INTRODUCTION In the context of a coronavirus pandemic and unprecedented measures taken by the state to deal with the crisis, the economic situation in Bulgaria is changing at a dynamic…
The intensive spread of the coronavirus is inevitably linked to even more intensive processing of personal data. In the context of a pandemic and a state of emergency, many questions arise regarding the application of the General Data Protection Regulation (GDPR), which we will answer below.
FREQUENTLY ASKED QUESTIONS
Am I allowed to collect data concerning the health of my employees or clients?
Yes, you are allowed to do so. Although such data are a special category of data and fall under the general prohibition on processing, enshrined in Art. 9 of the GDPR, the presence of a pandemic gives grounds to collect it. In particular, in some cases, the data processing will be necessary for the purposes of carrying out the obligations of the controller under Bulgarian labor law. For instance, Art. 4, para. 1 of The Health and Safety at Work Act obliges the employer to ensure healthy and safe working conditions for its employees. Another possible ground might be Art. 9, para. 2, letter “i” the GDPR – “reasons of public interest in the area of public health”. The consent of the data subject will not be necessary in both cases.
However, this does not mean that the principles of Art. 5 of the Regulation and all other obligations of the controller cease to apply. On the contrary, processing must be kept to a minimum, be accurate and in a manner that ensures appropriate security. Moreover, considering the special category of personal data being collected, a higher standard of data protection is essential.
Can I require my employees to complete a questionnaire about recent and upcoming trips to countries affected by the virus, visits to mass events, etc.? Can I measure the temperature of office visitors?
Such measures depend on the particular case so that their proportionality can be analyzed in depth. In this regard, relevant factors are whether highly vulnerable persons work in the office, whether work responsibilities are related to frequent travel, etc. In general, the employer may ask questions about the symptoms of the virus, especially when in doubt. If questionnaires are used, data pseudonymization or anonymization should be applied. It would be unlawful to conduct systematic medical examinations (a measurement of temperature) on entry of the workplace. According to the Italian regulator, exceptions to this rule are possible – examinations can be carried out by an in-house health care specialist in the presence of a risky work environment.
However, we emphasize that, according to guidelines already published by other EU Member State regulators, an active collection of employees and clients’ data should be avoided. Instead, employers should encourage workers to self-report their suspicions, symptoms, and trips to countries affected by the virus.
If one of my employees is infected with the virus, can I inform the others?
You can inform others about the presence of an infected colleague. However, you should avoid announcing their identity.
How long can I store the data?
In view of the sensitivity of the data, it is important to apply a strict approach to the short storage periods. Therefore, if the data are recorded and stored, they should be immediately deleted/destroyed as soon as they are no longer necessary for the purposes for which they were collected. For some data, the storage period will coincide with the cancellation of the state of emergency/ end of the pandemic.
*This text does not constitute a legal advice or consultation and should not be considered sufficient to resolve specific legal issues and cases.