The Hungarian parliament has adopted a new package of amendments to various sector-specific laws to ensure their GDPR compliance. This GDPR Omnibus Act affects some 86 sectoral laws and enters into force on 26 April 2019.
The amendments affect a wide range of key sectors and activities, including employment, HR, financial services, commercial and marketing activities, the health sector and the rules on installing CCTV security cameras. The most important legislative changes affect CCTV operations, the processing of health and genetic data, whistleblowing, workplace privacy, employee monitoring, background checks, trading and marketing activities, money laundering and financial institutions.
These legislative changes include:
- Amendments to employment law
- Data protection notices to employees. Employers should inform their employees in a data protection notice of any restriction of their personal rights. Notification may also be made in the workplace using a customary and generally known method (e.g. in writing, or by publication on the intranet or by e-mail).
- No copies. The GDPR Omnibus Act clarifies that employers should take notes on information that has been requested from employees, instead of copying the actual documents.
- Biometric identification. Employers may use biometric identification to prevent unauthorised access to information, if such access seriously or irreversibly jeopardises the life, health or significant interests of individuals (e.g. information regarding classified data, explosives, hazardous substances, assets with a value exceeding HUF 50 million or EUR 160,000).
- Background checks. An employer is permitted to establish exclusion or restriction criteria for a particular position and may process an applicant's criminal record data to verify their background. Such criteria are legitimate only if the position poses a potential threat to the employer's financial interests, involves access to secrets (e.g. trade secrets) or affects significant interests protected by law and defined by the GDPR Omnibus Act (e.g. safe storage of firearms, ammunition, explosives, poisonous, hazardous or biological substances, and nuclear materials).
Employers should inform employees and applicants about background checks and the exclusion or restriction criteria for a particular position in writing, via email, intranet, or a recruitment website.
- Employee monitoring. By default, the GDPR Omnibus Act prohibits employees from using an employer's IT tools (e.g. a computer, telephone, or Wi-Fi network) for private purposes. Employers and employees should explicitly agree on the private use that is permissible. Employers can monitor the work-related activities of employees, including the processing of any related personal data, provided that the HR data protection notice contains all appropriate information on this monitoring and, specifically, on the technical means used. Employers cannot process private data, unless such processing is required to verify compliance with a restriction on the private use of IT tools. The above measure also applies to BYOD (Bring Your Own Device) practices.
Employers are advised to review the employment agreement and introduce provisions for the private use of devices.
- Whistleblowing. The GDPR Omnibus Act clarifies the profile of people who can be classified as whistleblowers. As a new rule, companies are permitted to process sensitive data and personal criminal record data in the reporting system and transfer this information to the employer organisation’s lawyer or an external organisation. Companies should revise their reporting systems, transfer mechanisms and data protection documentation accordingly.
- CCTV and entry systems. Companies using entry systems, security cameras and CCTV must document in their data protection notices the legitimate interest for using these systems, and include detailed specifications of the purpose of the processing (e.g. protection of classified information, storage of dangerous substances). The GDPR Omnibus Act also repeals former restrictions on the data-retention period. Companies can use their own discretion to determine the retention time of the relevant data and recordings, keeping in mind the GDPR’s principle on storage limitation. If access has been made to data or recordings, the company should take minutes on the specific circumstances of each case. Companies must reflect the above changes in their data protection notices and internal security procedures.
- Changes to rules for condominium camera monitoring. Condominium operators must inform people entering and staying in a building of any CCTV use, and include the privacy protection policy and contact details of the operator. When providing copies of the recordings, operators must identify the recorded image, the name of the person authorising the copies, and the reason and time for viewing the data. Condominiums should revise their data protection notices, internal security procedures, and record keeping practices accordingly.
- Health data. Health and personal identification data – including for the promotion of health preservation, improvement and maintenance, and the enforcement of patient rights – may be processed for purposes not prescribed by law with the non-written consent of the affected persons, which makes electronic health services, personalisation and health cloud services easier to maintain.
If additional copies of health data (i.e. after the first copy of the same data has been provided) are requested, the health organisation may levy a fee reflecting the costs of processing. (The details of this fee will be specified in an upcoming ministerial decree.)
- Genetic data. Companies may transfer only anonymised, encoded or pseudonymised genetic samples or data to a third country for human genetic testing. They should also use the appropriate safeguards required by the GDPR (e.g. BCRs, Privacy Shield, EC Model Clauses, etc.). It is not permitted to transfer the coding key. The same applies to importing genetic samples or data. The local health administration should be notified of the transfer of genetic samples and data to a third country, and the transfer should be made in a manner that makes personal identification impossible. Companies should revise their data transfer mechanisms accordingly.
- Direct marketing. Organisations are not entitled to collect and use names and addresses for direct marketing purposes from official public databases of citizens, publicly available databases (e.g. lawfully published official name-and-address registers, phonebooks, directories, statistical lists), or organisations with the same activity. Additionally, organisations must not use the data of clients, supporters or persons with whom they have contact for marketing purposes. Data requests for scientific research, opinion polling and market research purposes are permitted and have not been affected by the Act. The "opt-in" system for direct marketing messages under the Hungarian Advertising Act and the Hungarian e-Commerce Act remains unchanged, as does the legal uncertainty regarding the legal basis for data processing (i.e. consent versus legitimate business interest).
Organisations performing direct marketing, market research or polling activities must revise their marketing operations (for both opt-in and opt-out systems), data protection notices, databases and consent management policies.
- Amendments to money laundering and financial institutions laws
The amendments in the GDPR Omnibus Act stipulate that service providers subject to money laundering legislation may copy personal documents specified by law for the following purposes: preventing and combating money laundering and terrorist financing, fulfilment of obligations under the Money Laundering Act, fulfilment of customer identification obligations and effective supervision of client-monitoring activities. Copies cannot include personal identification numbers.
Financial service providers and other organisations subject to money laundering obligations (e.g. real estate managing enterprises, trusts, auditors, etc.) should revise their document management and copying practices and reflect such changes in their data protection notices and internal documents.
- Customer comment book. When a customer makes a complaint or suggestion in a merchant's customer comment book (vásárlók könyve), the merchant must remove the page containing the complaint or suggestion, keep it in a secure place, and hand it over to the authority if requested.
- Cooperation with local authorities, and procedural changes. A notary of the local government may also assist the Hungarian Authority for Data Protection and Freedom of Information (NAIH) in auditing the data processing operations of a company. The GDPR Omnibus Act increases the NAIH's procedural deadline from 120 days to 150 days. For a first infringement, the NAIH in principle issues a warning; however, this does not exclude the imposition of fines.
For more information on this eAlert and data protection regulations in Hungary, feel free to contact one of the following local CMS experts.