GDPR in Bulgaria: Doctors and Employers Need no Consent for the Processing of Personal Data
Doctors, lawyers, employers and banks do not need to ask for consent to the processing of personal data, the Commission for Protection of Personal Data specified in a special explanatory document for the new General Regulation on Personal Data Protection.
Following GDPR's entry into force on 25 May, institutions and businesses unprepared for the regulation began to ask their customers for explicit confirmation that their personal data could be processed. In some cases, this is totally unnecessary and the CPPD tries to clarify things.
"It should not be forgotten that consent can be withdrawn as easily as it is given, so the processing of personal data only on the basis of consent is not always the most appropriate choice, and it is good to think about whether there is another legal basis," writes the commission.
Consent is one of the grounds for the collection and processing of personal data. Notwithstanding the fact that it is mentioned first, it is important to know that all legal bases are alternative and equal, and they are not ranked in a hierarchy. The existence of any of them makes the processing lawful, provided that the other requirements of the Regulation are also met.
Where a data controller makes an assessment of whether to process personal data on a consent basis, he or she must examine whether there is any other legal basis for their processing, such as a legal obligation or contract, and what would be the consequences for the respective activity upon withdrawal of the consent from the person.
Some of the most common situations where the administrator should not ask for the consent of the person to process his or her personal data are the following:
1. An administrator, whether public or private, collects a certain amount of personal data in fulfillment of his or her obligation under a law, such as the Health Act, the Accountancy Act, the Administrative Violations and Penalties Act, the Labor Code, the Social Security Code, the Law on the Ministry of Interior, the Civil Registration Act, the Tourism Act, the Pre-school and School Education Act, etc.
In these cases, the legislator did not leave any discretion to the controller or the data subject, so the consent of the person would not be freely given or would not be valid. This is particularly true for public administrators as well as for sectors where there is detailed legal regulation such as healthcare, education, banking, etc.
2. Personal data shall be collected in connection with the provision of various administrative services by state or local government bodies.
In these cases, the legal basis is the performance of a public interest task or the exercise of official authority and the requirement of consent by the persons is unnecessary.
3. Personal data shall be collected and processed for the purposes of an employment relationship.
In such cases, the employee does not have a real free choice and is unable to refuse or withdraw his consent without causing adverse consequences for him because of the obvious inequality between the two parties. In addition, relationships between data subjects and their employers or appointing authorities, including in respect of the processing of personal data, are exhaustively regulated by labor law, individual and / or collective agreements. In these circumstances, the ground for the lawfulness of the processing of personal data is a legal obligation and / or the performance of a contract (depending on the hypothesis).
4. Personal data is necessary for the conclusion and performance of a contract to which the data subject is a party.
Since the main subject matter and purpose of the contract cannot objectively be achieved without the provision of a certain amount of personal data, in such cases it is sufficient for the parties to enter into contractual or pre-contractual relationships, and therefore there is no need to give separate consent to the processing of personal data.
This does not exclude that consent may be used as a legal basis for the processing of personal information (contact details, etc.) for additional purposes, such as marketing and advertising, unless a legal basis is provided for in a statutory instrument. In such cases, the requirement for consent may be waived if the requirements laid down in the relevant legal act are met.
It is important to know that the controller is not entitled to make the performance of a contract, including the provision of a service, conditional on obtaining consent to the processing of personal data where this is not necessary for the performance of the contract, such as for receiving advertisements. In such cases, the consent will not be freely given because the person does not have a real free choice and is unable to refuse or withdraw his consent without causing any adverse consequences for him.
5. Personal data is necessary to protect the legitimate interests of the controller or a third party if these interests take precedence over the interests and / or fundamental rights and freedoms of the individual.
Such hypotheses in practice include security measures, including video surveillance, checks of persons and access to buildings, information security and network security actions, and so on.
Legitimate interest also exists in the processing of personal data to protect the rights of the administrator in judicial or non-judicial proceedings, for example to file a claim for non-performance of a contract or to seek liability for damages.
6. Personal data is transferred from one administrator to another as a result of the transfer of receivables (cession).
In these cases, the legal basis for the processing of personal data is the fulfillment of the legal obligation under Art. 99, paragraph 3 of the Obligations and Contracts Act. The law obliges the former creditor to pass on to the new creditor the documents in his possession which establish the claim. This circumstance also determines the transmission of personal data, as it is contained in the relevant documents. Upon receipt of the claim, the new creditor may process the data on the basis of his or her legitimate interest in collecting the amount due, including through enforcement. In a cession, the obligation of the previous creditor to notify the debtor of the transfer should not be forgotten; it also corresponds to the obligation of transparency and the provision of information within the meaning of the general regulation.
7. Personal data shall be transmitted by the controller to a personal data processor.
The General Regulation allows administrators to engage a "personal data processor": a natural or legal person, public body, agency or other entity processing the personal data on behalf of the controller. Among the most common examples of personal data processors are accounting firms, occupational medicine services, debt collection companies, IT companies supporting the information systems of companies and departments, etc.
In all these cases, the General Regulation does not require the data subjects to consent to the engagement of a personal data processor, the discretion being left entirely to the controller.
8. A specific hypothesis of processing personal data, without the consent of the data subject, is the photographing and video capture of persons in a public place.
If it is done by someone in the course of purely personal activities, then the general regulation is not applicable at all. If the filming is part of a professional activity, then the exceptions and the reliefs for academic, artistic or literary expression under Art. 85 of the GDPR apply. The provision of Art. 13 of the Copyright and Related Rights Act should also be taken into account, according to which the photographer (the video operator) does not require consent from the depicted person if the image was made in the course of the public activity of the depicted person or in a public place, the image of the person is only a detail in a work showing a meeting, procession or landscape, or the person depicted has received a fee to pose.
9. When special categories of (sensitive) personal data such as ethnic origin, political opinions, religious beliefs, trade union membership, biometrics, health status, sexual orientation, etc. are processed, the grounds for lawfulness are those set out in Art. 9 (2) of the GDPR.
In this respect, the processing of health data is lawful if it is done for the purposes of preventive or occupational medicine, assessment of the employee's ability to work, medical diagnosis, provision of health and social care, treatment, management of health systems or social care in the field of public health, protection against serious cross-border threats to health, etc. Therefore, if processing is necessary for any of these purposes, the hospital, laboratory or pharmacy concerned has no obligation or right to request further explicit consent of the individual (the patient). Otherwise, it would mean that the hospital would refuse treatment, or the pharmacy a medicine, if the person does not agree. Such behavior would constitute a direct violation of the general regulation, which may be penalized by a fine or a proprietary sanction.
Non-exhaustive list of example cases where consent is not required:
In accordance with these criteria, as a general rule, individual consent, including the signing of any form of declaration, is not required for the processing of individuals' personal data by the administrators listed below in the course of their normal professional activity. This does not include the processing of personal data for direct marketing, where consent should be the leading basis.
- doctors, dentists and pharmacists
- public authorities (state and municipal)
- educational establishments (kindergartens, schools and higher education institutions)
- banks and other credit institutions
- undertakings providing public electronic communications networks and / or services
- courier companies and other postal operators
- utilities (electricity distribution companies, water supply and sewerage, district heating)
- personal data processors (accountants, occupational health services, etc.)
- hoteliers and travel agencies
- copying services
- journalists, photographers and video operators
- religious, political, public and trade union organizations
- and others.