2011
Excerpt from AIP annual report Access to Information in Bulgaria 2011
In 2011 again, the protection of personal data was the subject of some of the cases referred to AIP for legal help and consultation. The people who addressed AIP for assistance in the area were both citizens whose rights were infringed and personal data administrators who needed advice on how to correctly apply the requirements under the Personal Data Protection Act (PDPA). In the current report we would like to pay attention to two specific topics in the protection of the personal data which had been commented by the AIP legal team.
Protection of Personal Data in Street Video Surveillance
Analysis of problems related to Video Surveillance and personal data was part of the last year's report. Then the problems were related to the processing of data collected via CCTV positioned at public places for security purposes. In 2011, the lawfulness of collecting and processing data collected from CCTV was a topic of discussion again. The context was a little different though. AIP legal team was addressed by journalists from the private TV7 to comment on the following case: A private company sells specialized equipment for secret surveillance – spy cameras, listening and tracking devices, etc. The company has an Internet site showing the efficiency of the equipment. Spy cameras were installed at several public places in Sofia, streaming live images of people and buildings. The testing software allows for a big zoom of the cameras without any blur options which gives the possibility to recognize the passing-buyers and even images in the windows of the targeted buildings. A reasonable question in this case was if the live streaming including real time images of people and vehicles was a violation of the provisions of the PDPA.
In the summer of 2011, the Commission for Personal Data Protection was addressed with a request for an official statement on a similar case by the Google Ireland Ltd. The Commission was requested for interpretation of the PDPA with regard to the future plans of the Google Ireland to collect street images in Bulgaria for the purposes of the product Street View. The images would be uploaded in Google Maps and would be accessible to the customers from all over the world. The images are to be taken by a camera installed at the roof of a car driving in the streets.
In its statement[1] No. 3949 as of October 4, 2011, the Commission for Personal Data Protection assumes that in order for the provisions of the Bulgarian personal data protection legislation to be fulfilled, the administrators should inform the public about the dates of the shooting, the length of the shooting, the schedules and the routes, as well as the places where the cameras would be used. The administrators are also obliged to inform the public about the type of the data that are going to be collected, the rights of the physical persons with regard to the processing of their personal data (right of access to information, of objection, the possibility for removing and deleting images, as well as the means by which they could exercise their rights). Furthermore, measures for blurring the images of physical persons should be taken, especially at places falling under special regime under Art. 5, Para 1 of the PDPA like: religious temples, hospital/clinics, headquarters of political parties, public places which would reveal the sexual orientation and/or the interests of certain physical bodies. The images of physical bodies taken in these specific cases should be completely blurred.
Protection of Personal Data in TV Games, Lotteries, and Direct Marketing
Out of the cases referred to AIP for legal help, several frequent violations of the PDPA related to the personal data processing for the purposes of TV games, lotteries, and direct marketing.
The Administrator of Personal Data is Not Always Known
Citizens should be able to unambiguously identify who approached them which is sometimes difficult. In one of the cases referred to AIP for legal help, a citizen has received an sms on his mobile phone with offers to take part in a TV game. Simultaneously, an advertisement was going on one of the TVs for the same lottery game. It was not clear which is the legal entity behind that game, consequently, it is not clear who is the data processing administrator. The sms recipient has to guess if it is the TV itself, an advertising company, or a production house.
Personal Data Processed After the Expiration of the Initially Announced Time Period
The above case is an example of violation of another provision of the PDPA. It turned out that the citizen had taken voluntarily part in another game providing his Unified Personal Number. Apparently, the data had been saved for future games. Thus, the provision of Art. 2, Para. 2, Item 2 of the PDPA was violated. It obligates the administrators to process collected data for specific, precisely defined, and legal purposes. After that the data should be deleted.
Physical Persons Targets of Unsolicited Commercial Communications Are Not Always Informed About their Right to Refuse to Receive Such Communication
Interesting is the case when the XBank used data from a public register to offer its bank services. The bank copied the registers of lawyers from the web site of the National Bureau for Legal Help (three names, registration number in the Sofia Bar Association, address, and phone number) and sent out personal letters to the lawyers offering them a deposit program. One of the recipient lawyers took this approach as unlawful use of his personal data by the bank since he had not given consent for such processing. He addressed the Commission for Personal Data Protection. The Commission assumed that the provision of Art. 34a of the PDPA is violated. The bank, in its capacity of personal data controller had processed the data of the targets of its direct marketing without informing them for their right to refuse commercial communications as required by the provision of Art 34a, Para. 1, Item 2 and Para. 2 of the PDPA. The case was also heard by two instances in the court. The justices upheld the arguments of the Commission. In their Decision No. 15546 as of November, 25, 2011, a Five-member panel of the Supreme Administrative Court emphasized that the data used by the bank had been taken from a public register but nevertheless the data processing should be in compliance with the requirements provided by the Personal Data Protection Act. The condition for processing the data as provided by Art. 4, Para. 1, Item 7 of the PDPA had not been present, thus the bank had unlawfully processed the data. The court also emphasized that in order for the requirements of the PDPA to be fulfilled, it was enough that the personal data administrators informed the citizens about their right to object against the processing of their data.
