Bulgaria: Personal data protection risks of employee diversity and inclusion programs
In recent years, the issue of creating a working environment complete with diversity and inclusion has been increasingly raised. Nikolay Zisov and Deyan Terziev, from BOYANOV & Co., provide an overview of how the implementation of a diversity and inclusion program relates to provisions within data protection law, such as the data minimisation principles and purpose limitation.
The terms 'diversity' and 'inclusion' are typically used together and refer to the inclusion in the work staff of employees belonging to categories of persons who are often discriminated against based on their sex, race, ethnicity, and sexual orientation, etc. 'Diversity' is used mainly in demographic terms (how many and what people are employed), and 'inclusion' refers to the equal opportunity of each person to contribute and influence every part or level of the work environment. For example, from the point of view of 'diversity', it is possible that an employer has hired 50% women and 50% men, but there may be lack of 'inclusion' because the management is made up only of men.
Usually, diversity and inclusion programs operate within multinational groups of companies which strive to implement them locally in Bulgaria. For example, the programs may aim at achieving a certain percentage of employees (locally or globally) who belong to a religion or ethnic group, as well as inclusion of such persons at different work process levels, including by respecting their customs and traditions. Such initiatives, however, often face legal challenges in Bulgaria, especially in view of compliance with the applicable personal data protection laws.
In the implementation of diversity and inclusion programs it is necessary to collect certain categories of sensitive information about the individuals – their ethnicity, race, religion, etc. According to the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') this would be permissible either when required by law, which is rather rare in Bulgaria, or with the express consent of the persons.
Consent is not always an appropriate legal basis in the employment context. One of the requirements for the validity of consent is for it to be freely given. In this regard, consent would not typically provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller. With a view to the guidelines of the European Data Protection Board, such imbalance would typically exist in an employee - employer relationship. Therefore, employee consents collected may be null and void if the employer has not taken extra precautions to meet the necessary requirements.
With regard to the non-sensitive categories of personal data, another possible legal basis for their processing could be the employer's 'legitimate interest'. However, this ground is not absolute and should be balanced with the fundamental rights and interests of the data subjects, and such balance tests must be properly documented by the employer in order to comply with the principle of accountability. When applying the 'legitimate interests' legal basis, the data subjects have the right to object. In the event of exercising this right, the employer can continue processing the personal data only if it proves that there is a compelling legitimate interest, i.e., if such interest of the employer has a significant prevalence over the rights and freedoms of the person who objected – in the context of inclusion and diversity programs, it would be unlikely for the legitimate interests of the employer to be that 'compelling', hence the right to object would usually be equal to an absolute opt-out option for the employee from the processing activities.
In view of the applicable Bulgarian labour law, inclusion and diversity information must be collected voluntarily, even if such voluntariness does not formally meet the definition of freely-given consent already mentioned above. In the general case, where there is no legal obligation for the employer to process such data, the employee's refusal to provide it should not lead to disciplinary or other sanctions for the employee.
Lawfulness and purpose limitation
The processing of personal data for inclusion and diversity purposes will be permissible only to the extent that the relevant specific purpose and the processing itself is lawful.
In this regard, it is important to discuss the applicable requirements of the Bulgarian anti-discrimination legislation, the violation of which could also lead to sanctions for violating the GDPR. The Bulgarian Protection against Discrimination Act contains a long list of so-called 'protected characteristics' that are relevant to these programs – sex, race, nationality, ethnicity, citizenship, origin, religion, personal status, disability, and sexual orientation, etc. Forbidden discrimination will be any less favorable treatment of a person, on the basis of such a protective feature, compared to another person in similar circumstances.
Even though such programs are often directed against potentially discriminatory practices, it is possible to carry out forbidden discrimination by collecting information about the persons that affects a protected characteristic, if this leads to different treatment of any employees in Bulgaria. This will be the case even when, on the basis of such information, the different treatment is positive and aimed at improving the situation of persons who are often discriminated against. In such cases, as an indirect result, this would cause reverse discrimination against all persons who do not fall into such category.
In accordance with the GDPR principle of data minimisation, the collection of personal data is not permitted where anonymous information would be sufficient. In this regard, if different treatment of employees on the basis of one of the protected characteristics of anti-discrimination legislation is not allowed, it should be carefully assessed whether the employer should collect the relevant information in a way that allows to associate it to individual employees instead of compiling statistics.
Information collected anonymously is not treated by law as personal data – respectively, the GDPR will not apply if the individuals' anonymity is ensured. However, depending on the number of employees and the specific organisation of work, it is not always possible to achieve sufficient anonymity – the assessment will have to be made carefully on a case-by-case basis.
Processing personal data on gender in Bulgaria
The gender and biological sex of employees are often discussed in the course of implementing diversity and inclusion programs in Bulgaria. According to the rather strict case law of the Constitutional Court, the Bulgarian legal order does not recogniwe the concept of gender as a matter of self-identification of individuals in addition to their biological sex. Accordingly, it is debatable to what extent the processing of personal data on gender would be compliant with the data protection principle of legality, as well as whether it would be proportionate in view of the principle of data minimization, if such information is legally irrelevant in Bulgaria, which could, on the other hand, also lead to infringement of the GDPR.
In conclusion, diversity and inclusion programs should be implemented in Bulgaria only after employers carry out a careful preliminary analysis on the complex interaction among the applicable anti-discrimination, data protection and labor law requirements. Otherwise, the respective practice may lead to significant administrative sanctions under the GDPR and other applicable regulations.