of the owner. Assisting with the filing of the 
report by an administrative officer in the presence of the owner of the electronic signature is optional and 
to facilitate the work of physicians. At the discretion of the physician, the physician may file the monthly 
report independently."
In conclusion, they inform that the employment relationship between the hospital and Ms K.R. is 
terminated as of 31.08.2022. They find the complaint unfounded as regards the establishment and the 
allegations to the contrary made by Dr M.M.'s legal representative unsubstantiated.
A further public hearing was held on 14.09.2022 to consider the merits of the appeal, of which the 
parties were duly notified.
The appellant N.D. - duly notified, did not appear and was not represented at the hearing before 
the Committee.
Defendant M. EAD is represented by legal advisor B.G. with power of attorney on file. The 
defendant Dr M.M. was represented by lawyer A. with power of attorney on file.
SCC is represented by Atty. J.N. with a power of attorney presented at the hearing.
The correct name of the legal entity constituted and duly notified of the meeting, the DCC, was 
clarified at the meeting.
The defendants' representatives contest the appeal. They point to no new evidence.
Adv. A. does not support the request for the admission of S.P. as a witness.
At the request of the legal representatives of M. EAD and Dr. M.M., the examination of the 
appeal on its merits was postponed to the next meeting of the CPDL on 23.11.2022, so that Adv. A. and 
legal counsel B.G. could acquaint themselves with the evidence newly collected by the CPPLD.
To clarify the facts of the case, information was requested from I.O. JSC, which replied by letter 
PPN-01-33#69 dated 06.10.2022 that the IP address from which the vaccination status of the complainant 
was accessed on 06.01.2022 and 07.01.2022 was ****.
In the course of the proceedings, the District Prosecutor's Office - Pazardzhik replied that the pre-trial proceedings initiated in the case ***/2022 according to the inventory of the Regional Prosecutor's 
Office of the Ministry of Interior - Pazardzhik "is in its initial stage", therefore it is not possible to 
provide information on specific facts established in it.
By covering letter PPN-01-33#68 dated 29.09.2022, additional representation and relevant 
evidence, namely, certified copy of Order No. 2 dated 04.01.2021 and payment order dated 20.09.2021 
have been submitted by the DCC. In the opinion, the company has stated that "to assist its employees, the 
hospital is working towards easing some of the commitments of the physicians," and one of the forms of 
assistance the company has undertaken is assisting with the 
application for the issuance and renewal of electronic signatures of pre-hospital physicians and "not least 
with the submission of monthly reports of pre-hospital physicians in the IPS to the NHIS." They specify 
that the submission of reports is regulated by an internal order, "with an employee of the company's 
administration assisting the doctors technically in submitting the reports", but only if the doctor wishes, 
who voluntarily provides his/her electronic signature to the employee. They add that "the medical 
establishment strives to provide all technical assistance to the medical staff, and every action taken by the 
company is to facilitate the work process, and the services offered are free of charge and have no binding
At a public hearing of the CPD held on 23.11.2022, the complaint was considered on its merits. The 
appellant N.D. - duly notified, did not appear and was not represented.
M.C. - duly notified, did not appear, was not represented.
The defendant M. EAD - regularly notified, was represented by legal adviser B.G. Defendant 
M.M. - regularly notified, represented by lawyer A.
The defendant DCC - regularly notified, was represented by counsel J.N.
Counsel for the defendants individually contest the appeal. They do not adduce any new evidence 
and have no requests for evidence. Adv. A. does not support the request for examination of a witness, stating 
that Ms K.R. also refused to testify.
Counsel for the respondents maintain the pleadings filed in the course of the proceedings that the 
appeal is unfounded and request the Commission to uphold the appeal against the respondents.
Counsel B.G. added that the television journalist M.C. had put forward data concerning the 
complainant N.D., but that this data was entirely in the context of the most topical public issue at the 
time, namely the Covid epidemic, vaccination and the commitment of the political party "V." and the 
political slogan branding vaccines as experimental with an appeal to their constituents not to vaccinate 
themselves. It is submitted that the personal example of each member of a political party, including the 
applicant, is determinative of the health of the electorate and of society in general. In that regard, he 
considers that it is undoubtedly incumbent on both the media and the journalist to make the information 
relating to the official position of the political party 'B.' known to viewers and to the public, because the 
comparison between an official position and actual conduct is very important to make and to inform 
people what the true position of each member of that political party actually is.
Adv. A. reiterates the allegations that the electronic signature was not in the possession of Dr. 
M.M., and therefore considers that the complaint is unfounded with regard to her client, since the 
alleged violation could not have been committed by her.
In its capacity as an administrative authority and in relation to the need to establish the truth of 
the case, as a fundamental principle in administrative proceedings, pursuant to Article 7 of the APC, 
requiring the existence of established facts and taking into account the evidence gathered and the 
allegations made, the Commission finds that, examined on its merits, the complaint is unfounded in 
respect of M. EAD and well founded in respect of Dr. M.M. and the DCC.
The subject-matter of the complaint are allegations of unlawful access to and dissemination of a
special category of data relating to the applicant's state of health and, in particular, his vaccination status, 
as identified by his name and his position as a Member of the European Parliament.
The data controllers in the present case are Dr M.M., with regard to access to the applicant's health 
and, in particular, vaccination status, and M. EAD, with regard to the dissemination of special 
category data relating to the applicant's state of health and, in particular, vaccination status. The 
Commission does not seek to establish a causal link between the two processing hypotheses, since the 
sources of the information are protected, and therefore Dr M.M. and M. EAD should be regarded as 
separate data controllers, in so far as there is no evidence that they jointly determined the purposes and 
means of the processing.
The procedural actions undertaken by the CPDL, including the ex officio collection of evidence, 
concern the clarification of the case from the factual side, the obligations of the administrative authority 
arising from the APC, concerning the subject of the dispute - unlawful access and dissemination of 
personal data concerning the vaccination status of the complainant. Ms M.C. was not required to disclose 
her journalistic sources of information in relation to the broadcast report, nor was such information requested 
from the other participants in the administrative proceedings.
regarding M. EAD:
From the evidence collected in the case file it is established, and it is not disputed between the 
parties in the proceedings, that on 09.01.2022 in the programme "This Sunday", broadcast on the air of 
M. TV, journalistic material was presented - a report with a subsequent commentary by a guest in the 
studio, which referred to the topic of the pandemic Covid-19 and the issues of the attitude towards: 1) 
vaccination and those vaccinated for Covid-19; 2) the anti-epidemic measures taken by the state in 
connection with the pandemic Covid-19; 3) the imminent introduction of restrictive measures on 
admission to the building of the National Assembly, after the presentation of item No. Green Certificate; 
and 4) an upcoming protest against the Green Certificate, organized by the parliamentary political party 
"V.", on 12.01.2022.
It is evident from the content of the report that the reporter and author of the programme, M.C., 
reported that the complainant N.D. was vaccinated against Covid-19 on 19 August 2021 with a vaccine 
from Janssen. The statement was made on the sidelines of the SC in an interview with the MP N.D. 
himself. The interview was dated 07.01.2022 and was broadcast two days later on the programme "This 
Sunday" on 09.01.2022 and distributed on the air of the media BTV.
The interview contained information related to the complainant's health and specifically 
vaccination status, specifically that the person was vaccinated against Covid-19 on August 19, 2021, 
with a vaccine from Janssen. The data on the applicant's vaccination status, taken together with the data 
contained in the material on the applicant's name, image and position held - Member of the European 
Parliament - are undeniably personal data within the meaning of the GDPR, in so far as the person can be 
undeniably identified. The same should qualify as a special category of data within the meaning of 
Article 9 of the GDPR, in so far as it relates to the person's state of health - 'personal data relating to the 
physical or mental state of the person, including the provision of health services, which provide 
information about his state of health' (Article 4(15) of the GDPR).
According to Recital 35 of the GDPR, personal data concerning the health of a data subject 
should cover any information relating to his or her physical or mental state of health in the past, present 
or future. Moreover, at the national level, the Health Act (HPA) defines 'health information' as personal 
data relating to the health, physical or mental development of individuals, as well as any other information 
contained in medical prescriptions, prescriptions, reports, certificates or other medical documentation. In 
this sense, as the Commission has already had the opportunity to rule in Opinion PNMD-01-12/2022, the 
set of all data contained in a certificate issued in connection with a vaccination against Covid-19, 
including the fact of vaccination and its date, as well as the product administered, which may be 
disclosed directly or indirectly through the certificate, falls within the scope of the term "health data" 
within the meaning of the GDPR and, in particular, "health information" within the meaning of the Health Act.
