During the one-month inspection undertaken by the Commission for Personal Data Protection (CPDP) into the processing of data by the National Revenue Agency (NRA), it was established that, in the course of its internal procedures, activities and processing, the Agency, as a data controller, had not implemented the appropriate technical and organizational measures, resulting in a data breach – unauthorized access to the personal data of data subjects, collected and processed by the NRA. The following categories of personal data of data subjects have been subject to unauthorized disclosure: names, personal identification numbers and addresses of Bulgarian citizens, telephones, e-mail addresses and other contact details, data from the annual tax returns of individuals, data on personal income tax expense on income statements, data from insurance declarations, data on health insurance premiums (NOTICE: no personal medical status or information on the treatment of citizens has been disclosed), data on issued acts for administrative violations, data on completed payments of taxes and social security liabilities through Bulgarian Posts AD, as well as data on claimed and refunded VAT which has been paid abroad.
It was found that the information which was illegally accessed and distributed on the Internet contained personal data of a total of 6 074 140 individuals, including 4 104 786 living data subjects, both Bulgarian and foreign citizens, and 1 959 598 deceased individuals.
CPDP issued a Decision dated 23.08.2019, containing Orders to the NRA pursuant to Art. 58, § 2, letter „d” in connection with Art. 57, § 1, letter „a” and Art. 83, § 2, letters „a”, „c”, „d”, „f” and „g” of Regulation (EU) 2016/679, to take the appropriate technical and organizational measures in line with the data protection legislation in force, such as:
– Measures to enhance the protection of personal data processing in applications, providing e-services to citizens;
– Performing risk analysis of systems and processing operations, including established rules and functional obligations for the processing of every single information system;
– Carrying out impact assessments in the event that a „high risk” is identified for any system, and determining the appropriate measures which have to be taken;
– Performing an impact assessment on the initial launch of new information systems and applications.
The deadline for implementation of the orders is six months, starting from the date on which the Agency received them.
On 28.08.2019, pursuant to Art. 87, § 3 of the Personal Data Protection Act, Mr Ventsislav Karadjov – Chairman of the Commission for Personal Data Protection – issued a Penal Order to the NRA for violation of Art. 32, § 1 (b) of Regulation (EU) 2016/679, in connection with a data breach consisting of unauthorized access, unauthorized disclosure and dissemination of personal data of individuals from the information databases maintained by the Agency. The amount of the imposed penalty is BGN 5 100 000.
The issuance of the Penal Order embodies the administrative and criminal responsibility of the NRA, as a data controller, for the unauthorized access and dissemination of personal data. The fact that this data has leaked into the public domain does not automatically mean that it has been misused, insofar as the abuse presupposes the commission of additional illegal acts that can separately be considered as crimes.
CPDP has received numerous requests for clarification on the procedure for lodging complaints and on protection against misuse of personal data. The Commission would like to inform citizens that the subject of complaints and alerts regarding the breach of personal data security at the NRA is identical to the subject of the inspection carried out by the CPDP, and in this context there is a bar on seeking administrative and criminal liability for the same breach. This is a manifestation of the legal principle of ne bis in idem (no one can be pursued, tried or punished twice for the same thing). However, this principle does not preclude the affected data subjects from seeking compensation, but this can only be done judicially, in line with the general rules of procedure in the courts. For this purpose, it is not necessary to request an official document from CPDP or a specific decision issued by the Commission on a specific case.