Chief Inspector at the ISJC
I Legal framework – implementation, principles.
Due to the nature of its activities, the judiciary is subject to a special legal regime when processing personal data. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the Regulation) consistently pursues the concept of limiting the supervisory powers of the general supervisory authorities for the protection of personal data with respect to the courts when they exercise their functions as judicial authorities. This limitation is explicitly set forth in Article 55, paragraph 3 of the Regulation, according to which the supervisory authorities are not competent to supervise the activities for processing personal data performed by the courts in discharging their judicial functions. A similar approach is adopted in the provision of Article 45 (2) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (the Directive), which provides that these supervisory functions must be exercised by a separate and independent body within the judiciary system. The European legislator gives the reasons for this arrangement in recital 20 of Regulation (EU) 2016/679 and recital 80 of Directive (EU) 2016/680; it is an expression of the need to ensure the independence of the judiciary in the performance of its judicial duties, including decision making.
In order to harmonise the existing legal framework in the field of supervision of personal data processing in the Republic of Bulgaria with the new provisions established in the Regulation and the Directive, the Bulgarian Parliament adopted amendments to the Personal Data Protection Act (PDPA). This is the fundamental law in the Republic of Bulgaria in regulating public relations related to the protection of the rights of individuals when processing their personal data. The amendments were promulgated, according to the procedure established in the country for the adoption of legal acts, on 26 February 2019 and entered into force on 2 March 2019.
According to the amendments, the Inspectorate to the Supreme Judicial Council (ISJC) was authorised to supervise the protection of individuals in the processing of their personal data by the courts in the exercise of their functions as members of the judiciary and the prosecution and investigation bodies when processing is carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of penalties, including protection against threats to the public order or security and their prevention.
A clarification should be made here concerning the place of the Prosecutor’s Office of the Republic of Bulgaria. It should be taken into consideration that it is part of the judiciary, insofar as it is a body of the judiciary, according to the Bulgarian Constitution. The Prosecutor’s Office exercises general oversight for lawfulness by generally directing the investigation and overseeing its lawful conduct, bringing to justice the individuals who have committed crimes and upholding prosecution in criminal cases of a general nature. In the context of the relations for protection of the rights of the subjects in the processing of their personal data, the Prosecutor’s Office of the Republic of Bulgaria acts as an independent judicial body in the judiciary within the meaning of recital 80 of Directive (EU) 2016/680. Therefore, Article 17 of the Bulgarian Personal Data Protection Act explicitly provides that the competence for supervision in the processing of personal data by the Prosecutor’s Office, when acting in the exercise of its powers, is assigned to the Inspectorate to the Supreme Judicial Council.
Another very important clarification should be made. The official powers of the Prosecutor’s Office of the Republic of Bulgaria are by their nature limited to the framework of prevention, investigation, detection or prosecution of crimes or execution of punishments, and therefore the personal data processing operations that must be performed in exercising these powers fall within the material scope of the Personal Data Protection Act and in particular the provisions in which Directive (EU) 2016/680 has been transposed.
The general courts in the country are in a different situation, as their judicial functions are related to the administration of justice in both criminal and in civil cases in the most general sense. For this reason, with regard to these courts, account should always be taken of what powers have to be exercised that are required to process personal data in the exercising of their judicial function, because the latter determines the law applicable to the operation in question. In case the processing of personal data by the court is carried out for the purposes of criminal prosecution, PDPA is applicable, and when it is related to the administration of justice in civil cases in the most general sense, Regulation (EU) 2016/679 and PDPA apply.
