First significant GDPR fines imposed in Bulgaria

Last week the Bulgarian Data Protection Commission (“BDPC”) issued its first two fines under the GDPR for leakage of personal data that are significant by local standards.

The fine of BGN 5.1 million (€2.6 million) sanctions the violation by the National Revenue Agency (the “Agency”) of its obligation to ensure the security of processing of personal data pursuant to Article 32 GDPR.* A Bulgarian cybersecurity employee has been arrested and charged with carrying out a hacker attack in which personal data of approximately 5 million individuals were stolen and made public. The stolen information includes names, email addresses, information about income, tax declarations, medical insurance payments, and loans.

This cyberattack has triggered a debate about the level of Bulgarian cybersecurity standards. Though the country’s Prime Minister said the arrested man was a “wizard” hacker, some of the experts who have inspected the stolen data have commented that the tactics used were relatively basic, and were more indicative of a lack of adequate protection than of the hacker’s abilities.

In principle, fines of up to €10 million, or in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, may be issued for such violations.** However, according to the Bulgarian regulator, the “responsible behavior” of the Agency was viewed favorably when calculating the relatively low fine. Nevertheless, the Agency stated that it will appeal the sanction before the court because the leakage had resulted from a crime and, in the Agency's view, not from its own fault. Such an appeal will postpone the entry into force of the sanction by more than a year, since the appeal is subject to hearing in two court instances. In addition, it was widely discussed in the media and on social networks that even if the court upholds the fine, its payment will be a purely virtual transfer between the state budget accounts of the Agency and the BDPC. Thus, the sanction will not be an effective preventive measure against new infringements.

The second fine, amounting to BGN 1 million (€511,000), was imposed on DSK Bank, the second largest bank in Bulgaria, also for breach of Article 32 GDPR. In contrast to the former case, first, DSK suffered a non-digital theft of data (i.e. no hacker attack); second, the stolen data have not been made public; and third, the regulator and the public became aware of the data breach from the DSK report (while the Agency data breach was leaked to the press). For the moment it remains unclear how many persons have gained access to the stolen database, which comprises over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data.

DSK announced that it does not intend to appeal the fine and is fully committed to cooperating with the BDPC to further improve its technical and organizational measures to ensure the protection of information security.


* Article 32 of GDPR obligates data controllers and processors, after taking into account, among others, the risk of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

** Article 83 (4) (a) GDPR.