Up Again Hungary: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Under the guidance of the Hungarian Data Protection Authority (DPA) on processing data related to the coronavirus epidemic, the introduction of mandatory measurement of body temperature and other health checks generally involving all employees is disproportionate.

If, however, on the basis of a risk assessment, the employer finds it absolutely necessary to do temperature checks for certain jobs, particularly those affected by the exposure to the disease (e.g. receptionists, or employees in a client service centre), the employer may carry out temperature screening of these employees.

The legal basis for processing special categories of data in this case would be art. 6.1.f GDPR (legitimate interest) combined with 9.2.b GDPR (legal obligation under Hungarian law – general labour law provisions require employers to provide a secure and healthy working environment for employees).

Accordingly, a balancing test should be carried out and appropriate information should be provided to the employees about the data processing in line with the provisions of GDPR. Carrying out a data protection impact assessment is also recommended.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Yes. The legal basis for processing special categories of data in this case would be art. 6.1.f GDPR (legitimate interest) combined with 9.2.b GDPR (legal obligation under Hungarian law – general labour law provisions require employers to provide a secure and healthy working environment for employees). Accordingly, a balancing test should be carried out and appropriate information should be provided to the employees about the data processing in line with the provisions of GDPR. Carrying out a data protection impact assessment is also recommended.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Yes. The legal basis for processing special categories of data in this case would be art. 6.1.f GDPR (legitimate interest) combined with 9.2.b GDPR (legal obligation under Hungarian law – general labour law provisions require employers to provide a secure and healthy working environment for employees).

Accordingly, a balancing test should be carried out and appropriate information should be provided to the employees about the data processing in line with the provisions of GDPR. Carrying out a data protection impact assessment is also recommended.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

There are no specific rules on this; general data protection principles shall apply. Accordingly, this should always be considered on a case-by-case basis. In general, we recommend to share this information only on a need-to-know basis, for health and safety purposes. Sharing this information with other employees who do not need to know will not be lawful.

6. Can an employer share information with a health authority about COVID-19 cases they become aware of?

There is no specific obligation for employers in this respect. Accordingly, it should be reviewed why the employer wants to share this information. If the health authority requests such information, the employer must share this with the authority.

7. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another Hungary?

There must be a legitimate purpose and legal basis for such transfer. Also, the relevant provisions of GDPR must be complied with. In general, we do not recommend employers to share health data in connection with COVID-19 with their affiliates.

8. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

This is not recommended, and most likely would not be proportionate.

9. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

General data protection requirements must be met: for example, appropriate data protection notifications must be prepared for the employees. When using legitimate interest as a legal basis, a legitimate interest test shall be carried out under GDPR.

It is advisable to conduct a data protection impact assessment to analyse the risks involved and take risk-mitigation actions as required by the results of the assessment.

In addition to GDPR, the following legal instruments also apply:

  • Act 112 of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act)
  • Act 1 of 2012 on the Labour Code
  • Act 93 of 1993 on Labour Safety

The guidance of the Hungarian Data Protection Authority is available here.

10. What are the risks if I am in breach of the GDPR or local privacy laws?

GDPR empowers supervisory authorities to impose a fine of up to 4% of annual worldwide turnover or EUR20 million (whichever is higher).

The employee may also go to court, claiming that their privacy right was breached. However, it is more common for employees to refer their case to the DPA.