Bivol Wins Key GDPR Case

by Екип на Биволъ

The Bulgarian Commission for Personal Data Protection (CPDP) has rejected a citizen’s claim against Bivol for the disclosure of personal data, filed under Regulation 2016/679 or the GDPR, shows the decision in administrative case PPP-01-126/October 30, 2017 of the CPDP. It was published on December 3, 2018, but we give publicity to the decision today, January 28, on the occasion of the Data Protection Day.

The claim against Bivol was filed by L.L.P., in which she claimed that “any user of the Internet via the Bivol website,, can get ample information about her companies, their registration numbers, including changes made to them. In addition, there was information on the site on whether she had any accounts in the now-collapsed Corporate Commercial Bank (CCB) and what funds she had in accounts with that Bank.”

In addition, L.P.P. also filed a claim against the Sofia Municipal Council (SCC) over a PDF file with information about the termination of a co-ownership with the  Sofia Municipality, in which personal data, including the claimant’s Persona Identification Number (PIN, the Bulgarian equivalent of the social security number – editor’s note) had not been deleted.

Bivol was defended in this case by lawyer Alexander Kashumov.

The Commission finds the obvious. The data in the Bivol’s search engine, which is a copy of the Trade Register, do not violate the Protection of Personal Data Act and Regulation 2016/679 – the legendary GDPR – because they refer to the management body of a legal entity.

The Commission has not found on our site information on CCB accounts. There is such information, but it also is a copy of the official publications of the Deposit Insurance Fund after the bank secrecy was lifted by Parliament.

That is why the CPDP has decided that the claim against Bivol is untenable. Nevertheless, it has sanctioned the Sofia City Council with an “official warning” regarding the publication of the claimant’s PIN.

Ако намирате, че статията е интересна и полезна, можете да подкрепите Биволъ с малка сума. Въведете желаната сума в полето и реквизитите на Вашата банкова карта или използвайте бутона Apple Pay/G-Pay от Вашия мобилен телефон Плащането се извършва през системата Stripe и Биволъ не съхранява номера на Вашата карта.:

Подкрепа за Биволъ

Support Bivol
Or enter your payment details below
Или станете наш редовен спомоществовател с „Данъкъ Биволъ“

The decision on the sanction is even more important because if the institution got such a “strict punishment” for the disclosure of a citizen’s personal data, the media should also be treated in the same manner if they mistakenly post someone’s PIN.

Meanwhile, however, Bulgarian lawmakers just very recently adopted unacceptably restrictive rules in relation to Regulation 2016/679 which in reality give the CPDP the power to censor media, something that is not provided for in the Regulation. Respected journalist organizations and public figures have already called on Bulgarian President Rumen Radev to veto the law.

In neighboring Romania, GDPR has been already used by the government as a “bat” against our partners from Rise Romania, who are threatened by a huge fine of EUR 20 million for a publication exposing the most powerful Romanian politician, Liviu Dragnea, for corruption.

The European Commission has objected to this sanction, but has not proposed any changes to the GDPR that would deprive from such “bats” authoritarian governments tempted to use European legislation to silence the media.


Dear Friends, thank you for reading Bivol.

If you find this article useful, support our work with a small donation.

Pay a Bivol Tax!

Become our supporter with ONE TIME TAX or a regular supporter with, MONTHLY TAX Learn more about the Bivol Tax here

This post is also available in: Bulgarian

Вижте също / Read Also