The Bulgarian Data Protection Commission released a formal clarification (“Clarification”) detailing when controllers and processors of personal data are not required to receive consent for the data processing of subjects. The Clarification was issued due to the public interest and crucial nature of this topic vis-à-vis the EU General Data Protection Regulation (GDPR).
In the Clarification, the Commission states that data processing should adhere to Article 6 of the GDPR, and explained that all legal grounds for data processing should be considered alternatives (to each other) and equal with no hierarchical link between them. It is up to the data controller to evaluate whether there is another legal ground (e.g. an agreement or legal obligation) for processing before requesting consent.
The following are the most common situations when consent is not necessary in data processing:
- There is a legal requirement for data collection based on the provisions of the Labour Code, Health Act, Accountancy Act, Social Insurance Code, etc.
- Data is collected in the course of providing administrative services by authorities.
- Data is collected for the purpose of employment relations.
- The data is necessary for the conclusion or performance of contracts, such as in provision of services.
- When data is collected, the legitimate interests of the controller prevail over the interests, rights and freedoms of the subject, such as in the case of security and video-surveillance.
- Data is transferred from one controller to another according to an assignment agreement.
- Data is transferred from a controller to a processor.
- Data is collected while photographing or video-recording a public area.
- The controller relies on legal grounds for the processing of sensitive data (e.g. health data) under Article 9 of the GDPR.
The Commission provides a non-exhaustive list of practical situations when consent is not necessary, such as in the course of the normal professional activity of:
- doctors, dentists and pharmacists;
- public authorities;
- educational institutions (kindergartens, schools and universities);
- bank and credit institutions;
- enterprises providing electronic communication services;
- courier companies;
- utility companies;
- processors of personal data (accountants and occupational medicine providers);
- hotels and tourist agencies, and others.
The Clarification is available to the public on the Commission's website.