According to an information letter issued by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) on 1 April 2021, employers can only request proof of protection against COVID-19 (e.g. proof of having the vaccine or recovered from COVID19) in certain jobs and after an appropriate risk analysis. If the employer has an appropriate legal basis to process the immunity data, he is obliged to put appropriate measures in place in order to protect its employees against COVID-19 infection. According to the NAIH, the legislator should further precise the requirements for justifying the immunity against COVID-19 in employment relationships.
NAIH also highlights that such data justifying the recovery from the coronavirus disease or the fact of vaccination constitutes health data, which is a sensitive personal data under GDPR. According to NAIH, such data cannot be processed in general, but it has to be specifically assessed in which jobs or range of employees such data processing is considered as necessary and proportionate (e.g. jogs where employee are more exposed to COVID19 infection, or where employees have close contacts with people at higher risk).
It is also highlighted that the employer can only request to present the application of the National eHealth Infrastructure (EESZT) or the immunity certificate, but may not make any copy of them.
At the end of April, the Hungarian Government allowed access to certain services for persons who have already obtained the so-called immunity card (e.g. visiting zoo, hotels, sitting inside a restaurant, etc.). According to the relevant Government decree, service providers are required to ask the consumers to present their immunity card upon entrance. Service providers failing to request the presentation of immunity card may be fined from HUF 100,000 to HUF 1 million, or in the worst-case scenario, they may be locked for up to one year.
According to the president of the Hungarian National Authority for Data Protection and Freedom of Information, requesting to present the immunity card for the use of certain services does not raise any concern from data protection perspective as it is not accompanied by data recording.