Hungary: Comprehensive and strict guidance on workplace privacy

NAIH, Hungary’s Authority for Data Protection and Freedom of Information, issued a new, comprehensive guidance on the general requirements of workplace data processing. The 41 page guidance provides detailed insight on NAIH’s approach to the most common employment-related data processing operations. NAIH’s guidance is not only stricter than EU standards but also repeals some practices commonly used in Hungary.

It is of primary importance that companies update their existing privacy consents, policies and practices in light of this new guidance. NAIH constantly reviews companies’ international data transfer mechanisms in workplace relations in Hungary and companies in violation may face severe fines and penalties. NAIH also emphasises that the approach outlined in this guidance will remain the same even after the General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018.

The guidance regulates the following main topics:

• Permitted data processing purposes in the workplace. NAIH declares that it does not consider employees’ consent to data processing to be a sufficient legal basis because such consent cannot be voluntary. Therefore, companies must seek a different legal basis for collecting and using employee data. They must also redraft their privacy consents and policies accordingly. When relying on their own legitimate interests as the legal basis for data processing, employers should conduct and document a so-called “balancing test”.
• Applicable law for parent companies’ activities. NAIH states that if a Hungarian employer carries out the same or similar activities as its parent company, Hungarian rules will apply to data processing performed by the parent company (for example, data processed under whistleblowing systems operated by parent companies).
• Employee data transfers. NAIH also emphasizes that – in its opinion – exercising parent companies’ ownership rights does not require the transfer of employees’ personal data. This means that employers must find a proper legal basis for all transfers and indicate it in their privacy policies. NAIH also expects employers to transfer employees’ personal data only to those third countries that provide adequate protection, or if the employer ensures such protection by entering into EU Model Clauses or Binding Corporate Rules or by relying on the Privacy Shield.
• Privacy notices and NAIH registrations. NAIH also provides detailed rules on the expected contents of workplace privacy notices, in accordance with its former guidance on this, and clarifies which data processing operations are subject to mandatory registration with NAIH.
• Specific workplace data processing operations and employee monitoring. NAIH also provides guidance on the assessment of specific data processing operations, such as handling job applications, workplace tests, social media and background checks. In addition, its guidance analyses issues related to employee monitoring, such as the use of CCTV, company email, company laptops, internet, GPS, biometrics and whistleblowing systems.

For more information on how this new NAIH guidance affects your business, please contact us.