In view of the content, nature and periodicity of the programme, as well as its dissemination and 
access, it is undisputed that the information was disseminated for journalistic purposes in connection with a 
journalistic investigation disseminated in the programme of the media service provider M. EAD. This is 
an act of processing personal data within the meaning of Article 4(2) of Regulation No 2016/679, in so 
far as, by means of the reportage and transmission at issue, the applicant's personal data were accessible 
and disseminated to an unlimited number of viewers of the media.
By argument of Art. 1 of the PDPA, the processing of personal data for journalistic purposes is 
lawful when carried out for the exercise of freedom of expression and the right to information, while 
respecting privacy. In this respect, the provision of Article 9 of the GDPR concerning the processing of 
special categories of personal data, including those relating to health status, is inapplicable by virtue of 
Article 25h, para. 3 of the PDPA according to which Articles 6, 9, 10, 30, 34 and Chapter 5 of the GDPR do 
not apply to the processing of personal data for journalistic purposes.
According to Recital 4 of Regulation (EU) 2016/679, the right to the protection of personal data 
must be considered in relation to its functions in society and in balance with other fundamental rights, 
such as freedom of expression and freedom of information, in accordance with the principle of 
proportionality, insofar as the right to the protection of personal data is not an absolute right, nor is the 
right to freedom of expression and freedom of information (Article 11 of the EU Charter of Fundamental 
Rights).
The term "journalistic purposes" is not defined by the legislator, but has been extensively 
considered and interpreted in case law. Essential to journalistic activity is the collection, analysis, 
interpretation and dissemination through the mass media of relevant and socially significant information. 
All journalistic activity is a manifestation of freedom of expression in a state governed by the rule of law, 
and restrictions on freedom of expression and information are permissible only to the extent necessary in a 
democratic society under Article 10 § 2 of the European Convention for the Protection of Human Rights 
and Fundamental Freedoms.
Starting from the concept of journalism as the practice of collecting, analyzing and interpreting 
information about current events, topics, phenomena, personalities and trends of contemporary life, 
presented in different genres and forms and disseminated to a mass audience, the conclusion is that it 
concerns the processing of personal data for journalistic purposes. By its nature, journalistic activity 
requires the dissemination of information on matters of public interest. The public dissemination of 
information for these purposes is a journalistic activity, since the very act of dissemination is an expression 
of opinion, view, judgment of the public information and its relevance to the interests of society. In order to 
process information for the purposes of journalistic activity, the information must concern matters of 
value which, in the light of the relations concerned, are of real public importance. In assessing the 
balance between the two competing rights, it is the principle of 'data minimisation' that is relevant - the 
personal data processed should be relevant, related to and limited to what is necessary in relation to the 
purposes for which it is processed, with the specific case of satisfying the public interest. Journalistic 
purposes by definition include the exercise of the right to information and freedom of expression. 
Restrictions on freedom of expression and information are only permissible to the extent necessary in a 
democratic society under Article 10(2) ECHR. By its very nature, journalistic activity requires the 
dissemination of information on matters of public interest. The publication of a report in a media broadcast 
constitutes public disclosure. The public dissemination of information for these purposes is journalistic 
activity, since the very fact of dissemination is an expression of opinion, view, judgment of public 
information and its importance for the interests of society. In order for information to be processed for the 
purposes of journalistic activity, the information must concern matters of value which, in the light of the 
relations concerned, are of real public importance, as is the case here.
In the present case, it is indisputable that the data subject is a public figure - a Member of 
Parliament, and as such enjoys a lower level of protection of his personal data, but only and insofar as 
they are relevant and related to the functions exercised by him as a Member of Parliament and the 
positions he expresses as such and in this capacity to his constituents. It is undisputed that the personal 
data concerning the applicant's state of health as regards the vaccination against Covid-19 were 
disseminated by the media without his knowledge or consent. There is no evidence that they were made 
public by the complainant or the health authorities, but the same is irrelevant in so far as the provisions of 
Article 9 of the GDPR are inapplicable in the present case.
