Hungary: GDPR guideline in the context of the coronavirus crisis

The Hungarian Data Protection Authority has issued a guideline on the data processing of the employers in the recent epidemic situation (“Guideline”). The guideline also contains suggestions on the specific protection measures at the workplace.

SPECIFIC PROTECTION MEASURES AT THE WORKPLACE

Analyse your company’s readiness: “What steps have we taken?” and set up internal processes: “What steps will we take?”. The Guideline suggests in particular:

• Consider and possibly require increased hygiene on the part of the employees and distribute disinfectants. In sensitive areas (e.g. in healthcare) further protective measures might be required, such as providing respiratory masks or protective clothing;
• Consider and possibly introduce new protection measures that may prevent virus transmission, e.g. restricting presence in the workplace (working from home office), limiting/restricting foreign business trips and participation in work-related events, meetings, etc.;
• Place informative bulletins throughout the company premises, sanitary facilities, intranet or at company meetings to increase awareness of the protection measures;
• Prepare the so called pandemic/business continuity plan, which may include the notification of employees in connection with the most important information regarding coronavirus, measures intended to restrain the spread of the virus and procedural rules that shall be followed in case of occurred symptoms.

CONTROL MEASURES AT THE WORKING PLACE

1. What employers might request from their employers?

• Employers might oblige their employees to notify them in the case they are infected or potentially have been infected by the corona virus (e.g. by meeting a person who is infected).
• Employers may ask the employees for completion of a questionnaire on certain personal data in connection with the coronavirus (e.g. travelling and cross-border movements, contacting with persons arriving from risk zones, measures made by the employer in respect of the affected employees).

2. What employers should refrain from?

• processing of the health documentation of the employees (e.g. result of the coronavirus test);
• processing of the medical history of the employees;
• general prescription of obligatory health screening (including measure of fever).

CONDITIONS FOR ALLPICATION OF THE CONTROL MEASURES FROM THE GDPR POINT OF VIEW

• Induction of control measures means processing of personal data of the employees. Therefore, prior to the application of the control measures, a privacy notice according to Article 13 of GDPR shall be drafted and provided to the employees.
• The data to be processed are deemed to be health data. According to the Guideline, the legal basis of the data processing shall be the legitimate interest of the employer set forth in article 6 (1) f) and furthermore Article 9 (2) b) GDPR. Consequently, employers shall carry out an interest balancing test in order to prove their legitimate interest to the data processing.