Significant fines imposed by the Bulgarian Commission for Personal Data Protection


Earlier in 2019 the Bulgarian data protection supervisory authority – the Bulgarian Commission for Personal Data Protection (“CPDP”)- imposed the first significant fines under the GDPR. The sanctions served as landmark cases in the post GDPR era due to the fact that they were of a significant amount and they were imposed to organizations in both the public and the private sectors – first one of the banks operating in Bulgaria suffered a fine amounting to BGN 1 000 000 (approximately 500 000 EUR) and shortly afterwards the Bulgarian tax authority – the National Revenue Agency (“NRA”) was fined with BGN 5 100 000 (approximately 2 550 000 EUR).

Fine in the public sector 

The NRA was subject to a cyberattack, which led to unauthorized access and disclosure of personal data of more than 5 000 000 (five million) individuals. As a result of the cyberattack, certain parts of the NRA’s databases were spread online and were made publicly accessible. The information included names, physical addresses, personal identification numbers, tax and social security information, as well as other data which concerned both Bulgarian and non-Bulgarian citizens, who have been subjects to registration at the NRA. 

Considering future risks for data subjects, the CPDP issued an order, imposing to the NRA: (i) to implement immediate measures for increasing of the cybersecurity levels; (ii) to conduct analysis and risk assessment of the data processing systems and operations; and (iii) to conduct assessments for future implementation of new information systems and applications. These measures were part of a bigger strategy of both the NRA and the CPDP to mitigate any damages, which may arise from the data breach, which has occurred. In addition to these measures the NRA undertook actions for notifying data subjects, who may be exposed to a high risk due to leakage of their personal data. 

The data breach gave sufficient grounds to the CPDP to proceed further and to impose a fine on the NRA for not implementing sufficient technical and organizational measures for protection of the online databases. The fine is subject to appeal before the local courts.

In the present case there was no clue leading to an “inside job” and the access to the information was obtained entirely remotely (allegedly by an employee of a Bulgarian cybersecurity company). This raised questions about the meaning “sufficient” measures in online environment, considering the rapid pace of technology development, and the growing numbers of Black-hat hackers.

Another point was raised regarding effectiveness of fines in the public sector, which result in transferring public funds from one authority’s budget to another, taking into account that art. 83, item 7 of the GDPR leaves this matter at the Member States’ discretion.

Significant fine imposed on one of the banks in Bulgaria

In parallel with the NRA’s data leak, one of the Bulgarian banks also published information that certain data of its customers has been subject to unauthorized access. The data breach in this second landmark case was not due to low cybersecurity measures and even was not conducted remotely. The data was accessed unlawfully by a third person, who has obtained control over a hard drive, which contained personal information of more than 30 000 people including personal identification numbers, personal documents, physical addresses, etc. 

The CPDP, after being notified by the bank, initiated investigation, which resulted in imposing a fine, amounting to BGN 1 000 000 (approximately 500 000 EUR). The said fine was imposed due to the bank’s failure to comply with the formal requirement of art. 32 of the GDPR – to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

What are the main conclusions?

Personal data has become a desired business asset to be attacked in both digital and physical environment. The types of information have expanded and are now not only limited to financial information, but many other details, which could serve to create personal profile of the respective person, identity theft, etc. 

Furthermore, businesses should not focus solely on digital or solely on physical protection of devices/documents, containing personal data. One should seek balance in ensuring both types of protection and implementing respective procedures. 


Article provided by: Mitko Karushkov and Mario Arabistanov (Kambourov and Partners, Bulgaria)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.