Significant fines imposed by the Bulgarian Commission for Personal Data Protection


Earlier in 2019 the Bulgarian data protection supervisory authority, the Bulgarian Commission for Personal Data Protection (“CPDP”), imposed the first significant fines under the GDPR. The sanctions served as landmark cases in the post-GDPR era because they were of a significant amount and were imposed on organizations in both the public and the private sectors: first, one of the banks operating in Bulgaria received a fine of BGN 1 000 000 (approximately 500 000 EUR), and shortly afterwards the Bulgarian tax authority, the National Revenue Agency (“NRA”), was fined BGN 5 100 000 (approximately 2 550 000 EUR).

Fine in the public sector 

The NRA was subject to a cyberattack, which led to unauthorized access to, and disclosure of, the personal data of more than 5 000 000 (five million) individuals. As a result of the cyberattack, certain parts of the NRA’s databases were spread online and made publicly accessible. The information included names, physical addresses, personal identification numbers, tax and social security information, as well as other data concerning both Bulgarian and non-Bulgarian citizens who had been subject to registration with the NRA.

Considering future risks for data subjects, the CPDP issued an order requiring the NRA: (i) to implement immediate measures to increase its level of cybersecurity; (ii) to conduct an analysis and risk assessment of its data processing systems and operations; and (iii) to conduct assessments before any future implementation of new information systems and applications. These measures were part of a bigger strategy of both the NRA and the CPDP to mitigate any damage that may arise from the data breach. In addition to these measures, the NRA undertook actions to notify data subjects who may be exposed to a high risk due to the leakage of their personal data.

The data breach gave sufficient grounds to the CPDP to proceed further and to impose a fine on the NRA for not implementing sufficient technical and organizational measures for protection of the online databases. The fine is subject to appeal before the local courts.

In the present case there was no indication of an “inside job”, and access to the information was obtained entirely remotely (allegedly by an employee of a Bulgarian cybersecurity company). This raised questions about the meaning of “sufficient” measures in an online environment, considering the rapid pace of technology development and the growing number of black-hat hackers.

Another point was raised regarding the effectiveness of fines in the public sector, which result in transferring public funds from one authority’s budget to another, taking into account that art. 83, item 7 of the GDPR leaves this matter to the Member States’ discretion.

Significant fine imposed on one of the banks in Bulgaria

In parallel with the NRA’s data leak, one of the Bulgarian banks also published information that certain data of its customers had been subject to unauthorized access. The data breach in this second landmark case was not due to weak cybersecurity measures and was not even conducted remotely. The data was accessed unlawfully by a third person who had obtained control over a hard drive containing the personal information of more than 30 000 people, including personal identification numbers, personal documents, physical addresses, etc.

The CPDP, after being notified by the bank, initiated an investigation, which resulted in a fine of BGN 1 000 000 (approximately 500 000 EUR). The fine was imposed due to the bank’s failure to comply with the formal requirement of art. 32 of the GDPR: to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

What are the main conclusions?

Personal data has become a desired business asset that is attacked in both digital and physical environments. The types of information targeted have expanded: they are no longer limited to financial information, but include many other details that could be used to build a personal profile of the individual, to commit identity theft, etc.

Furthermore, businesses should not focus solely on digital or solely on physical protection of devices and documents containing personal data. One should seek a balance, ensuring both types of protection and implementing the respective procedures.


Article provided by: Mitko Karushkov and Mario Arabistanov (Kambourov and Partners, Bulgaria)
