In 2020 the Hungarian DPA (‘NAIH’) published several documents on data protection issues around the COVID-19 pandemic.
On 1 April 2021, the NAIH published new guidance (in Hungarian) which elaborates on certain issues around the so-called immunity certificate, which the government automatically sends to people who either received a vaccine or were diagnosed with SARS-CoV-2 and recovered from the disease. The scope of the guidance is employers' processing of the information on employees’ immunity cards, whether the card is a plastic card or a mobile application.
The key takeaways are the following:
However, the NAIH stresses that other types of hierarchical working relationships, e.g., civil law contracts under Act V of 2013 on the Civil Code or employment in the public sector under special sectoral legislation, are subject to different rules depending on the relationship. The NAIH therefore states that the legislator should adopt statutory provisions which uniformly regulate the requirements for certifying the fact of immunity regardless of the type of working relationship.
“With regard to the legal basis, the Authority notes that the fact of immunity, i.e. either the recovery from COVID-19 or the fact of vaccination, is health data falling under the scope of special categories of personal data pursuant to Article 4(15) of the GDPR.”
Accordingly, the NAIH notes that, in addition to one of the legal bases under Article 6(1) of the GDPR, the existence of one of the additional conditions set out in Article 9(2) of the GDPR, in particular points (b), (h) or (i), would be required.
The circumstances referred to in Article 9(2) of the GDPR are the following (in a shortened, extracted form):
(b) employment and social security and social protection;
(h) preventive health or occupational health purposes, assessment of the working capacity of the employee;
(i) public interest in the area of public health, such as protection against serious cross-border threats to health.
In previous guidance and enforcement decisions the NAIH made it clear that in the field of employment consent can be used as the legal basis of processing of personal data only in exceptional circumstances. The NAIH seems to confirm this approach as the guidance does not mention Article 9(2)(a) of the GDPR (explicit consent) in the list of circumstances in which health data may be processed.
The NAIH considers that the processing of immunity-related information can be lawful only under limited circumstances:
The NAIH also points out that “[the] purpose must be real and verifiable by the employer (i.e., if the employer decides to process this data, it must take actions and document the actions taken on the basis of this data).” According to the NAIH, such reasonable action may be, for example, if the employer orders remote working for employees who do not have immunity or places workstations of employees without immunity next to workstations of employees already having immunity.
The NAIH also provides some examples of when it is deemed necessary to process the above data. In the case of certain low-risk job positions, e.g., permanent teleworking, there is no necessity. However, data processing may be considered necessary, and so pass the necessity test, if, for example, the employer’s activities include the repair and maintenance of medical and other equipment used in COVID-19 wards in hospitals. The same applies to staff of a social institution in nursing homes, where it is of utmost importance to keep the risk of contamination as low as possible, so such employers have to know which employees have immunity.
The NAIH has clearly stated that employers are not entitled to make copies of plastic cards as only the fact of immunity and its duration can be collected from employees.
The NAIH also provides examples where the necessity requirement is met, but these examples only fit specific types of businesses. For example, if an employee enters a COVID-19 ward in a hospital, the necessity exists. We believe that there are many other scenarios where it would be necessary to process data on immunity to ensure healthy and safe working conditions. One such common situation is when employees work close to each other on a production line, in which case it is reasonable to expect that only individuals who already have immunity are grouped together.
Overall, it is positive that the NAIH has spoken out on this topic and that it does not categorically exclude the processing of the fact of immunity. Businesses therefore have certain alignment points if they wish to take action based on immunity status to maintain business continuity.