The Hungarian data protection authority (NAIH) has issued a guidance to organisations regarding the processing of personal data vis-à-vis procedures for preventing the spread of the coronavirus. Compared to the guidelines set down by Italian and French data protection authorities, NAIH is following a more practical approach in line with the Irish data protection authority’s guidance.
According to NAIH, organisations can introduce a specific questionnaire and collect the following information:
when an individual reports exposure or when the organisation believes that the individual was subject to possible coronavirus exposure;
when the individual visited certain high-risk areas or was in contact with people from high-risk areas.
Based on this information, the organisation can take preventive measures, such as instructing an employee to visit the company doctor, requesting self-quarantine, or prohibiting a visitor from entering its premises.
The questionnaire must not contain information on the health history of any individual, and people should not attach health records to it.
To ensure that the above data collection is lawful, organisations must:
- Provide a detailed information notice for employees on the nature of the coronavirus (e.g. infection sources, incubation period, how it spreads, its symptoms, preventive measures, whom to contact when they believe that they were exposed to the coronavirus, etc.).
- Prepare a pandemic business continuity plan, which outlines preventive steps, measures to be taken in case of infection, data protection risks, the allocation of liabilities inside the organisation, and communication channels.
Reorganise business travel and events and ensure remote working.
Prepare a data protection notice, which sets out the purpose and legal basis for data processing, the data retention period, and the people authorised to access any personal data collected.
Prepare a legitimate interest-balancing test (érdekmérlegelési teszt) to prove whether the interests motivating data processing is more significant than the privacy rights of the people concerned.
NAIH also outlines the possible legal basis for data processing [Articles 6 (1) e), f) and 9 (2) b) of the GDPR], which includes legitimate interests, forwarding the public interest, the exercise of official authority, and labour law obligations to ensure healthy and safe working conditions for employees.
According to Article 9 (2) h) of the GDPR, employers can introduce mandatory diagnostics or screenings only with the assistance or supervision of healthcare professionals. Any other general and mandatory diagnostics or screenings (e.g. forced temperature checks) are unlawful.
NAIH also declares that it is the obligation of every employee to inform his employer and any other third party with whom he is in contact at work of any health risks, including being infected or having previous contact with an infected person; and – in this case – to report to a healthcare professional immediately.
NAIH’s guidance is available here (only in Hungarian).
For more information on this guidance, contact your regular CMS advisor or local CMS experts: Dora Petranyi, Marton Domokos and Katalin Horvath.