Lawsuit against Bulgarian Tax Authorities for 2019 Data Breach Reopened

The collective damages lawsuit brought by Digital Republic Association, representing affected data subjects, against the Bulgarian National Revenue Agency (“NRA”) was officially reopened in November 2024 and is now pending before Sofia City Court. The claim was filed on 4 November 2021 following the data breach suffered by the NRA in 2019. This success comes after more than three years of suspension of the proceedings and attempts to have them terminated. The next court hearing in the case will be held on 27 February 2025. At that hearing, the court is expected to rule on, among other things, the period within which affected data subjects who are not yet involved in the litigation may join it as claimants.

By way of background, in 2019 the NRA suffered a data breach that resulted in a significant leak of personal data, with a negative impact on a large number of data subjects in Bulgaria. The Bulgarian Commission for Personal Data Protection imposed a fine of BGN 5,100,000 on the NRA for failing to implement adequate security measures for personal data protection. The NRA never paid the fine, and the applicable statute of limitations expired.

One of the reasons for the suspension of the litigation was a preliminary ruling sought by the Bulgarian Supreme Administrative Court from the Court of Justice of the European Union (“CJEU”) in 2023. In its ruling, the CJEU provided a valuable interpretation of the GDPR provisions on technical and organizational measures, the controller’s responsibility, and non-material damages to data subjects following a data breach. See the summary of the CJEU ruling prepared by the DGKV Data Protection team at: https://dgkv.com/insights/publications/the-cjeu-interpreted-gdpr-provisions-on-technical-and-organizational-measures-controller-s-responsibility-for-their-appropriateness-and-non-material-damages-to-data-subjects