The Inspectorate to the Supreme Judicial Council is an independent control body, internal to the judiciary. It was established with the fourth amendment of the Constitution of the Republic of Bulgaria in 2007 (SG, issue 12 of 2007). It consists of a Chief Inspector and ten inspectors elected by the Bulgarian Parliament by a two-thirds majority of members of the parliament with a term of 5 years for the Chief Inspector and 4 years for the inspectors. Individuals with extensive legal experience, with at least 10 years of specific experience in the judiciary as a judge, prosecutor or investigator at a district level and higher for the chief inspector and at least 5 years judicial, prosecutorial or investigative experience in the judiciary at district level, and higher for inspectors, may be elected as Chief inspector and inspectors. The powers of the Inspectorate are regulated in the Constitution of the Republic of Bulgaria and are further developed in the Judiciary Act. The main power of the Inspectorate, for which it was established in 2007, is to carry out inspections of the activities of the judiciary, without prejudice to the independence of judges, jurors, prosecutors and investigators in the exercise of their functions. The Inspectorate exercises such power by conducting inspections of the organisation of the administrative activity of the courts, prosecutors’ offices and investigation bodies and of the organisation on the opening, movement and completion of cases and files within the established terms. In 2012, the Inspectorate was entrusted with the power to rule on applications for delayed justice for violations of Article 6, paragraph 1 of the Convention for the Protection of Human Rights and Fundamental Freedoms, committed by the judicial authorities. 
Since 2015, with the fifth amendment of the Constitution of the Republic of Bulgaria (SG, issue 100 of 2015), the body has been charged with checks for integrity and conflict of interest of judges, prosecutors and investigators, of their property declarations, as well as for establishing actions that damage the prestige of the judiciary and those related to violation of the independence of judges, prosecutors and investigators. As mentioned above, by virtue of the latest legislative amendment of March 2019, the Inspectorate supervises the protection of the rights of subjects in the processing of their personal data by judicial authorities. In the exercise of its powers, the Inspectorate acts ex officio or upon the initiative of citizens, legal entities and state bodies, including judges, prosecutors and investigators. According to Article 132a, paragraph 6 of the Constitution of the Republic of Bulgaria, the Chief Inspector and the inspectors are independent in the performance of their functions and subject only to the law. Pursuant to the constitutional and legal framework, the Inspectorate adopts its own Rules of Procedure, decides which bodies to include for inspection in its annual programme and has an independent budget, which is adopted by the National Assembly within the budget of the judiciary. It is namely the listed main characteristics in the status, structure and functions of the Inspectorate to the Supreme Judicial Council – independence, autonomy and belonging to the system of the judiciary – that determine the decision of the Bulgarian Parliament to assign to the Inspectorate the powers to supervise personal data processing by the authorities of the judiciary in the Republic of Bulgaria when discharging their judicial functions.
The procedures according to which the Inspectorate exercises the powers of supervision over personal data protection are regulated in the Personal Data Protection Act and are detailed in the Rules for the organisation of the ISJC’s activity, the latter being considered a by-law. Procedures have been established for conducting preliminary consultations according to Article 36 of Regulation (EU) 2016/679, for conducting scheduled inspections provided for in the annual programme of the Inspectorate and inspections on alerts for violations of the rules on personal data protection by the judiciary (alerts also include media publications), for handling complaints from data subjects, for expressing opinions on matters of principle to the judiciary, for carrying out international cooperation, as well as for the exercise of administrative measures and imposition of sanctions.
Of the listed procedures, those related to handling complaints from data subjects and for carrying out of scheduled inspections deserve special attention.
II Review of complaints by the ISJC in 2019 and 2020. Inspections and promotion of awareness.
