On 15 November 2016, the Hungarian Data Protection and Freedom of Information Authority (Hungarian DPA) released a comprehensive guidance about the basic requirements of data processing in the employment context. The guidance summarizes the Hungarian DPA’s current practice concerning the processing of employee data. It covers job applications, fitness checks, whistleblowing, employee monitoring, use of biometric entry systems and investigations.
General employee data processing requirements
The guidance says that the purpose limitation and the necessity of data processing are essential requirements for the processing of employee data. Data processed in the employment context must provide substantive information and be necessary for the establishment, maintenance and termination of employment relationship. Processing purposes must be clearly specified and disclosed to the data subject employees. The fairness of data processing requires the employer to observe the personal – including privacy – rights of the employees.
The guidance confirms that employers may not rely on consent as a legal basis for the processing of employee data – unless the employee has a genuine free choice and is subsequently able to withdraw the consent without detriment. The Hungarian DPA holds the view that this is only rarely the case in the employment context, due the subordinate relationship among the employer and the employee. The employer must therefore rely on other legal bases to process employee data in the employment context, such as a statutory legal basis or the legitimate interest test based on Article 7 (f) of the European Data Protection Directive. If relying on the latter, the employer must define its legitimate interests pursued, conduct the test, document it, and then disclose the legitimate interest test’s result to the employees. The employer must develop its internal by-laws regarding the details of data processing activities based on its legitimate interests and provide proof that the data processing complies with the law. In the context of investigations, the guidance says that the principle of proportionality and the presence of the employee when inspecting his/her e-mails or records might be important safeguards of the data subject employees’ interests.
In relation to data transfers, the guidance confirms that affiliate companies in the same corporate group are “third persons”. Providing to them access to employee data is considered a “data transfer”. Also, generally, the owner of the employer cannot have access to employee data processed by the employer, unless such access is duly legitimized. If the employer cannot legitimize such data transfers by explicit consent – because its voluntary nature may be questioned – the employer must ensure the adequacy of employee data transfers abroad. The guidance says that Privacy Shield is a valid data transfer mechanism to ensure the adequacy of data transfers to the United States.
The employer must provide a privacy notice to its employees about the processing of their data, including the monitoring measures applied. The guidance refers back to the recommendation of the Hungarian DPA released on 9 October 2015, which details the data subject notice requirements. In relation to each processing purpose, the employer must provide information on the scope of persons having access to the employee data.
The guidance says that employee data processing is exempt from registration with the Hungarian DPA if done in the context of any contractual relationship relating to employment, where such data processing is based on statutory provisions. However, the Hungarian DPA has now changed its previous practice relating to job applicants, saying that job applicants’ data processing must be registered with the Hungarian DPA, unless the data is obtained directly from the data subject, is used only for the purpose of the job application and is not disclosed to “third persons.”
The guidance makes it clear that, based on the Hungarian DPA’s interpretation of applicable law requirements, Hungarian laws will apply to the data processing activities of subsidiaries located in other EEA countries and in third countries, if the processed data relates to a Hungarian employment relationship. The Hungarian DPA bases its position on Article 4 (1)(a) of the EU Privacy Directive and the Costeja decision of the EU Court of Justice in Case C‑131/12, extending the scope of he Directive’s application. The Hungarian DPA will deem the data use to occur in Hungary and that local data subjects are affected, such that Hungarian law applies to the processing activities of foreign subsidiaries. This includes also the use of whistleblowing schemes whose operation is extended to Hungary. The Hungarian DPA will not accept the argumentation that such data processing takes place in a third country (e.g. by the head of the corporate group) if data processing occurs in the context of employment in Hungary.
Specific Employee Data Processing Requirements
The guidance also covers several specific data processing activities typically occurring at the workplace. Those are summarized below.
Job applications, fitness and background checks
The guidance states that “anonymous” job advertisements, which do not disclose the employer’s identity, are illegal because the applicant has no information about the identity of the data controller. In its practice, the Hungarian DPA takes the view that the data subject rights of job applicants always prevail over the employer’s interest in remaining anonymous.
Job applications may be stored only until the end of the particular application process and related records (including the application or notes taken by the employer) must be deleted, unless the applicant subsequently consents to the retention of that data for a lawful purpose (such as future job openings). The employer must inform the applicant about the outcome of the job application process.
The guidance also confirms that the employer has the right to check public records of social networking sites for information about job applicants. However, the employer may not save or store the applicant’s social networking profile, check any information disclosed in closed groups on such sites or ask third persons to do so. The employer must provide prior notice to the candidate that it will check social network sites and public activities of an applicant. Information which the employer derives from such sites may be checked or used only if it is relevant in the context of the employment decision.
The employer must transparently inform employees about the purpose of fitness checks, as well as about the scope of personal data processed. If the check is conducted by a third person (e.g. a medical practitioner), then the employer may not access the fitness check records, but may only be told whether the employee is fit or unfit for a particular job position. The Hungarian DPA considers that psychometric and personality tests are prohibited and may be conducted only in an anonymized format.
Relative to criminal background checks, the employer must rely on and accept the criminal record certificate (“Hatósági Erkölcsi Bizonyítvány” in Hungarian) provided by the candidate. (Said certificate does not indicate convictions or past convictions subject to a criminal record exemption.) The employer may not obtain data directly from the criminal register or request the candidate to present a copy of his/her full criminal register records to the employer.
Employee Monitoring
In the context of CCTV surveillance, the guidance confirms that covert monitoring is illegal; use of CCTV must be clearly announced. The employer may not monitor public areas via CCTV. CCTV records generally may be stored for three working days or that period specified by Act CXXXIII of 2005 on Security Services. The employer may keep the CCTV records beyond that period only if it can justify doing so based on the legitimate interest test. The employer must implement detailed by-laws concerning CCTV monitoring and disclose those to the employees.
Monitoring of e-mail must be legitimized by the legitimate interests and the conditions of e-mail checks must be regulated by the employer in detail. In order to secure the legitimate interest and rights of employees, each relevant employee must be informed about and be present when the e-mail check is conducted. The employer may not check the contents of employees’ private e-mails.
If the employer permits the private use of an employer owned laptop, it must provide a separate hard disk partition, because the employer is not authorized to check or image employees’ private files. The employer must secure that private files are excluded from imaging and checks. The employer must implement by-laws stating the details and purposes of checks based on the result of the legitimate interest test.
The monitoring of internet use is permitted on the basis of the legitimate interest test. The monitoring measures should record only the visited website addresses, without recording the activities of the employee on that site. The detailed conditions of internet use monitoring must be specified in internal by-laws of the employer.
Biometric systems
The guidance says that the use of biometric entry systems can be justified only in exceptional cases. Generally, biometric time-recording systems may not be used because less restrictive means / alternatives are available for employee data processing.
Whistleblowing
The Hungarian DPA confirms that adopting a code of conduct is not a precondition to implementing a whistleblowing scheme in Hungary.
The notice about the operation of the whistleblowing scheme must be published in the Hungarian language. However, such publication via an intranet site does not comply with the employee notice requirement.
Data processing through the operation of whistleblowing schemes must be registered with the Hungarian DPA.
*******
The guidance mentions that the entry into force of the General Data Protection Regulation will not cause any substantive changes in the requirements articulated by the Hungarian DPA.
The Hungarian DPA did not set any specific deadline for compliance with the requirements articulated by the notice. Employers can expect that the Hungarian DPA will examine their compliance with data protection requirements. Hungarian employers are therefore strongly advised to review their current privacy practices and check their internal regulations and by-laws for compliance.