CPDP (Bulgaria) - PPN- 01-197/2022

From GDPRhub
Revision as of 08:02, 18 April 2024 by Im (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CPDP - PPN- 01-197/2022
Authority: CPDP (Bulgaria)
Jurisdiction: Bulgaria
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.03.2022
Decided: 09.02.2023
Fine: 10,000 BGN
Parties: n/a
National Case Number/Name: PPN- 01-197/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Bulgarian
Original Source: Bulgarian DPC (in BG)
Initial Contributor: im

The DPA fined a company 10,000 lev (€5,114,08) for the unlawful disclosure of a former employee’s data with traffic control authorities, potentially harming the data subject's reputation.

English Summary


On 29 June 2021, the data subject received an administrative violation notice from some traffic control authorities in Germany. The notice alleged that on 15 September 2020, the data subject was driving a truck owned by a company ('controller') where he used to work until 1 November 2020. The data subject contested the notice, asserting that he was on sick leave at the time, and thus, someone else from the company must have been driving the vehicle.

The notice was also sent to the company, giving them an opportunity to identify the individual who was driving the vehicle on the date of violation. The company did not dispute the circumstances outlined in the complaint and confirmed that the data subject did not use the vehicle; instead, it was leased to another party. However, the employee handling the case mistakenly identified the data subject as the responsible person for the violation, attributing it to unintentional mistake of dates. The employee disclosed the data subject's personal data to the German authorities, citing a legal obligation under Article 6(1)(e) GDPR.

As a result, the data subject has paid the fine imposed by the German authorities. After learning of the facts from the complaint filed by the data subjects against the controller, the controller expressed their regret and reimbursed the fine imposed on the data subject.

Despite this, the data subject maintained his complaint, arguing that the unintentional processing of his personal data caused him moral and non-material damages, as he was falsely identified as a law violator and had to pay a fine for an offense he did not commit.


The DPA examined the controller's argument that the processing of the data subject's information fell under Article 6(1)(c) GDPR, relating to the exercise of official authority. However, the DPA noted that the vehicle in question was in possession of a new lessee at the time, not the data subject, undermining this argument.

Additionally, the DPA found no evidence that the controller conducted an investigation to determine who was driving the company's truck on the day of the violation. Instead, the controller shared the data subject's information more than six months after his employment had ended. This failure to remove the data subject's information from the company's database could lead to stricter penalties for future violations.

The DPA highlighted that the processing violated the principles of lawfulness, fairness, and transparency outlined in Article 5(1)(a) GDPR.The controller processed the former employee's data without a suitable legal basis and took no corrective action to rectify the erroneously provided information to the third party.

Furthermore, the DPA found a violation of Article 5(1)(b) GDPR, as the data collected for a specific purpose related to the Labor Code for conclusion of an employment contract was disclosed to a third party after the termination of employment, exceeding the intended purpose.

The DPA determined that the purpose of processing in this case was the economic interest of the controller. This processing harmed the data subject, as the shared information would remain in the electronic dossier of the German authority, potentially impacting the data subject negatively in case of future violations.

As a result, the DPA imposed on controller an administrative penalty in the amount of 10,000 лв (€5,114,08).


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.

