In 2020 the Hungarian DPA (‘NAIH’) published several documents on data protection issues around the COVID-19 pandemic.
On 1 April 2021, the NAIH published a new guidance which elaborates on certain issues around the so-called immunity certificate which is automatically sent by the government to people who either received vaccine or were diagnosed with SARS-CoV-2 and recovered from the disease (in Hungarian). The scope of the guidance is the processing of the information on employees’ immunity cards, being either a plastic card or a mobile application, by employers.
The key takeaways are the following:
- The scope is limited to employment relationships covered by the Hungarian Labour Code, so it does not address contractors and other business relationships.
- The fact that an individual holds an immunity certificate, i.e., the (assumed) immunity of an employee, is their health data.
- The processing of this data is possible based on one of the legal bases under Article 6(1) of the GDPR, and if one of the circumstances set out in Article 9(2)(b), (h) or (i) is also existing.
- The processing of the fact of the immunity must not be arbitrary, i.e., if the employer processes this personal data, it is required to take the necessary measures and document these.
- A necessity assessment must be done on a job-by-job or employee-by-employee basis.
- The plastic card certifying the fact of immunity cannot be copied.
- Only the fact of immunity and the expiry may be processed.
1. Scope of the guidance
According to the NAIH, the guidance is “first and foremost applicable to the legal relations covered by Act I of 2012 on the Labour Code and the provisions contained therein apply only to the current pandemic situation, i.e. the situation existing at the time of its publication.
However, the NAIH stresses that other types of working hierarchical relationships, e.g., civil law contracts under Act V of 2013 on the Civil Code or employment in the public sector under special sectoral legislation, are subject to different rules depending on the relationship, and therefore the NAIH states that the legislator should adopt statutory provisions which uniformly regulate the requirements for certifying the fact of immunity regardless of the types of working relationships.
2. The fact of immunity is health data
According to the NAIH, the fact of immunity is health data falling under special categories of data:
“With regard to the legal basis, the Authority notes that the fact of immunity, i.e. either the recovery from COVID-19 or the fact of vaccination, is health data falling under the scope of special categories of personal data pursuant to Article 4(15) of the GDPR.”
Accordingly, the NAIH notes that, in addition to one of the legal bases under Article 6(1) of the GDPR, the existence of one of the additional conditions set out in Article 9(2) of the GDPR, in particular points (b), (h) or (i), would be required.
The circumstances referred to in Article 9(2) of the GDPR are the following (in a shortened, extracted form):
(b) employment and social security and social protection;
(h) preventive health or occupational health purposes, assessment of the working capacity of the employee;
(i) public interest in the area of public health, such as protection against serious cross-border threats to health.
In previous guidance and enforcement decisions the NAIH made it clear that in the field of employment consent can be used as the legal basis of processing of personal data only in exceptional circumstances. The NAIH seems to confirm this approach as the guidance does not mention Article 9(2)(a) of the GDPR (explicit consent) in the list of circumstances in which health data may be processed.
3. Purpose of processing and necessity-proportionality test
The NAIH considers the processing of immunity related information can be lawful only under limited circumstances:
- for labour law, occupational health and safety, and work organisation purposes;
- based on a risk assessment on the biological exposures at the workplace that pose a risk to the health and safety of employees;
- for certain positions or categories of employees;
- if there is an actual practical purpose for processing of data, the principles of accountability and data minimisation are complied with, processing helps to protect the life and health of employees and others, or processing is necessary because an employer has to comply with relevant obligations.
The NAIH also points out that “[the] purpose must be real and verifiable by the employer (i.e., if the employer decides to process this data, it must take actions and document the actions taken on the basis of this data).” According to the NAIH, such reasonable action may be, for example, if the employer orders remote working for employees who do not have immunity or places workstations of employees without immunity next to workstations of employees already having immunity.
The NAIH also provides some examples when it is deemed to be necessary to process the above data. For example, in the case of certain low-risk job positions, e.g., permanent teleworking, there is no necessity. However, data processing may be considered necessary, for example, if the employer’s activities include the repair and maintenance of medical and other equipment used in COVID-19 wards in hospitals then this is considered to pass the necessity test. The same applies to staff of a social institution in nursing homes where it is of utmost importance to keep the risk of contamination as low as possible, so such employers have to know which employees have immunity.
4. Scope of personal data that may be processed
According to the NAIH, employers may process only the data displayed in the mobile application and printed on the plastic card, as defined in Government Decree 60/2021 (II. 12.) on the proof of immunity against coronavirus.
The NAIH has clearly stated that employers are not entitled to make copies of plastic cards as only the fact of immunity and its duration can be collected from employees.
The NAIH considers the processing of data in this context to be lawful in limited cases. The scope of the guidance is limited to employment relationships, so it does not address the situation of other types of working hierarchical relationships, which may lead to legal uncertainty. It needs no explanation that the spread of the virus within a work organisation is not limited to certain types of staff, which will mean challenges if businesses would like to extend the collection of immunity related data for other types of staff and visitors.
The NAIH also provides examples where the necessity requirement is existing, but these examples only fit specific types of businesses. For example, if an employee enters a COVID-19 ward in a hospital the necessity is existing. We believe that there are many other scenarios where it would be necessary to process data on immunity to ensure healthy and safe working conditions. Such a common situation occurs when employees are working close to each other on a production line, in which case it is reasonable to expect that only those individuals are grouped together who already have immunity.
Overall, it is positive that the NAIH has spoken out on this topic and it does not categorically exclude the processing of the fact of immunity. So businesses have certain alignments points if they wish to take action based on the immunity status to maintain business continuity.