Can employers ask to see COVID-19 Immunity Certificates in Hungary?

An increasingly urgent question for employers in Hungary right now is whether they’re allowed to ask employees if they’ve been vaccinated. While some employers are considering only allowing vaccinated employees back in the office, others would prefer a more lenient approach, offering additional days of paid leave to those who have an Immunity Certificate. The data protection experts of Taylor Wessing Hungary elaborated on the issue.

The Immunity Certificate is only valid with an ID or a passport, and certificate holders are currently the only ones enjoying certain privileges: they can visit restaurants, hotels, gyms, cinemas and these service providers may only ask their customers to show their certificate (or the mobile application also used officially for demonstrating immunity) but are explicitly denied any further data processing (i.e. recording, copying).

So, people with Immunity Certificates are clearly afforded the enjoyment of certain benefits, but service providers are not entitled to process this type of data. A logical question therefore arises: does the same apply to employers?

The Hungarian DPA addressed this issue in a highly contested, quite ambiguous guidance.

The DPA concluded that employers may be allowed to ask their employees whether they are protected against COVID-19, albeit only under very limited circumstances and subject to certain conditions (and, of course, a separate privacy policy and the appropriate legal bases seeing that it is a special category of personal data). Although the guidance provides some much needed clarity on certain issues, much remains to be seen, and the guideline itself emphasises that it mostly applies to employment relationships, but not to other employment-like statuses (e.g. public sector, contractors, etc.). It also hints at the need for a unified, statutory handling of the problem.

• read also: What can you do in Hungary with or without the immunity certificate?

The DPA made it clear that processing this type of health data of employees has to be necessary, proportionate, and must be based on a prior, well-documented, and objective risk assessment.

Necessity shall be assessed on a case-by-case basis, and according to the DPA, only applies in case of certain high-risk occupations or groups of employees. Examples of this include maintenance workers in hospitals, social workers and employees meeting with a lot of clients.

In these cases, knowledge of the protection status of employees could be crucial to avoid the infection of employees, the patients, and clients. In contrast, the guidance’s wording suggests that simple office work in most cases qualifies as a low-risk job, where necessity can hardly be established.

“Complying with the proportionality and data minimisation principles of the GDPR, employers may only require employees to present their Immunity Certificate or the mobile application, and they may only be allowed to record the fact of protection against COVID-19 (and the expiry of that protection, if applicable), but no copy shall be made and no subsequent data processing is permitted,” says Kinga Harza, Associate at Taylor Wessing.

The DPA stressed that even if all the above is complied with, these data may only be processed for complying with relevant labour law obligations, that is to ensure occupational health and safety and for work organisation purposes. As the purpose needs to be real and verifiable by the employer, the employer has to actually adopt reasonable measures in possession of the immunity data. According to the DPA, these measures include placing a protected employee’s workstation next to that of a non-protected, or offering permanent working from home for non-protected employees.

The latter suggestion is quite curious, as processing the COVID-19 protection status of office workers – who are the only ones who could reasonably work from home – seems not to be allowed under most circumstances.

This makes it questionable whether office workers are a low-risk group by definition (as seemingly suggested by the DPA) or whether an objective risk assessment can, in specific cases, support the conclusion of employers lawfully processing their immunity data.

“The DPA’s guidance was welcomed by many, as it answers some highly ambiguous questions about the employers’ possibilities, but unfortunately still leaves employers guessing. Whether employers are allowed to process the COVID-19 protection status of office workers, or whether offering benefits (e.g. additional paid leave) to vaccinated employees would be considered lawful from a data protection point of view, remains to be seen,” concludes Dániel Ódor, Head of Taylor Wessing’s Data Protection Practice in Budapest.

Read alsoEuro 2020: foreigners visiting will be treated as diplomatically protected persons

Source: Press release