Decision on appeal with reg. No. PPN-01-197/14.03.2022 DECISION No. PPN- 01-197/2022 Sofia, 09.02.2023 The Commission for the Protection of Personal Data, composed of: Chairman Vencislav Karadjov and members Tsanko Tsolov and Veselin Tselkov at a regular meeting held on November 16, 2022, objectified in protocol No. 42, on the basis of Article 10, Paragraph 1 of the Law on the Protection of personal data (PLDPR) and Art. 57, §1, b. "e" of Regulation (EU) 2016/679 (GDPR), considering a complaint with reg. No.PPN-01-197/14.03.2022, in order to ruled, taking into account the following: The administrative proceedings are in accordance with Art. 38 of the Labor Code and Art. 77, §1 of Regulation (EU) 2016/679. The Commission for the Protection of Personal Data (PCPD) has been referred with a complaint PPN-01-197/14.03.2022. submitted by Mr. I.R. The complaint contains allegations of unlawful processing of personal data by the company "D." JSC with EIK-********. The complainant points out that he received an act in his name for an administrative offense committed in the Federal Republic of Germany. The act claims that on 15.09.2020 Mr. I.R. was driving a vehicle with registration number ****, owned by the company "D." AD, with address: ****, which, according to him, does not correspond to the truth. The complainant indicates that at the same time he was on sick leave (temporary incapacity for work), which was also confirmed by an inspection carried out by the Executive Agency "Main Labor Inspectorate". Mr. I.R. adds that probably a person from "D." AD used his data because the German authorities have no way of knowing who the person was driving the same vehicle. In this regard, the complainant expresses his strong concern about the situation that has arisen because he does not know what he can expect and whether this will not happen again, in view of which he wishes the CPLD assistance for his violated rights. Attached to the complaint: 1. Answer of the IA "Main Labor Inspectorate" with ex. No.****; 2. Medical protocol LKK No.***; 3. Order to terminate an employment relationship; 4. Invitation to hand over the employment record; 5. Application for termination of employment contract; 6. Invoice *****. — for used copper. services; 7. Payment order from 13.01.2022. in the amount of EUR 83.50 /the amount of the fine/; 8. Act issued by the German authorities. On the basis of Article 26 of the APC, the company "D" was notified. AD with EIK-********, for the administrative proceedings instituted before the CPLD on the complaint of Mr. I.R. According to the base Article 34, paragraph 3 of the APC, the administrator is given the opportunity to express an opinion on the complaint. On behalf of the company, through their legal representative – Adv. AD, which on the date of the violation committed on the territory of the Federal Republic of Germany – 15.09.2020, was on leave due to temporary incapacity. Moreover, on the same date, the process truck with registration number ****, which until 23.07.2020 was held by "D." AD under a lease agreement, was already used by another lessee — "V. " EOOD, with EIK ****. That is, as of the date of the violation – 15.09.2020. the truck was not used by "D" at all. AD, and already by another person, as at the same time I.R. was in hospital. Nevertheless, in the office of "D." AD has received the electronic slip from the competent authorities of the Federal Republic of Germany for the violation dated 15.09.2020. Since the violator is a legal entity, the fact sheet provides an opportunity to indicate the specific individual who was driving the motor vehicle on the date of the violation. As can be seen from the appendices to this statement, along with the appendices to it, on June 29, 2021, the employee of "D." AD P.H., instead of objecting that as of the date of the violation 15.09.2020 the truck was no longer used by the company, but by a third party, and to present the available evidence for this, she mistakenly accepted the slip and named the person responsible for the violation, I.R. It concerns an inadvertent technical error, confusion of the relevant dates, he as according to the explanations of the employee, I.R. drove the truck on 15.07.2020, and she confused this date with the date of the violation 15.09.2020. The fact that it is an inadvertent error in the dates is also confirmed by the fact that as of 15.09.2020 undisputedly, the truck was not in the possession of "D" at all. AD, but the employee did not object even in this regard – she was obviously mistaken about the dates. At the same time, she disclosed the personal data of the applicant to the competent authorities of the Federal Republic of Germany (a member state of the EU) in fulfillment of a legal obligation that applies to the administrator "D." AD (Art. 6, item 1, b. "c" of Regulation EU 2016/679 of the European Parliament and of the Council), as well as due to the need to protect the legitimate interests of the administrator (Art. 6, item 1, b ."e" from the Regulation). In addition, the applicant has consented to the processing of his personal data by the employer (Article 6, item 1, b. "a" of the Regulation) for specific purposes described in a written declaration. The fine imposed on the subject of the personal data by the competent authorities of the Federal Republic of Germany has been reimbursed to him in full and he has expressed his willingness to reach an agreement in this regard with his former employer. The aforementioned considerations from "D." JSC considers that it has not committed a violation under the CPDP and Regulation EU 2016/679 of the European Parliament and of the Council, and asks the CPDP to reject the complaint as unfounded. Attached to the opinion: 1. Form for establishing the violation, including the form, in which the data of the I.R. ; 2. Declaration of voluntary provision of personal data and their processing; 3. Declaration for provision of information under Article 6 of Regulation EU 2016/679 of the European Parliament and of the Council; 4. Tripartite agreement of 23.07.2020. to assign rights under a lease agreement; 5. Power of attorney. In connection with what was stated by the respondent, regarding the existence of an agreement reached, on the basis of Art. 43 of the Personal Data Protection Act, the complainant was given the opportunity to familiarize himself with the opinion of the administrator and to express his opinion on it, informing the CPLD whether he maintains his complaint under these circumstances. By letter No.PPN-01-197#6/18.08.2022, Mr. I.R. informs the CPDP that there is no agreement and upholds the appeal filed by him. After getting acquainted with the opinion of "D." JSC points out, for concern and anxiety, due to the lack of guarantees that this will not happen again. Another employee will make an "unintentional technical error" again. He adds that if there was an accident with the truck on the day in question – 15/09/2020, it is not clear who will be responsible. Considers it more correct that before providing information to third parties containing personal data, a check by the administrator is carried out. Regarding the declarations signed by him for the voluntary presentation and processing of personal data, his opinion is that they should be used lawfully and lawfully. Clarifies that the amount of the fine was actually reimbursed on August 2, 2022, by bank transfer from "D." AD, but his concern is related to the processing of his personal data. He has not declared that he has no other claims, as claimed by his former employer. In conclusion, he points out that the so-called "unintentional technical error" of the administrator caused him a lot of moral and non-pecuniary damage. As a full law-abiding citizen of the Republic of Bulgaria, he believes that everyone's personal data should be protected and hopes that those responsible for this "unintentional technical error" will bear their responsibility objectively. Additional clarifying information has been requested from the company in order to clarify the case from a legal and factual point of view. In response with the entry №PPN-01-197#7/26.08.2022 on the part of the administrator through his legal representative - Adv.N.N., indicate the following: 1. In cases where in "D." JSC receives notifications from a European road traffic control authority, such as the Federal Office for Freight Transport - Germany, the company's officials follow the rules outlined in the Instructions for processing received fines in "D." AD. 2. Violations of the rules have sometimes been found in connection with the work of employees of "D." AD, carrying out excesses on the territory of the European Union. Given the nature of the work, these violations are most often established on the basis of received reports of fines imposed by European control authorities. In these cases, the company pays the fines, and if culpable and illegal behavior on the part of the employee is established, property liability is realized against him under the conditions of Art. 203 et seq. of the Criminal Code. If it turns out that the fine is not due to a reason for which the employee is responsible, it remains at the expense of the employer. In principle, compliance with road traffic rules is also considered as a work obligation for drivers by virtue of their job characteristics. Therefore, their violation in some cases is grounds for realization of disciplinary liability under CT. 3. Submit an Instruction for the processing of personal data in "D." AD and to create technical and organizational measures for their protection. 4. The applicant I.R. stated to representatives of "D." DAMN he felt affected because he had to pay a fine for something he didn't do. Therefore, he has undertaken to immediately withdraw the complaint before the CPLD if the amount paid by him is reimbursed. After it was established that the complainant was indeed not at fault for the situation, he was apologized on behalf of the company and his amount was refunded. However, after receiving the amount, the applicant stated that he had actually only promised to consider withdrawing the complaint, but having done so decided not to withdraw it. Attached to the additional opinion: 1. Instructions for processing received fines in "D." AD; 2. Instruction for processing personal data in "D." AD and to create technical and organizational measures for their protection; 3. Payment document for payment of the fine from I.R. ; 4. Payment document for reimbursement of the fine paid by the driver; 5. Submissions to the written answer sheet, together with a translation into Bulgarian.  