Speedy AD – Court Ruling (Bulgaria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Bulgarian court ruled that a courier company mishandled personal data by delivering a package to the wrong person. This is important because it shows the need for strict identity verification to protect personal information. The ruling highlights the company's responsibility to ensure data is processed lawfully.
What happened
Speedy AD delivered a parcel containing personal data to someone other than the intended recipient.
Who was affected
The intended recipient of the parcel, whose personal data was mishandled by the courier company.
What the authority found
The court found that the courier company failed to verify the recipient's identity, violating GDPR's data protection requirements.
Why this matters
This ruling stresses the importance of identity verification in handling personal data. Companies must implement proper measures to ensure data is delivered to the correct individuals, safeguarding privacy.
GDPR Articles Cited
National Law Articles
A data subject filed a complaint with the Bulgarian DPA because a courier, Speedy AD (the controller) had delivered a parcel addressed to them to another person, which was located at the address and is not the addressee. On 04.09.2021, for the data subject was prepared and sent a parcel, which parcel contained a form letter with personal data- two names, an address and a telephone number in connection with an organised service action for the car of the data subject. On the same date, the data subject has informed the controller, that did not reside at the address indicated for delivery and die not indicate a new address for redirection of the shipment. The parcel was delivered by a courier of Speedy AD on 5.09.2019, despite a timely phone call from the addressee on 4.09.2019 that they not live at the address. It was delivered to an unknown person who signed instead of the data subject.The employee of the controller did not perform identity verification and did not reflect this properly in the system of the controller. The Bulgarian Supreme Administrative Court (ВАС) finds that the data on the bill of lading and in the shipment - two names, mobile phone number, address of previous residence, the capacity of the data subject as the owner of a specific and individualized vehicle, constitute personal data. The acts of receiving, storing and transmitting personal data in the context of the delivery of a shipment constitute processing of personal data. The statutory requirement that postal items be provided to recipients in person constitutes a measure to protect the personal data subject in order to verify the identity of the recipient and to ensure the lawfulness of the processing of personal data as a response to the obligations of the controller to put in place appropriate technical and organisational measures within the meaning of Articles 24 and 25 GDPR. The Bulgarian Data Protection Authority (CPDP) found a breach of Article 5(1)(a) GDPR and Article 5(1)(f) GDP
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Speedy AD in BG
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Speedy AD - Bulgaria (2022). Retrieved from cookiefines.eu
Last updated: