CPDP (Bulgaria) - PNN-01-487/2021
|CPDP - PNN-01-487/2021
|Article 6(1)(a) GDPR
Article 6(1)(b) GDPR
|National Case Number/Name:
|European Case Law Identifier:
|CPDP (in BG)
According to the Bulgarian DPA, a company violated Article 6(1) GDPR by sending pre-employment arrangements to a government agency while national law only required them to share finalised employment contracts.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject applied for a vacant position at the company H.M.B. EAD (controller). After signing some paperwork, the data subject and the controller agreed to another meeting in order to finalise the employment contract. On 28 April 2021, before such meeting took place, the controller sent the papers signed by the data subject to the 'National Revenue agency' (NRA). According to Article 62(5) of the Bulgarian Labour code, an employer had to notify the NRA within three days of signing/closing the employement contract. In the end, the data subject did not complete the application procedure.
The data subject stated that she had been registered as an unemployed person on 8 February 2021 and had been granted unemployment benefits for three months. However, the benefits suddenly stopped, which is why the data subject checked with the social insurance institution for the cause of this issue. Here, she discovered that the controller had filed the signed papers as an employment contract, which had made her ineligible to receive further unemployment benefits.
The data subject filed a complaint at the Bulgarian DPA, stating that the controller unlawfully processed her data by submitting an employment contract without her knowledge. The data subject stated that she did not sign any employment contract and did not provide any personal data to the controller.
The controller stated that the allegations of the data subject were false. It stated that on 17 April 2021, the data subject had provided her CV to the controller in order to apply for a vacant job position. The controller did not deny that an employment contract had not formally been signed yet, but stated that the job-offer documents contained all the aspects of an employment contract and could therefore be regarded as such. This was also the reason why the company submitted the documents to the NRA pursuant to Article 62(5) of the Labour code. The signed documents also included a declaration of consent by the data subject to process her personal data. These documents contained several categories of personal data, such as full name, unique nationality number, address, identity card number, email, a photograph and a telephone number.
In response to these arguments, the data subject admitted that she had sent the CV and signed a consent for the processing of her data. However, she kept insisting that she did not sign any employment contract.
Holding[edit | edit source]
First, the DPA held that the data subject voluntarily disclosed her data to the controller by signing the declaration of consent for the processing of her personal data. The data subject had also started the application procedure by sending the required documentation using her personal email for the purpose of concluding the contract. In this regard, there was no breach of Articles 6(1)(a) and 6(1)(b) GDPR.
Second, the DPA determined that the documents signed by the data subject could not be seen as an employment contract. This was even admitted as such by the controller, who stated that 'no employment contract was formally signed'. The controller's argument that the job-offer documents signed by the data subject basically constituted an employment contract was unfounded. The DPA noted that the job application was only the first stage of the procedure, which ended with the signing of the employment contract. The documents also only included the signature of the data subject. The signature of the controller would have been necessary to consider the documents an employment contract. Also, the name of the controller was not even mentioned in the job-offer.
Because there was no employment contract, there was also no statutory obligation for the controller to send these documents, which contained the personal data of the data subject, to the NRA. Therefore, the DPA concluded that the personal data of the data subject had been processed without a legal basis, in violation of Article 6(1) GDPR.
Comment[edit | edit source]
In its decision not to allocate a fine, the DPA considered the following: the data controller limited the social rights of the applicant. On the other hand, this was the controller's first violation, no special category of data as per Article 9 GDPR had been processed, and the controller showed good faith in cooperating to stop the violation.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.