The complaint was considered at a meeting of the CPLD, objectified in Protocol No. 34 of 14.09.2022, at which a decision was made to accept it as admissible and to schedule it for consideration in an open meeting. The following are constituted as parties in the administrative proceedings: applicant - Mr. I.R. and the respondent – the administrator "D." JSC with EIK-********. At the open meeting of the Commission held on 16.11.2022, objectified in Protocol No. 42, the complainant, regularly notified, did not appear or represent himself. The defendant, regularly notified, is represented by Adv.N.N. with a power of attorney on file. A complaint considered on its merits is well-founded. The complaint of Mr. I.R. is fully compliant with the requirements for regularity, namely: there are data on the applicant, the nature of the request, date and signature. The norm of Art. 38, Para. 1 of the LLDP provides for a preclusion period for referral to the Commission - six months from the knowledge of the violation, but no later than two years from its commission. The complainant indicates that he found out about the illegal processing of his personal data after receiving a traffic violation act on the roads of the Federal Republic of Germany on 13.01.2022, which he pays. The complaint was submitted to the Commission for the Protection of Personal Data on 14.03.2022. The terms specified in Art. 38, para. 1 of the Labor Code have been met. In Article 27, paragraph 2 of the APC, the legislator binds the assessment of the admissibility of the request to the presence of the requirements specified in the text. The competence of the Commission when considering complaints is related to the protection of natural persons, in connection with the processing of their personal data by persons having the status of "personal data administrators". This requirement is an absolute procedural prerequisite, in view of which the admissibility of the appeal is assessed. The complaint is directed against "D." AD with EIK-********, which company is undoubtedly a controller of personal data within the meaning of Article 4, Item 7 of Regulation (EU) 2016/679. The complaint was filed by an individual with a legitimate legal interest. The same claims that his personal data in volume: three names and exact address, date and place of birth were unlawfully processed by the employer "D." AD by providing them to a third party "Federal Service for the Transport of Goods" FRG, for drawing up an act for an offense committed on 15.09.2020. at 01:08 a.m., representing the use of road A3 city of Zinzing, direction city of Nittendorf - FRG by motor vehicle with registration number ****, with a total weight of 18.00 tons, for which a toll of 55 €, without the same being paid, in violation of the conditions for processing in the sense of Art. 5, § 1, letters "a" and "b" of Regulation (EU) 2016/679, in connection with Art. 6, § 1 of the same. Pursuant to Art. 57, § 1, i.e. "e" of Regulation (EU) 2016/679, upon its referral, the CPLD examines complaints against acts and actions of personal data controllers that violate the rights of data subjects. Therefore, the complaint is within the competence of the CPLD. It is not in dispute between the parties, Mr. I.R. was an employee of the company "D." AD. It is not disputed that the employment contract of Mr. I.R. was terminated on 01.11.2020. with the employer "D." AD. According to the file, it is not in dispute that by virtue of Medical Protocol No.**** issued by DCC **** with Reg. No.***, Mr. I.R. was temporarily unable to work for a period of 30 days, from 01.09.2020. until 30.09.2020 reflected in hospital sheet No.***. According to the file, it is not disputed that a letter was sent by the Federal Service for the Transport of Goods to "D" for the violation found by the German transport authorities, carried out on 15.09.2020. JSC notifying them of the violation found by them and the need to pay a fine of €55. A form is attached to the letter, which is to be filled in if the person who owns the vehicle did not commit the violation and should indicate the names and address of the person who committed the violation. Accordingly, an employee of "D." AD, on 29.06.2021 sends the personal data of Mr. I.R. to the Federal Service for the Transport of Goods, FRG. in volume: three names, exact address, date and place of birth, in his capacity as the physical violator of the Federal Law on Mandatory Tolls for Highways and Main Roads (BFStrMG), on 15.09.2020. with a vehicle ****. It is clear from the evidence and information collected in the file that by 23.07.2020 truck with registration No.