Today, 28.08.2019, pursuant to Art. 87, para. 3 of the Personal Data Protection Act, Mr Ventsislav Karadjov, Chairman of the Commission for Personal Data Protection, following an investigation into the processing of data by DSK Bank EAD, issued a Penal Order for violation of Art. 32, § 1 (b) of Regulation (EU) 2016/679, in view of the unauthorised access by third parties to the personal data of a total of 33 492 (thirty-three thousand four hundred ninety-two) customers of the bank in 23 270 (twenty-three thousand two hundred and seventy) credit records containing personal data, and of an unlimited number of third parties related to the customers (including their spouses, vendors, descendants and guarantors). The amount of the penalty imposed is BGN 1,000,000.
During the one-month inspection undertaken by the Commission for Personal Data Protection (CPDP) into the processing of data by the bank, it was established that, in the course of its everyday activity and processing, DSK Bank EAD, as a data controller, has not managed to implement the appropriate technical and organizational measures and has not provided the necessary ability to guarantee the permanent confidentiality, security, integrity, availability and sustainability of the systems and servers for processing personal data of individuals. The following personal data of customers of the Bank and related third parties has been compromised: three names, citizenship, personal identification number, permanent or current address, available copies of identity cards containing biometric data; all personal data contained in tax documents certifying the income and health insurance of the borrowers and third parties, as well as health status information (including some credit files containing declarations by the Work Capability Assessment Commission /WCAC/ for reduced working capacity), payment numbers bills, as well as registration numbers and dates of notarized acts with signatures.