Data subjects may file complaints with the Inspectorate to the SJC when their rights under Regulation (EU) 2016/679 or under the law have been violated by the judiciary in the processing of their personal data by the court in the exercise of judicial activity or by the prosecution and investigation bodies, when processing is carried out for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of sentences. The rules for reviewing complaints are contained in the Personal Data Protection Act and in the Rules for the organisation of the activity of the ISJC. Data subjects may file complaints within 6 months of knowing of the breach, but no later than two years after it has been committed. Complaints are reviewed by an inspector with the Inspectorate, who is determined on the principle of random selection. A complaint is reviewed in two stages – verification of regularity and admissibility, and examination on the merits. If the regularity and admissibility check reveals that the complaint does not meet explicitly defined requirements – for example, the three names, the unique civil number and address of the applicant are missing, it is not signed, no data about the controller are indicated, and a description of the alleged infringement is missing, including the place and period when it was committed, the nature of the data and operations used, or other circumstances in which the infringement was committed – a notice shall be sent to the applicant to remedy the irregularities in the complaint. The applicant may correct the complaint within 7 days of the notice. If he fails to do so, the complaint shall be left without consideration by an opinion of the inspector reviewing it, which is subject to appeal before the court under the Administrative Procedure Code. Anonymous complaints are also left without consideration.
If the complaint meets the requirements for regularity and admissibility, the assigned inspector shall consider the case on the merits. In order to establish the facts, the inspector may request from the inspected authority any information relevant to the case and shall have access to all premises, including any equipment and means of data processing. Within three months, the applicant shall be informed of the progress of the complaint or of the results of the inspection.
A specific approach was chosen by the Bulgarian legislator on the issue of the decision which concludes the examination of the complaint on the merits. In the first case, when the complaint is unfounded, the inspector examining it shall rule with a decision. In the second case, when he finds the complaint justified, based on an inspection of the controller, the inspector shall submit a proposal to the Inspectorate for a decision on the case, whereby, depending on the nature and extent of the violation, the Inspectorate may exercise corrective action powers by imposing on the controller any of the coercive administrative measures under the Regulation or PDPA, or refer the case to the Chief Inspector for imposition of an administrative penalty. In both cases, the decision is subject to appeal before court within 14 days of receipt thereof. This approach was motivated by two reasons: first, to take into account the workload of the Inspectorate to the SJC with the exercise of its other powers and, second, to ensure that decisions to enforce and impose sanctions on the judiciary will not be issued individually, but rather by the body in its entirety, thus avoiding the occurrence of contradictory practices and ensuring that similar cases are treated equally.
In 2019 and 2020, the ISJC received 40 complaints from data subjects. The inspections of the examined complaints show that the main complaints of the data subjects submitted to the ISJC are related in almost all cases to two groups of operations on personal data processing by the judiciary, namely in gathering evidence during trial and, second, in the various forms of publishing information on cases. With regard to the collection of evidence on cases, the most common complaints are that courts illegally collect and retain as evidence written documents containing personal data. The examined complaints, containing such allegations, did not reveal any violations of the rules for the protection of subjects during the processing of their personal data by the courts. The inspections of these appeals revealed that they refer to different instances where courts collect written evidence about facts related to the subject matter of the cases or on the admissibility of individual procedural actions. Cases have been reviewed where the complaints concern the collection of written evidence to establish the facts of the economic identity of a party who has applied for legal aid or the ex officio admission by the court of written evidence to establish the facts of the prosecutor’s social identity in the course of the court stage of the criminal proceedings upon objection raised for his removal. The Inspectorate found that the personal data contained in these documents were processed lawfully in the reviewed cases, as the data were collected by the bodies of the judiciary on the grounds of Article 6, paragraph 1, (c) and (d) of Regulation (EU) 2016/679, and respectively, in compliance with the requirements of domestic law, when the processing of personal data was necessary for the exercise of powers by the court for the purposes of criminal prosecution.
