Recently Т&М Law office won a case in front of the first court instance, which answers this seem to be rhetorical question.
In 2018th the Bulgarian Commission of Protection of Personal Data (“CPDP”) adopted decisions finding infringements of GDPR for acts that occurred before its entry into force on 25 May 2018. Often the actions in question could be interpreted as an infringement of the national Personal Data Protection Act (“PDPA”) but CPDP has not referred to these provisions. Separately, for infringements before the date of application of GDPR, the CPDP has imposed corrective measures under GDPR.
At this moment it is early for decisions of the Supreme Administrative Court (“SAC”) as a last instance but the Administrative Court Sofia – City (“ACSC”) as a first instance in such cases applied an interesting approach:
- there is a constant assumption that corrective measures under Art. 58, §2, (b) of GDPR could be applied by CPDP in its decisions following the date of entry into force of the Regulation (but prior to their introduction by an intentional amendment to the PDPA), and in some cases the infringements have been committed long before the entry into force of the GDPR;
- on the other hand, it is important to note that the court (Decision No. 2375 / 05.04.2019 on Administrative case 12373/2018, Division II, 52th formation of ACSC) has already clearly stated that prior to the entry into force of GDPR an infringement can not to be classified as an infringement under Accordingly, corrective measures under Art. 58, §2, (b) of the GDPR shall not be imposed for such classified infringement as far as they are justified by the existence of an infringement.
We will have to see what the SAC’s opinion will be on the so-formed case-law. Including the extent to which it was appropriate for the CPDP to apply the measures under Art. 58, §2, (b) of the GDPR before being introduced as coercive administrative actions and part of CPDP’s power by the amendment to the PDPA of 26.02.2019 (in Art. 84 of PDPA as a type of measure and as the competence of CPDP in Art. 38, par. 3 of PDPA).
The content of this article reflects only the authors’ views. The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice. For detailed information you may contact its author at email@example.com