What does this cover?
In October 2015 we reported on the Recommendations of the Hungarian Data Protection Authority (the HDPA), which dealt with the requirements of notices that shall be provided to data subjects prior to the start of processing their personal data. On 8 January 2016 the HDPA published its enforcement priorities for 2016 identifying two areas of focus: (1) the aforementioned data subject notice requirements (2) and data processing relating to anonymous job listings.
Data subject notice requirements
The general principles set out in the Recommendations examine the requirements of notices that shall be provided to data subjects prior to the commencement of processing their personal data. The notice given by the data controller shall:
- be clear: repeating the words of the relevant act is not adequate and the use of everyday wording is suggested;
- be readable and understandable: the notice shall be structured and easy to understand;
- align with the set of concerned data subjects: if in the course of the data processing the set of data subjects can easily be determined, then the notice shall align with the specific requirements of such data subjects;
- not be considered as a disclaimer: the notice itself is not a disclaimer, however, the information therein may have a greater impact on the data subjects’ consent (which is indeed a disclaimer). Should the notice be considered as a disclaimer, its clarity and transparency would be weakened by the details required by law;
- describe unique data processing: the document fulfils its role as a notice if it contains the unique data processing regulations concerning the specific data controller; and
- be available and accessible: the notice shall always be accessible for the data subject at the time when his/her personal data is being collected.
The implementation of the Recommendations will be a priority for the HDPA.
Anonymous job listings
Due to the lack of information available regarding the employer, and therefore the data controller, anonymous job listings are deemed illegal. More weight is given to the rights of the prospective employee as the data subject, than the employer and their preference for anonymity.
To view the HDPA's enforcement priorities, please click here (Hungarian).
For a full analysis of the Recommendations in our November 2015 article on the topic, please click here.
To view the Recommendations, please click here (Hungarian).
What action could be taken to manage risks that may arise from this development?
With the HDPA expressing an intention to focus on these two areas, as per our November alerter, as a data controller, organisations operating in Hungary should ensure they review their data processing notices and make any amendments that are necessary in light of these recommendations. In addition, organisations should ensure that no anonymous job postings are advertised in Hungary.