Bivol Wins Key GDPR Case

Екип на Биволъ

The Bulgarian Commission for Personal Data Protection (CPDP) has rejected a citizen’s claim against Bivol for the disclosure of personal data, filed under Regulation 2016/679 or the GDPR, shows the decision in administrative case PPP-01-126/October 30, 2017 of the CPDP. It was published on December 3, 2018, but we give publicity to the decision today, January 28, on the occasion of the Data Protection Day.

The claim against Bivol was filed by L.L.P., in which she claimed that “any user of the Internet via the Bivol website,, can get ample information about her companies, their registration numbers, including changes made to them. In addition, there was information on the site on whether she had any accounts in the now-collapsed Corporate Commercial Bank (CCB) and what funds she had in accounts with that Bank.”

In addition, L.P.P. also filed a claim against the Sofia Municipal Council (SCC) over a PDF file with information about the termination of a co-ownership with the  Sofia Municipality, in which personal data, including the claimant’s Persona Identification Number (PIN, the Bulgarian equivalent of the social security number – editor’s note) had not been deleted.

Bivol was defended in this case by lawyer Alexander Kashumov.

The Commission finds the obvious. The data in the Bivol’s search engine, which is a copy of the Trade Register, do not violate the Protection of Personal Data Act and Regulation 2016/679 – the legendary GDPR – because they refer to the management body of a legal entity.

The Commission has not found on our site information on CCB accounts. There is such information, but it also is a copy of the official publications of the Deposit Insurance Fund after the bank secrecy was lifted by Parliament.

That is why the CPDP has decided that the claim against Bivol is untenable. Nevertheless, it has sanctioned the Sofia City Council with an “official warning” regarding the publication of the claimant’s PIN.

The decision on the sanction is even more important because if the institution got such a “strict punishment” for the disclosure of a citizen’s personal data, the media should also be treated in the same manner if they mistakenly post someone’s PIN.

Meanwhile, however, Bulgarian lawmakers just very recently adopted unacceptably restrictive rules in relation to Regulation 2016/679 which in reality give the CPDP the power to censor media, something that is not provided for in the Regulation. Respected journalist organizations and public figures have already called on Bulgarian President Rumen Radev to veto the law.

In neighboring Romania, GDPR has been already used by the government as a “bat” against our partners from Rise Romania, who are threatened by a huge fine of EUR 20 million for a publication exposing the most powerful Romanian politician, Liviu Dragnea, for corruption.

The European Commission has objected to this sanction, but has not proposed any changes to the GDPR that would deprive from such “bats” authoritarian governments tempted to use European legislation to silence the media.


If you find this article useful, support our work with a small donation.

Pay a Bivol Tax!

We will highly appreciate if you decide to support us with monthly donations keeping the option Make this donation monthly.

Select Payment Method
Personal Info

Credit Card Info
This is a secure SSL encrypted payment.

Donation Total: 5€

Извършвайки плащане Вие се съгласявате с Общите условия, които предварително сте прочели тук.

Биволъ не записва и не съхранява номера на Вашата банкова карта. Плащанията се обработват през системата Stripe. Даренията за Биволъ с банкови карти се управляват от френската неправителствена организация Data for Reporters Journalists and Investigations - DRJI.

This post is also available in: Bulgarian

Вижте също / Read Also