In Hungary, the defense against the epidemic has entered a phase in which measures set out by the government for reducing or preventing the spread of the epidemic are gradually relaxed. The curfew has been lifted, all stores may open and may be visited by customers under certain conditions. However, the rules for maintaining social distance - keeping a distance of 1.5 meters from one another, wearing a mask, scarf or shawl when shopping or traveling by public transport - still apply.
At the same time, companies are considering reopening their sites and offices, or have already started the process. Below, we highlight the most important data privacy considerations and obligations for employers, according to the potential phases of a reopening process.
Due to the uncertainty emerging at various levels caused by the coronavirus epidemic, it is of paramount importance to have a good plan in place to orchestrate the reopening of workplaces. The plan should take into account all of the already known factors and should create "open-ended", sufficiently flexible rules, which allow for rapid adaptation to the ever-changing circumstances. However, such a plan may not be realized if the necessary information and data are not available to management, if the communication channels are not functioning adequately, if there are no procedures in place for monitoring the implementation of the plans, and if there are no individuals assigned to each task bearing responsibility for the implementation.
- Companies may obtain the necessary information from numerous sources. Provisions of applicable legislation, the guidance of authorities, the business characteristics of each sector, specialties due to the geographical location of the business unit, characteristics relating to the size of the business unit, as well as the health status or the willingness to work of the employees may all be counted as relevant information. Nor should it be forgotten that, under the general rules of labor law, employees are required to inform their employer of any circumstances which may affect their employment. However, such information may contain personal data or even special categories of personal data (e.g., health data).
- Stockpiling personal data without legitimate purpose is not permissible even under the current uncertain circumstances. The principle of purpose limitation and data minimization must be applied during planning for reopening. In the course of collecting and processing data, companies may partially or entirely rely on machine related solutions, and they must consider further applicable rules if personal data is also concerned in the process.
- In line with the principles of privacy by design and privacy by default, data security must be ensured from the planning phase and companies must opt for solutions ensuring a security level proportionate to the risks.
- In line with the applicable laws, besides the enforcement of general rules of labor law and equal opportunity, it is a priority to ensure the protection of the health and safety of the employees. Therefore, in addition to business considerations, compliance with requirements governing health and safety at work should be of key importance to the planning, including the enforcement of data protection rules when choosing specific health and safety related measures.
- All employers must ensure safe and healthy work conditions and that working practices do not create undue risks to employees. The appropriate measures should take into consideration the results of the re-assessment of the risks associated with the changed work conditions, the re-evaluation of workflows and may enable the involvement of occupational safety and health professionals and employees' representatives.
- Under the relevant government decrees in effect, employers are entitled to take necessary and justified means to monitor the employees' state of health during the state of emergency and for 30 days after its termination. However, applicable legislation does not define which measures are considered necessary and justified, therefore employers must consider carefully all of the relevant factors on a case by case basis, and they must be able to justify their decision appropriately in line with the principle of accountability.
- When choosing the appropriate measures for achieving the legitimate purpose - i.e. ensuring safe and healthy work conditions - employers must prioritize those measures that do not involve the processing of personal data. Solutions relying on anonymous data also meet this requirement, as anonymous or anonymized data that belong to unidentified or unidentifiable persons, or to persons who cannot or can no longer be identified by these data, fall outside the scope of data protection rules.
- If achieving the legitimate purpose requires processing personal data, then the employer must favor solutions presenting less risk for the privacy of its employees and visitors.
- Employers are obliged to provide an appropriate legal basis for the lawfulness of the data processing. It is important that, in an employment relationship, the employees' consent can be relied on only to a very limited extent as an appropriate legal basis, and primarily only where the employee is by no means affected adversely by refusing to consent.
- The Hungarian Data Protection Authority (“DPA”) in its guidance on processing data related to the coronavirus epidemic requires the basic rules of pandemic data processing to be set out in the employer's pandemic/business continuity action plan, which may cover rules applicable to the reopening of business units as well. It is recommended to record in the pandemic action plan the findings of the prior assessment of, and the measures mitigating, the data protection risks of certain health and safety measures, the responsible personnel and the procedural rules for implementing and monitoring the action plan, as well as the communication channels which enable information to flow in a fast, accurate and up-to-date manner between the employer and employees.
- The rules of the pandemic plan should be in line with the employer's other internal rules, including those applicable to data security.
Once the plan has been prepared with due care, the employer must implement it and must ensure that the rules within are complied with.
- Employers may choose from numerous measures to ensure safe and healthy work conditions and working practices that do not create undue risks to employees. In line with the principles detailed above, the available solutions may not require the processing of personal data (e.g., setting hygiene standards, sanitizing work equipment and offices, providing disinfectants, application of visual signs to maintain social distance and using a glass wall for the protection of receptionists), but other measures may require the processing of personal data, provided that proper justification is in place. Such measures may include the following: monitoring the health condition of employees by questionnaires/self-assessment forms, temperature checks on employees and visitors, COVID-19 testing and mobile application alert mechanisms.
- Some measures may present a higher risk for the privacy of employees and visitors, e.g., mobile applications that register and send alerts upon coming in close proximity with an infected person or certain data processing activities applying automated decision-making. In these cases, the employer may be obliged to carry out a data protection impact assessment. Further to this, the employer may be obliged to consult with the data protection authority in advance, if it is required due to the risks of the intended data processing.
- In case the legal basis of the data processing is the legitimate interest of the employer or any third party (e.g., in case of using questionnaires), the employer must perform a legitimate interest balancing test justifying that its interest prevails over the interests, fundamental rights and freedoms of the data subjects.
- The employer is obliged to request the opinion of the works council on the planned measures or internal rules, if such council operates at the employer, 15 days prior to the adoption of the respective decision if the measures or internal rules would affect a larger group of employees.
- In any case, the employer must provide information in advance to both employees and visitors on the rules of the data processing. The principle of accountability requires that the employer should be able to demonstrate the performance of such obligation, therefore the employer should inform the data subjects in writing (including by way of electronic means) and should demand the express acknowledgement of such information.
- It is important that, in line with the guidance of the DPA, employers are not entitled to conduct health screenings (e.g., temperature checks, COVID-19 testing). This should be reserved for health care professionals or another person under their professional responsibility (e.g., nurse, designated employee of the human service undertaking with a special obligation of confidentiality). Employers are only entitled to be advised of the results of such screenings. Health screenings are subject to further data protection related requirements.
- Processing special categories of personal data requires increased attention to the security requirements when storing such data.
- As regards the rights of the data subjects, it is important to mention that under Government Decree No. 179/2020 (V. 4.) the exercise of these rights in relation to data processing related to the epidemic is limited and employers may only respond to such requests after the termination of the state of emergency.
- New data processing activities related to the reopening of workplaces must be recorded by the employer in the company's register of data processing activities.
Employers must continuously assess their data processing activities taking into account the spread of the coronavirus, changes in the legislative environment and other factors affecting their operation in general, and align the pandemic action plan with these changes as necessary. The assessment should cover the examination of those circumstances that required the data processing to be carried out in the first place, or whether there are solutions less intrusive, presenting less risk for the privacy of the data subjects. If the purpose has been achieved and the employer no longer needs the personal data (and no law prescribes its mandatory retention), the personal data must be erased or anonymized.
By Csaba Vari, Head of Privacy, and Agnes Kadar, Associate, Baker McKenzie