Bulgaria is currently embroiled in a scandal involving unauthorized video surveillance footage from laser hair removal procedures. The footage has reportedly surfaced on adult websites globally. A similar case was subsequently uncovered within a gynecological practice. Beyond the ethical outrage and the trauma inflicted upon the victims, these incidents reveal a complex matrix of violations across administrative, civil, and criminal law - further complicated by the nuances of special categories of data and EU data protection legislation.
The Liability Framework in Bulgaria
Victims of unauthorized surveillance in Bulgaria have three distinct legal paths for redress:
- Administrative Sanctions - The Commission for Personal Data Protection (CPDP) may impose significant fines. However, for small (neighborhood) salons, such penalties often lead to insolvency or the stripping of assets, rendering the decision a moral victory rather than a financial one.
- Criminal Prosecution - Under the Bulgarian Penal Code (Art. 339a), the use of special technical means for clandestine information gathering is a criminal offense.
- Civil Litigation - The most realistic path for a victim is a claim under the Law on Obligations and Contracts. To circumvent the issue of "empty shell" companies, claims may attempt to establish the personal liability of the manager or owner who installed the devices. However, this requires victims to have sufficient resources for litigation (potentially via class actions), and the outcome remains precarious if defendants transfer their assets prior to the filing of the claims.
The Limits of Legitimate Interest: Can Quality of Service Justify Surveillance?
The possibility for a controller to invoke "legitimate interest" under the GDPR to prove the correct execution of a procedure or to defend against unfounded client claims is a noteworthy point of contention. (Current attempts by violators to justify surveillance as "security activity" are entirely groundless and do not merit legal analysis.)
According to settled CJEU case law and EDPB Guidelines (3/2019), a controller’s legitimate interest cannot override the fundamental rights of the subject when filming occurs in spaces where individuals have an objective and reasonable expectation of privacy (such as massage or depilation rooms).
Even if defense against legal claims is a valid objective, filming for that purpose violates the principle of "data minimization," as less invasive means exist to prove service quality (e.g., informed consent, procedure protocols, or medical documentation). Any filming of intimate areas without explicit, specific, and freely given consent - outside of strictly regulated medical purposes - is considered disproportionate and should automatically exclude legitimate interest as a valid legal basis.
The Threshold of Sensitive Data
A compelling legal question raised by data privacy experts in Bulgaria is whether video footage of a client in a state of partial or full nudity constitutes a "special category of data" under Article 9 of the GDPR. While raw video footage is generally not considered sensitive per se, the context of a cosmetic procedure may reveal data concerning a person's health status and/or sexual orientation.
In the Lindenapotheke (C-21/23) ruling, the CJEU reinforced a broad interpretation of health data. This triggers the prohibition on processing unless a specific derogation is met (such as the explicit consent of the individuals being filmed).
The ruling in OT v Vyriausioji tarnybinės etikos komisija (C-184/20) is also pivotal here, as it supports the classification of data as sensitive if it reveals the sexual orientation of the data subjects. Although that case originally concerned the disclosure of private interests, the CJEU's emphasis on the severity of the interference with the right to private life supports the argument that the mere loss of control over such intimate data constitutes a compensable harm.
Furthermore, the fear of future data misuse - such as the potential uploading of intimate footage to adult platforms - is sufficient to claim non-material damages. The victim is not required to prove that the recording was actually disseminated; the psychological distress caused by the possibility of dissemination is a recognized harm.
In C-184/20, the CJEU effectively held that if data allows for the indirect revelation of sensitive information, it must be treated with the highest level of protection. In a cosmetic setting, unauthorized filming often captures intimate physical characteristics relating to an individual’s private and sexual life. Consequently, such processing could be perceived not merely as a violation of Article 6 GDPR (Lawfulness), but as a material breach of Article 9, carrying significantly higher sanctions.
***
In conclusion, against the backdrop of extensive EU regulation and continuous technological evolution, our society remains largely unaware of its rights, business obligations, and available means of protection. As AI begins to use our faces directly for discriminatory purposes, without the need for us to ever set foot in a cosmetic salon, are we truly prepared for what comes next?
By Irena Georgieva, Managing Partner, PPG Lawyers