Public figures have a lower threshold of protection of their privacy, but interference with it is only 
permissible when there is a balance between the right to protection of privacy and the right to freedom of 
expression and information. In the present case, however, a balance has been struck. Sensitive health 
information within the meaning of the Health Act has been disclosed, namely personal data relating to the 
health, physical and mental development of the individual, as well as information relating to the individual 
contained in medical examinations, prescriptions, certificates and other medical documentation. The 
information has been disclosed and disseminated by a media outlet that is outside the scope of the persons 
entitled to process the personal data of citizens relating to their state of health as defined by the Health Act
- medical and health care institutions, state bodies competent in the field of health care and health 
insurance and relevant medical professionals.
The evidence gathered in the file and the factual situation clarified lead to the conclusion that there is 
an overriding public interest in the disclosure of the information, given the right of the public to be 
informed and the categorical position stated and promoted by the complainant against vaccination against 
Covid-19 and green certificates, which does not correspond with the actions of the MP, who was vaccinated 
on a date prior to his statements as an MP, despite urging and agitating persons to the contrary, claiming that 
vaccines "are ex
The information relates to a public figure and is necessary for the performance of a task in the public 
interest in so far as that interest would not be served without disclosure of the data. The journalistic 
material has been prepared and broadcast in a pandemic situation in which the contribution of the media 
is to provide a platform for active discussion and debate of the issue, actively seeking and clarifying 
different, including contradictory, opinions and positions, presenting the arguments of particular groups 
in society, with the emphasis on the truth, disclosure and exposition of a real factual situation, as an 
expression of the public's right to receive truthful, complete and comprehensible information to help it 
make an informed and reasonable judgement based on
The report reveals the publicly expressed opinion and statement of the complainant, not in his 
personal capacity, but as a Member of Parliament with influence and authority with the electorate, on the 
nature of the pandemic and his opposition, as a public figure, to the measures taken by the State to deal 
with the pandemic, but at the same time exercising personal conduct that is inconsistent with the publicly 
expressed opposition. In this respect, the observations of the defendant M. EAD can be shared, that the 
display of a contradiction between conduct and publicly expressed opinion is subject to the exercise of 
civil control by the mass media for the purpose of public awareness and debate on an undeniably publicly 
significant topic. And while the GDPR is designed to protect the privacy of individuals, it cannot and 
should not be used as a tool to manipulate the public and cover up behaviour, such as the untruths spoken 
by a public figure on public health issues.
In the instant case, in balancing two competing rights in a pandemic setting, the disclosure of the 
individual's health status by the media was in accordance with Article 25h of the PDPA insofar as it was 
relevant and related to ensuring the public's right to information with the degree of protection of the 
privacy of public figures and their influence in society. Similar to the CJM's perception, it can be 
concluded that journalistic audio-visual material contributes to the development of public dialogue on health 
care policy and the accountability of democratically elected figures to their constituents, and in the 
context of Article 25h of the PDPA, is carried out in fulfilment of the public's right to information of 
public importance.
This is also the long-standing case-law and practice of the ECtHR. The opinion of a certain 
category of persons - public figures such as the applicant - expressed in public contributes to the 
shaping of the attitudes of society as a whole, as well as influencing the choices of the 
majority of citizens, including with regard to the right to make an informed decision on vaccination. It is 
because of this specific public position and influence of these individuals that they should be subject to 
more intense public criticism in order to ensure the public's right to seek and receive accurate and truthful 
information on issues of importance to society, which in a pandemic context is undoubtedly the issue of 
vaccination against Covid-19. The public has the right to be informed of the actions and deeds of these 
individuals so that every citizen can form an opinion about the individual and the positions they express in 
the context of the actual and factual actions that contradict them.
The ECtHR's judgment in the case of Katya Kasabova and Bozhidar Bozhkov v. Bulgaria concerned a 
sanction imposed on journalists for reporting on a long-established corrupt practice in admissions to elite 
high schools in the city of Sofia. The Court stressed that too strict an attitude towards the professional 
conduct of journalists could lead to the frustration of their obligation to inform the public and concluded 
that the Bulgarian court's interference with their right to expression was not "necessary in a democratic 
society".