DECISION No. ппН-01-487/2021 Sofia, 01.12.2022 The Commission for the Protection of Personal Data (CPDP) composed of: Chairman: Vencislav Karadjov and members: Tsanko Tsolov, Maria Mateva and Veselin Tselkov at a meeting held on 12.10.2022, based on Art. 10, para. 1 of the Personal Data Protection Act in connection with Art. 57, § 1, letter "f" of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data (Regulation , GDPR), examined the merits of complaint No. PPN-01-487/24.06.2021. The administrative proceedings are in accordance with Art. 38 of the Personal Data Protection Act (PAPA). The Commission for the Protection of Personal Data was referred to a complaint filed by A.D., alleging unlawful processing of her personal data by "H.M.B." EAD in connection with an employment contract registered on 28/04/2021 with the National Revenue Agency (NAA), which it claims it did not sign. The complainant is categorical that she has no labor-legal relations with the company and did not provide her personal data to "H.M.B." EAD. She adds that on 08.02.2021 she registered with the "Labor Bureau" - Serdika as an unemployed person, and for the period from 04.02.2021 to 03.06.2021 she was granted unemployment compensation, which she received for three months . She found out about the alleged violation during an inquiry at the National Insurance Institute, after she did not receive compensation for the last month of the term. Requests the commission to investigate the case, impose a sanction on "H.M.B." EAD, termination of the contract and reimbursement of the amounts for unemployment compensation, which she did not receive due to misuse of her personal data by the company. Relevant evidence is attached to the complaint. The complaint was also addressed to the National Revenue Agency, from where it was forwarded for consideration by the CPDP with an accompanying letter with reg. No. PPN-01-487#1/06.07.2021, in which it was specified that after a check in the information arrays of The NRA has established that on 28.04.2021 "H.M.B." EAD submitted a notification under Art. 62, para. 5 of the Labor Code for an employment contract concluded with the applicant with a date of conclusion of 28.04.2021, and on 10.05.2021 the company submitted an application to delete the notification. In view of the principles of equality of the parties and truthfulness advocated in the administrative process, "H.M.B." EAD has been informed about the administrative proceedings initiated in the case, it has been given the opportunity to engage in a written opinion on the allegations presented in the complaint and to present evidence relevant to the case. In response, an opinion was filed about the groundlessness of the appeal. The company disputes the statements made by the complainant as false. They inform that on 17.04.2021, electronically, the applicant submitted a resume to apply for a vacant position in the company, an interview was conducted with the applicant, the latter filled out a declaration of consent for the processing of her personal data by the company for the purposes of concluding an employment contract, as well as a job offer signed by both parties. They do not deny that an employment contract has not been formally signed, but they claim that the job offer contains the requisites of an employment contract and can be considered as such, which is why the company submitted a notification to the National Revenue Agency under Art. 62, para. 5 of CT. They add that after the candidate did not appear on the date agreed between the parties - 07.05.2021 "to form/receive the remaining documents, he should report to work on 10.05.2021" and after he does not answer calls the company has submitted an application to the NRA to cancel the registered employment contract. Relevant evidence is attached to the opinion. The Commission for the Protection of Personal Data is an independent state body that protects individuals in the processing of their personal data and access to such data, as well as control of compliance with the GDPR and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data. In order to exercise its powers, the Commission should be validly referred. The complaint must contain the required details: data about the complainant, the nature of the request, date and signature, the passively legitimized party is indicated and the period of establishment of the violation, in view of which the complaint is regular. The subject of the complaint are allegations of unlawful processing of the complainant's personal data by "H.MB." EAD in connection with an employment contract registered with the National Revenue Agency on 28.04.2021. The commission was referred to on 24.06.2021, two months after the alleged violation was committed, which makes it necessary to conclude that the complaint was submitted within the time limit under Art. 38, para. 1 of the Labor Code. The complaint was filed by a natural person with a legal interest against a proper party - a personal data administrator, such as "H.M.B." EAD indisputably owns within the meaning of Art. 4, para. 7 of the General Regulation EU 2016/679 in relation to the applicant, given the evidence collected in the case file and the fact that it is a legal entity that only determines the purposes and means of processing personal data. Referred to is competent to rule - CPLD, which according to its powers under Art. 10, para. 1 of the Labor Code in connection with Art. 57, § 1, letter "f" of Regulation (EU) 2016/679, examines complaints submitted by a data subject against acts and actions of personal data controllers that violate the rights of natural persons related to personal data processing, as there are no exceptions under Art. 2, § 2, letter "c" and Art. 55, § 3 of Regulation (EU) 2016/679 given the fact that the case does not concern processing activities carried out by an individual in the course of purely personal or domestic activities and/or activities carried out by courts in the performance of their judicial functions. It is beyond the commission's competence to rule on the compensation requested by the complainant for the committed violation and lost benefits, which she can claim in court. For the stated reasons and given the absence of the negative prerequisites under Art. 27, paragraph 2 of the APC, at a meeting of the commission held on 20.07.2022, the complaint was accepted as admissible and the following parties were constituted as parties to the proceedings: complainant - A.D. and defendant - "H.M.B." EAD. An open hearing is scheduled to consider the merits of the complaint on 12.10.2022 at 1:00 p.m., of which the parties are regularly notified. In order to clarify the case from the factual side and distribute the burden of proof in the trial, the defendant is required to submit a certified copy of the employee appointment procedure introduced in the company. In response and with accompanying letter PPN-01-487#11/02.09.2022, the company provided a certified copy of the procedure for appointing a new employee dated November 2020. The complainant was provided with the written opinion expressed by the defendant and attached evidence with instructions to clarify whether he contests the same, or whether he supports the complaint submitted to the CPLD. In response PPN-01-487#13/06.10.2022, the complainant indicates that she agrees with the facts presented by the company regarding the personal data provided by her - CV and signed declaration of consent for the processing of her personal data was sent. However, she is categorical that she did not sign an employment contract, but only "saw what conditions they offered". At an open meeting of the CPLD held on 12.10.2022, the complaint was examined on its merits. The applicant A.D. - regularly notified, does not appear and is not represented at the meeting. The defendant "H.M.B." EAD is represented by Adv. M. with a power of attorney presented at the meeting and a valid lawyer's card. Lawyer M. contests the appeal. Finds the referral to the CPLD to be irregular, with arguments for lack of information on the person's permanent address and a specific specified date of knowledge of the violation. The claims of Adv. M. are unfounded. It can be seen from the materials on the file that permanent address data is available, contained in a copy of an identity document attached to the complaint. With regard to the allegations of the complainant's failure to indicate a specific date of knowledge of the violation, it should be noted that formally the text does not explicitly state a date. However, a clearly defined period of time in which the person became aware of the violation is indicated, with a detailed chronology of events and evidence attached in this regard, which is why the complaint is regular, and the objection of the advocate. M. unfounded. The Commission, in the terms of the official commencement, established a specific date of the alleged violation - 28.04.2021, and insofar as the supervisory authority was notified on 24.06.2021, two months after the alleged violation, the formalization on a specific date of knowledge of the violation is unnecessary, insofar as it is clear from the evidence on the file that the complaint was submitted within a period of 6 months from the knowledge of the violation, but no later than two years from its commission. In essence, Adv. M. finds the appeal groundless, maintaining the arguments set forth in a written opinion filed on the file. In its capacity as an administrative body and in connection with the need to establish the truth of the case, as a basic principle in administrative proceedings, according to Art. 7 of the APC, requiring the existence of established actual facts, and considering the evidence collected and the allegations made, the commission accepts that the substantively examined appeal No. ППН-01- 487/24.06.2021 is partially justified. The subject of the complaint are allegations of unlawful processing of the complainant's personal data by "H.MB." EAD and providing them to the National Revenue Agency on 28.04.2021 for registering an employment contract with parties A.D. - worker and "H.M.B." EAD - employer. The parties do not dispute, and from the evidence collected in the case file it was established that the applicant applied for a vacant position in the company's store, namely a sales associate in store I. - Sofia, announced on the website. It was established that on 17.04.2021, electronically, the applicant sent her resume to apply for the position, and subsequently on 22 April 2021 - a signed job offer and a filled-in blank declaration of consent for the processing of personal data data for the purposes of concluding an employment contract. The documents contain data in volume - three names, uniform civil number, address, identity card number, e-mail address, photo and telephone number of the applicant, the same personal data regarding Mrs. A .D. to what extent by means of them the person can be indisputably individualized. The cited documents, respectively the data contained in them, were sent to the company from the e-mail of the complainant, also indicated in her complaint to the CPLD, therefore it follows that they were provided voluntarily by the person. The allegations presented in the complaint to the CPLD that Mrs. A.D. did not provide her personal data to the company, are in contradiction with the evidence collected in the file, after familiarizing herself with which the complainant confirms the fact of having sent a CV and a declaration of consent to the company. In this regard, the complaint in the part concerning allegations that the person did not provide his personal data to a company should be dismissed as unfounded, insofar as it is established that data were processed - collected by the company on the basis of Art. 6, § 1, letters "a" and "b" of the GDPR - with the consent of the person and to take steps at the request of the data subject before concluding a contract in the conditions of a pre-contractual relationship between the parties, initiated by the applicant through a CV sent to application for filling an announced vacant position in the company's store. However, in its remaining part, concerning the allegations of processing the complainant's personal data for sending the data to the National Revenue Agency for a registered employment contract without such having been concluded, the complaint is well-founded. From the evidence collected in the course of the administrative proceedings, it was established beyond doubt that on 28.04.2021 a notification was submitted to the National Revenue Agency under Art. 62, para. 5 of the Labor Code for the employment contract concluded on 28.04.2021 between A.D. - worker and "H.M.B." EAD - employer. On 10.05.2021, the company submitted to the National Revenue Agency a notification to delete the submitted notification of a concluded employment contract. Declaration form No. 1 "Insured person data" has not been submitted. The order and content of the notification under Art. 62, para. 5 of the CT, the same regulated respectively by Ordinance No. 5 of December 29, 2002, issued by the Minister of Labor and Social Policy and Ordinance No. H-8/29.12.2005 on the content, terms, manner and order of submitting data by the employers, insurers for the persons insured by them. According to the cited by-laws, the notification contains data about the worker and the employee in a volume of three names and a single civil number, the same personal data about the natural person given the fact that the person can be indisputably individualized. Normatively, it is determined that the notification is submitted within three days of signing/concluding the employment contract. It can be seen from the evidence collected in the case file that the data of Mrs. A.D., contained in the notice of conclusion of the employment contract, were provided by "H.M.B." EAD of the NRA, and given the fact that the provision is a form of processing of personal data, applicable to this processing are the provisions of the General Data Protection Regulation and the GDPR, regulating relations regarding the processing of personal data. The claims of the complainant that her personal data were processed - provided by the company to the National Revenue Agency without her knowledge and consent to register an employment contract between the parties, without such having been concluded, are well founded. The company has not provided evidence to the contrary, on the contrary, it indicates that "an employment contract has not been formally signed". Evidence of the existence of the concluded employment contract registered in the National Revenue Agency was not presented, therefore, considering the categorical statements of the complainant that she did not conclude one, and the company's statements that the employment contract registered in the National Revenue Agency was not signed, the conclusion follows that it is not available consent of the data subject to the processing of his personal data for the conclusion of an employment contract, from which a legal obligation arises for the administrator to process the data of the individual for the purposes of submitting a notification to the National Revenue Agency, despite the existence of pre-contractual relations between the parties. In this regard, it should be noted that the company's claims of pre-contractual relations with the complainant do not justify a different conclusion, as the employment contract registered with the agency was not concluded at the time of the provision of the complainant's personal data by the company to the NRA. Pursuant to Art. 62 par. 1 of the Labor Code, the employment contract shall be concluded in writing, which is a condition for its validity, and with mandatory content in it for the circumstances under Art. 66 par. 1 of CT, i.e. in order for such a contract to exist, it must be objectified in a document reflecting the matching declarations of will / agreements / of the parties to it, which is certified by its signature