In April 2019 – almost one year after the EU General Data Protection Regulation (GDPR) entered into force – Parliament adopted a new law amending several sectorial laws concerning the processing of personal data. In particular, the new law has amended the Labour Code's general provisions on the processing of employee data.
Since employers must process their employees' personal data, efforts to comply with the GDPR led to uncertainty for many practitioners. This was particularly true in Hungary, where parts of the existing national regulation did not align with the GDPR.
The new law aims to provide clarity in these areas and has amended the Labour Code's general rules. It has also introduced a new chapter which sets out general rules on the handling of employee data. Rather than analysing all of the implications brought about by the new law, this article focuses on three important aspects that will affect most employers.
One of the new general rules sets out that employers may handle employees' personal data insofar as it is necessary for reasons relating to:
- the establishment, performance or termination of the employment relationship; or
- the enforcement of legal claims arising from the employment relationship.
This rule merely defines the general purpose of employers' data processing and does not provide a legal basis therefor. Thus, such legal basis must be established based on Section 6 of the GDPR (lawfulness of processing).
Most employers' data processing activities will likely be based on Articles 6(1)(b)(c) and (f) of the GDPR, which means that processing is usually:
- necessary for the performance of a contract or compliance with a legal obligation; or
- based on the employer's legitimate interests.
An important (albeit minor) clarification is that in accordance with the data minimisation principle, employers may request employees to present certain documents certifying their personal data (eg, qualifications), but cannot make copies of such documents for their records. This conforms with earlier guidelines published by the Hungarian Data Protection Authority (NAIH), which opposed employers' practice of keeping copies of employee identification cards and other documents.
Before the GDPR's entry into force, the control and monitoring of employees during work hours in a manner which restricted their personality rights (eg, image rights, right to privacy or right to freedom of expression) was an accepted practice. However, the Labour Code set out certain guarantees regarding the restriction of personality rights (ie, they could be restricted only if this was deemed necessary for reasons relating to the purpose of an employment relationship and if such restriction was proportionate to achieving its objective). As such, before the GDPR's entry into force, employers had to inform employees in advance of any restrictions affecting their personal rights (typically all monitoring and surveillance measures).
According to the amended laws, employers must now also inform employees in writing about the circumstances supporting the necessity and proportionality of any restrictions of their personality rights.
In practice, this will mean that employers using monitoring or surveillance methods which restrict employees' personality rights (eg, GPS tracking devices, email monitoring or video surveillance) will have to adapt their employee information notices accordingly or ensure that such information is provided to employees in advance.
The new rules also clarify that employees may be checked or monitored only in connection with the performance of their duties and that IT or computer equipment may be used for monitoring purposes. The rules clarify that unless the parties agree otherwise, IT or computer equipment received from the employer may be used only for professional purposes. This provision aims to prevent situations in which employees' right to privacy hinders employers from conducting investigations by accessing the content of devices provided to employees.
The amended Labour Code sets out general rules regarding the handling of employees' sensitive data, such as biometric and criminal data.
According to the new rules, an employee's biometric data may be processed or used to identify the employee only if it is:
- justified because it prevents unauthorised access to objects or data which could affect other parties' lives, health or physical safety; or
- necessary for the protection of other significant interests prescribed by law.
The rules governing the processing of employee criminal records have been heavily debated since the GDPR's entry into force. Before the GDPR, it was widespread practice for employers to request an attestation of clean criminal records from candidates, even where there was no explicit legal provision allowing them to do so.
The NAIH had long since been critical of this practice and stressed that the handling of such data by employers may constitute a disproportionate restriction of employees' right to privacy. This was particularly disturbing when, for example, employers wanted candidates for cashier positions to present a certificate of their clean criminal record despite no explicit provision allowing them to do so.
Although in one of its later opinions the NAIH admitted that employers may have a legitimate interest in processing such data, it may be lawful only insofar as it is authorised by law or a collective agreement providing for appropriate safeguards as per Article 9(2)(b) of the GDPR.
The amended Labour Code allows employers to process employees' or candidates' criminal data to establish if such circumstance does not exclude their employment in a given position. Such an exclusion can be established by law or the employer itself if the employment would jeopardise the employer's significant financial interests or legally protected business secrets.
Employers must establish such ground for exclusion and the related data processing rules in writing.
Although the amendments to the existing rules on the processing of employee data have been eagerly awaited, many practitioners have expressed their disappointment. Specifically, the new rules seem to have addressed the most pressing issues, such as the handling of criminal data, but left several areas unregulated.
At the same time, the general concept behind the current legal framework in data protection is that processors (ie, employers) should develop their own rules to govern their data processing activities. In this sense, these new rules provide a good platform for employers and their advisers to further elaborate their existing policies and practices.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.. Register for a free subscription.