Bulgaria

Main takeaways

  • Fines can be imposed on authorities and public entities (and the highest fine to date was imposed against an authority).
  • (Almost?) all decisions by the DPA are published.
  • Fines > Litigation: Fines appear to be more significant than litigation; this is unlikely to change given the high costs and long duration of legal proceedings.

Fining practice

Trend: to date, have the national data protection authorities in Bulgaria focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

It cannot be clearly concluded whether the Bulgarian Commission for Personal Data Protection ("Комисия за защита на личните данни", "CPDP") deliberately focuses on certain types of violations. However, it may be observed that most fines have been issued for violations of the principles relating to the processing of personal data (Art. 5 GDPR), for an insufficient legal basis for processing (Art. 6 GDPR), for an inappropriate level of security (Art. 32 GDPR), and for controllers' failure to respond to data subjects' requests to exercise their rights in the manner required by law.

An analysis of complaints received by the CPDP shows that the sectors and/or controllers against which complaints were predominantly lodged are: CCTV operators, banks and credit institutions, state bodies, political entities, telecommunications, media, healthcare, courier services, companies performing direct marketing, etc.

Overall, what was the most significant fine in Bulgaria to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The highest GDPR fine in Bulgaria to date was imposed on the Bulgarian National Revenue Agency ("NRA"), the main government tax authority, which was fined approx. EUR 2,550,000 by the CPDP in August 2019 for failing to implement appropriate technical and organisational measures. This failure resulted in unauthorised access to, and dissemination of, the personal data of 6,074,140 individuals. The NRA appealed the decision; however, the outcome of the lawsuit is as yet unknown. A number of the affected data subjects brought claims against the Bulgarian state for damages resulting from the data leakage. Most of the proceedings on these claims are currently stayed, as the Bulgarian Supreme Administrative Court referred the matter to the European Court of Justice with a request for a preliminary ruling on questions concerning liability for a GDPR violation where the data breach results from criminal activity. To date, there is no publicly available information on the progress of the proceedings before the ECJ.

Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in Bulgaria? In particular: what is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The CPDP is the supervisory authority responsible for the rightful application of the GDPR and compliance with the Bulgarian Personal Data Protection Act (the "PDPA"). The CPDP is an independent supervisory authority with its own budget.

The CPDP consists of a chairperson and four members, supported by a specialised staff and a general administrative staff. The total number of staff is 83 people (including five elective positions: the chairperson and the four members). The chairperson and members of the CPDP are elected by the National Assembly, following a nomination by the Council of Ministers, for a term of five years. The CPDP is organised into four directorates: the Resource Management and Administrative Legal Services Directorate, the Legal Affairs and Internal Cooperation Directorate, the Legal Proceedings and Supervision Directorate, and the Legal Analysis, Information and Control Activities Directorate.

The annual budget of the CPDP for 2022 was BGN 3,032,700 (approx. EUR 1,551,000).

How does a fine procedure work in Bulgaria? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

Fines may be imposed directly by the CPDP as part of its administrative proceedings.

Administrative proceedings are governed by national law, in particular the Bulgarian Administrative Violations and Penalties Act and the Bulgarian Administrative Procedure Code. The authority initiates proceedings at the request of a data subject or on its own initiative. If the facts of the case require further clarification, the CPDP may request that the parties involved provide additional evidence or information. The respective data controller or data processor may present its views on both the factual and the legal aspects of the case, and the authority considers these before reaching its decision. The decision may, inter alia, impose an administrative fine for data protection violations.

Companies may appeal against administrative fines with the competent administrative courts within 14 days of being notified.

When fines are imposed by the data protection authority: Where does the money go? (e.g., State treasury, the budget belonging to the authority)?

The proceeds from any pecuniary penalties and fines imposed by the Commission are credited to the budget of the CPDP.

Is there a common, official calculation methodology for fines in Bulgaria (such as the fining models in the Netherlands or Germany)?

There is no publicly available common calculation methodology. The CPDP refers to the Art. 29 Working Party’s WP 253 Guidelines on the application and setting of administrative fines.

Can public authorities be fined in Bulgaria? If they can: Where does this money go?

Yes. The money is credited to the budget of the CPDP.

In Bulgaria, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

Yes, there is a section on the CPDP’s website where decisions are made publicly available. Furthermore, information on the decisions is published in the CPDP’s monthly newsletter, which is available online. A summary of the CPDP’s decisions is included in its annual report. The involved parties are generally not identifiable unless the case is of public interest. Fined entities are generally not anonymised in press releases.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

The CPDP provides aggregated information on the cases reviewed in its annual reports.

In 2021, the CPDP received more than 840 complaints from individuals alleging violations in the processing of personal data and in the exercise of data subject rights. This is higher than in 2020, when approximately 680 complaints were received.

In 2021, sanctions amounting to BGN 319,000 (approx. EUR 163,100) were imposed by the CPDP.

Other legal consequences of non-compliance

Does Bulgaria have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Class actions have been a possibility under the Bulgarian Civil Procedure Code since March 2008. Within class action proceedings, it is possible to obtain a decision establishing the fact of the infringement. Such a judgment makes it much easier for claimants to pursue their individual claims for compensation, as they do not need to prove the fact of the infringement and the fact that the controller is at fault. Nevertheless, class actions are not common in Bulgaria. There is a tendency towards seeking compensation through individual claims rather than filing a class action.

There are a few rulings of Bulgarian courts relating to the leakage of personal data from the NRA's databases in which the courts declined to hear class actions, holding that class actions may be brought only in relations of equality (i.e., in civil proceedings) and not in relations of subordination (i.e., relations with public bodies such as the NRA).

What is more relevant in Bulgaria: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Court proceedings are less common. This is most likely due to litigation costs, lengthy proceedings and the lack of an established, uniform judicial practice in this area.

The fines imposed by the CPDP are more common, mostly due to the gravity of the fines and their general preventive effect.

Based on how actively the CPDP pursues data protection infringements, it may be assumed that its role in enforcing the GDPR will continue to be crucial in the foreseeable future.