by each of them / argument from Art. 180 of the Civil Code. In the case under consideration, it was undoubtedly established that there was no employment contract signed by both parties. The defendant's arguments that the "job offer actually contains the details of an employment contract and can be accepted as such" signed by the complainant are groundless. First of all, according to the Procedure for appointing a new employee presented by the company, it is clear that the "job offer" is only the first stage of the procedure, which ends with the signing of another document - an employment contract, which is why it is clear that even the defendant does not identify the submission of an offer signed by the candidate for work with an employment contract. Moreover, the offer, although it contains information about the position, working hours, term of the contract, date of starting work, amount of remuneration and place of work, bears the signature of only the job candidate. The offer does not bear the signature of the employer, and it should be noted that the name of the employer is not indicated in the offer, therefore it cannot be considered an employment contract, but is rather part of the pre-contractual relations between the parties within the framework of the scheduled by the company procedure for appointing employees. Apart from the above, there is no mandatory requisite of the employment contract - data for the parties. In the offer, only two names of the worker are indicated, without a social security number, and there is no information about the employer at all, which is why the defendant's view that the job offer can be considered an employment contract between the parties and a reason for providing the data cannot be accepted in the NRA for its registration. In view of the above, there is no legally established obligation of the company, as an employer, whatever quality in this case the latter did not prove to possess in relation to Ms. A.D., to submit a notification to the National Revenue Agency under Art. 62, para. 5 of the CT containing the applicant's personal data. In the specific case, none of the other conditions for the admissibility of the processing are present, as evidence to the contrary has not been committed, nor has such been claimed by the defendant. The hypothesis of the existence of a legitimate interest of the administrator, which is preferable to the interest of the affected natural person, is not applicable. The remaining conditions are irrelevant - they are applicable in other, different and incompatible with the present hypotheses concerning the processing of personal data for the protection of vital interests related to the life and health of the data subject, the performance of a task of public interest, as well as in the exercise of official powers , which are not delegated to the company. From an analysis of the collected evidence, it is necessary to conclude that the applicant's personal data were processed - provided to the National Revenue Agency for registration for an employment contract without one having been signed by the parties, in violation of Art. 6, § 1 of the Regulation, without any of the conditions specified in the regulation for the legality of the processing being present, as the rights of the person referred to the CPLD were violated. When determining the type of corrective measure under Art. 58, § 2 of the GDPR, which should be imposed by the CPLD for the found violation, as mitigating circumstances it should be taken into account that: the rights of an individual have been violated; the company took actions to delete the notification 12 days after its registration and even before referral to the CPLD and initiation of the current administrative proceedings; the administrator assists the CPDP in clarifying the factual situation; in relation to the company, there are no sanctions decisions issued by the CPLD. The company processed the applicant's data in pre-contractual relationships on a legal basis. Circumstances should be qualified as aggravating circumstances that: data for the person's unique civil number were processed, and as a result of the registration, the applicant's rights in the social sphere were limited - unemployment benefits were suspended; the violation became known to the CPLD as a result of a referral by the victim. The circumstances under Art. 83, § 2, letters "b" and "i" of the Regulation are irrelevant insofar as it concerns an administrator - a legal entity that is not guilty, and at the time of committing the violation of approved codes of conduct, respectively approved certification mechanisms are not introduced. In view of the nature of the detected violation, the commission considers that the corrective measures under Art. 58, § 2, letters "a", "c", "d", "e", "f", "g", "h" and "j" of the Regulation are inapplicable and inappropriate in this case. Given the fact that the violation is the first for the administrator, the imposition of a sanction is excessive, considering the exercise of corrective authority under Art. 58, § 2, letter "b" of the GDPR - an official warning, especially since the processed data is not a special category within the meaning of Art. 9 of the GDPR and has been provided to a state authority that has them, and the administrator has cooperated in good faith to stop the violation.