Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Bulgaria: CPDP fines administrator BGN 10,000 for unlawful data processing
On February 9, 2023, the Commission for Personal Data Protection (CPDP) published its decision in complaint No. PPN-01-197/14.03.2022 in which it imposed a fine of BGN 10,000 (approx. $5,550) on an unnamed administrator for violations of the General Data Protection Regulation (GDPR), following a complaint submitted by an individual.
Background to the decision
The CPDP noted that the complainant pointed out that they received an administrative notification in his name for an administrative offense committed in Germany, stating that they were driving a vehicle owned by the administrator on a specific date, which was untrue. The complainant indicated that at that time, they were on sick leave and that this was confirmed by an inspection. Additionally, the complainant expressed concern that the administrator probably shared their personal data with the German authorities.
The administrator responded by stating that the vehicle at that specific date was already being used by another company. Furthermore, the administrator explained that they mistakenly disclosed the complainant's personal data to the German authorities as they confused the date when the complainant drove the vehicle and the date of the violation in Germany.
Findings of the CPDP
The CPDP held that the administrator illegally provided personal data to the German authorities to aid in identifying the offender, in violation of Articles 5(1)(a) and 5(1)(b) of the GDPR in connection with Article 6(1)(a) of the GDPR. This is because the CPDP found that this violated the principles of lawfulness, good faith, and transparent processing.
Outcomes
In light of the above, the CPDP imposed the abovementioned fine on the administrator.
You can read the decision, only available in Bulgarian, here.