In 2011 again, the protection of personal data was the subject of some of the cases referred to AIP for legal help and consultation. The people who addressed AIP for assistance in the area were both citizens whose rights were infringed and personal data administrators who needed advice on how to correctly apply the requirements under the Personal Data Protection Act (PDPA). In the current report we would like to pay attention to two specific topics in the protection of the personal data which had been commented by the AIP legal team.
Protection of Personal Data in Street Video Surveillance
Analysis of problems related to Video Surveillance and personal data was part of the last year's report. Then the problems were related to the processing of data collected via CCTV positioned at public places for security purposes. In 2011, the lawfulness of collecting and processing data collected from CCTV was a topic of discussion again. The context was a little different though. AIP legal team was addressed by journalists from the private TV7 to comment on the following case: A private company sells specialized equipment for secret surveillance – spy cameras, listening and tracking devices, etc. The company has an Internet site showing the efficiency of the equipment. Spy cameras were installed at several public places in Sofia, streaming live images of people and buildings. The testing software allows for a big zoom of the cameras without any blur options which gives the possibility to recognize the passing-buyers and even images in the windows of the targeted buildings. A reasonable question in this case was if the live streaming including real time images of people and vehicles was a violation of the provisions of the PDPA.
In the summer of 2011, the Commission for Personal Data Protection was addressed with a request for an official statement on a similar case by the Google Ireland Ltd. The Commission was requested for interpretation of the PDPA with regard to the future plans of the Google Ireland to collect street images in Bulgaria for the purposes of the product Street View. The images would be uploaded in Google Maps and would be accessible to the customers from all over the world. The images are to be taken by a camera installed at the roof of a car driving in the streets.
In its statement[1] No. 3949 as of October 4, 2011, the Commission for Personal Data Protection assumes that in order for the provisions of the Bulgarian personal data protection legislation to be fulfilled, the administrators should inform the public about the dates of the shooting, the length of the shooting, the schedules and the routes, as well as the places where the cameras would be used. The administrators are also obliged to inform the public about the type of the data that are going to be collected, the rights of the physical persons with regard to the processing of their personal data (right of access to information, of objection, the possibility for removing and deleting images, as well as the means by which they could exercise their rights). Furthermore, measures for blurring the images of physical persons should be taken, especially at places falling under special regime under Art. 5, Para 1 of the PDPA like: religious temples, hospital/clinics, headquarters of political parties, public places which would reveal the sexual orientation and/or the interests of certain physical bodies. The images of physical bodies taken in these specific cases should be completely blurred.
Protection of Personal Data in TV Games, Lotteries, and Direct Marketing
Out of the cases referred to AIP for legal help, several frequent violations of the PDPA related to the personal data processing for the purposes of TV games, lotteries, and direct marketing.
The Administrator of Personal Data is Not Always Known
Citizens should be able to unambiguously identify who approached them which is sometimes difficult. In one of the cases referred to AIP for legal help, a citizen has received an sms on his mobile phone with offers to take part in a TV game. Simultaneously, an advertisement was going on one of the TVs for the same lottery game. It was not clear which is the legal entity behind that game, consequently, it is not clear who is the data processing administrator. The sms recipient has to guess if it is the TV itself, an advertising company, or a production house.
Personal Data Processed After the Expiration of the Initially Announced Time Period
The above case is an example of violation of another provision of the PDPA. It turned out that the citizen had taken voluntarily part in another game providing his Unified Personal Number. Apparently, the data had been saved for future games. Thus, the provision of Art. 2, Para. 2, Item 2 of the PDPA was violated. It obligates the administrators to process collected data for specific, precisely defined, and legal purposes. After that the data should be deleted.
Physical Persons Targets of Unsolicited Commercial Communications Are Not Always Informed About their Right to Refuse to Receive Such Communication
Interesting is the case when the XBank used data from a public register to offer its bank services. The bank copied the registers of lawyers from the web site of the National Bureau for Legal Help (three names, registration number in the Sofia Bar Association, address, and phone number) and sent out personal letters to the lawyers offering them a deposit program. One of the recipient lawyers took this approach as unlawful use of his personal data by the bank since he had not given consent for such processing. He addressed the Commission for Personal Data Protection. The Commission assumed that the provision of Art. 34a of the PDPA is violated. The bank, in its capacity of personal data controller had processed the data of the targets of its direct marketing without informing them for their right to refuse commercial communications as required by the provision of Art 34a, Para. 1, Item 2 and Para. 2 of the PDPA. The case was also heard by two instances in the court. The justices upheld the arguments of the Commission. In their Decision No. 15546 as of November, 25, 2011, a Five-member panel of the Supreme Administrative Court emphasized that the data used by the bank had been taken from a public register but nevertheless the data processing should be in compliance with the requirements provided by the Personal Data Protection Act. The condition for processing the data as provided by Art. 4, Para. 1, Item 7 of the PDPA had not been present, thus the bank had unlawfully processed the data. The court also emphasized that in order for the requirements of the PDPA to be fulfilled, it was enough that the personal data administrators informed the citizens about their right to object against the processing of their data.
[1] The text of the Statement (in Bulgarian) is available on the CPDP web site: http://www.cpdp.bg/index.php?p=element_view&aid=670