The ECtHR's decision in Yordanov and Toshev (journalists) v. Bulgaria is similar. Upholding the 
opinion expressed above in Kasabova and Bozhkov v. Bulgaria, the Court adds that in seeking the right 
balance between the protection of freedom of expression enshrined in Article 10 and the protection of the 
reputation of the persons against whom the accusations are made, which is one aspect of the right to 
privacy protected by Article 8 of the Convention, the vital role of a "public watchdog" that the press plays 
in a democratic society is of particular importance. While it must not overstep certain boundaries, in 
particular with regard to the reputation and rights of others, it has a duty - in a manner consistent with its 
duties and responsibilities - to convey information and ideas on political and other matters of public 
concern. The Court stresses that "the sanctions imposed by the national authorities are capable of deterring 
the press from engaging in debate on matters of legitimate public interest" and revealing the truth. 
Moreover, the Court links the freedom to disseminate information to the right of everyone and of society 
as a whole to be informed and emphasizes the duty of the media to provide information on matters of 
public interest. (See also in this sense the Decision of the CC of the Republic of Bulgaria No. 8/2019 of 
the CC in Case No. 4/2019).
Beyond any reasonable doubt in this case is the existence of a heightened public interest in the 
information contained in the report. Regulation 2016/679 gives enhanced protection to individuals in 
relation to the processing of personal data, but also strikes a balance with other fundamental rights, in 
particular freedom of expression and information, as those rights are provided for in the CPPCC and 
HOPES. For the reasons set out above, given the particular factual situation and the 
person's status as a public figure, the Committee finds that the dissemination of information about the 
person's health status regarding the Covid-19 vaccination is in the public interest and the public's right to 
be informed.
The publication in this case of such information is part and parcel of the task of the media in a 
democratic society, insofar as the information presented is true and provoked, as evidenced by the report, 
by the false information the person presents. The complainant's actions and the calls he made against 
vaccination and the statements made in the report in question, and not only there, that he would never have 
this 'liquid', do not correspond to the complainant's actual actions and are liable to mislead the public, 
given his status as a public figure and the impact he has on some of the citizens of the Republic of Bulgaria.
In this regard, the Commission considers that the processing is lawful and in accordance with 
Art. 1 of the PDPA and there is no violation as alleged by the complainant, given that the consent of the 
person is not an element of the lawfulness of the processing of personal data for journalistic purposes, but 
the processing is carried out for the exercise of freedom of expression and the right to information in a 
democratic society.
regarding Dr. M.M.:
The above grounds for lawfulness of the processing of personal data by the media are irrelevant to 
the processing of personal data by Dr. M.M. The exemptions provided for the processing of personal data 
for journalistic purposes are inapplicable to Dr M.M. in her capacity as data controller.
It is undisputed from the evidence on file that on 06.01.2022 and 07.01.2022, Dr M.M.'s personal 
electronic signature was used to access details of Mr N.D.'s vaccination status, namely date of registration of 
immunisation, national reference number of immunisation, sequence of dose, date of next vaccination and 
availability of certificate. The data access channel was immuno.his.bg, the login to the system was done 
via a qualified electronic signature, after checking whether the doctor concerned had an active registration 
with the Bulgarian Medical Association. It is undisputed that the access was made from the IP address 
*******, an external IP address of the medical institution of the Medical Centre where Dr M.M. worked 
at the date of access.
The data concerned are undoubtedly a special category relating to a person's state of health, for the reasons 
set out above. With regard to the latter, the GDPR introduces a prohibition on their processing (Article 9(1) 
GDPR), while allowing for explicit and limitative exceptions (Article 9(2) GDPR). In the present case, there 
is no evidence in the file of the existence of any of the exceptions introduced by the legislator in Article 
9(2)(a) to (j) in respect of Dr M.M. The data were accessed without the person's knowledge or consent; 
the defendant was not Mr N.D.'s personal and/or attending physician, and he was not a patient of the 
medical establishment and had not undergone any medical examinations or manipulations at the medical 
establishment.
