The DPC team successfully defended their client in a dispute over the application of personal data protection rules in processing genetic data. The dispute was heard before three successive instances: the Commission for Personal Data Protection, The Sofia City Administrative Court and the Supreme Administrative Court (SAC), with the outcome in all three cases being in favour of our client. The key issues involved in the dispute were as follows:

• On what legal grounds can genetic data, considered sensitive under the General Data Protection Regulation (GDPR), be processed where processing is part of a contract and the contract has been performed? Can the personal data controller justify a legitimate interest in storing such data after the expiration of the contract in order to defend itself against possible legal claims filed by the counterparty? Is this interest considered to prevail over the rights, freedoms and interests of the data subject concerned, and has this issue been assessed by the legislator itself in GDPR? Is the controller released from the obligation to conduct a balancing test when justifying its legitimate interest for defense against possible legal claims in order to assess the balance between its own interest and the data subject rights, freedoms and interests?
• What are the storage periods for genetic data, and can they be set by the controller by analogy with the rules of medical standards for handling and storing genetic data, although these are not directly related to the controller’s activities?
• Given the above, should the right to erasure exercised by the data subject be enforced after the contract has been performed?
• Does GDPR provide equivalent protection for human rights as the one provided for by the European Convention on Human Rights (ECHR)?

In its final decision SAC held that:

• Genetic data may be processed based on legitimate interest after the performance of the contract in order to defend against both filed and possible future legal claims. Moreover, such legitimate interest is overriding interest in favor of the controller, where the European legislator itself has assessed the balance of interests, and the controller is thus released form the obligation to conduct a balancing test;
• The controller may set time limits the latter deems appropriate for its activity, and the controller is not prevented from applying medical standards by analogy, even in cases where the controller itself is not their direct addressee, as this is the closest regulation applicable to its activity;
• The right to erasure may not be enforced in view of the above circumstances, regardless of the fact that the contract has been performed;
• GDPR and EU law generally provide “equivalent protection” for fundamental human rights as the one provided for by ECHR, as stated in the case law of the European Court of Human Rights with the presumption in Bosphorus Hava Yollari Turizm Ve Ticaret Anonim Erketi v. Ireland, Appeal No. 45036/98.

SAC thus fully accepted the arguments presented by DPC, and our team has contributed to generating modern case law on key issues related to the application of GDPR and ECHR.

The favourable outcome is a result of the joint teamwork of Martin Zahariev, PhD, Desislava Krusteva, Radoslava Makshutova and Donka Stoyanova.

‍