The question towards the top of many employers’ minds nowadays – with an ever-growing sense of urgency – is whether they are allowed to ask employees if they have been vaccinated. While some employers are considering only allowing vaccinated employees back in the office, others would take a more lenient approach, offering additional days of paid leave to those in possession of an Immunity Certificate.

What is this certificate and what is it good for?

While the future of the EU’s Digital Green Certificate, proposed by the European Commission, is somewhat uncertain, the Hungarian domestic certificate system is already up and running. The document has quickly become the main object of desire for many Hungarians, as it is the gateway to many of the privileges that were part of everyday life in the pre-pandemic era: dining in the inner parts of restaurants, participating in sports events, resting in thermal pools or hotels, working out in gyms, or enjoying a night out in a cinema or theatre. What’s more, with summer approaching, a lot of people are already planning their vacations, and those with a certificate may travel freely, without restrictions (no need for quarantining, tests, etc.), although at the moment only to the admittedly still relatively few countries with which Hungary has concluded a bilateral agreement on the topic (e.g. Croatia, Slovenia, and Turkey, to mention only the most popular summer destinations). Those without a certificate are currently excluded from these possibilities.

The COVID-19 Immunity Certificate is issued automatically and free of charge to people who

  • have received the first dose of vaccination against COVID-19,
  • have recovered from COVID-19, that is, (i) received a negative test result after a positive one, or (ii) did not receive a negative test result, but 10 days have elapsed since the positive test result.

In the latter two cases the certificate is only valid for 6 months, whereas certificates of vaccinated people have no expiry date. The certificate can also be applied for by those in possession of an appropriate test result from a certified laboratory operating in Hungary demonstrating that they have antibodies in their system, but in this case the validity period is only 4 months from the date of the examination.

The certificate is only valid with an ID or a passport, and service providers such as restaurants, hotels, gyms, cinemas may only ask visitors/customers to show their certificate (or in the near future the mobile application, also used officially for demonstrating immunity) but are explicitly denied any further data processing (i.e. recording, copying). As we can see, people with a certificate are afforded the enjoyment of certain benefits, but service providers are not entitled to process this type of data. A logical question therefore arises: does the same apply to employers?

Hungary's Data Protection Authority (‘DPA’) issues guideline on employers processing employees’ immunity-related data

The Hungarian DPA addressed this issue in a – highly contested and quite ambiguous – guidance, concluding that employers may be allowed to ask their employees whether they are protected against COVID-19, albeit only under very limited circumstances and subject to certain conditions (and of course a separate privacy policy). Although the guideline provides some much-needed clarity on certain issues, much remains to be seen, and the guideline itself emphasizes that it mostly applies to employment relationships, but not to other employment-like statuses (e.g. public sector, contractors, etc.) and hints at the need for a unified, statutory handling of the problem.

Special category of personal data - legal basis

The DPA first pointed out that the COVID-19 protection status of the employee shall be considered health data. Therefore, just as in the case of other special categories of personal data, lawful data processing shall not only be based on one of the legal bases set out in Article 6(1) of the GDPR (with the exception of consent, which the DPA previously considered not to be an appropriate legal basis in the context of employment relationships in most cases), but must also be supported by one of the exceptions set out in Article 9(2), points (b) [employment and social security], (h) [preventive health or occupational health purposes] or (i) [public interest in the area of public health].

Necessity, proportionality

The DPA made it clear that processing this type of health data of employees has to be necessary, proportionate, and must be based on a prior, well-documented, and objective risk assessment.

Necessity shall be assessed on a case-by-case basis, and according to the DPA only applies in the case of certain high-risk occupations or groups of employees, for example maintenance workers in hospitals, social workers, employees meeting with a lot of clients. In these cases, knowledge of the protection status of employees could be crucial to avoid the infection of employees, patients, and clients. In contrast, the guideline’s wording suggests that simple office work in most cases qualifies as a low-risk job, where necessity can hardly be established.

Complying with the proportionality and data minimisation principles of the GDPR, employers may only require employees to present their certificate or the mobile application, and are only allowed to record the fact of protection against COVID-19 (and the expiry of that protection, if applicable), but no copy shall be made and no subsequent data processing is permitted.

Purpose of the data processing

The DPA stressed that even if all of the above is complied with, these data may only be processed for complying with relevant labour law obligations, that is, to ensure occupational health and safety and for work organisation purposes. As the purpose needs to be real and verifiable by the employer, the employer has to actually adopt reasonable measures once in possession of the immunity data. According to the DPA, these measures include placing a protected employee’s workstation next to that of a non-protected employee, or offering permanent working from home for non-protected employees. The latter suggestion is quite curious, as processing the COVID-19 protection status of office workers, who are the only ones who could reasonably work from home, seems not to be allowed under most circumstances. This makes it questionable whether office workers are a low-risk group by definition (as seemingly suggested by the DPA) or whether an objective risk assessment can – in specific cases – support the conclusion that employers may lawfully process their immunity data.

The DPA’s guideline was welcomed by many, as it answers some highly ambiguous questions about the employers’ possibilities, but unfortunately still leaves employers guessing. Whether employers are allowed to process the COVID-19 protection status of office workers, or whether offering benefits (e.g. additional paid leave) to vaccinated employees would be considered lawful from a data-protection point of view, remains to be seen.