The COVID-19 pandemic has put employers in the Republic of Bulgaria in a delicate position. They face a balance that is difficult to achieve between ensuring healthy and safe working conditions and their responsibilities as data controllers.
It is important to note that the data on COVID-19 tests, as well as the data on the vaccination status of employees, fall into the special category of personal data according to Article 9, paragraph 1 of the General Data Protection Regulation (“GDPR”).
On a national level, to date the Bulgarian Commission for Personal Data Protection (“CPDP”) has issued two statements relevant to COVID-19, namely statements with registration № NPMD-17-114/2020 and № NPMD-17-151/2020. Statement № NPMD-17-114/2020 deals with the issue of personal data processing in case of an established infection with COVID-19 of an employee, and statement № NPMD-17-151/2020 deals with the issue of group testing of employees for COVID-19.
Testing employees. Test results
According to the statement of the CPDP, the employer may issue an order for mandatory group testing to identify employees who are infected with, or carriers of, COVID-19 under the terms of Article 6, paragraph 1, letter f) of the GDPR (the existence of a legitimate interest), only if the balancing test shows that its legitimate interests override the rights and freedoms of employees.
Firstly, employers are not obliged to organize testing of their employees, but they have the opportunity to do so.
Prior to the introduction and organization of employee testing by the employer, it is necessary to perform a preliminary balancing test (analysis). The purpose of the balancing test is to determine whether the rights and freedoms of employees are overridden by the legitimate interest of the employer.
The legitimate interest of the employer is based on his obligation to protect the health of his employees, and the rights and freedoms of employees are expressed in the restriction of access to confidential information about the employee. If the result of the balancing test shows that the legitimate interests of the employer override the rights and freedoms of employees, the employer has the opportunity to prepare and issue an order according to which mandatory group testing of employees is introduced.
It should be stressed that tests should always be performed in licensed laboratories and not in a home environment.
Many employers are also interested in addressing the issue of testing costs, because as they accumulate, they increase significantly and cannot be ignored. There is no official opinion on the matter, but in view of the current legislation, it can be concluded that testing should always be at the expense of the employer. It is the obligation of the employer to ensure healthy and safe working conditions, and the introduction of group testing is precisely the fulfilment of this obligation. The obligation is on the employer and in this regard, the costs of fulfilling the obligation should be borne by the employer.
Following the issue of employee testing, the issue of sharing information with the staff when an employee is infected with COVID-19 should also be considered.
The CPDP provides an answer to this question with its statement № NPMD-17-114/2020. According to the statement, “The employer may provide information to the staff about the presence of an infected employee without providing data for his identification, and when such is established in an indisputable manner, on the basis of Art. 4, para. 1 of the Health and Safety at Work Act. The health authorities shall take action to identify the contact persons and examine them accordingly.”
The employer will obtain this data and process it when his employee presents a sick note to certify that he has been treated for COVID-19.
Vaccination status of employees
To date, the CPDP has not published a statement on personal data concerning the vaccination status of employees. It should be noted that the supervisory authorities of other EU Member States have issued statements on the matter. It is important to emphasize that employers cannot process this data on the basis of the consent of the data subject, as this is prohibited by the GDPR, in view of the inequality between employer and employee.
The statements of the supervisory bodies equivalent to the CPDP in other EU Member States contradict each other, as no unified approach has been adopted.
Some supervisory bodies in the Member States consider that an employer has no right to collect and process such data, while others take the approach that an employer has the right to collect and process such data.
The arguments against the processing of such data are that there is no legislation on the matter in the Member States concerned and that the vaccines do not provide the vaccinated person with absolute protection against COVID-19 infection and its spread. They also point out that compliance with the basic protection measures against COVID-19 is sufficient to protect the workplace. These measures are already well known, namely wearing masks, disinfecting the workplace, keeping a distance and avoiding crowds in one room.
The arguments for the processing of such data are that their processing falls under the exception established in Article 9, paragraph 2, letter b) of the GDPR. The argument is based on the employer’s obligation to ensure safe working conditions, which includes preserving the health and life of the employee, as well as preventing the spread of a potentially life-threatening infection. On this view, Article 9, paragraph 2, letter b) of the GDPR is applicable, because it states that the prohibition on processing does not apply if “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”.
If the CPDP publishes a statement accepting the arguments for processing of such data, the processing should meet certain conditions. Taking into account the approach of the supervisory bodies of the Member States in which the admissibility of the processing of this data is accepted, the conditions should be:
- Carry out a balancing test, similar to the one discussed above regarding testing of staff to detect employees who are infected with, or carriers of, COVID-19;
- To determine and establish the purpose for which vaccination data is collected;
- The intended purpose can be achieved only through the collection of vaccination data. If compliance with the basic protection measures of COVID-19 is sufficient to achieve the purpose for which vaccination data is collected, the processing of such personal data should not be allowed.
- Avoid discrimination against unvaccinated employees;
- The employer should process as little personal data as possible and store it for the shortest possible period. That is, an assessment must be made of how much information is needed to achieve the purpose. Will the employee present a certificate? Will a copy of it be kept? For how long will the information be stored?
We emphasize the condition of avoiding discrimination against unvaccinated employees, as each supervisory body of a Member State places a major emphasis on it. Employers are not allowed to take actions that discriminate against their unvaccinated employees. All of the above should be explained to employees carefully, in detail and comprehensibly.