Bulgarian National Revenue Agency fined BGN 5.1 million

On 28/Aug/2019, National Revenue Agency received a privacy fine of BGN 5,100,000. The enforcement authority (Bulgarian Data Protection Commission) has cited these legal provisions in imposing the fine on National Revenue Agency: Article 32 GDPR/GDPR/


Date of enforcement action:
Jurisdiction: Fine imposed:
Bulgaria Flag for Bulgaria, which is the jurisdiction taking enforcement action BGN 5,100,000 (US$2,900,000)
Defendant company or entity: Industry segment:
National Revenue Agency Government /

Case summary

The Bulgarian Data Protection Commission imposed a BGN 5.1 million fine upon the National Revenue Agency with regard to a significant data breach, under which millions of tax payer records were released to the public. The fine was issued on 28 August 2019, and was accompanied by specific orders intended to improve the technical and organisational safeguards at the National Revenue Agency. 

In the course of a one-month audit of the Bulgarian National Revenue Agency (NRA), it was found that, in the course of its activities, the Agency, as a data controller, had not implemented appropriate technical and organisational measures in its operations.

As a result, certain incidents of unauthorised access and disclosure occurred, via which the following categories of personal data were disseminated:

  • names
  • personal identification numbers and addresses of Bulgarian citizens
  • telephone numbers
  • e-mail addresses and other contact information
  • data from annual tax returns
  • data relating to income paid to employees
  • data from social security declarations
  • data relating to health insurance contributions

The Commission has found that the information that was illegally accessed and disseminated on the Internet, constituting a data breach. The affected records contained personal data of a total of 6,074,140 individuals, including 4,104,786 living individuals. The records related to both Bulgarian citizens and foreign citizens.

By Decision of 23.08.2019, the Commission issued orders to the National Revenue Agency, requiring it to implement appropriate technical and organisation measures. These included:

  • Measures to enhance the protection of personal data processing in e-services applications to citizens;
  • Performing risk analysis of systems and processing operations, including established rules and functional obligations for the operation of each information system;
  • Carrying out an impact assessment of the identified “high risk” for each system and the measures taken;
  • Performing an impact assessment on the initial launch of new information systems and applications.

The National Revenue Agency has six months to comply with these orders.

On 28/Aug/2019, based on Art. 87, para. 3 of the Law on Protection of Personal Data, Ventsislav Karadjov – Chairman of the Commission for Protection of Personal Data, issued a Penal Order to the NRA for violation of Art. 32, § 1 (b) the GDPR in light of the unauthorized access, unauthorized disclosure and dissemination of personal data to individuals from the information databases maintained by the Agency. The amount of the sanction imposed is BGN 5,100,000.

The issuance of the penal decree confirms the administrative and criminal responsibility of the NRA, as the controller of personal data, for the unauthorized access and dissemination of personal data. The fact that this data was leaked into the public domain does not automatically mean that it has been misused, since the misuse presupposes the commission of additional acts that are in themselves separate crimes.

[The fine imposed represents less than US$ 1 dollar per natural person or data subject affected by the unauthorised disclosure of their personal data and records.]

(Bulgarian Data Protection Commission, Official Release)

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Bulgarian Data Protection Commission Flag for Bulgaria, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Not known

Cite this fine in your work

Data Privacy Fines Index. (2019-08-28 02:20) Bulgarian National Revenue Agency fined BGN 5.1 million. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/bulgarian-national-revenue-agency-fined-bgn-5-1-million/

Entry last updated: 2020-01-12 11:14 GMT.