Blog » CAN YOU REQUEST ‘COVID-19 VACCINATED’ CERTIFICATION FROM YOUR EMPLOYEE IN HUNGARY?
CAN YOU REQUEST ‘COVID-19 VACCINATED’ CERTIFICATION FROM YOUR EMPLOYEE IN HUNGARY?
14 April 2021
In the recent weeks, a number of questions have been arisen whether the employer may know the data contained by the „immunity card”, which aim is to certify immunity to coronavirus. Is the employer entitled to request information from the employee regarding the immunity card or store the information concerning its employee? In this article we answer the above questions on the basis of the information („Information”) of Hungarian National Authority for Data Protection and Freedom of Information.
1. What does the “immunity card” certify and what kind of data does it contain?
The Government Decree 60/2021 (12 February) on certifying immunity to coronavirus (“Decree”) regulates the provisions concerning certifying immunity to coronavirus.
According to the Decree, immunity to coronavirus can be certified if
- the person recovered from COVID-19 illness within a period specified in this Decree; or
- the person has been vaccinated with a COVID-19 vaccine that is authorised in the European Union or Hungary.
Immunity to coronavirus shall be certified by either an official verification card (hereinafter “immunity card”) or a mobile application.
The immunity card, among others, contains
a) name of the person concerned,
b) passport number of the person concerned, if any,
c) number and document identifier of the permanent personal identification card of the person concerned, if any,
d) number of the immunity card,
e) date of vaccination if certifying vaccinated status,
f) expiration date of the card if certifying the fact of having recovered from infection.
2. Can the employer know its employee’s data concerning his immunity?
According to the Information, after a risk assessment, in case of certain jobs or group of persons, it might be a necessary and proportional measurement that the employer requests data from the employee related to their protection against COVID-19.
Based on the above, in certain cases, an employer is entitled to request data form its employee concerning whether he has immunity, i.e. he is recovered from coronavirus or he has been vaccinated.
The Information provides guidelines on how to determine whether the data processing concerning immunity is considered as necessary in case of certain jobs.
In case of low risk jobs (e.g. permanent home office), it cannot be concluded that the data processing is necessary. However, the data processing is necessary, e.g. if the employer deals with fixing or maintaining medical devices at the COVID-19 department of the hospital, and requests its employees to certify the fact of their immunity to avoid the infection of its employees. The data processing might be also considered as necessary if the employer is a social facility and it is necessary to know whether its employees working in the facility have immunity in order to protect the residents of the facility.
In the above cases, the aim of the data processing of the employer is to protect the life and health of the concerned employee, the other employees and the third persons with whom the said employee may come into contact (e.g. clients) and to comply with the applicable obligations of the employer.
3. What kind of immunity related data can the employer know?
If the employer, on the basis of the above, is entitled to know the fact of its employee’s immunity, the employer may only request the presentation of the immunity card or the application.
Based on the above, the employer may only know the personal data contained by the immunity card or the application.
4. Can the employer keep a record about the immunity of its employees?
If the employer, on the basis of the above, is entitled to know the data concerning the immunity of its employees, it can also keep a record of that, but it can contain only the fact that the employee justified the fact that he is protected from the coronavirus and in case this data may be established based on the presented proof then the validity period of the protection.
5. Can the employer make a copy of the immunity card?
Considering the fact that the employer, subject to certain conditions, may only request the presentation of the immunity card or the application, it cannot copy or otherwise store them and it is not entitled to transfer them to third person.
6. Which measures are necessary to the data process of the employer?
The Information underlines that the employer, as a data controller shall ensure the lawfulness of the data processing.
Taking into account that the fact of immunity shall be considered as data concerning health, therefore not only the appropriate legal basis, but the further conditions of Section 9(2) of GDPR, its point b) h) or i) in the present case (legal obligation concerning employment, purposes of occupational medicine, public interest in the area of public health) shall be demonstrated.
As it is a non-mandatory data processing, which affects the employees, the legal basis of the data processing may be basically the legitimate interest of the employer. (Section 6(1)(f) of the GDPR) In order for the reference to the legitimate interest to be applicable, the employer shall carry out a legitimate interest assessment test.
Furthermore, it shall be noted that the other rules of the GDPR are also applicable to the data processing concerning immunity, consequently e.g. the employer shall provide information according to the Section 13 of the GDPR to the employees.
The employers, if they consider it as necessary and proportional measurement based on a previous risk assessment, may lawfully know and process the data of their employees contained by the immunity card or the application.
However, the employers are not entitled to make a copy of the immunity card or the application, they cannot store them, and they are not entitled to transfer them to third persons.
Furthermore, the employers shall ensure the lawfulness of the data processing, therefore, among others, they shall inform the employees about the data processing.
Hungary: Steps Towards Differentiating Between Domestic and International Procedural Public Policy
Drawing a well-defined line of demarcation between domestic and international public policy when enforcing foreign arbitral awards sends a clear pro-arbitration message from national courts in any jurisdiction. Does Hungarian case law come close to this level of sophistication? This post analyses this question in the context of procedural public policy, and it does so based on two recent appellate court decisions rendered in the context of enforcement of arbitral awards in accordance with the New York Convention.Read more »
EU ISSUED NEW GDPR STANDARD CONTRACTUAL CLAUSES – WHEN AND HOW TO USE THEM?
During summer 2021, the European Commission published two new "standard contractual clauses" on data protection regulation, which can be applied on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR , and to the transfers of personal data to third countries, on the other. In this article, we answer the questions: what these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?Read more »
CAN THE NON-COMPETITION AGREEMENT BE VALID WITHOUT A PRECISE COMPENSATION IN HUNGARY?
The non-compete agreement may provide protection of the legitimate economic interests of the employer even after the termination of employment relationship. However, the Hungarian Labour Code lays down strict requirements for the agreement. In our article we analyse a recent decision of the Supreme Court about the importance of the precise determination of the compensation, so you as an employer can conclude a valid non-compete agreement.Read more »