The second large group of allegations in the reviewed complaints is related to the disclosure of personal data contained in the court case materials. Particular attention should be paid to these operations. The national legislation of the Republic of Bulgaria establishes a number of hypotheses where the judiciary is obliged to provide information on their cases. For example: according to Article 181 and Article 188 of the Administrative Procedure Code of the Republic of Bulgaria, when a general administrative act or by-law are challenged before the administrative courts, the court shall publish data about the contestation, including personal data; pursuant to Article 64, paragraph 1 of the Judiciary Act of the Republic of Bulgaria: ‘The acts of the courts, except for those in criminal cases whereby the defendant is sentenced to serve a sentence, shall be published immediately upon their ruling on the website of the court in compliance with the requirements for protection of personal data and the Classified Information Protection Act’. These examples are only part of the cases in which the courts are obliged to publish information on cases, but clearly show that these operations pose a higher risk to the rights of subjects, because immediately upon the operation itself the data become publicly available. From the complaints we have considered in this regard, it was found that during the performance of these operations two main violations of the rules of personal data protection were committed. First, violations of the principle of minimising data established in Article 5, paragraph 1 (c) of Regulation (EU) 2016/679, respectively in Article 45, paragraph 1 (3) of the Personal Data Protection Act, which requires that in the respective operation only appropriate data related to and limited to what is necessary in connection with the purposes for which data are processed shall be used. 
In particular, in the case of disclosure operations on cases, difficulties arise from the fact that in each specific operation a balance must be found between the volume of data and the purpose of their disclosure, whereas publication of personal data in excess of what is required to achieve the respective purpose constitutes a risk to the rights of subjects. Next, when disclosing information on cases, violations of the provisions of Article 5, paragraph 2 of Regulation (EU) 2016/679, respectively of Article 45, paragraph 1, item 6 of the Personal Data Protection Act are committed; it is a duty of controllers to implement appropriate technical and organisational measures for personal data protection processed under their control. For example, in the proceedings on a complaint filed with the Inspectorate, it was found that the unclear distribution of tasks between the judicial officers responsible for sending press releases to the media is a prerequisite for the illegal disclosure of personal data as a result of inappropriate organisational data protection measures.
The task of the Inspectorate to promote the awareness of controllers of their obligations under the Regulation, which is part of its supervisory functions, is of particular importance, because in terms of personal data processing by the courts and the Prosecutor’s Office of the Republic of Bulgaria, the latter are exempted from the obligation to designate a data protection officer. This exemption is made in the Regulation so that data protection officers, while discharging their functions, do not influence the independence of the judicial authorities in the exercise of their judicial function. As a result, the obligation to assist the judiciary, in its capacity as data controller in the performance of its judicial functions, through persons with expertise in data protection law and practices, which is generally performed by data protection officers, is entrusted to the supervisory authority.
In order to complete the task of promoting the awareness of the judiciary about their obligations under Regulation (EU) 2016/679 and the Personal Data Protection Act, in 2020 the Inspectorate to the SJC set in its annual programme the implementation of twenty scheduled inspections at randomly chosen district courts. The scope of the inspections was to establish whether the courts were aware of and complied with the principle of accountability as set forth in Article 5, paragraph 2 of the Regulation. There are two reasons for conducting these inspections. First, this is a new principle and its observance is of interest to all subjects involved in the process of personal data processing. The second and more important reason is related to the content of this principle. According to Article 5, paragraph 2 of Regulation (EU) 2016/679, controllers are responsible and must be able to demonstrate compliance with the basic principles of personal data protection. Therefore, compliance with this principle is reduced to the implementation of two cumulative elements: 1. The controller shall observe and apply in practice all the principles for personal data processing, established in Article 5, paragraph 1 of the Regulation and Article 45, paragraph 1 of the Personal Data Protection Act (lawfulness, good faith and transparency, limitation of objectives, minimisation of data, accuracy, limitation on storing, integrity and confidentiality) by taking appropriate and effective measures, while being responsible for this; 2. The controller shall demonstrate and prove compliance of his behaviour with the indicated principles by maintaining and presenting proper evidence for their implementation. 
Actually, we use the obligation of controllers to document the means and measures they take to protect personal data processed under their control in order to establish whether and to what extent courts are able to demonstrate that they are taking sufficient and effective measures to ensure that the processing of personal data in the context of judicial activity is carried out in compliance with the principles and obligations set out in Regulation (EU) 2016/679 and the Personal Data Protection Act.