**** is owned by "D." AD, as after this date, by virtue of a tripartite agreement between "L." Ltd., "D." AD and "V." EOOD, the same passes under the management of the lessor and "V." Ltd. That is, as of September 15, 2020. the truck was no longer used by the administrator "D." AD, while at the same time Mr. I.R. was on sick leave. Indeed, Mr. I.R. on 16.04.2020 has signed the "Declaration for Voluntary Provision of Personal Data and Their Processing", with which he declares the provision of personal data to the employer "D." AD for the occurrence, implementation or termination of his employment and insurance obligations (Article 1.1 of the Declaration). Also, Mr. I.R. has given his consent to the processing of his personal data by "D." AD, in its capacity as an employer, objectified in the "Declaration for provision of information under Article 13 of Regulation (EU) 2016/679 of the EC and the Council of 27.04.2016." Pursuant to Article 6 §1 of the GDPR, the processing of personal data is lawful, only and to the extent that at least one of the conditions specified from letters "a" to "f" of the same paragraph is applicable. It is clear from the evidence and information collected in the case file that, in the capacity of an employer under an employment contract, the administrator processes the personal data of Mr. I.R. on the basis of Art. 6, §1, b."b" of the GDPR - "the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before concluding a contract" . On the next place. Pursuant to the declarations submitted by Mr. I.R., the administrator processes the personal data on the basis of Art. 6, §1, b. "a" of the GDPR - "the data subject has given consent to the processing of his personal data for a or more specific goals”. However, it should be noted that the provision of the personal data of Mr. I.R. to the administrator Federal Service for the Transport of Goods – FRG, for violation of the Federal Law on Mandatory Tolls for Highways and Main Roads (BFStrMG), on 15.09.2020. carried out with MPS ****, does not fall within the hypotheses of Article 6, §1 b."a" and "b" of the GDPR, for the legality of the processing. This is because the employer has no obligation, under the employment relationship, to provide the personal data of its employees to third parties for whom there is no legal basis for providing this data related to employment law. Next, the consent expressed in the two declarations of 04/16/2020 also does not objectify the fact that the same was given for these purposes, since Art. 6, §1 b. "a" points to one or more specific purposes. It is necessary to note that even if there is consent to provide personal data for these purposes, there should be additional objective prerequisites for this. i.e. that the subject exercised his work activity with the means of transport provided to him, as a result of which he committed a violation of the traffic rules on the day and place in question. In the specific case, the person was on sick leave on the specified date. With regard to the claims that the administrator has the grounds specified in Art. 6, §1, b. "e" of the GDPR - "the processing is necessary for the purposes of the legitimate interests of the administrator or a third party, except when such interests prevail have the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child”. Referring to the existence of a legitimate interest of the administrator in the processing by providing it to a third party, it should be pointed out that, as the administrator himself notes, on 15.09.2020. The motor vehicle with registration No.**** was in the possession of the new lessee "V." EOOD, which is not the employer of Mr. I.R. and there are no records of other contractual relations with him. According to the administrative file, no evidence was provided for the fact that Mr. I.R. was aware of the information received from his former employer about a violation committed on September 15, 2020, for which "D." JSC considered that he was the physical perpetrator of the violation. No evidence has been presented by the administrator for an inspection carried out by him to establish the person who drove the official truck with registration number **** on 15.09.2020. The possibility of disciplinary liability of the data subject is precluded by termination of the employment relationship on 01.11.2020. The letter with which the Federal Service for the Transport of Goods, Cologne - FRG informed the company about the violation is dated 11.01.2021, i.e. after termination of the legal relationship with Mr. I.R. The above, as well as the circumstances that the truck, as of 23.07.2020 has been disposed of by "B." Ltd., and Mr. I.R. was in hospital, which circumstances were undisputedly known to the administrator, determine the conclusion of a violation of the principles specified in Art. 5, § 1, b. "a" and "b" in connection with Art. 6, § 1 of GDPR, for the processing of personal data in a lawful, transparent and conscientious manner by the administrator, so that they are not processed in a manner incompatible with these purposes. The personal data of Mr. I.R. were provided to the Federal Service for the Transport of Goods, Cologne - Germany, on 29.06.2021, i.e. more than six months after the termination of the legal relationship with the employer. It should be noted that the administrator did not take any follow-up actions, after establishing the factual situation, to remove the data for Mr. I.R., who continues to be a violator of the Federal Service for the Transport of Goods, Cologne - Federal Republic of Germany, which, in the event of a subsequent violation, could be perceived as a relapse and the person could be sanctioned more severely than the law. It is necessary to state that no information was provided during the administrative proceedings to establish the actual offender, to emphasize the controller's responsible behavior towards the data subject.
