Data Protection in Employment – Amendments in the Bulgarian Legislation After the GDPR
As of 2 March 2019, the Bulgarian Personal Data Protection Act has been amended in line with the GDPR. Interestingly, this so-called “implementing act” does not change the personal data protection climate in Bulgaria much in regulatory terms. It is safe to say that Bulgarian personal data protection legislation was among the most stringent even before the dawn of the GDPR. Because of this, part of the regime introduced by the GDPR is more relaxed than the requirements of the previous version of the Bulgarian Personal Data Protection Act, whose history in Bulgaria dates back to 2002.
The main effect triggered by the mandatory application of the GDPR is linked to the sanctions provided therein. Companies processing personal data in their capacity as employers seem to be more disciplined than before the GDPR era. They are beginning to pay more attention to the already existing legislation and strive to align their daily practice with the mandatory personal data protection requirements. There are of course some amendments introduced in the domestic legislation in view of the GDPR, and some of the most significant ones relate to employment relations.
The changes in employment relations may be divided into three main areas, as reviewed below: data processed during the recruitment process and upon commencement of the employment; data processed within an established employment relationship; and data processed upon and after termination of an employment contract.
Data processed during the recruitment process and upon executing an employment contract
The categories of personal data which are necessarily disclosed and processed during the recruitment process relate only to the data needed for the selection procedure. It is unacceptable for a potential employer to require candidates to reveal too much data, data that are not relevant to the decision-making process, or data that go too deeply into the personal life of the job applicants. For example, information on the family status of the candidate, personal identification number, and hobbies and interests that are unrelated to the desired position are considered irrelevant for the purposes of recruitment and may be processed only on the basis of the data subject's consent.
On the other hand, the list of data that employers are statutorily entitled to collect for the purposes of establishing an employment relationship can be derived from the documents which the law requires for the conclusion of an employment contract, such as:
- Limited personal data from the identity document;
- Documents regarding education, scientific degree, professional qualifications and work career but only in case they are necessary for the performance of the specific type of work or the specific position/workplace for which the candidate applies;
- Document evidencing work experience, only when the position the candidate applies for requires such work experience;
- Medical examination document for starting work and after suspension of work under an employment contract for a period exceeding three months;
- A criminal record certificate, only when a statute or other normative act requires provision of such certificate;
- Permission from the Labour Inspectorate in cases when the candidate is below 16 or is between 16 and 18 years old.
As is evident from the above, an autobiography or CV is not among the required documents. As before the GDPR entered into force, and now on even stronger grounds, it is unacceptable for employers to require documents other than those provided for by law. Employers are not entitled to process data other than those listed in the statutory catalogue, unless on the basis of the data subject's consent.
Furthermore, without the consent of the job applicant, establishing a relationship with previous employers is inadmissible. The data subject's consent remains an alternative ground for data processing when there is no other legal ground for it, but not always, considering the employees' presumed state of dependency in the employment relationship.
One of the positive effects after the GDPR is that employers have ceased to perform background checks on job applicants and to make ID copies.
The statutory storage limitation for job applicants' personal data, including data contained in CVs, collected and processed during the recruitment process, is six months after closure of the specific selection procedure for which they were initially collected, unless the applicant has given his or her explicit consent to storage for a longer period.
Data processed within an established employment relationship
The employment relationship usually develops over time and there is an increasing amount of data processed during its existence.
In the course of the employment relationship, it is inevitable that employees' personal data will be processed. This need arises from employers’ obligations in the field of employment law, social security and tax law, and sometimes from the specifics of the employer’s sustainable business or other specific needs. Whether this is lawful should be assessed case by case. Employees' privacy in the context of employment relationships is not absolute, and data processing does not always depend on the availability of employees' consent.
The most interesting and applicable aspects of data processing in the course of the ongoing employment relationship, among others, are related to the control and monitoring performed by the employer. Employment legislation contains relatively few rules that regulate the limits of the employer’s exercise of control and when these limits can be crossed so as to enter employees' personal space. There are no uniform rules regarding the techniques and methods of surveillance in the different countries. Each country strives to solve the associated problems itself, while adhering to the common international privacy rules.
More and more employers in Bulgaria have been using monitoring systems to control access to work, compliance with working hours and labour discipline by employees, as well as for the purpose of safeguarding employers' property.
In such cases employees must be informed of the use of technical means of monitoring by means of information boards with the minimum required contents, placed in a prominent place, and must be provided with detailed information about the purposes, limits and results of the monitoring, possible implications, rights of the data subjects, etc.
On the other hand, when using monitoring systems at the workplace, employers must strive to keep a good balance between employees' right to private life and the legitimate interest pursued by the employers. The legitimate interest of employers is sometimes overridden by the prevailing interests or fundamental rights and freedoms of the data subjects, and this must be taken into account when performing data processing.
It is anticipated that the Bulgarian regulatory authority, the Commission for Personal Data Protection, will soon establish more specific rules on surveillance systems, which will bring more clarity on lawful and unlawful data processing at the workplace.
The question of control over e-mail correspondence also comes down to its character: if the correspondence is personal, the interference of the employer or any other person will be unlawful. The employer, though, is entitled to read employees' official correspondence in view of protecting his or her rights and interests, ensuring the efficient operation of the work process or protecting against possible illegal activities of his or her employees. However, when performing this type of control, a balance must always be struck between the employer’s interest and the employee’s privacy.
If the employer plans to monitor the official correspondence of its employees, it must first prohibit in writing the use of the official email for personal purposes; otherwise it risks violating the constitutionally guaranteed rights of the employee by disclosing the contents of his or her personal correspondence. Such provisions can be set out in the employer’s internal rules.
Data processed upon and after termination of an employment contract
Some of the cases for termination of an employment relationship under the Bulgarian Labour Code undoubtedly require collection and processing of additional information about the employee concerned, including personal data. Thus, a substantial practical issue arises when employers collect employees' health data in order to provide them with the statutory dismissal protection, if such applies.
Currently, the processing of employees' health data is generally assigned to outside labour medicine service providers and no one else has access to these so-called “sensitive” personal data. Medical certificates and other documents containing personal data on the health status of the employees, if delivered to the employer, should be in closed envelopes and immediately forwarded to the labour medicine service provider.
By way of exception, the health data processing is permissible for the implementation of specific rights and obligations of the employer, including when dismissing employees who suffer from certain diseases, exhaustively listed by law.
Envisaged time limits for processing of the different categories of data
The Bulgarian statutory provisions set storage limitations applicable to personal data processed in the employment context, such as:
- data contained in payroll related documentation, originals of non-delivered labour books, records and certificates for their issuance: 50-51 years;
- data contained in accounting registers and financial statements: 10-11 years;
- data contained in documents subject to tax audits and needed for accounting purposes: 10-11 years.
Thus, when determining the storage limitations in employment, employers must consider whether a legislative act, a judicial act, an agreement or commercial practice requires specific terms, and the specific personal data category to which such different terms may apply.