After more than a year of the Covid pandemic, there is hope that vaccinations will allow us to beat the virus and get back to normal life. We will be able return to our workplaces, meet our colleagues face to face and work together more efficiently. However, this is not yet possible, since not all of us are vaccinated or have existing immunity to Covid.
Employers (and also employees) quite rightly want to get back to “normal” working practices as soon as possible; however, employers are responsible for ensuring a healthy and secure working environment for their employees. How can they meet that obligation? The simplest way is to organise work according to which employees have immunity to Covid and which employees do not. Mere knowledge of this data qualifies as data processing, indeed as the processing of a special category of personal data, for which data processing is only permitted in a very limited number of cases. The new statement by the Hungarian Data Protection Authority gives employers guidance on whether they may process their employees’ data, and if so, how they should proceed with the data processing.
The main points of the statement
In general, processing data on employee immunity is not permitted. In a risk analysis, employers must decide whether it is necessary for them to know about employee immunity for specific jobs. Employers may not discriminate between employees with different types of immunity, whether due to the vaccination or due to an earlier illness. Indeed, employers are not even permitted to know about it. Employers are only entitled to check an employee’s immunity certificate or application, without making a copy of it, and note the fact that the employee has immunity and the end date of immunity if it is stated in the certificate.
Data on immunity may only be processed once the legal grounds and the aim of data processing are specified. Suitable measures for achieving the aim of data processing must be taken and also documented by the employer. The aforementioned risk analysis is also essential before data processing can take place. Before beginning with the data processing, employees must be properly informed about it.
During the data processing, all GDPR requirements must be met, especially data transparency, accuracy and security.
Possible further developments
The statement by the Data Protection Authority highlights that legislation on the issue is needed. It is possible the legislator will rule differently from the Authority on the matter. It is also possible that when there are changes in the pandemic situation, the Authority will take a different view and this statement will no longer be applicable.
By Edina Czegledy, Counsel, and Ildiko Angeli, Associate, Noerr