14 April 2021

In the recent weeks, a number of questions have been arisen whether the employer may know the data contained by the „immunity card”, which aim is to certify immunity to coronavirus. Is the employer entitled to request information from the employee regarding the immunity card or store the information concerning its employee? In this article we answer the above questions on the basis of the information („Information”) of Hungarian National Authority for Data Protection and Freedom of Information.

1. What does the “immunity card” certify and what kind of data does it contain?

The Government Decree 60/2021 (12 February) on certifying immunity to coronavirus (“Decree”) regulates the provisions concerning certifying immunity to coronavirus.

According to the Decree, immunity to coronavirus can be certified if

  1. the person recovered from COVID-19 illness within a period specified in this Decree; or
  2. the person has been vaccinated with a COVID-19 vaccine that is authorised in the European Union or Hungary.

Immunity to coronavirus shall be certified by either an official verification card (hereinafter “immunity card”) or a mobile application.

The immunity card, among others, contains[1]

a) name of the person concerned,

b) passport number of the person concerned, if any,

c) number and document identifier of the permanent personal identification card of the person concerned, if any,

d) number of the immunity card,

e) date of vaccination if certifying vaccinated status,

f) expiration date of the card if certifying the fact of having recovered from infection.

2. Can the employer know its employee’s data concerning his immunity?

According to the Information, after a risk assessment, in case of certain jobs or group of persons, it might be a necessary and proportional measurement that the employer requests data from the employee related to their protection against COVID-19.

Based on the above, in certain cases, an employer is entitled to request data form its employee concerning whether he has immunity, i.e. he is recovered from coronavirus or he has been vaccinated.

The Information provides guidelines on how to determine whether the data processing concerning immunity is considered as necessary in case of certain jobs.

In case of low risk jobs (e.g. permanent home office), it cannot be concluded that the data processing is necessary. However, the data processing is necessary, e.g. if the employer deals with fixing or maintaining medical devices at the COVID-19 department of the hospital, and requests its employees to certify the fact of their immunity to avoid the infection of its employees. The data processing might be also considered as necessary if the employer is a social facility and it is necessary to know whether its employees working in the facility have immunity in order to protect the residents of the facility.

In the above cases, the aim of the data processing of the employer is to protect the life and health of the concerned employee, the other employees and the third persons with whom the said employee may come into contact (e.g. clients) and to comply with the applicable obligations of the employer.

3. What kind of immunity related data can the employer know?

If the employer, on the basis of the above, is entitled to know the fact of its employee’s immunity, the employer may only request the presentation of the immunity card or the application.

Based on the above, the employer may only know the personal data contained by the immunity card or the application.

4. Can the employer keep a record about the immunity of its employees?

If the employer, on the basis of the above, is entitled to know the data concerning the immunity of its employees, it can also keep a record of that, but it can contain only the fact that the employee justified the fact that he is protected from the coronavirus and in case this data may be established based on the presented proof then the validity period of the protection.

5. Can the employer make a copy of the immunity card?

Considering the fact that the employer, subject to certain conditions, may only request the presentation of the immunity card or the application, it cannot copy or otherwise store them and it is not entitled to transfer them to third person.

6. Which measures are necessary to the data process of the employer?

The Information underlines that the employer, as a data controller shall ensure the lawfulness of the data processing.

Taking into account that the fact of immunity shall be considered as data concerning health, therefore not only the appropriate legal basis[2], but the further conditions of Section 9(2) of GDPR, its point b) h) or i) in the present case (legal obligation concerning employment, purposes of occupational medicine, public interest in the area of public health) shall be demonstrated.

As it is a non-mandatory data processing, which affects the employees, the legal basis of the data processing may be basically the legitimate interest of the employer. (Section 6(1)(f) of the GDPR) In order for the reference to the legitimate interest to be applicable, the employer shall carry out a legitimate interest assessment test.

Furthermore, it shall be noted that the other rules of the GDPR are also applicable to the data processing concerning immunity, consequently e.g. the employer shall provide information according to the Section 13 of the GDPR to the employees.

7. Summary

The employers, if they consider it as necessary and proportional measurement based on a previous risk assessment, may lawfully know and process the data of their employees contained by the immunity card or the application.

However, the employers are not entitled to make a copy of the immunity card or the application, they cannot store them, and they are not entitled to transfer them to third persons.

Furthermore, the employers shall ensure the lawfulness of the data processing, therefore, among others, they shall inform the employees about the data processing.


[1] Section 2(1) of the Decree

[2] Section 6(1) of the GDPR