Dániel Gera September 20 2017 Intragroup transfers of HR data Schoenherr | Employment & Immigration - Hungary Dániel Gera Employment & Immigration IntroductionEmployee and HR dataGrounds for processing data – employee consentNovelties under GDPRCommentIntroductionWith the EU General Data Protection Regulation (GDPR) (2016/679) set to enter into force, data protection has become a hot topic for businesses throughout the European Union. Companies and enterprises operating in EU member states have made significant efforts to ascertain whether their data processing activities comply with the GDPR and identify areas that need to be revised to ensure compliance.One area in which all businesses – regardless of their size – handle personal data is employment, as all businesses with employees must process their employees' personal data. Unsurprisingly, organisations with legal entities and employees in several EU member states often try to centralise their human resources (HR) functions to some extent, which occasionally requires them to share employee and HR data within their group.As general awareness around personal data protection increases, several companies have faced problems with regard to intragroup transfers of employee and HR data. Although existing Hungarian law provides a stable legal environment with clear rules for employers as data processors, there is a general feeling of uncertainty around this topic, which is partly due to the upcoming changes to the legal framework.This update provides a brief review of the existing Hungarian legal framework governing HR data transfers and the possible future changes following the GDPR's implementation.Employee and HR dataTo assess the legality of intragroup transfers of employee and HR data, it is important to define these concepts and clarify the extent to which they involve the handling of personal data. Under the existing EU Data Protection Directive (95/46/EC) and the relevant Hungarian law (the Information Act), 'personal data' means "information relating to a natural person that can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his… identity".'HR-related data' is a broader concept; it can involve data on the age, qualification and remuneration of a company's staff or certain larger employee groups. Such data – if appropriately collected and anonymised – does not qualify as personal data and therefore does not require the same level of legal protection.Conversely, 'employee data' usually means data pertaining to an identifiable employee with regard to his or her remuneration, performance, age or health, among other things. Therefore, such data may be processed only if the preconditions for processing prescribed by law are fulfilled.The difference between the above concepts is reflected in the Labour Code, which provides that employers are permitted to disclose facts, data and opinion concerning an employee (ie, employee data) to third persons only:in cases specified by law; orwith the employee's consent.However, the Labour Code sets out that data pertaining to employees may be used without their consent for statistical purposes and may be disclosed for statistical use in a manner that precludes the identification of the employees to whom it pertains (ie, HR data).In conclusion, intragroup transfers of HR data do not require employee consent if the data is statistical in nature and no individual employee can be identified from it. However, employees may need to act cautiously when anonymising data, because as soon as the connection between the data and the data subject can be restored (eg, by looking at two parallel databases), employee consent could be required for the intragroup transfer.Notably, in accordance with the Information Act, an intragroup data transfer is fulfilled if personal data is made accessible to other entities within the group, even without an actual physical transfer of the data. Such transfer could, in principle, be performed only with the employee's consent.Grounds for processing data – employee consentHungarian employers' data processing activities must generally comply with both the Information Act and the Labour Code.Under the Information Act, personal data can be processed where:the data subject has consented;it is authorised by law; orthere has been a so-called 'weighing of interests'.The latter ground can constitute a legal ground in situations where obtaining the data subject's consent is impossible, but the data processing is:required for the data processor to comply with its legal obligations; orin the legitimate interests of the data processor or a third party and enforcing these interests is proportionate to the limitation of the data subject's right to privacy.According to the Labour Code, facts, data and opinions concerning employees may be disclosed to third persons only where it is authorised by law or the employee has consented.According to the common interpretation of the two laws, almost all processing of employee data must be authorised by law or the employee.The Article 29 Data Protection Working Party – an advisory body working in close cooperation with the European Commission – has addressed the matter of consent in several of its guidelines.(1)According to the working party, consent should be a freely given specific and informed indication of the data subject's wishes and his or her consent to the processing of the data. The working party pointed out that the freely given nature of consent is questionable in an employment context due to the imbalance between the parties. The working party considers that employees are seldom in a position to provide consent freely. The working party also expressed that data processing may be unlawful if employers seek to legitimise their processing activities through consent that is not freely given.While the working party may be right in believing that employees' consent is not always freely given, an extreme interpretation of this principle could lead to a complete non-acceptance of freely given consent in an employment context. This may lead to a situation in which employers cannot rely on employee consent as a basis for their data processing.This is an undesired outcome. Given that an intragroup transfer of employee data is rarely prescribed by law, under the existing Hungarian legal framework, an extremely strict interpretation of consent could deprive employers of the possibility to legally perform intragroup transfers of employee data.Novelties under GDPRThe GDPR will broaden the legal grounds of data processing and provide additional grounds, such as the legitimate interests of data processors (eg, employers).This is good news for employers as, under the GDPR – on implementing the necessary technical measures – they could renounce employee consent as a ground for undertaking an intragroup transfer and instead use the ground of a legitimate interest. However, as the working party pointed out in one of its most recent opinions,(2) a legitimate interest in itself is insufficient to override employee's rights and freedoms.Article 88 of the GDPR allows EU member states to set out more specific rules regarding the processing of employee personal data in the employment context. The Hungarian legislature has yet to adopt any such regulations and no such regulations appear in the recently published proposal to amend the Information Act with regard to the GDPR.CommentIt seems that further legislation on employee and HR data processing will be necessary, which could include an amendment to the Labour Code. Until such regulations are adopted, employers are advised to act cautiously when using employee consent as a ground for employee or HR data transfers and review their guidelines on employee consent as part of their GDPR preparation.For further information on this topic please contact Dániel Gera at Schoenherr Hungary by telephone (+36 1 8700 700) or email ([email protected]). The Schoenherr website can be accessed atwww.schoenherr.eu.Endnotes(1) Opinion 8/2011 on the processing of personal data in the employment context and Opinion 15/2011 on the definition of consent.(2) Opinion 2/2017 on data processing at work.