On July 15, 2019 it became publicly known that about 5 000 000 Bulgarian and foreign citizens were affected by an unprecedented leak of personal data from the system of the National Revenue Agency (NRA). This breach of the security of such a large amount of personal information raises two important practical questions: what are the obligations of the NRA, and how can the affected persons protect their rights?
Under the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person (‘data subject’). Such information includes not only a name and identification number, but also any other data that may serve to identify a natural person. In that sense the personal data leaked from the NRA’s system, such as names, PINs (personal identification numbers), telephone numbers, information about income, health status, and tax and social security information, can be classified as ‘personal data’.
In the case of a personal data breach, the controller must notify the competent supervisory authority, which for Bulgaria is the Commission for Personal Data Protection (CPDP), within 72 hours after becoming aware of the breach. According to the official statements of the CPDP and the NRA, the CPDP received an official notification on Monday (15.07.2019), the same day the personal data leak became public through the media. It was additionally disclosed that an attempt to penetrate the NRA’s system occurred on June 29th, 2019. There is still no concrete answer as to whether the revenue authority was unaware of the data breach until then or was late in communicating the breach to the CPDP. If the notification was not submitted within the 72-hour period, the NRA should provide specific grounds for the delay.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subjects without undue delay. There is no clear interpretation of what amounts to a ‘high risk’, but several factors may be examined when determining it, such as the volume and nature of the personal data, the extent to which they are already publicly available, etc. GDPR does not set a specific time limit for the communication; however, under the Bulgarian Protection of Personal Data Act (PPDA) the data subjects must be informed about the personal data security breach within 7 days after the breach has been established. The notification should describe in plain and simple language the nature of the personal data breach as well as, where possible, recommendations for the natural person concerned to mitigate potential adverse effects. The notification must also provide the name and contact details of the data protection officer or another contact point from which more information may be obtained, a description of the likely consequences of the personal data breach, and a description of the measures taken or proposed by the controller to address the breach.
Additionally, the notification must be proportionate and effective. Thus, when a large amount of information regarding an extremely high number of natural persons is leaked, individual notifications may turn out to be ineffective or difficult to achieve. So far the approach of the revenue authority has been to inform the data subjects through official public notifications on its website. An application through which natural persons will be able to individually check whether they have been affected by the personal data leak is expected to be developed within a short period of time.
Each person who considers that their personal data have been processed in violation of GDPR has the right to refer the matter to the competent supervisory authority. In the case at hand, concerning the data leaked from the NRA, this means that every affected person has the legal right to lodge a complaint with the CPDP within 6 months of becoming aware of the violation. The complaint may be lodged in writing, by fax or by electronic means. In any case the CPDP must inform the complainants of the progress of the examination or its outcome within 3 months of the referral.
Additionally, each data subject has the right to an effective judicial remedy and may appeal against the actions and acts of the controller. The completion of the proceedings before the CPDP regarding the same violation, and the absence of a pending court case against its decision, are prerequisites for seeking judicial protection and compensation for the damages suffered.
Under GDPR, each person who has suffered material or non-material damage as a result of processing that infringes the regulation has the right to receive compensation from the controller or the processor of personal data for the damage sustained. The concept of damage should be interpreted broadly in the light of the case-law of the Court of Justice of the European Union. Material damage may result from restriction of rights, discrimination, identity theft or fraud, financial loss, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage for the affected natural persons. Compensation may also be claimed for non-material damage, such as damage to reputation, emotional distress, anxiety or other negative experiences resulting from the breach. Data subjects may individually seek compensation for the damage sustained in court proceedings. The controller or processor of personal data may only be released from liability if it proves that it is not in any way responsible for the damage sustained.
A violation of GDPR may be established by the supervisory authority (the CPDP for Bulgaria) after receipt of a complaint from a data subject or after receipt of a data breach notification from the controller. When a violation is established, the controller may receive administrative fines of up to 10 000 Euro or, for companies, 2 % of total global turnover (whichever is greater), and when the violation is particularly gross, the administrative fine may reach up to 20 000 000 Euro or, for companies, 4 % of total global turnover (whichever is greater). It is important to note that the Bulgarian Personal Data Protection Act does not provide for any exceptions regarding public authorities such as the NRA.
The high level of the sanctions shows the determination of the European legislator to guarantee that personal data are processed in a lawful, fair and confidential manner, with the informed consent of the data subjects.
If you have sustained damages as a result of unlawful processing of personal data, for any further assistance please do not hesitate to contact our team.