
Personal Data in the Workplace: Legal Boundaries and Common Violations

Personal Data in the Workplace – Rights, Obligations and Boundaries

What personal data may an employer process? When is consent required? Are cameras, email monitoring, and GPS on company phones lawful? Examples and guidance from the Commission for Personal Data Protection.


"Under Surveillance": Does the Employer Know Too Much?

You are at work. You send a work email, make a call, enter the office. And all of this – under the watchful eye of cameras, monitoring software, or GPS on your phone.

Is this lawful? Where does the employer’s right to control end and your right to privacy begin?

In this article, we will look at when an employer has the right to collect and process employees’ personal data and when this becomes a violation of the GDPR and Bulgarian law.


The course "GDPR Regulation for the Protection of Personal Data" is designed for anyone who wants to learn about the rights and obligations under the regulation, as well as its application in Bulgaria.

What personal data may the employer collect?

The employer has the right to process personal data necessary for the conclusion, performance, and termination of the employment contract. This includes:

  • full name;

  • personal identification number, ID card number;

  • correspondence address;

  • bank details (for salary payments);

  • health information – but only in strictly limited cases (e.g. sick leave, TELK, the territorial expert medical commission that assesses disability);

  • data necessary for tax and social security contributions.

Any other type of data, including behavioral profiles, location, or biometric data, must be processed only when there is a legal basis.

Consent or legitimate interest?

Employee consent is not always valid in employment relationships. Why? Because there is an imbalance between the parties – the employee often has no real freedom to refuse.

That is why employers most often rely on legitimate interest (e.g. protection of property, monitoring of work processes) or a legal obligation.

Important: If the employer wants to install cameras in the office or monitor emails, they must prove that this is necessary, proportionate, and that the same goal cannot be achieved by a less invasive means.

Video surveillance in the office – is it lawful?

It is permissible if strict conditions are met:

  1. Clear purpose – e.g. security or access control;

  2. Information notice and privacy policy;

  3. No recording of break areas, toilets, kitchens, and personal lockers;

  4. Data Protection Impact Assessment (DPIA), if the surveillance is extensive.

Example from practice: The Commission for Personal Data Protection has ruled that a camera aimed at an employee’s desk, without an alternative and without an impact assessment, is a violation.

Monitoring work emails and devices

The employer may establish rules for the use of company equipment and monitor for misuse, but:

  • there must be an internal policy;

  • the employee must be informed in advance;

  • the principle of proportionality must be observed;

  • personal correspondence may not be read.

GPS tracking through a work phone or vehicle is permissible only if it is justified (e.g. logistics) and the employee has been informed in advance.

Health and sensitive data

The processing of health information is highly restricted:

  • only by designated officials (e.g. payroll staff, doctor);

  • only for a specific purpose (e.g. suitable work placement);

  • with a high degree of protection.

The employer does not have the right to request data about vaccination status, mental health, or illnesses unless this is directly related to the performance of the work and is regulated by law.

What does the Commission for Personal Data Protection say?

  • Decision 1: A private security company tracks the GPS of all its employees, including during breaks – the Commission for Personal Data Protection finds a violation of the principle of proportionality;

  • Decision 2: An employer accesses the emails of a former employee without consent and without notification – a sanction for unlawful processing;

  • Decision 3: Installing cameras in a sewing factory without information notices – the Commission for Personal Data Protection orders their removal and imposes a fine.

How can you protect your rights?

If you are an employee:

  • You have the right to know what data is collected about you and why;

  • You can request access, correction, or restriction of processing;

  • You can file a complaint with the Commission for Personal Data Protection if you suspect a violation.

If you are an employer:

  • Do not underestimate the importance of transparency and documentary justification;

  • Prepare internal policies and notices;

  • Conduct a risk assessment and review technical and organizational measures.


The workplace is not a rule-free zone for personal data. It is a space where the balance between control and privacy must be carefully maintained.

Want to be prepared? Sign up for our online training "GDPR and Personal Data Protection" and learn how to comply with the law – with real-life examples and expert guidance.

Sources:

  • Regulation (EU) 2016/679 (GDPR)

  • Personal Data Protection Act

  • Commission for Personal Data Protection decisions: https://www.cpdp.bg

Frequently Asked Questions

What personal data may an employer process in the workplace?

An employer may process personal data that is necessary for concluding, performing, and ending the employment contract. This can include a worker’s name, ID details, correspondence address, bank details for salary payments, and data needed for tax and social security obligations. Health data is allowed only in strictly limited cases, such as sick leave or disability-related procedures.

Is employee consent always enough for workplace data processing?

No. In employment relationships, consent is often not considered freely given because there is an imbalance between employer and employee. Employers usually rely on a legal obligation or a legitimate interest instead. If they want to process data such as video footage or email activity, they must show that the measure is necessary and proportionate.

Is video surveillance in the office lawful?

Yes, but only under strict conditions. The employer must have a clear purpose, such as security or access control, inform employees through a notice and privacy policy, and avoid recording sensitive areas like toilets, kitchens, break rooms, or personal lockers. If the surveillance is extensive, a data protection impact assessment may also be required.

Can an employer monitor work emails and company devices?

An employer may set rules for using company equipment and check for misuse, but employees must be informed in advance and the monitoring must be proportionate. An internal policy should exist, and personal correspondence may not be read. Monitoring must stay within the limits of what is necessary for the employer’s legitimate purpose.

Is GPS tracking on a work phone or vehicle allowed?

GPS tracking is allowed only if it is justified, for example for logistics or work coordination, and the employee has been informed in advance. The employer must also respect proportionality and should not track employees beyond what is necessary. The article notes that tracking all employees during breaks was found to violate this principle.

What rights do employees have if they suspect unlawful processing of their data?

Employees have the right to know what data is being collected, why it is collected, and how it is used. They can request access, correction, or restriction of processing. If they believe their data is being processed unlawfully, they can file a complaint with the Commission for Personal Data Protection.
