Bulgarian Data Protection Authority – Court Ruling (Bulgaria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Toplofikacia Sofia EAD, the controller, is a Bulgarian company that provides heating services to its customers, both individuals and companies, in the Sofia metropolitan area. The controller submitted a request to the Ministry of Regional Development for access to several registers of personal data of the Bulgarian population. The reasoning for the request was that the access will facilitate the execution of the contracts between the controller and its customers. The Ministry of Regional Development refused to provide access to the registers that keep significant amount of personal data, including inheritance information, and advised the controller for the optional procedure under Article 125(3) of local Energy Act to seek permission from the Bulgarian Data Protection Authority. In May 2022 the controller submitted a request to the DPA asking for revocation of the Ministry's decision. In its request the company referred to the legal bases of (i) the performance of contract (Articles 6(1)(b) GDPR), (ii) the compliance with a legal obligation (Article 6(1)(c) GDPR), and (iii) a task carried out in the public interest (Article 6(1)(e) GDPR) for the requested access to the registers. The DPA carried out a corresponding analysis for each of these legal bases and decided that none of them is applicable for the controller. The DPA refused to grant permanent access to the registers and instructed the company to provide a solid justification for any future request to the Ministry. In July 2022, the controller appealed the decision of the DPA before the Administrative Court of Sofia. The Administrative Court of Sofia upheld the decision confirming the analysis of the DPA and on top of it pointing out that the registers provide information for the entire population of Bulgaria, while the company operates only in the Sofia region. Subsequently, the controller appealed the decision to the Supreme Administrative Court. The Supreme Administrative Court of Bulgaria upheld th
GDPR Articles Cited
National Law Articles
Toplofikacia Sofia EAD, the controller, is a Bulgarian company that provides heating services to its customers, both individuals and companies, in the Sofia metropolitan area. The controller submitted a request to the Ministry of Regional Development for access to several registers of personal data of the Bulgarian population. The reasoning for the request was that the access will facilitate the execution of the contracts between the controller and its customers. The Ministry of Regional Development refused to provide access to the registers that keep significant amount of personal data, including inheritance information, and advised the controller for the optional procedure under Article 125(3) of local Energy Act to seek permission from the Bulgarian Data Protection Authority. In May 2022 the controller submitted a request to the DPA asking for revocation of the Ministry's decision. In its request the company referred to the legal bases of (i) the performance of contract (Articles 6(1)(b) GDPR), (ii) the compliance with a legal obligation (Article 6(1)(c) GDPR), and (iii) a task carried out in the public interest (Article 6(1)(e) GDPR) for the requested access to the registers. The DPA carried out a corresponding analysis for each of these legal bases and decided that none of them is applicable for the controller. The DPA refused to grant permanent access to the registers and instructed the company to provide a solid justification for any future request to the Ministry. In July 2022, the controller appealed the decision of the DPA before the Administrative Court of Sofia. The Administrative Court of Sofia upheld the decision confirming the analysis of the DPA and on top of it pointing out that the registers provide information for the entire population of Bulgaria, while the company operates only in the Sofia region. Subsequently, the controller appealed the decision to the Supreme Administrative Court. The Supreme Administrative Court of Bulgaria upheld th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Bulgarian Data Protection Authority in BG
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
22 November 2024
Authority
Commission for Personal Data Protection
GDPRhub ID
gdprhub-court-8642About this data
Cite as: Cookie Fines. Bulgarian Data Protection Authority - Bulgaria (2024). Retrieved from cookiefines.eu
Last updated: