Zoltán Balázs Kovács prepared a summary of the opinion paper of the Hungarian Data Protection Authority (DPA) issued on 10 March 2020 on some of the data protection implications of the situation caused by the pandemic, in the context of employment. Also, you will find below some thoughts about working from home (“home office”) and a brief summary of the Governmental Decrees aiming at mitigating the consequences of the pandemic, including the amendment of the Labour Code.
Employers have to face a number of issues in the current situation, some of which have data protection implications. Below you will find a brief summary, in a Q&A format, of the data protection issues that typically arise as a result of the pandemic.
With regard to question no. I below, we will discuss the content of the information paper issued by the Hungarian data protection authority on this subject a few days ago, and will then briefly address those data protection issues related to working at home (“home office”), which can be regarded as the main issues. Also, you can read below a summary of the amendment of the Labour Code, also due to the pandemic.
I. Employer’s measures (posting questionnaires, body temperature monitoring) with regard to employees, persons doing work under a contractual relationship and customers, visitors
1. Will personal data (special personal data) be processed if the employer performs a body temperature check or orders the filling out of questionnaires on the symptoms of e.g. individual workers or on the countries they have visited in the past?
Yes. In view of this, it is important to comply with the relevant data protection requirements. The processing of personal data can only be justified if the legitimate purpose cannot be achieved without data processing, and it is always necessary to examine whether the purpose of the processing can be achieved in a less restrictive way. If data processing is necessary, the exact purpose and legal basis of the processing have to be determined. It should also be taken into account that only data that is strictly necessary to achieve this objective may be processed. It is also important that the employer provides data subjects with adequate information about the processing and ensures the security of the data.
2. What does the above mean in practice?
Before starting the processing, the employer is obliged to identify the purpose of the processing, which in this case is to maintain a safe and healthy work environment. (It should be noted that maintaining a safe work environment is the employer's legal obligation.) The data protection authority specifies the legitimate interest of the employer (Article 6 (1) (f) of the GDPR) as the legal basis of data processing, in which case a so-called “balancing test” must be prepared before processing. The balancing test is to demonstrate why the employer's legitimate interest pursued by the data processing takes precedence over the data subjects’ personal rights. In view of the fact that health data would also be processed, a legal basis out of those in Article 9 of the GDPR must also be specified (see questions 5 and 7 below).
In addition to identifying the purpose and legal basis of the processing and carrying out the balancing test, the employer is required to provide the information as required by Article 13 of the GDPR (e.g. to employees).
Ensuring data security means that an adequate level of both physical and IT security has to be ensured. The "appropriate level" is not defined in law and must always be designed according to the nature of the processing and the risks posed by the processing.
3. What measures can the employer be expected to take in the current situation according to the Data Protection Authority?
- Preparation of a pandemic (business continuity) plan (in which it is proposed to address the following issues: presentation of measures to reduce risk, measures to be taken when infection occurs, prior analysis of the data protection risks of the measures used, settlement of responsibilities within the organisation, description of communication channels for information, reporting to the designated person of any suspected contact with coronavirus and calling an occupational doctor or general practitioner);
- Drawing up an information notice containing the most important information on the coronavirus and making it available to the employees (characteristics of infection, how it is spread, incubation period, symptoms, prevention, list of things to do in case of detection of symptoms);
- Reorganising business trips, providing opportunities to work from home.
4. What can an employer do if an employee reports any potential exposure to the virus?
The employer may record (i) the date of notification, (ii) the name of the employee concerned, (iii) the fact that the place and time of the trip abroad, including for private purposes, coincide with the countries listed in the employer's information paper, (iv) the fact of contact with a person coming from a designated risk area and (v) the measures taken by the employer (e.g. providing for a doctor's appointment, the granting of a voluntary home quarantine).
For the above circle of data, the authority also considers it acceptable to have the employees fill in questionnaires where the employer concludes, on the basis of the prior risk assessment, that this method restricts the privacy of the employees in a necessary and proportionate way. At the same time, the authority draws attention to the fact that the questionnaire may not contain data on the health history of the data subject, nor may the employer require the submission of medical records.
5. What is the legal basis of the processing referred to in question 4 above?
In the authority’s view, in the case of an employer operating in the private sector, the legal basis of the processing is the legitimate interest of the employer (Article 6 (1) (f) of the GDPR) and Article 9 (2) b) of the GDPR (since the employer's obligation under labour law is to ensure healthy and safe work conditions for the workers).
6. Can the employer order a body temperature check for all employees?
The authority does not consider it proportionate to order a screening test carried out by means of a diagnostic device in a general way, given that the collection and evaluation of the information concerning the symptoms of the coronavirus is the responsibility of healthcare professionals and authorities.
7. Is it possible to use another legal basis for data processing?
In the authority's view, where, on the basis of the employee’s notification or on the basis of a risk analysis carried out by the employer, the employer considers it essential to carry out the processing in respect of certain jobs that are specifically exposed to the virus, the employer may rely on Article 6 (1) f) of the GDPR (legitimate interest of the employer) and simultaneously on Article 9 (2) h) of the GDPR (“processing is necessary for the purposes of preventive or occupational medicine”), in which case the employer may order a health inspection only by a health professional. In this case, the employer may have access only to the result of the inspection.
