Publication 15 May 2024 · International

Bulgaria


Main takeaways


  • Fines can be imposed on authorities and public entities (and the highest fine to date was imposed against an authority).
  • The number of complaints addressed to the supervisory authority (the Bulgarian Commission for Personal Data Protection) is constantly increasing.
  • Some of the decisions issued by the Commission for Personal Data Protection are published on its website.
  • Fines > Litigation: Fines appear to be more significant than litigation as a measure against alleged violations; changes are unlikely due to the high costs and long time involved in legal proceedings.

Fining practice

Trend: Have the national data protection authorities in Bulgaria focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

It appears that proceedings before the Bulgarian Commission for Personal Data Protection ("Комисия за защита на личните данни", “CPDP”) are most often initiated on the basis of complaints from data subjects, and it cannot be clearly concluded whether the CPDP deliberately focuses on certain types of violations. However, it can be observed that most of the fines have been issued mainly for violation of the principles of the processing of personal data (Art. 5 GDPR), insufficient legal basis for data processing (Art. 6 GDPR), or an inappropriate level of security (Art. 32 GDPR), as well as for controllers' failure to respond to data subjects' requests to exercise their rights in compliance with the statutory requirements.

An analysis of the complaints received by the CPDP shows that the sectors in which complaints were predominantly lodged are: video surveillance (highest and still increasing number of complaints), bank and credit services (relatively constant number of complaints), state affairs (the number of complaints against state authorities has significantly increased), employment relations (the number of complaints is increasing), telecommunications and media services (decreasing number of complaints), political entities (decreasing number of complaints), education, insurance, etc.

Overall, what was the most significant fine in Bulgaria to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The highest GDPR fine in Bulgaria to date was imposed on the Bulgarian National Revenue Agency ("NRA"). The main government revenue authority was fined approx. EUR 2,550,000 by the CPDP in August 2019, for failing to implement appropriate technical and organisational measures for the protection of personal data. This resulted in the unauthorised access to and dissemination of 6,074,140 individuals' personal data. The NRA appealed the decision before the Sofia City Administrative Court, which finally dismissed the case due to expiration of the absolute statute of limitations.

A number of the affected data subjects brought claims against the state of Bulgaria for damages resulting from the data leakage. Most of the proceedings on these claims are now delayed as the Bulgarian Supreme Administrative Court referred the matter to the Court of Justice of the European Union (“CJEU”) with a request for a preliminary ruling on questions related to the liability for violation of the GDPR in case of a data breach which results from criminal activity (Case C‑340/21). On 14 December 2023, the CJEU issued its judgement on the case, ruling, inter alia, that Articles 24 and 32 of the GDPR must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a “third party”, within the meaning of Article 4(10) of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not “appropriate”, within the meaning of Articles 24 and 32. The appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.


Organisation of authorities and course of fine proceedings in Bulgaria

How is the data protection authority organised in Bulgaria? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The CPDP is the supervisory authority responsible for the correct application of the GDPR and compliance with the Bulgarian Personal Data Protection Act.


  • The CPDP is an independent supervisory authority with its own budget.
  • The CPDP consists of a chairman and four members. The CPDP is supported by a special staff and a general administration staff. The total number of staff is 117 people (the number of staff has increased because the CPDP was assigned responsibilities under the new law implementing the Whistleblowing Directive).
  • The chairman and members of the CPDP are elected by the National Assembly following a nomination by the Council of Ministers, for a term of five years. The CPDP is organized into four directorates. These include Resource Management and Administrative Legal Services Directorate, Legal Affairs and Internal Cooperation Directorate, Legal Proceedings and Supervision Directorate, and Legal Analysis, Information and Control Activities Directorate.
  • The annual budget of the CPDP for 2023 was BGN 6,985,000 (approx. EUR 3,571,374).

How does a fine procedure work in Bulgaria? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

  • Administrative sanctions (including fines) are imposed directly by the CPDP as part of its administrative proceedings.
  • Administrative proceedings are governed by general national law, in particular the Bulgarian Administrative Violations and Penalties Act and the Bulgarian Administrative Procedure Code. The authority shall initiate proceedings at the request of a data subject or may initiate proceedings on its own initiative. If the facts of the case require more clarification, the CPDP may request that the involved parties provide additional proof/information. The respective data controller or data processor may provide its views on both factual and legal aspects of the case. The authority must carefully consider these before reaching its decision.
  • Companies may appeal the decisions of the CPDP with the competent administrative courts within 14 days of being notified.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

The proceeds from fines imposed by the CPDP are credited to the budget of the CPDP.

Is there a common, official calculation methodology for fines in Bulgaria (such as the fining models in the Netherlands or Germany)?

There is no publicly available common calculation methodology. The CPDP refers to the Art. 29 Working Party’s WP 253 Guidelines on the application and setting of administrative fines.

Can public authorities be fined in Bulgaria? If they can: Where does this money go?

Yes, public authorities may be fined in Bulgaria. The money is credited to the budget of the CPDP.

In Bulgaria, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

Yes, there is a section on the CPDP’s website where decisions are made publicly available. Furthermore, information on the decisions is published in the CPDP’s monthly newsletter, which is available online. A summary of the CPDP’s decisions is included in its annual report. The parties involved are generally not identifiable, unless the case is of public interest. Sanctioned entities are generally not anonymised in press releases.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

  • The CPDP provides aggregated information on the total number of cases reviewed in its annual reports. In 2023, the CPDP received 925 complaints from individuals alleging violations of personal data processing and the exercising of rights. The number of complaints is higher compared to 2022 (about 770 complaints) and 2021 (about 840 complaints).
  • The total amount of fines imposed was: in 2023 – BGN 90,900 (approx. EUR 46,500); in 2022 – BGN 247,500 (approx. EUR 126,545); in 2021 – BGN 112,150 (approx. EUR 57,340); in 2020 – BGN 87,063 (approx. EUR 44,515); in 2019 – BGN 6,106,000 (approx. EUR 3,121,950) (this higher annual amount is due to the financial sanction imposed on the National Revenue Agency in 2019 and another significant sanction imposed on a Bulgarian bank in 2019).

Other legal consequences of non-compliance in Bulgaria

Does Bulgaria have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

  • Class actions have been a possibility under the Bulgarian Civil Procedure Code since March 2008. Within class action proceedings, it is possible to obtain a decision establishing the fact of the infringement. Such a judgment makes it much easier for claimants to pursue their individual claims for compensation, as they do not need to prove the fact of the infringement and the fact that the controller is at fault. Nevertheless, class actions are not common in Bulgaria. There is a tendency towards seeking compensation through individual claims rather than filing a class action.
  • There are a few rulings of Bulgarian courts related to the leakage of personal data from the databases of the NRA, in which the courts have refused to review the class actions brought, on the view that class actions can only be brought in relations of equality (i.e., in civil proceedings) and not in relations of subordination (i.e., relations with public bodies such as the NRA).

What is more relevant in Bulgaria: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Court proceedings related to claims for damages are less common. This is most likely due to litigation costs, lengthy proceedings, and the lack of established common/uniform judicial practice in this area.

Fines imposed by the CPDP are more common, mostly due to the gravity of the fines and their general preventive effect.

Based on how actively the CPDP pursues data protection infringements, it can be assumed that its role in enforcing the GDPR will continue to be crucial in the foreseeable future.