Global menu

Our global pages

Close

Coronavirus – COVID-19 and data protection for employers - Hungary

  • Hungary
  • Coronavirus
  • Coronavirus - Country overview
  • Coronavirus - Data and Cyber Security issues
  • Coronavirus - Workforce issues

30-04-2020

Can employees be required to provide data about their travels abroad or health?

What information can be requested?

Can employers do a thermometer test?

In response to concerns, the National Data Protection Authority (Authority) has recently issued an information letter (in Hungarian) about data protection issues and Covid-19.

Our briefing summarizes the key points of this leaflet.

____________________________________________

National Data Protection Authority response to coronavirus

We are aware that the employers’ primary responsibility is to ensure their business operations keep running during the coronavirus epidemic. However, employers should not forget to comply with the data protection laws while introducing their measures. Employers as data processors should also pay attention to prepare privacy notices and documentation.

Employers are required to apply the General Data Protection Regulation (GDPR) when processing personal data relating to coronavirus. It is important for the employers to consider whether it is necessary to obtain privacy data from employees, such as data about travels abroad or health data, or whether there is another solution that has less impact on the privacy of employees. If the employer deems necessary to process such personal data, the purpose and legal basis for processing should be identified.

Employers are required to prepare a privacy notice of all data processing purpose. Among others, it must include the purpose of data processing, the legal basis of data processing, the duration of data processing and the persons entitled to access the data. Where the processing is based on a legitimate interest of the employer or third persons, it must be demonstrated, by a legitimate interest assessment proving that the interest pursued by the employer or third person are more important than the interests or fundamental rights and freedoms of the data subject.

The Authority has identified measures that are expected from the employers in the given situation, which includes the planning and operation of data protection procedures.

Employer requirements in Hungary during COVID-19

Within this framework, employers are required to:

a. Create a business continuity plan, which should include the necessary steps to reduce the spread of infection, what to do in case infection appears, evaluation of risks to data protection and appropriate communication channels for employees and third persons entering the workplace.

b. Provide detailed information concerning the coronavirus (prevention of infection, spread of the virus, symptoms) and who to turn to in the case of a suspected infection.

c. If necessary, restructuring of business, business travel and events, and if possible, provide the opportunity to work from home.

d. Alert employees that in the interest of protecting their own and their colleagues’ health, they must report to the appointed person any suspected contact with the coronavirus and seek medical advice as soon as possible.

The Authority deems it acceptable to use questionnaires for identifying the danger of possible infections. In the employees’ reports and questionnaires used by the employer it is reasonable to include the employee’s identification data, whether the employee travelled abroad, the date and place of travel, whether the employee was in contact with anyone who has visited any country at risk and details of any further assistance provided by the employer for example possibility to turn to an occupational doctor or allowing voluntary isolation at home for the employee. However, the Authority also emphasises that the questionnaires cannot contain data relating to medical history, and they cannot require the employee to attach medical documents.

Are medical checks necessary for employers?

In addition, the Authority highlights that it does not deem proportionate for employers to implement general and compulsory checks using medical diagnostic devices such as thermometers on employees, since collection and evaluation of information related to the symptoms of coronavirus and drawing conclusions from them is the task of health care professionals and authorities.

For the processing of the above personal data the Authority deems Article 6(1)(f) of GDPR (the legitimate interest of the employers or third parties) the appropriate legal basis. With regards to medical data, taking into account the employers’ responsibility to provide a safe working environment, Article 9(2)(b) of GDPR can be used as a legal basis.

In addition, according to the Government Decree 47/2020 on March 18, adopted as part of a series of emergency measures due to Coronavirus, it is possible to the employers to take any measure which is necessary and justified in order to check the worker's state of health during the state of emergency and within 30 days after.

As per the Authority’s guidance, it is possible to carry out checks and process personal data when third parties (e.g. clients, visitors) enter into the employer’s building based on the above grounds. However, the Authority emphasises that the employers must ensure that the business continuity plan includes enhanced checks on visitors, the evaluation of data protection risks in relation to this and provides appropriate notices to third parties. Information is provided to clients and visitors concerning the coronavirus, and that they should inform personnel at the point of entrance if they are at risk of having contacted coronavirus.

Attention should also be made to the retention period of personal data and providing information of it.