The objective of the inspections is to summarise and analyse the information gathered during them, on the basis of which the Inspectorate shall prepare general recommendations to the judiciary. We believe that this is a good approach to raising awareness among the judiciary about the obligations they have both to comply with the principle of accountability and to fulfil a number of other obligations set out in Regulation (EU) 2016/679 and the Personal Data Protection Act.
When conducting the inspections, the Inspectorate to the Supreme Judicial Council accepted that the judiciary will be able to demonstrate compliance with the principle of accountability if they identify the nature, scope and purposes for which they process personal data in the context of judicial activity and have prepared documents for the measures taken by them to protect the rights of the subjects in at least the following four areas:
- In relations with data subjects – the controller should have taken measures to comply with the principles of lawfulness, good faith and transparency. In order for the processing to be lawful within the meaning of the Regulation, it must be carried out on any of the grounds established in Article 6 thereof for the ‘ordinary’ categories of personal data, or Article 9 for the ‘special’ categories of personal data, or according to Article 49 of PDPA for the exercise of the power of a competent authority for the purposes of criminal prosecution. Insofar as in the context of the judicial activity the regional courts in the Republic of Bulgaria process personal data for the implementation of their powers or obligations related to the administration of justice, these operations are performed on the grounds established in the laws applicable to this activity in the country. Therefore, compliance with this aspect of the principle can be monitored indirectly by the described scope, objectives and nature of the data, as well as by the stated reasons for their processing, which the controller has documented. Specific attention shall be given to the requirement of transparency in relations with data subjects. The principle of transparency is regulated in Article 5, paragraph 1, point 1 of Regulation (EU) 2016/679, but it does not apply when processing is carried out for the purposes of criminal prosecution. It requires that all information and communication relating to the processing of personal data is easily accessible and comprehensible and that clear and unambiguous wording is used.
In particular, this principle applies to the information received by data subjects on the identity of the controller and the purposes of the processing, and to additional information ensuring fair and transparent processing of data in respect of the individuals concerned and their right to receive confirmation and notification of the contents of personal data related to them that is being processed. Individuals shall be informed of the risks, rules, guarantees and rights associated with the processing of personal data and of the ways in which they may exercise their rights with regard to the processing. District courts should be able to prove that they take measures to comply with the principle of transparency in the processing of personal data in civil cases and comply with their obligations to inform data subjects about the personal data they process in the context of their judicial activities under Article 13 and Article 14 of Regulation (EU) 2016/679, while more limited information is provided for the processing of personal data for the purposes of the criminal prosecution of subjects.
In this regard, we verified whether courts have adopted a transparency policy and whether they are taking action to publish the necessary information to data subjects on the court’s website, or have taken action to communicate it in another appropriate manner.
- Creating an appropriate level of security of personal data – based on Article 5, paragraph 1, point (f) of Regulation (EU) 2016/679, the controller shall establish an appropriate level of data protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures. By virtue of Article 24, paragraph 1 of the Regulation, the obligation of the controller is to establish in his activity appropriate measures for data protection and to document them. They should take into account the nature, scope, objectives and context of the processing, as well as the risks to the rights of the data subjects. The compliance of the measures with the risks arising during the processing in the context of the judicial activity shall be carried out in compliance with the requirements of Article 32, paragraph 2 of Regulation (EU) 2016/679. According to this provision, the assessment of the appropriate level of security shall take into account, in particular, the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to transferred, stored or otherwise processed personal data.
In this regard, we verified whether the courts have prepared an analysis of the risks to the rights of subjects in the processing of their personal data in the context of judicial activity and whether they have adopted internal rules on technical and organisational measures for personal data protection.
