The Commission for Personal Data Protection (CPDP, „the Commission“) published two separate statements concerning processing of employees’ personal data by their employers in compliance with Regulation (EU) 2016/679 („the Regulation“) in the Covid-19 situation, in particular:
Organizing group testing of employees upon completion of balancing test
Within its statement the Commission analyzed the measures which employers may undertake to ensure healthy and safe working conditions in a Covid-19 epidemic situation. The Commission expressly states that since Bulgarian legislation does not provide for obligations of employers to perform tests, they are only allowed to organize tests, but not to actually perform them. Therefore, employers do not have a legitimate need to process health-related data, including genetic data contained in the PCR-test samples.
The Commission concluded that an employer, led by its legitimate interest to ensure business continuity, may undertake measures to preserve employees’ health in the epidemic crisis situation by organizing their group testing.
In this regard, the CPDP states that for the purposes of test organization, the employer may rely on its legitimate interest (Art. 6, para 1, item „f“ of the Regulation) as a legal ground for processing data. The CPDP recalls that, to rely on this legal ground, the employer must first perform a balancing test, and only if the balancing test shows that the employer’s interests prevail may the employer proceed with issuing an order that binds its employees to undergo a PCR-test for Covid-19.
The employer may only process health data at a later stage, if and when an employee submits a sick leave note to certify that he/she was treated for Covid-19. Until that moment, the employer does not need and is therefore not entitled to process employees’ health data.
Limitations on requesting health data from employees working from home
The Commission was asked to rule on whether employers are allowed to require employees who work from home to provide information on whether they or their family members suffer from Covid-19, as well as whether they are undergoing quarantine measures on suspicion of contagion. To express its position, the Commission once again relied on the measures that employers are allowed to implement to ensure safe working conditions in the epidemic situation.
The Commission held that employers’ powers only refer to the working premises. Since the matter refers to the health condition of employees who work from home, employers’ supervision cannot extend to the home and family lives of employees. In this regard, there is no applicable legal ground for the employer to require any such information from employees, due to the fact that these employees are isolated and do not pose a threat to their colleagues’ health. It is also added that other facts such as work regime and meetings between employees must be taken into account, as well as the possibility that the employee in question may not be aware of him/her being contagious.
The measures which employers may and shall implement consist of access control mechanisms, including temperature checks of employees who visit the office, in order to prevent employees with respiratory disease symptoms from entering the premises.
Within the statement it is underlined that information concerning the health of employees who work from home may be processed when that information has been made publicly available by the data subject (Art. 9, para. 2, item “e” of the Regulation), as well as in cases where the employee submits a sick leave note to certify that he/she is treated for Covid-19. Information on household members being ill may be processed, if any such information is contained in the sick leave note. Until being provided with a sick leave note, the employer does not need to process health data on individuals working from home.
According to the Commission’s statement, the employer may provide information to other employees about one of their colleagues being ill, if this is positively confirmed, but without providing data to identify the individual, i.e. without reference to his/her name. Only health authorities are allowed to identify a contagious individual, to track his/her contacts and to organize testing of these individuals.
The two statements of the Commission undoubtedly contribute to the further understanding of various matters related to employers’ entitlement to gather and process employees’ data in the situation of epidemic emergency. However, the Commission does not provide detailed guidance as regards processing data of employees who actually visit their workplaces, especially concerning their health data, information about their travel and visits abroad, data on recent contacts, etc.
The statements expressly state that they are only to provide consultancy and clarifications as regards the interpretation of applicable legislation. It is further elaborated that any particular data processing must have a valid legal ground and that the processing must comply with data protection principles as stated in Art. 5 of the Regulation.
In view of the above, prior to undertaking any particular processing, employers must carefully consider whether it is admissible to process personal data for the purposes of ensuring healthy and safe working conditions or otherwise preventing the spread of Covid-19.
How can we help?
KPMG team remains at your disposal should you have any questions or need of assistance concerning the powers and obligations of employers in the situation of epidemic emergency.
© 2020 KPMG Bulgaria EOOD, a Bulgarian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.