The Commission for the Protection of Personal Data is the competent authority within the meaning of Article 6 of the Personal Data Protection Act in connection with violations in the processing of the personal data of natural persons. Competence is both a right of the authority and its obligation to exercise its powers arising from the law. The Commission has operational independence, assessing which of its corrective powers under Art. 58, §. 2 of Regulation (EU) 2016/679 is appropriate to implement in each specific case. The assessment is based on considerations of purposefulness, expediency and effectiveness of the decision, and an act should be enacted that protects the public interest to the fullest extent. The powers under Art. 58, §. 2 of Regulation (EU) 2016/679, with the exception of those specified in b. "i", have the nature of coercive administrative measures, the purpose of which is to prevent the commission of a violation or, if the commission has begun, to stop it, thus the behavior required by law is objectified.
The administrative penalty "fine" or "property penalty" in the sense of Art. 58, §. 2 of Regulation (EU) 2016/679, b. "i" has a punitive nature. Regarding the application of the appropriate corrective measure under Art. 58, §. 2 of Regulation (EU) 2016/679, the nature, gravity and consequences of the infringement should be taken into account, assessing all the facts relevant to the case and their causal relationship. The specified powers are relevant for a case in which the administrators have not fulfilled their obligation, which they can remedy by performing the omitted actions within the given time and objectifying the behavior required by law. In this case, there is no omission, but more actions have been taken, which necessitates the conclusion of the inapplicability of this authority. The established specific violation was completed with the act of providing the personal data of Mr. I.R. to a third party without reason.
Thus, the illegally provided personal data served to identify the offender of the violation found by the Federal Service, for which a fine of 55.00 € was provided, which, together with the fees, reached the amount of 83.50 €, paid personally by Mr. I.R ., for a violation of the Federal Law on Mandatory Tolls for Highways and Main Roads (BFStrMG) - FRG, committed on 15.09.2020, with a motor vehicle ****, a period during which the person was on proven sick leave, which the motor vehicle except for the above , as of that date had already been granted to another lessee "B." Ltd.
Accordingly, the applicant's personal data provided in this way constitutes a violation of the principles of lawful, good faith and transparent processing, in relation to the subject of the data, which, collected for the purposes of the employment relationship, are further processed in a manner incompatible with these purposes (Art. Art. 5, § 1, b. "a" and "b" of the GDPR), in connection with Art. 6, § 1 of the GDPR.
In connection with the above, the granting of a deadline for remedying the violation appears to be inapplicable and, in this regard, the illegal processing is irreversible.
On the basis of the above and taking into account the fact that the violation of the rules for the processing of personal data has been completed and its consequences for the applicant are present, only the pecuniary sanction, as a measure of administrative coercion, is the most appropriate, expedient and effective measure, given which the Commission finds that it should impose on personal data controllers "D." JSC, administrative punishment – property sanction, as a corrective measure under Art. 58, §. 2, b. "i" of Regulation (EU) 2016/679, for violation of the provisions of Art. 5, § 1, b. "a" and b. "b", in relation to art. 6, § 1 of the GDPR, in relation to art. 38, para. 3 of the GDPR, as the sanction is an expedient and effective measure to protect the public interest. The Commission finds that the pecuniary sanction will have the necessary corrective effect on the administrator and will contribute to his subsequent compliance with the established legal order.
When determining the amount of the penalty, according to Art. 83, §2 of Regulation (EU) 2016/679, the following elements should be taken into account in relation to what was done by "D." AD:
a) In the specific case, the principles for processing personal data in the sense of the Regulation were violated, that the data were collected for specific purposes in relation to the Labor Code, that they were processed lawfully in good faith and in a transparent manner towards the data subject. Personal data are processed for purposes other than those for which they were provided, by providing them to third parties. Regarding the information provided to the Federal Service for the Transport of Goods, Cologne - FRG, there is no data that it has been deleted or corrected from the service's arrays at the moment. The purpose of processing is the controller's economic interest. One person was affected by the processing, and with regard to the damage it can be stated that, although the amount of the fine paid by him was reimbursed, the information that he was the perpetrator of a violation in the electronic file of the Federal Office for the Transport of Goods, Cologne – FRG, will continue to appear, which in the event of a repeated violation will be negatively reflected on the data subject;
b) It was established in the administrative proceedings that the violations were committed intentionally, by an employee of the administrator;
c) There is no evidence that the administrator has taken technical and organizational measures to correct or remove the information erroneously provided to the Federal Service for the Transport of Goods, Cologne - FRG. There is no data on the employee's corresponding disciplinary punishment;
d) The degree of responsibility of the administrator is higher than usual, given the fact that he processes personal data related to persons with whom he no longer has a contractual relationship. Accordingly, the level of introduced technical and organizational measures should be higher and in accordance with the financial and technical capabilities available;
e) The lack of previous violations by the administrator of the Regulation has been reported;
f) The administrator has provided the necessary cooperation with the supervisory authority in order to remedy the violation and mitigate the consequences for the data subject.
g) The affected personal data are not of the category of special, in the sense of Art. 9, § 1 of the Regulation. They are not related to the behavior of the data subject within the meaning of Article 10 of the Regulation;
h) Violations became known to the supervisory authority from the information in the complaint. The administrator did not notify the violation due to non-acceptance of such violation.
i) The administrator has not been imposed the measures under Art. 58, §2, in connection with the same subject of the processing;
j) Circumstances under this letter are irrelevant, insofar as at the time of committing the violations no codes of conduct have been adopted by the administrators, correspondingly approved certification mechanisms have been introduced;
k) As an aggravating circumstance, it should be considered that the violations were completed by the act of their commission and are irreparable, they are consequential, and as such they led to a negative interference in the personal life of the applicant, given their nature.
For completeness, it should be stated that the administrator has 2143 employees, according to information for 09/2022. and has an annual turnover of BGN 259,382,000, according to information for 2021. the enterprise does not fall under Article 3 of the Law on Small and Medium Enterprises.
Based on the criteria under Art. 83, §2 of the GDPR, the property status of the administrator (the same does not fall into the category of small and medium-sized enterprises in the sense of the Law on Small and Medium-sized Enterprises), the Commission for the Protection of Personal Data finds that the determination of the amount of the sanction of BGN 10,000.00 (ten thousand BGN) appears to be fair and justified and a deterrent.
In the course of the proceedings, no requests were made for the recognition of costs, therefore the Commission for the Protection of Personal Data is not required to rule on this issue.
Motivated by the above and on the basis of Article 38, Paragraph 3 of the GDPR, in connection with Article 58, §2 of Regulation (EU) 2016/679, the Commission for the Protection of Personal Data
1. Announces a complaint with reg. No. PPN-01-197/14.03.2022. filed by Mr. I.R., as well-founded.
2. In connection with item 1 and on the basis of Art. 83, §5, letter "a", in conjunction with Art. 58, §2, letter "i" of Regulation (EU) 2016/679, for violation of Art. .5, §. 1, letters "a" and "b", in connection with Article 6, §1 of Regulation (EU) 2016/679, imposes on the administrator "D." JSC with EIK-********, with registered office and address of management: ****, administrative penalty – property sanction in the amount of BGN 10,000.00 (ten thousand BGN).
This Decision is subject to appeal within 14 days of its notification through the CPLD, before the Administrative Court - Sofia.
After the decision enters into force, the amount of the imposed penalty should be transferred by bank transfer to:
BNB Bank – CU;
IBAN: BG18BNBG96613000158601;
Commission for the protection of personal data, BULSTAT 130961721.