In the course of the proceedings, Dr. M.M.'s legal representative alleges that a procedure was 
established that required the physician to physically provide this electronic signature, including 
allegations that the electronic signature was issued for official purposes. However, the facts alleged by 
counsel have not been established in the course of these proceedings; to the contrary, the evidence 
gathered by Borika plc and the internal rules and procedures, including the manager's order, establish first 
that the signature was issued to Dr M.M. in her personal capacity, notwithstanding that it was obtained by 
an attorney with Dr M.M.'s authorisation, and the procedures that have been set up at the hospital do not 
require the provision and storage of the electronic signature by the hospital employee, namely the head 
nurse, but only support the work of the doctors, and at their request.
Evidence in the record establishes that Dr. M.M.'s gross negligence with respect to the storage 
and use of her personal electronic signature resulted in unauthorized access to sensitive personal data 
about the complainant related to his vaccination status. Responsibility for the latter lies with the data 
controller, Dr M.M., in so far as the signature used for access is personal and the responsibility for its use 
and storage is also personal. However, in the present case, Dr. M.M. did not take appropriate measures to 
ensure, and was not able to demonstrate, that the personal data of the complainant were processed/accessed in 
accordance with the GDPR. The allegations that the provision of the signature for use by an employee of 
the administration of the medical establishment was in fulfilment of a duty imposed on Dr M.M. by the 
medical establishment at which she worked cannot be credited as relevant and true. In the first place, 
there is no evidence to that effect; her allegations are disputed by the medical establishment, which 
categorically indicates that the company provides each physician with assistance in the administration of 
services, but at the physician's request and initiative, and not under obligation. Separately, even if the 
converse were true, insofar as the signature is personal, it is the data controller, in this case Dr. M.M., 
who should determine the purposes, means and manner in which personal data will be 
processed/accessed through her electronic signature. Moreover, a specific category of personal data is 
accessed through the signature - health-related, and therefore the controls and measures put in place by 
the controller should be heightened. These are not present in this case at all, therefore the error 
committed by Dr. M.M. should be qualified as such under Article 32 par. 1 and 2 of the GDPR, as there is 
no undisputed evidence to hold her liable for the access actually made. It is a fact that, by means of the 
electronic signature, not on one occasion but on two consecutive dates, the applicant's sensitive personal 
data were unlawfully and without justification accessed in an electronic environment from the IP address 
of the medical institution where Dr M.M. works; Dr M.M. claims that she only became aware of the 
infringement after she was notified by the CPT of the present proceedings, i.e. months after the 
infringement took place.
The allegations that another person misused and improperly accessed the personal data using Dr. 
M.M.'s electronic signature, even if well-founded, although there is no such evidence in the file, cannot 
sanitise the infringement, in so far as it is the responsibility of the controller (Article 32(1) and (2) 
GDPR) to apply measures appropriate to prevent the unlawful processing of personal data, having regard 
to the scope, context and purposes of the processing, as well as the risks of varying likelihood and 
severity to the rights of natural persons. There are no measures at all in this case, a circumstance which is 
confirmed by the legal representative of Dr M.M., who states that her client does not use her 
signature, nor regulate access to immuno.his.bg, a huge database of sensitive personal data, access to which 
is regulated and restricted, provided by means of a qualified electronic signature, after verification of 
whether the doctor concerned holds an active registration with the Bulgarian Medical Association. It is 
undisputed that Dr. M.M. did not organize the storage of the signature, which is the input for the database 
containing information on the health conditions of the persons, respectively did not create, nor did she 
apply appropriate technical and organizational measures, did not make an assessment, did not evaluate 
the risks associated with the use of the signature and access to this special category of personal data.
Taking into account the established violation, the fact that it concerns the processing of a special 
category of data and the fact that the act is not a one-off and is completed, the Commission considers 
appropriate, effective and dissuasive the exercise of corrective power under Art. 1 and 2 of the GDPR. 
The corrective measures under Article 58(1)(a), (c), (d), (e), (f), (g), (h) and (j) of the GDPR are inapplicable 
because of the nature of the infringement, those under Article 58(2)(b) are disproportionate and those 
under (d) are inappropriate given the actions taken by Dr M.M. to control her electronic signature after the 
infringement was established.
