Izi Asset Management – Court Ruling (Bulgaria, 2025)

A data subject initiated proceedings in front of the Administrative Court of Sofia - City against Izi Asset Management (the controller) due to the refusal of the controller to provide them with a copy of a consumer credit agreement in accordance with Article 15 GDPR. The data subject’s representative, an attorney, contacted the controller via email to request the copies. The controller based its refusal on an alleged lack of explicit power of attorney on the part of the data subject’s representative. The court found that the controller’s refusal was unlawful. It noted that the request was valid under Article 15 GDPR, since the representative already indicated the power of attorney with an express right to file a complaint on the data subject’s behalf. The court noted that there were no grounds to require the submission of additional evidence by the representative of the data subject. Furthermore, it emphasised the obligations of the controller to provide information to the data subject under Article 12 GDPR. Therefore, the court revoked the controller’s decision to terminate the proceedings with the data subject regarding the provisions of the requested copies, and referred the case back to the controller for a decision on the merits of the request.