- Yesterday the Hungarian Data Protection Authority (NAIH) issued a guidance on the data processing activities in connection with the Coronavirus epidemic (COVID-19).
- Zoltán Kozma and Márk Almásy, experts of DLA Piper Hungary reviewed the main findings of NAIH relevant for employers.
The employer is responsible for a secure and healthy working environment, as well as for planning and creating the data processing activities in connection with this obligation. In the course of ensuring such requirements, the following measures are expected from employers:
- design of a so-called pandemic/business continuity plan containing the following: preventive measures for minimising vulnerability to the risk of infection; applicable measures in case of the occurrence of a potential infection; preliminary assessment of data protection aspects of the applied measures; intra-organisational allocation of responsibilities; creating channels for the effective and appropriate communication to data subjects;
- providing detailed information to employees on the Coronavirus (source of infection, means of spread, incubation period, symptoms, prevention) and the contact person they should look for in the case of assumed contact with the Coronavirus;
- reorganisation of business travels, events, providing home office to employees;
- urging employees to notify without delay the contact person appointed by the employer in case of a potential contact with the Coronavirus.
As for the legal basis, the employer may collect personal data from its employees under art. 6.1.f GDPR (legitimate interest) combined with 9.2.b GDPR (legal obligation in the field of employment).
Should the employee make a notification to the employer or the employer establish the suspicion of the contact with the Coronavirus, the employer may record – via questionnaires as well – the following data:
- date of notification;
- personal data necessary for the identification of the affected employee;
- the fact that the travel of the employee – even if it was for personal reasons – overlaps with the territories (countries) and dates determined in the communication of the employer;
- whether the employee was in contact with persons coming from territories determined in the communication of the employer; and
- measures applied by the employer.
The employer may only collect the above data if a preliminary risk assessment was performed in which the employer came to the conclusion that the measure to be applied is necessary and a proportionate restriction of the privacy of the employees. However, the Authority expressly emphasizes that the questionnaires may not contain data relating to the employee’s medical history, and employers may not prescribe the attachment of medical documentation.
In addition to the above, NAIH establishes that having regard to the current state of the epidemic situation in Hungary, using diagnostics equipment (in particular, but without limitation temperature measurement) for all employees in general is not proportionate. It is the duty of healthcare professionals and other authorities to collect and assess data regarding the symptoms of Coronavirus. The introduction of such diagnostic measures is lawful only if the employee makes an individual notification to the employer, or on a case-by-case basis only provided that (i) it is in compliance with the legal basis set out in art. 6.1.f. or e. and with the requirements set out in art. 9.2.h and 9.3 of the GDPR and the employer deems this essential on the basis of a risk assessment. Examinations can only be performed by healthcare professionals, and the employer may be eligible to learn the results of such examinations.