Bulgaria: The Commission for Personal Data Protection in Bulgaria has done little for the protection of personal data - 1.35 million euro were spent instead

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

These are the findings in a report done by the National Audit Office about the Commission's activities for the period January 1, 2003 - December 31, 2005. The results of the audit report were announced on January 30, 2007. The report finds that the Commission for Personal Data Protection (CPDP) has been busy mainly with buying vehicles and looking for premises for the last three years. The main purposes for which the CPDP was established - protection of citizens' personal data, imposing sanctions in cases of violations, and keeping a register of the personal data administrators - were left behind. Since its establishment in 2002, the CPDP has completed 17 investigations at citizens' complaints. During its existence, CPDP has imposed no sanctions; the register of personal data administrators has not been created.

The audit report on the work of the Bulgarian CPDP can be found on the web site of the National Audit Office at: http://www.bulnao.government.bg/pages.html?catID=18. Unfortunately, it is available only in Bulgarian.

Here follows a translation of the NAO press release about the findings in the audit report:

"Through its activities during the audited period (January 1, 2003 - December 31, 2005), the CPDP and its administration did not ensure adequate protection for the physical bodies in the processing of their personal data. Purposeful, systematized efforts are required for the overcoming of the backwardness and the achievement of efficient protection of personal data.

Despite the legal requirements, the CPDP did not function as a permanent working body since the main part of its staff has predominantly maintained working relations with other employers.

For the three and a half years since its establishment, the CPDP has not actually started its activities for the protection of citizens' personal data, has not adopted a policy, strategy, and the goals for the development of these activities. In practice, it has not respected the law. The CPDP:

- does not exercise effective control over the activities of the personal data administrators. The Register of personal data administrators and the personal data registers which they keep is still not public and contains insignificant number of registered administrators. In 2005, the incoming registration requests of personal data administrators were processed within the legally prescribed timeframes. However, a great number of the requests submitted in 2003 and 2004 was not registered and processed. The problem with the administrators who had sent incomplete or wrong registration forms by mail in 2003 has not been addressed yet.

- no legal provisions regulate the registration procedure, and the CPDP has not adopted written rules, procedures and methodology for exercising control over the activities of the administrators. The objects of control are not explicitly defined, the types of control activities and their scope are not explicitly defined, the powers of the controllers are defined vaguely and incompletely.

- the main emphasis of the control activities is on the investigations after submitted complaints and signals, not on preliminary and current check-ups on risk administrators.

- is not effective and efficient at the review of physical bodies' complaints. The processing of the complaints is delayed and the interested persons are not duly informed about the decisions taken by the CPDP.

- does not apply principles of economy and efficiency in the management and spending of its resources. The development and maintenance of major systems - financial management and control, task assignment and supervision, evaluation of the implementation of the tasks - necessary for the correct management of resources has not been finished. The budget has not been spent economically.

The National Audit Office submitted around 50 recommendations for the improvement of the effectiveness and efficiency of the activities in cases of illegal access to personal d

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error