The Commission for Personal Data Protection (CPDP) reviewed the results of the investigation undertaken at the National Revenue Agency (NRA) over the data breach, affecting over 5 million Bulgarian citizens, at a meeting on the 20 August 2019.
In view of the findings made by the specialized CPDP investigation task force, the Commission decided to impose a corrective measure on the personal data controller to comply with the provisions of the General Data Protection Regulation (GDPR). It should be noted that this corrective measure is imposed with a legally grounded individual administrative act issued by the supervisory authority, which is subject to judicial review.
The General Data Protection Regulation provides for the possibility, along with the remedy, to impose a property sanction, respectively fine. The imposition of a corrective measure in the form of a „pecuniary penalty" is carried out in accordance with the Administrative Violations and Sanctions Act. The procedure is initiated by the drafting and a delivery of an act for establishing an administrative violation. The specific amount of the penalty is determined after taking into account the objections made by the offender within the statutory deadline. The drafting and delivery of the act for establishing the administrative violation committed by the NRA will be done by the end of this week. As far as the deadlines in the administrative criminal proceedings are legally determined, it is expected that the specific administrative penal proceedings against the NRA to be completed by the 29th of August 2019.