In determining the amount of the fine, the circumstances that the violation was the first found by 
the CPMP with respect to this administrator, as well as the workload and commitment of Dr. M.M. and 
of physicians in general in the pandemic, should be qualified as mitigating factors. As aggravating factors, 
the Commission considers that the data accessed are special category and that this is a repeated 
infringement committed in conditions of negligence on the part of the controller.
With regard to the DCC
The evidence in the record, the allegations of the defendants, including those of SCC, also 
evidence a violation by the facility of Article 32 of the GDPR regarding the facility's practices for 
allowing the use of electronic signatures of physicians for the processing of sensitive personal health-related data, including access to such data. It is undisputed that the medical establishment, as a separate 
controller of personal data, had not, as of the date of the breach, January 2022, established appropriate 
technical and organizational measures for the processing of sensitive personal data by the administration 
of the medical establishment, or that those established were not able to ensure and demonstrate that the 
processing was carried out in accordance with the GDPR, moreover, that there was a lack of training and 
supervision regarding the procedure, albeit not formally prescribed, which, apparently from the evidence, 
has established itself as an unregulated practice. It is a fact that the infrastructure/IP address 
of the DCC was used for the unauthorized access, which did not establish a proper control mechanism. It 
is a fact that after initiation of the present proceedings, the company has "taken steps to correct the way of 
working in the company" and has put in place a training and briefing programme for all the employees of 
the company on the application of the GDPR and the rules newly introduced by the hospital, part of the 
changes relate to the use of electronic signatures, namely, "All personal electronic signatures are to be 
stored only by their owners, and the responsibility for storage is entirely theirs. The submission of monthly 
activity reports with an electronic signature shall be carried out as follows: the person who owns the 
signature shall personally provide it to an administrative officer, personally enter the security password 
(pin code) and in his presence the report shall be submitted to the NHIF by an administrative officer. After 
submitting the report, the owner of the signature picks it up. In this way the electronic signature is under 
constant control and monitoring of the owner. Assisting with the filing of the report by an administrative 
officer in the presence of the owner of the electronic signature is optional and to facilitate the work of 
physicians. At the discretion of the doctor, he may submit the monthly report independently." The fact is 
that the additional measures introduced cannot sanitise the inaction on the part of the health 
establishment, which by its passive behaviour contributed to the infringement committed, but are 
grounds for imposing a remedy under Article 58, § 2, point "b" of the GDPR - a formal warning to the company in view of the fact that, although at a later 
stage, the measures were reviewed and updated in accordance with its obligation under Art. 1 of the GDPR. 
The imposition of a sanction on the administrator of the DCC is disproportionate in so far as the 
administrator is not directly involved in the infringement committed, but by its passive behaviour has 
created further preconditions for its commission.
Guided by the above and pursuant to Art. 38, para. 3 of the Personal Data Protection Act, the 
Commission for Personal Data Protection,
DECIDE:
1. Declares complaint PNN-01-33/17.01.2022 unfounded with respect to M. EAD.
2. Declares the complaint well founded in respect of Dr M.M.
3. Pursuant to Article 83(4)(a) in conjunction with Article 58(2)(i)
of Regulation (EU) 2016/679 imposes on Dr. M.M. with ID******, as a personal data controller, a 
fine of BGN 500 (five hundred leva) for violation of Article 32, § 1 and 2 of the Regulation.
4. Declares that the complaint is well-founded with respect to DCC.
5. On the basis of Article 58, § 2, letter "b" of the GDPR, issues an official warning to the 
SCC with the UIC *********, as a personal data controller, for violation of Article 32, § 1 and 2 of 
the GDPR.
The decision is subject to appeal within 14 days of its delivery through the Commission for 
Personal Data Protection before the Administrative Court of Sofia - city.
After the judgment has entered into force, the amount of the penalty imposed shall be paid by bank 
transfer:
BNB Bank - Central Bank, IBAN: BG18BNBG96613000158601, BIC BNBGBGSD
Commission for Personal Data Protection, BULSTAT 130961721.
PRESENTER: Ventsislav Karadzhov /p/
MEMBERS: Tsanko Tsolov /p/
Maria Mateva /p/