On 1 April 2021, the Hungarian National Authority for Data Protection and Freedom of Information (the ‘Authority’) communicated its position on vaccination data. This position applies solely to employees and only applies during the epidemic situation.
The Authority highlights that the data on vaccination may only be processed if the employer takes effective and necessary occupational safety measures based on the data collected. This means that if an employer decides to process this data, it will be obliged to take, document and, if necessary, justify occupational safety measures and decisions based on it. If the employer does not use the collected data, it will breach the principle of storage limitation, which is illegal in all cases.
As a result, the employer must prepare an occupational safety risk analysis to assess potential occupational exposure to COVID-19 infection. Data on the employee’s protection (i.e. the fact of vaccination or the fact that s/he has been infected) can only be processed if, on the basis of the risk analysis, it is necessary for certain jobs or groups of employees.
The Authority mentions two extreme examples to illustrate whether it is necessary to process the data on protection:
In our opinion, there are several jobs between these two extremes where the need to process data on COVID-19 protection can be demonstrated.
Prior to this data processing, the employer has to determine its legal basis. For this, it is important to emphasise that the fact of protection qualifies as data concerning health, which belongs to a special category of personal data. In view of this, it is our opinion that the appropriate legal basis for processing data on COVID-19 protection will be the legitimate interest of the employer in fulfilling its obligation to ensure occupational safety. In order to establish legitimate interest, the employer has to carry out a balancing test striking a balance between its obligation to provide occupational safety and employees’ right to privacy. It is important to note that the employee’s consent will not be regarded as an appropriate legal basis, as the voluntary nature of this consent may be questionable given the subordinate relationship between employee and employer.
In addition, the employer has to prepare data processing information in which it must set out, clearly and in a sufficiently detailed manner for employees, the purpose and legal basis of data processing, the period of data retention and the scope of individuals accessing the data. Data subjects must also be informed of the possibility of exercising their rights under the GDPR and of the means of accessing remedies.
If all conditions are met, the employer may, at most, request display of the digital application provided by the Electronic Health Service Space operator, or presentation of a certificate of protection. No copies can be made of the certificate of protection; only the fact that an employee is protected may be recorded. If known, the duration of protection may be recorded. No further data can be lawfully collected and processed by the employer for the purpose of proving protection against COVID-19.