8. Is the employee obliged to inform the employer if he/she is aware of a health risk to the workplace or other workers?
In the authority's view, it follows from the obligation to cooperate and the principle of good faith and decency that there is a general obligation to provide information.
9. What about non-workers (e.g. visitors, customers)?
The authority underlines the obligation to pay close attention to the assessment of data protection risks in advance, to inform the data subjects as per the GDPR and to ensure that detailed information is drawn up and made available to the data subjects, which contains the most important information on the coronavirus and an explicit warning to the visitors to indicate before entry if they may have had any previous contact with the virus. As regards the legal basis for data processing, in the authority’s view, the legal bases as per questions 5 and 7 above apply.
II. Working from home (Home office)
It is important that the employer has certain policies in place (even in the absence of any working from home), such as a security policy, device use policy, incident (data breach) policy, etc., which have been duly published at the workplace.
What should the employer pay attention to from a data protection point of view when allowing or ordering work from home?
The main issue in such cases is the maintenance of data security (requiring the level of IT and physical security as required by the employer), including the following:
- the use of strong passwords on the devices used for work, as required by the employer,
- the use of encryption in respect of documents stored on the devices or sent by email, to the extent required by the employer,
- if the employee connects to the Internet from home via Wi-Fi, the use of a strong Wi-Fi password as required by the employer or the use of a VPN with strong end-to-end encryption,
- the use only of software that has been authorized by the employer (e.g. operating system, antivirus, firewall) and for which manufacturer support is available,
- the devices are used exclusively by the employee and no other person has access to them,
- the use of multi-step authentication to enter the employer's system,
- if a security incident occurs, the employee must immediately inform the employer so that the employer can assess whether a data breach has occurred and take the necessary measures as soon as possible (in accordance with the employer's (data protection) incident policy),
- the apartment where the home office is located must have an adequate level of physical security (entry phone, security lock, and, if appropriate, alarm) and, where appropriate, a fire-proof safe in which confidential paper-based documents are to be placed.
It is important that the employer should enforce as many of the requirements as possible by way of IT settings (e.g. if the password is not strong enough, the employee will not be able to use the employer's system).
III. Summary of the relevant provisions of Government Decree 47/2020 (“Decree”) aimed at mitigating the economic consequences of the coronavirus pandemic
1. Payment moratorium for credits and loans
In case of credit, loan and financial leasing agreements that are concluded with creditors providing such services regularly as their business (i.e. financial institutions), the debtors are entitled to a payment moratorium for their obligations during the term of the state of emergency declared by the Government. The moratorium currently ends on December 31, 2020, unless it is extended by the Government.
Further detailed rules can be expected from the Government in connection with the technicalities of the Decree and it is likely that the Hungarian National Bank will also issue guidelines or detailed rules governing this. It can also be expected that the financial institutions will share their view on this and may contact their customers regarding how the payment moratorium will actually work.
2. Modifications concerning social contributions related to wages
According to the Decree, in the industries of tourism, hospitality, entertainment, lottery, film, performing arts, event management and sports, employers are exempt from certain social contributions related to the payment of wages.
3. Modifications concerning the application of the Labour Code
The below provisions of the Labour Code are amended for the duration of the state of emergency plus 30 days:
(i) the employer has more flexibility in modifying the work schedule (in Hungarian: “munkaidő-beosztás”) even after it was disclosed to the employees;
(ii) the employer can unilaterally order the employee to work from home;
(iii) the employer may carry out reasonable and necessary measures in order to safeguard the health of employees.
4. Deviation from the Labour Code
By way of agreement, the employer and the employee may deviate from the provisions of the Labour Code. Under the wording of the Decree, we understand that a deviation is only possible (even to the detriment of the employee) if the deviation is justified by compliance with the prohibitions and restrictions in the current state of emergency. Also, the agreement on any such deviation will only be effective for a period of 30 days following the end of the state of emergency.
IV. Additional measures aimed at mitigating the economic consequences of the coronavirus pandemic
The Hungarian Government issued additional decrees on 23 March 2020 on further measures aimed at mitigating the negative consequences. These measures are as follows:
(i) certain further small businesses will be exempted from the “KATA” flat tax payment obligation (e.g. hairdressers, artists, etc.) until June 30, 2020;
(ii) a deferral of the “KATA” tax debts incurred before March 1. It will be sufficient to pay such taxes in the quarter following the end of the state of emergency;
(iii) similarly to the tourism and hospitality industries, Hungarian media service providers will be exempt from certain tax burdens, to compensate for their loss of advertising revenues;
(iv) evictions and seizures are suspended;
(v) tax executions are also suspended and it will be sufficient to pay the existing tax debts after the end of the emergency period;
(vi) the extension of certain childcare entitlements (“GYES”, “GYET”, “GYED”) which would expire during the emergency period. Mothers are kept in their current status for the duration of the emergency period.
The above content does not constitute legal advice; it merely provides a general summary of the above issues and some of their legal aspects.