In Hungary, immunity to COVID-19 may be verified on the basis of Government Decree 60/2021 by way of an immunity certificate or the mobile app of the National eHealth Infrastructure (EESZT). While in principle both methods may establish immunity based on either vaccination or recovery from the illness, only the immunity certificate has been available for use since February 2021, as the EESZT mobile app is currently still in its introductory phase.
At this moment, presentation of the immunity certificate may be lawfully requested by employers or specific service providers. Either way, the disclosure of personal data – in particular, health data – is unavoidable when complying with such a request.
Although there is no specific data protection legislation or established decision-making practice in the matter, key advice has already been provided by the Hungarian Data Protection Authority (NAIH) regarding the limits of requesting such disclosure of personal data.
Verifying Immunity Towards Service Providers
Hungarian law currently allows those who are able to verify their immunity by presenting their immunity certificate upon entrance to use specific types of services (theaters, gyms, indoor dining, etc.).
During a press interview in late April, NAIH President Attila Peterfalvi confirmed that the above-mentioned method of verifying immunity does not raise any data protection concerns since data processing by the service provider is limited to checking the existence and validity of the certificate, and does not involve the recording of any personal data. He also emphasized that such data processing is prescribed by law, which provides an adequate legal basis according to the GDPR.
Verifying Immunity Towards Employers
Since the beginning of the pandemic, the NAIH has given high priority to addressing the lawfulness of processing employee health data by employers (e.g., by providing guidance on mandating measurement of employees’ body temperature).
In its latest information notice, the NAIH specifically focuses on the ability of employers to process information related to their employees’ immunity certificates. The information notice points out that, as they are responsible for the lawfulness of the data processing, employers must first and foremost be able to identify the purpose and lawful basis of their data processing activities.
As to the lawful basis, the NAIH stresses that the fact of immunity to COVID-19 (either due to vaccination or recovery) shall qualify as data concerning health – one of the special categories of personal data. The NAIH emphasizes that, when unable to verify the lawful basis in accordance with Article 6(1) and 9(2) Points b), h), or i) of the GDPR, the processing of immunity data by employers shall be prohibited.
Nevertheless, according to the Hungarian Labor Code, it is also the employer’s responsibility to provide a safe and healthy work environment. In order to achieve this goal, requesting verification of immunity from employees may be a necessary and proportionate measure for specific types of jobs or employee groups, but only when based on an appropriate risk analysis.
From a data protection viewpoint, the risk analysis and the measures introduced by employers based thereon should accord with the principles outlined in Article 5 of the GDPR. For example, the purpose of data processing shall be real (immunity cannot be checked without any reason and the measures must actually be introduced), data processing shall be limited to what is necessary for the given purpose (only the immunity data should be processed), and measures should be proportionate (only the fact and expiry of immunity can be recorded, and copies cannot be made).
In addition, the information notice declares that all other obligations of data controllers set forth by the GDPR must be met by employers when processing employee immunity data.
In conclusion, presentation of the immunity certificate and data processing activities related thereto do not seem to raise any privacy issues if service providers and employers stay within the boundaries set out by law. No significant changes may be expected in relation to this when the Digital Green Passport is introduced by the EU this June.
Nevertheless, as the NAIH also points out in its information notice, the Hungarian legislature still needs to create unambiguous legal provisions regarding the possibility of checking immunity for other types of working hierarchical relationships.
By Peter Berethalmi, Partner, and Zsuzsanna Lukacs, Associate, Nagy & Trocsanyi