What rules should an employer follow regarding the processing of data on the immunisation of employees against Covid-19? The Hungarian Data Protection Authority (NAIH) answers employers’ questions in a guide on provisions that only apply to the current epidemiological situation.
The immunisation status of an employee is personal data and as such enjoys special protection under the GDPR. The employer may need, depending on the nature of the activity, to ask the employees concerned to submit an application for vaccination against Covid-19 or their “Coronavirus Protection Certificate”.
The employee can obtain this certificate, introduced by decree of 12 February 2021, after inoculation with a vaccine authorised in Hungary and/or the EU or six months after contracting Covid-19. The employer is not allowed to make a copy of it, to keep it in any form or to pass it on to a third party. The employer may only record the fact that the employee is immune to Covid-19.
An objective assessment of the risks of contamination
In addition, the employer must carry out an objective assessment of the risks of contamination for each job or employee, with the protection of health and safety at work as the guiding principle. In this context, the employer’s data processing must be proportionate to its objective. This means that the employer must take the necessary measures to create a safe working environment. He must comply with his obligations in this respect and know whether his employees are immune to the coronavirus. Depending on the results of the assessment, the employer must take concrete measures, such as teleworking for non-immune employees.
At the beginning of the year, the NAIH had authorised the taking of body temperature of employees on their way to work. The employer was required not to process data relating to the identity of the individual. The employer was not allowed to record, store or transmit the temperature data.
Sources: Hungarian Data Protection Authority (NAIH) / UIMM
To find out more (in Hungarian)