- Proper settlement of the relations with the supervisory body – according to Article 31 of Regulation (EU) 2016/679, a general obligation for controllers to cooperate with supervisors is set forth. This obligation has various specific dimensions in the Regulation and the Personal Data Protection Act. Such is the obligation of the controller under Article 33 of the Regulation to notify the supervisory authority without delay in case of breach of personal data security.
In order to comply with this obligation, we verified whether the courts had established a procedure for notifying the supervisory authority in the event of a breach of personal data security.
- Performance of other obligations of the controller to ensure accountability – on the grounds of Article 30 of Regulation (EU) 2016/679, courts are required to keep a register of the processing activities for which they are responsible. The content and form of this register is legally defined in the Regulation and in the Personal Data Protection Act. The controller shall provide the register to the supervisory authority upon request. The register of processing activities is a useful tool for performing an analysis of possible complications that may arise from data processing, whether planned or existing. It facilitates the actual assessment of the risk that the processing activities carried out by the controller could pose to the rights and freedoms of individuals. In addition, it facilitates the identification and implementation of appropriate personal data security measures.
During our inspections, we monitored whether courts maintain registers of personal data processing activities for the purposes of judicial activity in civil and criminal cases.
The following are some important conclusions we made:
It was found that almost all inspected courts were active in establishing measures to protect the personal data processed under their control. They are able to prove that they comply with the principle of transparency under Article 5, paragraph 1, point 1 of the Regulation in that they have performed an analysis of the risks to the rights of the subjects in the processing of their personal data in the context of the judicial activity of the court and have established policies on the level of technical and organisational measures in processing personal data, that they are capable of notifying the competent supervisory authority in case of violation of the security of personal data, and that they maintain registers of the activities for processing personal data on the grounds of Article 30 of Regulation (EU) 2016/679.
Naturally, in some cases we found omissions:
- In some courts, we found inconsistencies and inaccuracies in the content of transparency policies. As indicated, they aim to inform data subjects about the risks, rules, guarantees and rights related to the processing of personal data and the ways in which subjects can exercise their rights with regard to processing. However, in some cases it was found that the information contained in the transparency policies on the rights of data subjects (in particular the right to complain to a competent supervisory authority) was incomplete.
- With regard to the applied personal data security measures, we found that a significant number of courts have not conducted risk analysis on the grounds of Article 32, paragraph 2 of Regulation (EU) 2016/679.
- With regard to measures for cooperation with the supervisory authority, it has been established that courts that have not adopted procedures for cooperation with the supervisory authorities in the field of personal data protection are the exception.
- With regard to the special reporting requirements, it was established that a significant number of courts have not fulfilled their obligation to keep a register of the activities for processing personal data on the grounds of Article 30 of Regulation (EU) 2016/679. This may be due to the fact that this obligation did not exist under the repealed legal framework in the field of personal data protection.
In accordance with these findings and after preparing a detailed analysis of the acts of the planned inspections, the Inspectorate will develop guidelines to raise awareness in courts of the content of the transparency policy and of the obligation of the judiciary to prepare an analysis of the risks arising from processing in the context of the administration of justice, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to transferred, stored or otherwise processed personal data. The guidelines will emphasise the obligation of the judicial authorities to prepare procedures for notifying the competent supervisory authority in case of violation of the security of personal data, according to Article 33 of Regulation (EU) 2016/679, and the obligation of the judicial authorities to prepare registers of the activities for processing personal data carried out under their control on the grounds of Article 30 of the Regulation, including the meaning and content of those registers. This obligation could not have been fulfilled earlier, as only by conducting inspections could the actual status of the data protection controllers be established in the cases in which they exercise administration of justice.
It is important to address a significant issue that does not yet have an unambiguous solution: the concept of ‘judicial functions’. Regulation (EU) 2016/679 uses this term in its Article 55, paragraph 3, in order to limit the competence of the general supervisory bodies with regard to the processing of personal data by the courts in the performance of their judicial functions. However, the Regulation does not define the content of this concept. The same applies to Directive 2016/680. This situation leads to serious contradictions in practice, as differing interpretations of the term ‘judicial functions’ call into question the competence of the supervisory authorities.
