Over the last few months, we have seen organizations impose various obligations on their employees, visitors and customers to combat the spread of COVID-19. The underlying measures first began with completed health questionnaires, moved to requiring temperature checks of people entering buildings, along with the installation of thermal cameras at office entrances, and now there are regular blood tests for employees whose presence is essential for business continuity.
How did the Hungarian government strengthen data controllers’ position further?
On May 4, the Hungarian government introduced further provisions in Decree No. 179/2020 that strengthen the legal basis of COVID-19-related data processing operations.
The government decree restricts the protection and rights of data subjects concerning anti-pandemic measures in the following ways:
- Data controllers’ measures under Articles 15 through 22 of the EU General Data Protection Regulation as pertaining to personal data processed for the purpose of preventing, discovering, analyzing and investigating the novel coronavirus and stopping its spread must be suspended until the end of the country’s COVID-19 state of emergency.
- If an individual submits a request for access to erasure, rectification and restriction of the processing of their personal data related to COVID-19 or lodges an objection against the processing of their personal data related to COVID-19, the data controller (i.e., hospitals, government bodies, emergency management offices) is not required to take any steps until the end of the state of emergency.
- The data protection authority and courts can only process complaints submitted now beginning on the first day after the state of emergency ends.
Does the GDPR allow the full suspension of a subject’s access rights?
Article 23 1(e) of the GDPR (Restrictions) enables member states to restrict the scope of the obligations and rights provided for in Articles 12 through 22 if such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard public health.
In some cases, it is realistic that the fulfillment of a subject’s access requests during a pandemic may hinder public health tasks. A hospital or a municipality may be underresourced, and it must allocate people who usually deal with data protection matters to other pandemic-related tasks. However, it is questionable whether suspending the exercise of all types of data protection rights, including in ongoing procedures, for an indefinite period of the state of emergency is proportionate or necessary at all. For example, private companies usually have dedicated privacy resources that regularly handle subjects’ access requests, often via automated processes, so their fulfillment might not require unreasonable efforts from their side. Controversially, the decree states that organizations “must” suspend the measures to be taken concerning access requests; this would mean that even if a company can keep its ordinary course of business in answering requests, it may not legally be able to do so.
Even if the legislator assumed that the engulfment of a subject’s access rights genuinely hindered the fight against COVID-19, less restrictive measures would also be available. The decree could have provided additional time to answer data subjects’ requests or introduce a leniency period in the event of a delay. The total suspension of data subjects’ access rights is debatable because trust and transparency regarding data processing play a key role in the operation of an organization, in particular during the COVID-19 pandemic, and these principles greatly depend on the fulfillment of a subject’s access rights.
How much time does it take to draw up a personalized privacy notice?
The new decree contains other clauses that restrict the rights of data subjects. ontrollers that process data for the purpose of preventing, discovering, analyzing and investigating the COVID-19 virus and stopping its spread no longer need to provide data subjects with personalized information as listed in Articles 13 and 14 of the GDPR. Instead, data controllers are required only to issue a privacy notice that contains the purpose, legal basis and extent of the data processing and to publish this notice electronically so that it is available to the data subject.
The GDPR is clear that data privacy information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. These principles are of utmost importance because the personal data that may be collected to limit and prevent the spread of the virus may be of extremely sensitive nature (e.g., health information and data on family members in the individual’s household), and the processing may have significant consequences (e.g. locking out a contractor with a fever who cannot perform its service as a result). Organizations may also be required to provide health information on request to the competent governmental institutions on those people who are infected or suspected of being infected with COVID-19, together with the same data of their contacts. In these cases, there is a clear imbalance between the data subjects and controllers.
Therefore, individuals must understand what personal data is required from them and what the potential outcome of the processing in question will be. If the privacy notice does not contain information on the above data processing operations, this might lead to a breach of the essential requirement in the transparency guidelines of the former Article 29 Working Party, which provides that individuals “should not be taken by surprise at a later point about the ways in which their personal data has been used.”
Following the two-year GDPR compliance, it may be reasonable to expect every organization to be prepared to draw up at least a privacy notice when it is considering taking up a new data processing operation, such as the installation of thermal cameras.
What will happen once the COVID-19 state of emergency ends?
Access requests and complaints by subjects also provide important insights into the main privacy concerns on COVID-19-related data processing operations. If individuals can freely submit access requests or complaints only when the state of emergency in Hungary ends, organizations will only learn of the key takeaways at a later stage. However, as they may want to maintain their protective measures to prevent a second wave of infections, it is of primary importance that they update their privacy practices in consideration of individuals’ and regulators’ expectations. This is merely another aspect of why it is not necessary to suspend the GDPR in the fight against COVID-19.
Photo by Fusion Medical Animation on Unsplash