"Under Surveillance": Does the Employer Know Too Much?
You are at work. You send a work email, make a call, enter the office. And all of this happens under the watchful eye of cameras, monitoring software, or the GPS on your phone.
Is this lawful? Where does the employer's right to control end and your right to privacy begin?
In this article, we will look at when an employer has the right to collect and process employees’ personal data and when this becomes a violation of the GDPR and Bulgarian law.
What personal data may the employer collect?
The employer has the right to process personal data necessary for the conclusion, performance, and termination of the employment contract. This includes:
- full name;
- personal identification number, ID card number;
- correspondence address;
- bank details (for salary payments);
- health information, but only in strictly limited cases (e.g. sick leave, decisions of the TELK, the Territorial Expert Medical Commission);
- data necessary for tax and social security contributions.
Any other type of data, including behavioral profiles, location, or biometric data, may be processed only on a separate legal basis under Article 6 GDPR; biometric data used to uniquely identify a person is a special category of data and additionally requires one of the conditions in Article 9 GDPR.
Consent or legitimate interest?
Employee consent is not always valid in employment relationships. Why? Because there is an imbalance between the parties: consent must be freely given, and Recital 43 GDPR itself notes that this is unlikely where there is a clear imbalance of power. The employee often has no real freedom to refuse.
That is why employers most often rely on legitimate interest (e.g. protection of property, monitoring of work processes) or a legal obligation.
Important: If the employer wants to install cameras in the office or monitor emails, they must prove that this is necessary, proportionate, and that the same goal cannot be achieved by a less invasive means.
Video surveillance in the office – is it lawful?
It is permissible if strict conditions are met:
- Clear purpose, e.g. security or access control;
- Information notice and privacy policy;
- No recording of break areas, toilets, kitchens, and personal lockers;
- Data Protection Impact Assessment (DPIA), if the surveillance is extensive.
Example from practice: The Commission for Personal Data Protection has ruled that a camera aimed at an employee’s desk, without an alternative and without an impact assessment, is a violation.
Monitoring work emails and devices
The employer may establish rules for the use of company equipment and monitor for misuse, but:
- there must be an internal policy;
- the employee must be informed in advance;
- the principle of proportionality must be observed;
- personal correspondence may not be read.
GPS tracking through a work phone or vehicle is permissible only if it is justified (e.g. logistics) and the employee has been informed in advance.
Health and sensitive data
The processing of health information is highly restricted:
- only by designated officials (e.g. payroll staff, doctor);
- only for a specific purpose (e.g. suitable work placement);
- with a high degree of protection.
The employer does not have the right to request data about vaccination status, mental health, or illnesses unless this is directly related to the performance of the work and is regulated by law.
What does the Commission for Personal Data Protection say?
- Decision 1: A private security company tracks the GPS of all its employees, including during breaks; the Commission for Personal Data Protection finds a violation of the principle of proportionality;
- Decision 2: An employer accesses the emails of a former employee without consent and without notification; a sanction for unlawful processing;
- Decision 3: Installing cameras in a sewing factory without information notices; the Commission for Personal Data Protection orders their removal and imposes a fine.
How can you protect your rights?
If you are an employee:
- You have the right to know what data is collected about you and why;
- You can request access, correction, or restriction of processing;
- You can file a complaint with the Commission for Personal Data Protection if you suspect a violation.
If you are an employer:
- Do not underestimate the importance of transparency and documentary justification;
- Prepare internal policies and notices;
- Conduct a risk assessment and review technical and organizational measures.
The workplace is not a rule-free zone for personal data. It is a space where the balance between control and privacy must be carefully maintained.
Want to be prepared? Sign up for our online training "GDPR and Personal Data Protection" and learn how to comply with the law, with real-life examples and expert guidance.
Sources:
- Regulation (EU) 2016/679 (GDPR)
- Personal Data Protection Act
- Commission for Personal Data Protection decisions: https://www.cpdp.bg