Bulgarian Data Protection Authority – Court Ruling (Bulgaria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Bulgarian Data Protection Authority ruled that Toplofikacia Sofia EAD cannot access personal data registers for heating service contracts. This matters because it shows that companies need a strong reason to access personal data, especially when it concerns the entire population. The ruling emphasizes the importance of justifying data requests.
What happened
Toplofikacia Sofia EAD requested access to personal data registers to help with heating service contracts.
Who was affected
Customers of Toplofikacia Sofia EAD, both individuals and companies in Sofia.
What the authority found
The authority decided that Toplofikacia Sofia EAD did not have a valid legal basis for accessing the personal data registers.
Why this matters
This decision highlights that companies must provide solid justifications for accessing personal data. It serves as a reminder for businesses to carefully consider their data access requests.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Toplofikacia Sofia EAD, the controller, is a Bulgarian company that provides heating services to its customers, both individuals and companies, in the Sofia metropolitan area. The controller submitted a request to the Ministry of Regional Development for access to several registers of personal data of the Bulgarian population. The reasoning for the request was that the access will facilitate the execution of the contracts between the controller and its customers. The Ministry of Regional Development refused to provide access to the registers that keep significant amount of personal data, including inheritance information, and advised the controller for the optional procedure under Article 125(3) of local Energy Act to seek permission from the Bulgarian Data Protection Authority. In May 2022 the controller submitted a request to the DPA asking for revocation of the Ministry's decision. In its request the company referred to the legal bases of (i) the performance of contract (Articles 6(1)(b) GDPR), (ii) the compliance with a legal obligation (Article 6(1)(c) GDPR), and (iii) a task carried out in the public interest (Article 6(1)(e) GDPR) for the requested access to the registers. The DPA carried out a corresponding analysis for each of these legal bases and decided that none of them is applicable for the controller. The DPA refused to grant permanent access to the registers and instructed the company to provide a solid justification for any future request to the Ministry. In July 2022, the controller appealed the decision of the DPA before the Administrative Court of Sofia. The Administrative Court of Sofia upheld the decision confirming the analysis of the DPA and on top of it pointing out that the registers provide information for the entire population of Bulgaria, while the company operates only in the Sofia region. Subsequently, the controller appealed the decision to the Supreme Administrative Court. The Supreme Administrative Court of Bulgaria upheld th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Bulgarian Data Protection Authority in BG
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
22 November 2024
Authority
Commission for Personal Data Protection
GDPRhub ID
gdprhub-court-8642About this data
Cite as: Cookie Fines. Bulgarian Data Protection Authority - Bulgaria (2024). Retrieved from cookiefines.eu
Last updated: