Hungary declares it lawful to collect information that a worker is protected against COVID-19


The NAIH, Hungary’s data protection authority, has issued guidance on how employers can lawfully determine whether an employee is protected against COVID-19. Employers must adapt their internal policies, privacy notices and health and safety measures to reflect the main findings of the guidance, which include the following points:

  • For certain occupations or employees, it may be necessary and proportionate for employers to know whether the employee is protected against COVID-19 in line with labour law, occupational health and safety, and the work organisation.

  • A worker's status as protected (i.e. either due to recovery from COVID-19 or a vaccination) constitutes health data belonging to special categories of personal data in accordance with Article 4 (15) of the GDPR. The lawfulness of the processing of this data is therefore based on one of the legal bases in Article 6 (1) of the GDPR and the additional conditions in Article 9 (2) of the GDPR, points (b), (h) or (i).

  • The employer can only ask employees to present their Coronavirus Protection Certificate and the application for a Coronavirus vaccination. The company cannot make copies of them, store them in any form or manner, or transfer them to third parties. The employer can only record that the employee is certified as being protected against COVID-19 and can record how long this protection will last.

  • Employers must prepare an objective risk assessment on a job-by-job or employee-by-employee basis with the guiding principles of safeguarding the life and health of protected workers, other workers, and third parties (i.e. customers), and being in full compliance with their obligations. This data processing by the employer also serves the greater epidemiological interests and by extension the public interest.

  • The purpose of an employer's data processing should only be to take the necessary measures to comply with labour, occupational health and safety, and work organisation rules, and to have a clear understanding of whether its workers are protected against COVID-19. Based on this information, the employer should implement concrete measures to protect workers and customers. These measures could include ordering telework for unprotected workers or placing an unprotected employee's workstation next to a protected employee's workstation. The range of data processed must be suitable for the purpose of creating a safe working environment.

  • In the case of certain low-risk jobs (e.g. permanent teleworking), it may not be necessary to process this data. However, such data processing may be necessary if the employer's field of activity includes the repair and maintenance of medical and other equipment located in the COVID-19 wards of hospitals and where proof of protection would be required to perform these duties. The purpose of requesting the data would be to enable the employer to send only a protected worker to another place of work, thus avoiding infection. Similarly, it would also be necessary to process this data if the employer is a social institution whose duty to protect residents requires proof that workers in the institution are protected.

For more information on this decision and data protection issues in Hungary, contact your CMS client partner or local CMS experts.