Rights of Data Controllers to request information on health COVID-19 status, in the context of Bulgarian and European legislation

The continuing developments of the COVID-19 pandemic and the availability of vaccines against the virus have raised new questions regarding public relations in order to strike a balance between protecting public health and respecting citizens’ rights and freedoms.

Following the current trend, where EU Member States are in active discussion regarding the adoption of rules for admission to public venues only to vaccinated individuals, including the workplace, the topic is gaining increasing levels of publicity in the Bulgarian public debate.

As a result of the implementation of the COVID-19 vaccination policy, vaccinated individuals receive an EU Digital COVID-19 Certificate. Such a certificate may only be issued under three different circumstances – upon completion of the vaccination cycle, upon proven viral clearance, and in the presence of a negative antigen or PCR test. From a purely practical point of view, the most widespread among these hypotheses is the Certificate certifying the completion of the vaccination cycle. In the context of the General Data Protection Regulation (GDPR), this information by its nature constitutes a special category of personal data as it contains data on the health and status of the individual. This has created a need to clarify to citizens and businesses on the circumstances where it is permissible to request such information and who has the authorization to do so.

As a result of increased public interest in the subject and considering the receipt of a number of letters from organizations and citizens regarding the lawful processing of data on vaccination status, the Commission for Personal Data Protection (CPDP) issued a Statement on 06.10.2021 on the processing of data regarding the vaccination status of individuals, which aims to provide clarity and guidance on the conditions under which it is lawful to request information on the health COVID-19 status of data subjects.

It is clarified that Digital vaccination certificates are recognized according to the EU Digital COVID Certificate Regulation, which is directly applicable in all EU Member States starting 01.07.2021 and is set to apply until 30.06.2022. However, the Regulation’s stated purpose for issuing these certificates is explicit – to facilitate and make safe the free movement of citizens within the EU during the COVID-19 pandemic.

With the exception of the above-mentioned purposes for which the processing of data from vaccination certificates is permissible, the Commission clarifies that there is no regulation at the national level governing the wider use of personal data present in the EU Digital COVID Certificate.

Thus, for any other purpose of processing, the Data Controllers should justify their activities with a suitable legal basis from the General Data Protection Regulation. This, in turn, raises a number of practical questions about the applicability of information from the EU Digital COVID-19 Certificate in the widely discussed introduction of restrictions on access to public venues and/or workplaces by persons who do not hold such a certificate. In this regard, the CPDP provides several practical examples – cases where administrators decide to collect and store the information obtained from the certificates or introduce digital verification of QR codes, regardless of whether the scanning information is stored or not. Undoubtedly, such activities constitute processing of sensitive personal data and fall under the GDPR.

Therefore, the CPDP clarifies that, as a measure designed to protect the health and safety of staff – Art. 9, par. 2, point “b” of the GDPR may provide an appropriate legal basis for the lawful processing of the data from the Digital Certificates. The conditions present in Art. 9 par. 2 point “g” or Art. 9 par. 2 point “i” of the GDPR could also constitute sufficient legal grounds if national law requires a wider use of the Certificates.

However, in order to guarantee the fundamental rights and freedoms of citizens, the Commission clarifies that the invocation of these legal grounds should be accepted subject to certain conditions. In addition to providing data subjects (employees, visitors, etc.) with the mandatory prior information on the purposes and retention periods of the processed personal data, the persons who will have access to it, the technical and organizational measures, etc., Data Controllers should also make a specific assessment of the impact which such processing will have on the lawful rights and freedoms of the Data Subjects.

The CPDP makes several practical suggestions in order to provide such a balance.

With regard to employers, a practical example is given with the processing of summarised anonymous data. In view of the need to comply with the Minister of Health’s orders introducing anti-epidemic measures, the CPDP suggests that employers consider processing only aggregated (summary) data on the vaccination status of individuals to assist them in carrying out risk assessments in ensuring healthy and safe working conditions.

Aggregated data, which does not permit health information to be linked to individuals, can be considered anonymous, i.e. it does not fall under the processing restrictions set out in the GDPR. Examples of such aggregated data are: storing data on the percentage of employees who have been vaccinated against COVID-19 within a certain time period or the percentage of employees without vaccination against COVID-19 or those with unknown vaccination status. Occupational Health Offices in possession of individuals’ vaccination status may be tasked with compiling such summary data. However, in order to ensure that aggregated data is anonymous, they should always refer to groups of individuals that are large enough to exclude the possibility of identifying a specific individual. Another option for the supply of such aggregated data by administrators is to conduct anonymous surveys, e.g. among the employees of an administrator.

The Commission also provides another example that is applicable to all Data Controllers. Where Controllers verify Certificates solely by checking the document itself, without scanning or otherwise recording the data from the document, this activity does not fall within the scope of the GDPR. However, the requirement to share sensitive medical information constitutes an interference with the fundamental right to privacy, which is protected by Article 7 of the EU Charter of Fundamental Rights. Consequently, the requirements of lawfulness, necessity and proportionality should be respected. Therefore, citizens should not be obliged to make their Certificates available for inspection, but this can only be done on a voluntary basis. Finally, the Commission clarifies that the refusal to provide such information cannot justify a restriction of citizens’ rights and freedoms.

Given the sensitive nature of the topic of citizens’ vaccination status and the discussed implications for individuals who do not yet have the EU Digital COVID Certificate, the CPDP Statement takes a balanced approach to the concept of processing sensitive personal data. It is clear that to the extent that there are certain legal possibilities to process data from the EU Digital COVID Certificate for broader purposes, such processing should be limited as much as possible in order to preserve the rights and freedoms of citizens.

Insofar as the topic also concerns a broader range of public relations than data protection, the Commission proposes that a public debate as broadly as possible must be organized, involving other public authorities, citizens and organizations. In the Commission’s view, such an approach would facilitate the adoption of the necessary legally binding acts at a national level to grant the necessary authorisations in a way that achieves the necessary consensus between the protection of public health and respect for citizens’ rights and freedoms.

Author: Ivan Volodiev and Aleksander Arshinkov