Bulgaria: Challenges for employers concerning COVID-19 and the GDPR
In 2020, COVID-19 spread across the world, affecting the privacy rights of many individuals and creating challenges for employers who need to ensure safe work environments whilst not breaching their employees' personal data rights. Miglena Micheva, Managing Associate at Deloitte, discusses the issues that many employers have faced during the COVID-19 pandemic, and how the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') has affected employers' considerations for the safety of their employees.
Never before in its democratic history had Bulgaria introduced a state of emergency and experienced an emergency pandemic situation. Their introduction was requested due to the need for emergency legislation that would give more freedom to the institutions to restrict individual rights and impose new obligations on businesses in order to limit the spread of COVID-19 in the country. Thus the observance of, and compliance with, the orders of the Minister of Healthcare, which impose numerous obligations on employers, has become one of the main challenges for companies operating in Bulgaria. Those obligations aim to ensure safe conditions in the workplace, and some of the required measures include the introduction of a special entry regime into the premises of each company, which must guarantee that no persons with symptoms of acute respiratory diseases are allowed in the company's territory.
The compliance with such obligations is naturally accompanied by the regular processing of personal data pertaining to the health status of data subjects. This raises a number of questions regarding the application of data protection legislation, in particular the GDPR in the context of the emergency pandemic situation.
Legal basis for processing personal data
A crucial question that employers acting as personal data controllers must clarify is whether they have a legal basis for the processing of certain kinds of personal data, in particular the special categories of personal data ('sensitive data'), such as the personal data concerning health.
Order No. RD-01-402, from 15 July 2020, of the Minister of Healthcare stipulates that employers shall not allow 'persons with symptoms of acute respiratory diseases (increased body temperature, cough, difficulty breathing, loss of sense of smell or taste, etc.)' in the premises of the company. The employers also have an obligation to implement a number of anti-pandemic measures, such as disinfection, organising the workplace in a manner that allows for at least a 1.5 metre distance between persons to be kept, instructing staff on proper hand hygiene, and providing personal protective equipment. At the same time, the employers also have a general obligation under labour law to provide health and safety at work.
Even though the employers shall comply with the aforementioned obligations, this does not necessarily mean that any activities related to the processing of health data are permissible. When introducing anti-pandemic measures, the employers must assess whether every separate processing activity is lawful, and which are the applicable legal bases for processing under Article 9 of the GDPR.
In some cases, the processing of personal data is necessary for the fulfilment of the employer's obligations under labour law, and thus Article 9(2)(b) of the GDPR may be applicable. Another possible basis for processing would be Article 9(2)(h) of the GDPR when the processing is necessary for the purposes of preventive or occupational medicine. It is important to note that in Bulgaria, only the relevant health officials can refer to Article 9(2)(i) of the GDPR pertaining to processing for reasons of public interest in the area of public health. According to the Bulgarian Commission for Personal Data Protection ('CPDP'), this legal basis is inapplicable for employers.
Determining the legal basis for processing of personal data is a key step towards ensuring compliance with the GDPR. Therefore, for each of the activities discussed below, the employers must conduct a careful analysis of this important aspect before proceeding to carry out the respective activity.
Is measuring the body temperature permissible?
The data protection authorities in the EU Member States do not share a single interpretation regarding the permissibility of measuring the body temperature of persons prior to their entry into different sites. In Bulgaria, this measure was adopted by a number of public authorities, including the CPDP, immediately after the state of emergency was declared. Since the GDPR provisions apply equally to controllers from both the private and the public sector, the fact that many public authorities adopted this measure could be accepted as an argument for its permissibility and applicability to the private sector as well.
The CPDP considers that the employer can introduce body temperature measurement when its purpose is to establish whether, at a particular moment in time, a person's health condition would allow for him/her to enter the work premises. However, the employer cannot keep records of the specific measurements as there is no necessity for that and creating records of them would be excessive. Such records may be created by medical professionals, who are bound by the obligation of professional secrecy, if the processing is done for transparent and lawful purposes.
Consequently, the measurement of body temperature by employers is, in principle, an appropriate measure for the implementation of a special entry regime on the condition that the temperature values are not recorded and further processed. If necessary, information on the temperature values could be recorded and processed in an anonymised form, so that the identity of the data subjects could not be revealed. Such a hypothesis would be relevant if, for example, the company needs statistical information on the number of persons who were not allowed into its premises.
Is it permissible to require the filling-in of questionnaires?
During the pandemic, many employers, either on their own initiative or at the initiative of the corporate group of which they are a part, introduced a requirement for persons entering the work premises to fill in questionnaires/self-declaration forms. These often include questions about the employees' or visitors' health (whether they have COVID-19 symptoms such as increased body temperature, cough, shortness of breath), whether they have recently travelled abroad, and whether they have had contact with people diagnosed with COVID-19, etc.
The CPDP considers that there is no legal basis for the employers to request information regarding the health status of the data subjects through such questionnaires since they are of no real certifying value and constitute a high level of interference in the personal sphere of the subjects.
In view of the above, the employers in Bulgaria should reconsider their practice to require the filling-in of questionnaires, even if the company is part of a corporate group operating in other countries where questionnaires are a fully acceptable measure according to the respective supervisory authorities in these Member States. The European Data Protection Board still has not released a statement on the subject matter, and each controller should follow the recommendations of the local supervisory authority. This poses a major challenge for global companies since now they are faced with the need to analyse and comply with the requirements of multiple jurisdictions when implementing anti-pandemic measures.
What else do employers have to consider?
Before they decide to introduce new activities in the organisation (in connection with the pandemic, but also in general), including prior to the processing of personal data, the employers must make a careful analysis of the intended processing by covering a minimum checklist of aspects to take into account, such as:
- what kind of data will be processed and for what purposes, as well as whether the data is limited to what is necessary in relation to the purposes for which they are processed;
- whether there is a legal basis for processing, and if yes, what it is under the GDPR;
- where and by whom are the separate (anti-pandemic) measures implemented (in view of the differences in determining the legal basis);
- to whom will the data be transferred, i.e. who are the recipients (if any);
- whether there is a need to review the internal acts of the organisation, taking into account the type of the processed personal data and the categories of new recipients of the data;
- determining a period and place for data storage;
- providing information to the data subjects (a privacy notice);
- adding to the record of processing activities the new mechanism of personal data processing; and
- taking appropriate technical and organisational measures to ensure security.
In conclusion, the provisions of the GDPR continue to apply to the employers even in the situation of a global pandemic, and ensuring compliance with the regulation is a process that requires constant monitoring and updating. Therefore, increased attention from employees and experts on data protection is required in every organisation. If necessary, this also relates to taking adequate measures in accordance with the current regulatory requirements and recommendations in the field of personal data protection at national and European level.
Miglena Micheva Managing Associate