According to one view, the term ‘judicial functions’ should not be limited to the question of whether the processing of personal data has a direct impact on the ruling on a particular case. For example, providing journalists with access to case documents ensures the publicity and transparency of the judiciary and promotes public confidence in the courts. The principle of transparency is one of the main pillars of a democratic state and is inextricably linked to the judiciary. Therefore, the provision of information in cases based on the court’s internal rules on access to information, which aim to achieve publicity and transparency in specific cases, is part of that judicial function.
The other view is that the processing of data by the court administration within the established internal rules for providing information to the media would not constitute an exercise of judicial functions, because it is not an individual decision of the judge hearing the case, but rather compliance with internal organisational rules. These rules have been adopted by the President of the Court and apply to a large number of cases brought before the Court. In this sense, an inspection by the general supervisory body as to whether data processing operations under the rules on journalists’ access to information are compatible with the Regulation is admissible, because it does not affect independent judicial decision-making on specific cases.
In this regard, a serious example can be cited from the practice of the Inspectorate at the SJC where supervision was questioned.
Two individuals charged with bribery filed complaints with the Inspectorate against the actions of a specific court of the Republic of Bulgaria, complaining that the rationale of the sentence against them was sent electronically to almost all media in the country, and that for unclear reasons the media in question were provided with the complete content, including all the personal data it contained. The specific issue is that the complainants had also filed a complaint with the Commission for Personal Data Protection, which is the general supervisory body for personal data protection in the Republic of Bulgaria. The rationale of the sentence was provided in order to inform the public about the progress of the criminal proceedings, which received a wide response throughout the country. In this case, the Inspectorate accepted that it, and not the general supervisory body, was competent to carry out an inspection, because the disclosure was part of the court’s actions in pending court proceedings and the supervision of these actions should not be carried out by the general data protection supervisory authority.
The Commission for Personal Data Protection, in turn, found that the examination of the appeal would not affect the independence of the particular court, because the operation of providing the rationale for the sentence to the media does not belong to the ‘judicial function’ of the court.
The result was that the court was sanctioned by both supervisory authorities in the country, each imposing a coercive administrative measure, for the same personal data processing operation. The administrator appealed only the decision of the Commission for Personal Data Protection in court, and it was declared null and void by the Sofia City Administrative Court.
A question was referred to the Court of Justice of the European Union for a preliminary ruling on the scope of the concept of ‘judicial function’. The case was instituted on a reference for a preliminary ruling from Rechtbank Midden-Nederland (Netherlands), received on 29 May 2020. The defendant is Autoriteit Persoonsgegevens (Data Protection Administration). The question referred for a preliminary ruling is: ‘Is Article 55 (3) of the General Data Protection Regulation to be interpreted as meaning that ‘processing operations of courts acting in their judicial capacity’ can be understood to mean the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist, as described in the present order for reference?’
Ensuring the protection of individuals in the processing of their personal data is an ongoing process. In this regard, resolving the issue of the scope of the competence of the supervisory authorities with regard to the processing of personal data by the courts in the performance of their judicial functions will significantly contribute to the development of supervisory practice for the protection of personal data. We therefore look forward to the judgment of the Court of Justice of the European Union in Case C-245/20.
As far as the Inspectorate to the Supreme Judicial Council is concerned, acting in its capacity as a supervisory body, it should be underlined that it will continue to face the challenges related to personal data protection as outlined in the Regulation and the Personal Data Protection Act. In addition, it will develop a legal practice that will be subject to judicial review. As our experience so far shows, the Bulgarian legislator has justifiably entrusted to this independent body, internal to the judiciary, the supervision of compliance with personal data protection requirements by the courts and the prosecutor’s office, in cases in which they act as independent bodies within the judiciary.