Bulgaria – Enforcement of data protection regulations in 2021
Overview
The year 2021 was relatively quiet in terms of data protection enforcement in Bulgaria. Of the 22 reported significant decisions of the Commission for Personal Data Protection (CPDP), the regulator imposed a fine in only 4. Even the largest fine, 5,000 lv. (approximately EUR 2,550), imposed on Ciela Norma, a legal information system provider, for breaching the data accuracy principle enshrined in Art. 5(1)(d) GDPR by mistakenly identifying a woman as the liquidator of several companies and listing her personal identification number in relation to them,[1] is an insignificant sum by the standards of data protection enforcement.
In terms of the CPDP's internal practices, the Commission moved towards greater transparency and uniformity in the way it exercises its supervisory powers by publishing, in September 2021, an Instruction on the practical implementation of supervisory powers by the CPDP.[2] The Instruction establishes the methodology for conducting different types of investigations and aims to lay down a unified approach to supervisory activities by the CPDP and its administration. In appendices to the Instruction, the CPDP also published a Methodology for determining the risk level of data security breaches (an important tool for assessing data breach notifications under Art. 33 GDPR) and a Questionnaire for conducting inspections (aimed at collecting preliminary information on the context of the data processing and clarifying the key facts relevant to the inspection).[3]
Statistics
The following key figures summarize the CPDP's activities in 2021. During that year the CPDP:
- Took action on 427 requests and inquiries.
- Conducted a total of 206 investigations, 68 of which were initiated following a tip and 138 after a decision by the CPDP.
- Issued 9 official warnings under Art. 58(2) GDPR.
There were 22 significant cases in total, which can be sorted into the following categories:
- Financial Services – 1
- Government – 4
- Journalism – 3
- Labour relations – 4
- Political Parties – 1
- Private enforcement – 2
- Properties within the same building – 1
- Telecommunications – 3
- Tourism – 1
- Video Surveillance – 2
Trends
In 2021, the CPDP was mainly occupied with issues concerning government, labour relations, journalism and telecommunications. Overall, the CPDP shows a preference for mandatory instructions and warnings over sanctions, and the sanctions it does impose tend to be small even for significant breaches.
There were two cases of unauthorized use of personal data by central and local government officials for personal purposes unrelated to their work duties. In one case, a public servant at the Ministry of the Interior used his status as a government official to access a non-public national database in order to find the owner of a car parked on his street and contact him.[4] In the other, a public servant in a municipality made unauthorized use of his access to documentation containing the personal data of two individuals and published that documentation on Facebook.[5] In both cases, public officials grossly abused their position by accessing and misusing citizens' personal data for purposes unrelated to their official duties. While such a scenario would normally warrant a forceful response from the data protection authority, the CPDP limited itself to a mandatory instruction in both cases.
There were also important decisions on the balance between the right to privacy (and the right to object to the processing of personal data) and the right to freedom of expression and information. Two decisions of the CPDP in the field of journalism stand out. The first concerns the publication of an article about criminal proceedings against a businessman on a charge of bribing a public official, which ended in acquittal.[6] The CPDP acknowledged that the article included information about the acquittal and emphasized that the public has a right to be informed about past as well as present events. Because the article gave a full and objective account of the facts and concerned a matter of public interest (possible bribery of an official), the CPDP held that the processing of only two names and an image (in line with the principle of data minimization) was lawful. In the second case, by contrast, an article claiming that a prison guard had sexually harassed his female colleagues was held to involve unlawful processing of the guard's personal data.[7] The crucial difference was that the article did not give a full and objective account of the facts: it omitted the fact that the reprimand order against the guard had been quashed by a court, and there was in fact no evidence that he had committed the acts described. Consequently, the CPDP held that the data was not processed for journalistic purposes (Art. 25h of the Personal Data Protection Act) and that there was no lawful ground for the processing. The data accuracy principle of the GDPR was also breached.
A decision of the Supreme Administrative Court from November 2021[8] further elaborated the criteria for assessing where the balance between the right to data protection and the right to freedom of expression lies. The Court placed emphasis on the principle of data minimization (Art. 5(1)(c) GDPR), which requires journalistic outlets to include in their pieces only the personal data that is necessary and sufficient for exercising their freedom of expression. Anything more is a disproportionate intrusion into the private life of the data subjects.
The CPDP also issues opinions. Two important matters were addressed in 2021.
The first concerns electronic signatures and the visibility of the signer's personal identification number (PIN), a unique number assigned to each Bulgarian citizen, to everyone who views the signed document. The CPDP reviewed the applicable electronic identification legislation and concluded that, while the PIN may be collected by the provider in order to identify the signature holder unambiguously, there is no legal ground or necessity for the PIN to be visible as part of the electronic signature.[9]
The second opinion deals with one of the most controversial topics in recent Bulgarian public discourse, the Digital Covid-19 Certificate, which gives information on citizens' vaccination status (a special category of data protected under Art. 9 GDPR) and is currently a prerequisite for access to most public places and events. The CPDP points out that, as a measure aimed at protecting the health of workers at the establishment concerned, Arts. 9(2)(b), 9(2)(g) and 9(2)(i) GDPR can serve as lawful grounds for the processing.[10] It also stresses that automated checking of certificates for the purpose of granting access to places, without any human decision-making, is prohibited. Furthermore, when certificates are used in this way to permit or deny access, the CPDP says a data protection impact assessment under Art. 35 GDPR will almost always be necessary. It concludes that, to strike a balance between the Ministry of Health orders and the rights of data subjects, the results of Covid Certificate checks must not be stored.
Meanwhile, the EDPB and the EDPS addressed the use of the Digital Covid Certificate for purposes beyond facilitating the right to free movement between Member States in a Joint Opinion.[11] The EDPB and EDPS highlight that any further use of the framework, of the Digital Green Certificate and of the personal data related to it at Member State level must respect Articles 7 and 8 of the Charter and must comply with the GDPR, including Article 6(4) GDPR. This implies the need for a proper legal basis in Member State law that complies with the principles of effectiveness, necessity and proportionality and includes strong and specific safeguards implemented following a proper impact assessment, in particular to avoid any risk of discrimination and to prohibit any retention of data in the context of the verification process.
[1] Decision of CPDP № ПП Н-01-871/2020, Sofia, 27.09.2021.
[2] https://www.cpdp.bg/index.php?p=news_view&aid=1795
[3] https://www.cpdp.bg/index.php?p=element&aid=1325
[4] Decision of CPDP № ПП Н-01-1238/2019, Sofia, 03.06.2021.
[5] Decision of CPDP № ПП Н-01-582/2020, Sofia, 13.08.2021.
[6] Decision of CPDP № ПП Н-01-332/2020, Sofia, 11.02.2021.
[7] Decision of CPDP № ПП Н-01-1800/2019, Sofia, 13.01.2021.
[8] Decision of the Supreme Administrative Court № 11636 on case № 7104/2021 from 16.11.2021.
[9] Opinion of CPDP № ПНМД-01-11/2021/17.06.2021, Sofia.
[10] Opinion of CPDP № ПНМД-01-93/2021/06.10.2021, Sofia.
[11] EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate).