What rights do individuals have after the unlawful disclosure of the personal information contained in the database of the National Revenue Agency

According to information published on the website of the National Revenue Agency (NRA), 3% of the information contained in the Agency’s database was subject to unlawful access and unlawful disclosure. The personal data of about 5.1 million Bulgarian citizens have been made public.

Some of the disclosed information contains:

  • Data from annual tax returns of natural persons
  • Data from records of income received by natural persons
  • Data from social security declarations
  • Data regarding health insurance status
  • Data regarding issued acts of administrative violations
  • Data regarding tax and social security payments made via Bulgarian Posts AD
  • Data from VAT refund paid abroad
  • Data from the international exchange of tax information for Bulgarian residents
  • Data received ex officio from other institutions, such as the Customs Agency, the Employment Agency, the Social Assistance Agency, the NHIF, etc.

After a joint meeting between the leadership of the NRA and the Commission for Personal Data Protection (CPDP), held on the 17th of July 2019, it was decided that the NRA would prepare and publish on its website an application by which citizens could check whether their personal data have been unlawfully made public. Every natural person can check whether he or she is affected by the incident at https://check.nra.bg/.

The rights of the affected persons include:

  • Submitting a complaint before the Personal Data Protection Commission

In case of violation of their rights under Regulation (EU) 2016/679 and the Personal Data Protection Act (PDPA), the data subject shall have the right to bring the infringement before the CPDP within six months after having become aware of the infringement, but not later than two years after its commission. The Commission does not have the power to award compensation to data subjects. The supervisory authority verifies the facts and circumstances and ascertains whether or not the subject’s rights have been violated. If it ascertains that the subject’s rights have been violated, the supervisory authority may apply some of the measures provided in art. 58, Paragraph 2 of Regulation (EU) 2016/679 (e.g. a temporary ban on data processing) or under art. 80, Paragraph 1, items 3, 4 and 5 of the PDPA and, in addition to or instead of these measures, impose an administrative fine in accordance with art. 83 of Regulation (EU) 2016/679, as well as Chapter Nine of the PDPA.

  • Appeal before the court to establish the violation

Any person, who considers that their rights under Regulation (EU) 2016/679 and PDPA have been violated, may appeal actions and acts of the personal data controller before the court in accordance with the Administrative Procedure Code.

  • Claim for the award of compensation

In order for a natural person to make use of the opportunity to claim compensation, he or she must have suffered damages as a result of the unlawful processing of personal data by the controller. Therefore, in order for such liability to arise, it must be established that the data were processed unlawfully by the controller, that pecuniary or non-material damage occurred to the natural person, and that there is a causal link between the unlawful processing of the data and the damage.

  • Notification to the prosecutor’s office where there is data or suspicion that a crime has been committed