The Bulgarian Data Protection Authority Issued Opinions on the Processing of Personal Data by Employers During the COVID-19 Pandemic
The first opinion1 deals with the anonymized group testing of employees for COVID-19 (the so-called Pool PCR testing) when it is performed after an order of the employer.
The CPDP analyzes the European Data Protection Board's statement on the processing of personal data in the context of the COVID-19 pandemic (adopted on 19 March 2020), according to which "the possibility for employers to carry out medical examinations (including testing) of their employees depends on the rules in the national legislation in the field of employment or health and safety." Since no such possibility exists in the Bulgarian legislation, the CPDP recognises that Bulgarian employers have the right only to organize the testing for COVID-19 in specialized laboratories, but not to conduct such testing themselves.
Therefore, the employer does not process employees’ personal data concerning health. The controller of the data extracted through the Pool PCR tests would in fact be the licensed laboratories which process the data on the grounds provided for in Article 9(2) of Regulation (EU) 2016/679, including public interest.
On the other hand, according to the CPDP, in order for the employer to lawfully issue an order requiring its employees to be tested, they must first carry out a balance of interests test, as reflected in Article 6(1)(b) of Regulation (EU) 2016/679. The employer must establish that their legitimate interests of planning and ensuring continuity of the labour process take precedence over the rights and freedoms of the data subjects (the employees). Only then they can proceed with the issuance of an act obliging the employees to undergo a PCR test for COVID-19 as a measure to preserve their health.
The second opinion2 reflects on the processing of personal data concerning the health of employees working from home and the ability of the employer to inform their employees, if an employee is infected with COVID-19 virus.
According to the CPDP, during a state of emergency, employers can check the temperature of their employees and introduce an access regime on the territory of their office, if the undertaking’s activities require so. In the opinion of the CPDP, these measures are not applicable for in-home conditions as the control of the employer cannot spread out to the home of the employees and their families. Accordingly, the employer does not have legal grounds to request information concerning the health of its employees who are working from home (neither concerning their family members’ health) as at that time they are in social isolation and do not pose a threat to the health of their colleagues. The only time when the employer has legal basis to process such data is if the employee manifestly makes the data public (pursuant to Article 9(2)(e) of Regulation (EU) 2016/679) or if he or she submits a sick leave to his employer (pursuant to Article 9(2)(b) of Regulation (EU) 2016/679).
The employer may provide information to its employees about an infected employee, where the infection is established in an undisputed manner, but the CPDP prohibits employers from providing data that may lead to the identification of the employee. As noted in expert analyses on the topic3, in small and medium enterprises this prohibition may not be possible to fulfill due to the small staff.
According to the CPDP, the health authorities are the ones empowered to process the data regarding the identity of the infected people, to trace their contacts and respectively to examine them. Such operations should not be performed by employers.
1Opinion of the CPDP Reg. No SNM-17-151/2020 From 15.05.2020
2Opinion of the CPDP Reg. No SNM-17-114/2020 From 26.05.2020
3Zahariev, M., Dr., “Regarding the Admissibility of the Performance of Certain Data Processing Operations by Employers in the Conditions of the Covid-19 Pandemic
Article provided by: George Dimitrov and Desislava Krusteva (Dimitrov, Petrov & Co., Bulgaria)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)