Like others around the world, Hungarian companies are introducing measures to avoid and mitigate the coronavirus (COVID-19) epidemic. It is crucial to consider the related data privacy issues and ensure the security of personal data when implementing such measures. Data controllers must provide proper notice to data subjects, including information regarding their rights.
Employers are increasingly delaying or minimizing travel abroad and face-to-face meetings due to the pandemic. In many places, employees are requested to notify their employers about foreign travel in advance, be it personal or business travel. Employers are recording the destination and dates of employee travel in order to ensure the necessary steps are taken in cases where the employee travels to a high-risk area, which may only become apparent retrospectively. In addition, companies are recording their visitors' data, mainly relating to the time of entry and exit, and with whom the visitor met. In the event an infection is established after the visit, such a record will assist in tracing back who came into contact with whom, and in ensuring the affected people can be alerted more easily.
All these measures involve processing the personal data of employees and business partners of the employers. In such cases it is essential to introduce appropriate data privacy policies and to modify how processing activities are recorded.
Companies should prepare a pandemic or contingency plan and implement associated measures to ensure personal data is processed in line with applicable domestic laws and the GDPR. First of all, the specific purpose of the data processing must be defined. In addition, the applicable legal basis for processing the data should also be clarified, which in this case may be the legitimate interest of the data controllers. As the data controller, the company should assess whether the legal basis for processing the data outweighs the data subjects’ rights, freedoms and interests.
It is also important to clarify who the data subjects are and who will have access to their personal information within or outside of the organization. In most cases it will be sufficient to appoint one or two responsible individuals within the organization in order to limit the right of access to those who need it.
Another crucial task is to define the scope of personal data that is collected. The data minimization principle has to be observed in this regard, which means that only data necessary to achieve the purpose of the data processing can be collected and stored. Data controllers also have to establish the security of the personal data processed and the storage periods. The latency period of COVID-19, which according to currently available information is 2 weeks, may serve as a reasonable basis for determining the retention period.
Meeting these data protection requirements calls for careful analysis and planning by companies, involving coordination between a range of different departments such as HR, IT, Legal, and Compliance. Further to the above measures, data controllers must provide data subjects with an adequate privacy notice regarding the data processing activities, including information regarding the data subjects' rights. In some cases, data subjects may exercise their right to object to the processing of their personal data, but data controllers may not be required to take this into account depending on the circumstances.