COVID-19 and GDPR: Are employers allowed to request information on their employees’ health status?


Undoubtedly, the main priority for the Bulgarian state and the business at this point is to limit the spread of the COVID-19 virus by implementing a variety of measures. The employers are requested, among their other obligations, to update their risk assessments for the workplaces and to implement action plans in cases where an affected employee has been detected or it is established that employees have been in contact with a sick person. 

Those obligations inevitably raise the issue of processing employees’ personal data. Employers collect sensitive personal data when they ask their employees to provide information on their or their relatives’ health status (including whether some symptoms of the disease have been displayed). Employers may turn out to be processing personal data when they inform other employees that some of their colleagues are ill.

Should then employers be worried in such cases that their processing of employees’ personal data might be considered a breach of the General Data Protection Regulation (GDPR)?

No. Employers are entitled to lawfully process personal data in time of emergency of state and in the outbreak of a pandemic.

The employer may receive and process information if an employee has symptoms of a life-threatening illness on the basis of processing sensitive personal data when necessary for reasons of substantial public interest.

When the employer collects information if the employee has recently travelled to a risk destination where there is an extensive spread of COVID-19, it may do so in order to protect the vital interests of the employee and his colleagues.

In some cases, the processing of the personal data may be based on the employer’s legal obligations. For example, employers have to implement a procedure to be followed when there is an established case of an ill employee or when employees have been in contact with a sick individual. This is part of the employers’ obligation to put in place organizational measures for the management of the pandemic. Respectively, employers will have to collect and retain personal health data for their ill employees.

It goes without saying that when employers inform their employees and/or partners that a colleague has been diagnosed with the disease, no information is to be provided to identify the patient. Employers are further prohibited to discuss with other employees the health status of the sick colleague, including how the treatment is evolving.

The state of emergency does not release employers from their obligations under the GDPR. Therefore, the lawful processing of employees’ personal data for the management of the pandemic outbreak is to be reflected in the internal data protection documents as well. Employers have to:

  • Supplement the register of processing activities under their responsibility to include the new process;
  • Provide employees with information on the processing of their personal data for the newly identified purpose – management of COVID-19’ outbreak.

For further information contact:

Ilya Komarevski, partner

Mileslava Bogdanova-Misheva, senior associate