Can employers ask to see COVID-19 Immunity Certificates?

Briefing

An increasingly urgent question for employers right now is whether they're allowed to ask employees if they've been vaccinated. While some employers are considering only allowing vaccinated employees back in the office, others would prefer a more lenient approach, offering additional days of paid leave to those who have an Immunity Certificate.

What is an Immunity Certificate and what is it good for?

While the future of the EU’s Digital Green Certificate, proposed by the European Commission is somewhat uncertain, the Hungarian domestic certificate system is already up and running. The Immunity Certificate document has quickly become the main object of desire for many Hungarians, as it's a gateway to many of the privileges that have been parts of everyday life in the pre-pandemic era:

dining inside restaurants
participating in sports events
relaxing in thermal pools or hotels
working out in gyms, or
enjoying a night out at the cinema or theatre.

What’s more, with summer approaching, a lot of people are already planning their vacations and those with a certificate may travel freely and without restrictions (no need for quarantining, tests etc), although admittedly, only to the relatively few countries with whom Hungary has concluded a bilateral agreement on travel (ie Croatia, Slovenia, and Turkey, to mention only the most popular summer destinations). Those without a certificate are currently excluded from these possibilities.

The COVID-19 Immunity Certificate is issued automatically and free of charge to people who:

have received the first dose of vaccination against COVID-19, or
recovered from COVID-19 (ie received a negative test result after a positive), or did not receive a negative test result, but 10 days have elapsed from the positive test result.

In these two scenarios, the certificate is only valid for six months, whereas certificates of vaccinated people have no expiry date. The Immunity Certificate can also be applied for by those with an appropriate test result from a certified laboratory operating in Hungary that demonstrates they have anti-bodies in their system, but in this case, the validity period is only four months from the date of the examination.

The Immunity Certificate is only valid with an ID or a passport, and service providers such as restaurants, hotels, gyms, cinemas may only ask patrons to show their certificate (or in the near future, the mobile application also used officially for demonstrating immunity) but are explicitly denied any further data processing (ie recording, copying).

So, people with Immunity Certificates are clearly afforded the enjoyment of certain benefits, but service providers are not entitled to process this type of data. A logical question therefore arises: does the same apply to employers?

Hungary's Data Protection Authority (DPA) issues guideline on employers processing employees’ immunity-related data

The Hungarian DPA addressed this issue in a highly contested, quite ambiguous guidance. The DPA concluded that employers may be allowed to ask their employees whether they are protected against COVID-19, albeit only under very limited circumstances and subject to certain conditions (and, of course, a separate privacy policy). Although the guidance provides some much needed clarity on certain issues, much remains to be seen, and the guideline itself emphasises that it mostly applies to employment relationships, but not to other employment-like statuses (eg public sector, contractors etc). It also hints at the need for a unified, statutory handling of the problem.

Special category of personal data - legal basis

The DPA first pointed out that the COVID-19 protection status of the employee shall be considered health data. Therefore, like other special categories of personal data, lawful data processing shall not only be based on one of the legal bases set out in Article 6(1) of the GDPR, but must also be supported by one of the exceptions set out in Article9(2), points (b) [employment and social security], (h) [preventive health or occupational health purposes] or (i) [public interest in the area of public health]. The exception here is consent, which the DPA previously considered not to be an appropriate legal basis in the context of employment relationships in most cases.

Necessity, proportionality

The DPA made it clear that processing this type of health data of employees has to be necessary, proportionate, and must be based on a prior, well-documented, and objective risk assessment.

Necessity shall be assessed on a case-by-case basis, and according to the DPA, only applies in case of certain high-risk occupations or groups of employees. Examples of this include:

maintenance workers in hospitals
social workers, and
employees meeting with a lot of clients.

In these cases, knowledge of the protection status of employees could be crucial to avoid the infection of employees, the patients, and clients. In contrast, the guidance’s wording suggests that simple office work in most cases qualifies as a low-risk job, where necessity can hardly be established.

Complying with the proportionality and data minimisation principles of the GDPR, employers may only require employees to present their Immunity Certificate or the mobile application, and they may only be allowed to record the fact of protection against COVID-19 (and the expiry of that protection, if applicable), but no copy would be made and no subsequent data processing would be permitted.

Purpose of the data processing

The DPA stressed that even if all the above is complied with, these data may only be processed for complying with relevant labour law obligations, that is to ensure occupational health and safety and for work organisation purposes. As the purpose needs to be real and verifiable by the employer, the employer has to actually adopt reasonable measures in possession of the immunity data. According to the DPA, these measures include placing a protected employee’s workstation next to that of a non-protected, or offering permanent working from home for non-protected employees.

The latter suggestion is quite curious, as processing the COVID-19 protection status of office workers – who are the only ones who could reasonably work from home – seems not to be allowed under most circumstances. This makes it questionable whether office workers are a low-risk group by definition (as seemingly suggested by the DPA) or whether an objective risk assessment can, in specific cases, support the conclusion of employers lawfully processing their immunity data.

The DPA’s guidance was welcomed by many, as it answers some highly ambiguous questions about the employers’ possibilities, but unfortunately still leaves employers guessing. Whether employers are allowed to process the COVID-19 protection status of office workers, or whether offering benefits (eg additional paid leave) to vaccinated employees would be considered lawful from a data protection point of view, remains to be seen.