On March 10, 2020, the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) issued guidance on data protection and COVID-19. The NAIH highlights that controllers processing personal data in the context of their efforts to prevent the spread of COVID-19 must comply with the GDPR as well as Hungarian data protection law. The guidance applies to public and private organisations, their employees and contractors, as well as other third parties (e.g. clients, visitors). The NAIH emphasises that any kind of data processing under the current circumstances has to adhere to the principles of the GDPR, especially that of accountability.
1. Purpose limitation
The collection and processing of personal data can only be deemed necessary if the purpose cannot be achieved by any other means, and in every case the controller must evaluate whether a less intrusive solution is available.
2. Data minimisation and lawfulness
If the collection of personal data is deemed absolutely necessary, the controller has to define the exact purpose and legal basis of the processing. The collection, processing and storage of the data has to be proportionate to that purpose.
The controller must provide the data subject with the information required under Article 13 GDPR and Section 16 of the Hungarian data protection law. If the data is collected on the basis of Article 6(1)(f) GDPR, the controller has to demonstrate that the interest pursued overrides the interests and fundamental rights of the data subjects.
4. Specific requirements
The NAIH identified a number of requirements that are relevant under the current circumstances.
I. Data processing related to employment
Employers must ensure they provide a safe working environment, which includes the planning and operation of data protection procedures. Within this framework, employers are required to:
- Create a business continuity plan, which should include the steps necessary to reduce the spread of infection, the steps to take if an infection occurs, an evaluation of the data protection risks, internal responsibilities and appropriate communication channels;
- Provide detailed information concerning the coronavirus, and what to do in the case of a suspected infection;
- If necessary, cancel or postpone business travel and events, and provide the opportunity to work from home; and
- Alert employees that in the interest of protecting their own and their colleagues’ health, they must report any suspected contact with the coronavirus and seek medical advice as soon as possible.
If an employee reports that they have potentially been in contact with the virus, or the employer suspects on the basis of information provided by the employee that they may be at risk, the employer can record data concerning that report or suspicion. This includes whether the employee visited countries considered to be at risk and the dates of travel, whether the employee was in contact with anyone who has recently visited those countries, and details of any further assistance provided by the employer. The NAIH deems it acceptable to use questionnaires where the employer decides these are necessary and proportionate, but emphasises that the questionnaires cannot contain questions or data relating to medical history, and cannot require the employee to attach medical documents. Article 6(1)(f) GDPR, or in the case of public institutions Article 6(1)(e), can provide a legal basis for this. With regard to health data, and subject to the limits described above, Article 9(2)(b) GDPR can serve as a legal basis.
However, importantly, the NAIH does not consider it proportionate for employers to implement general and compulsory checks using medical diagnostic devices (e.g. thermometers) on employees, as the collection of data concerning the coronavirus is the responsibility of healthcare providers and medical professionals.
Where the employer, after evaluating all information available to it, decides that certain employees who have had an increased chance of exposure must be tested by a medical professional, the employer can rely on Article 6(1)(f) or (e), Article 9(2)(h) and Article 9(3) GDPR. In these cases, the employer is only entitled to learn the result of the test, and no other medical information.
II. Healthcare providers and medical professionals
Healthcare providers and medical professionals are required to follow the data protection rules applicable to them, including the obligations that give rise to processing under Article 6(1)(c) and Article 9(2)(i) GDPR. Under Section 25 of NM Order 18/1998. (VI. 3.), healthcare providers must report and keep records of patients with infectious diseases, and of patients suspected of carrying infectious diseases, under certain circumstances (one of which is a SARS-coronavirus outbreak). Further guidance is available to medical professionals on containing the spread of the coronavirus.
III. Employees’ duties
Employees are required to cooperate and, based on the principles of good faith and integrity, to inform their employers if they are aware of any risk of infection that might affect their workplace, their colleagues or third parties. In these cases the employee remains entitled to exercise their rights under Chapter III of the GDPR, and the employer must make provision for this.
IV. Third parties
The NAIH emphasises that in relation to third parties (e.g. clients, visitors), employers must ensure that:
- The business continuity plan includes enhanced checks on visitors, the evaluation of data protection risks in relation to this, and provides appropriate communication channels;
- Information is provided to clients and visitors concerning the coronavirus, including that they should inform personnel at the entrance if they are at risk of having contracted the coronavirus.
In terms of data protection, the same rules apply to third parties as to employees under part I of this guidance.
Finally, the guidance notes that failure to comply with legislation concerning the spread of infectious diseases is a criminal offence, and that those who intentionally infect others may be found guilty of grievous bodily harm, or of grievous bodily harm causing death. In such cases, the police are authorised to use CCTV footage in their criminal investigations.
The publication of the NAIH guidance follows the publication of similar statements by other EEA regulators, including those of France, Denmark, Spain, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Poland, Slovenia, Slovakia and the UK. Covington will continue to monitor developments in this area.