On November 22, 2024, the Commission for Personal Data Protection (CPDP) published its decision No. PPN-02-191/2023 of July 26, 2024, in which it imposed a fine of BGN 20,000 (approx. $10,790) against a company for violating the General Data Protection Regulation (GDPR).

Background to the decision

The CPDP outlined that the complainant, an employee of Company C, alleged that Company C used their personal data, including their ID number, three names, and exact address, in a training manual for an electronic system test environment. The complainant further alleged that the manual was distributed to other new employees and sold by Company C. The CPDP also clarified that Company S.E. was used to create the training manuals.

Findings of the CPDP

The CPDP found that Company C acted as the controller of the processing activity, while Company S.E. was a data processor.

Moreover, the CPDP found that Company C violated:

• Article 6(1) of the GDPR by processing the personal data of the complainant without a legal basis and, in particular, there was no evidence that the processing was related to the employment activity of the complainant; and
• Articles 5(1)(a) and 5(1)(b) of the GDPR by distributing the personal data of the complainant in a manner incompatible with the specific, explicitly indicated, and legitimate purposes.

Outcomes

Following the above, the CPDP imposed a fine of BGN 20,000 (approx. $10,790) on Company C and ordered it to:

• verify that the processing of data has been suspended and delete the personal data that was processed unlawfully; and
• submit to the CPDP, within one month of entry into force of the decision, proof of the implementation of the abovementioned order.

Moreover, the CPDP ordered Company S.E. to delete all personal data of the complainant.

You can read the decision, only available in Bulgarian, here.