Introduction
Obligation to report potential infections
Body temperature measurement
Acquired immunity
Making vaccination compulsory
Comment
The outbreak of covid-19 has not only radically changed the way employees work in many sectors but has also posed major challenges to employers in the area of data protection in Hungary.
The primary and overriding task of employers was to create a workplace that did not compromise health and safety of employees. Employers have had to pay particular attention to the separation of potentially infected colleagues from healthy ones and other similar measures, which were difficult to imagine without data processing activities. Since the appreciation of data protection as an area of law, the entry into force of the EU General Data Protection Regulation (GDPR) and the more significant rise of data protection law in Hungary, employers had never been confronted with the kind of data processing activity that disease prevention required.
Given the relatively recent nature of the legislation (the GDPR had been in force for less than two years at the time of the outbreak) and the lack of well-established case law, employers and their advisors were faced with an entirely new situation when trying to develop their data management practices in the context of the pandemic. This article summarises the key points that employers have had to consider in relation to data protection, based on the emerging practices of the data protection authority, when taking measures to combat the spread of covid-19.
Obligation to report potential infections
At the beginning of the pandemic, data protection professionals were aware of the fact that if someone was potentially or actually infected, this information qualified as health data.
Health data falls into the special categories of personal data for which, as a general rule, processing is prohibited with the exception of the cases provided for in article 9(2) of the GDPR.(1) Such an exception is the fulfilment of a legal obligation relating to employment. Since the employer has a legal obligation to provide a working environment that does not jeopardise the health and safety of its employees, personal data relating to infection can be processed.(2)
The primary consideration of employers is to screen out the potentially or actually infected people in the workplace for the benefit of other workers. Based on the principles of good faith and fairness, as well as the principle of cooperation set out in the legislation on labour relations,(3) the employee may be obliged to inform the employer in the event of an infection or suspected infection. Stemming from the principle of accountability, such notification can be recorded by the employer, which indeed has been encouraged. In that case, the employer may record the employee's identification data, the notification made and the action taken in response to the notification, according to the guidance issued by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).(4)
Many employers introduced body temperature measurements for their employees during the first and second waves of the pandemic, which constituted another processing activity.(5) Since elevated body temperature was not at this time a clear symptom of a covid-19 infection, its general use was still considered to be an unlawful data processing activity at the beginning of the pandemic, according to the NAIH. As the pandemic progressed, the NAIH revised its opinion and, in a position paper, set out the conditions for the use of diagnostic screening tools related to body temperature measurement.(6)
Accordingly, controllers may use temperature measurement only:
- when someone enters the area under control;
- in relation to all persons entering the area;
- without identification for this purpose; and
- without data recording.
Since the assessment of a person's medical condition is a medical issue, in the case of a (low) fever, the employer (acting as the controller) may only make a decision on the entry into the area.
As the pandemic progressed further, the introduction of immunity certificates raised more questions for employers.(7) Do employers have the right or obligation to know whether an employee has an immunity certificate to fulfil their obligations in the field of workplace safety? It is certain that it may be in the interest of employers to do so, as the existence of an immunity certificate may also provide them with a form of assurance that they have complied with labour safety requirements. According to the NAIH,(8) there is no obstacle in doing so, but its sole purpose may be to ensure that employers comply with their legal obligations. Accordingly, this cannot be the basis for other measures (eg, dismissal). If an employer decides to request an immunity certificate, it must document the reasons for doing so and the measures taken.
However, due to the purpose limitation principle, personal data on immunity may only be requested from employees that have been identified through the completion of an occupational health and safety risk assessment as having been exposed to the risk of infection. In line with the principle of data minimisation, employers are only allowed to know the personal data contained in the immunity certificate or application. The NAIH has emphasised that employers are only allowed to require the presentation of an immunity certificate or application, and that the content thereof cannot be recorded. The monitoring and the end date of immunity, however, can be recorded.
In the healthcare sector and at certain state and municipal institutions, the legislature has made vaccination mandatory.(9) In the private sector and other institutions, employers have sole discretion over whether to mandate the shots for employees. From a data protection perspective, the legislature has not left decision-makers alone entirely, as Government Decree No. 598/2021 (X.28) on the protection of workplaces against covid-19 sets out the provisions in relation to the certificate of vaccination uptake and authorises employers to process data in this context.
Accordingly, employees are obliged to prove their vaccination status by presenting an official identity card and one of the documents specified in the decree (eg, an immunity certificate or an EU digital covid-19 certificate) if the employer requires. Employers may process the personal data contained in the documents presented, including a contraindication to vaccination.
This data can be retained until the end of the state of emergency by operation of law. However, in the case of an employment dispute, the retention period of this data may be justified for a longer period (three or five years), in which case the legal basis for the processing of data must be reviewed.
Data processing activities in the context of covid-19 containment require a strategy that has been well thought out by employers, which most companies have developed spontaneously during the course of the pandemic. Developing and properly documenting this strategy and the specific measures taken is an obligation for companies under the law, in particular based on the principle of accountability enshrined in data protection law.
While the data protection authority has tried to provide guidance, as illustrated above, the number of published covid-19-related cases in Hungary is still low. In the coming months and years, the case law is expected to develop and provide guidance to employers on developing good data management practices. If the strategy is kept up to date, it could also serve as a guide for businesses in similar emergencies in the future.
For further information on this topic please contact Dániel Gera or Dorottya Gindl at Schoenherr Hungary by telephone (+36 1 8700 700) or email ([email protected] or [email protected]). The Schoenherr website can be accessed at www.schoenherr.eu.
Endnotes
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council on the GDPR.
(2) Pursuant to articles 6(1)(f) and 9(2)(b) of the GDPR.
(3) The requirement of cooperation is not only stipulated in Act I of 2012 on the Labour Code, but also in section 60(3) of Act XCIII of 1993 on Occupational Safety and Health, which requires the employee to cooperate with the employer in the performance of official measures taken to maintain a healthy and safe working environment and in the implementation of the employer's measures to eliminate hazards.
(4) NAIH guidance on the data processing activity in relation to the covid-19 pandemic (NAIH/2020/2586).
(5) According to article 4(2) of the GDPR, any operation on data, including access to data, constitutes processing.
(6) NAIH guidance concerning certain data processing operations related to the measurement of body temperature during the period of epidemiological readiness, introduced with the health emergency in view of the novel coronavirus pandemic (NAIH: NAIH/2020/7465).
(7) It was introduced by Government Decree 60/2021 (II.12.) on the certification of immunity against covid-19.
(8) NAIH-3903-1/2021 Guidance.
(9) Government Decree 449/2021 (29.VII.); Government Decree 599/2021 (28.X.); Government Decree 634.