Hungary's Authority for Data Protection and Freedom of Information (NAIH) has just handed down two decisions on the processing of data for criminal checks and biometric information vis-à-vis the EU's General Data Protection Regulation (GDPR). According to legal analysts, these interpretations answer questions that have been debated in Hungary ever since the GDPR's implementation in 2018.

Criminal checks must be based on legal obligation or legitimate interest

The NAIH passed a ruling on the legality of conducting criminal-record checks on individuals. In Hungary, employers can check someone’s criminal background by requesting a “certificate of clean criminal record” (erkölcsi bizonyítvány), which is an official public document that is authentic for 90 days after its issuance. With the passage of the GDPR, it was uncertain whether employers could request these certificates.

The NAIH, however, recently confirmed that these records can be obtained only in the following situations:

• For certain sensitive jobs (e.g. public services, childcare), sector-specific laws authorise the generation of these certificates, with the relevant laws listed on the official request forms. In this situation, the legal basis for generating these certificates can be found in Article 6 (1) c) of the GDPR, which allows for such data processing when a data controller must comply with a legal obligation.

• In other cases, employers must prove that it is in their legitimate interest to receive a clean criminal record certificate on an employee in accordance with Article 6 (1) f) of the GDPR. The NAIH confirms that Act XLVII of 2009 on the Registration System of Criminal and Biometric Data serves as the authorisation for this under Article 9 (2) b) of the GDPR.

If a company decides to request such certificates from applicants and employees, this must be reflected in its data protection notices, which must include justification by way of a legitimate-interest test. Employers, for example, may request such certificates if a given job requires specific confidentiality requirements or is a sensitive financial position. The NAIH emphasises that employers must not make copies of these certificates. Also, a company's previous routines and privacy notices must be checked to make sure they fall in line with this new interpretation.

Biometric access control systems in the workplace

The NAIH also reviewed whether employers can use biometric access control systems, and decided that employee consent for the use of such systems can be considered a legal basis for accessing them only in very exceptional circumstances (i.e. if the employees can deny such consent without any consequences or retaliation). Before processing biometric data, employers must prove their legitimate interest, and identify a legal basis under Article 9 (2) of the GDPR. Healthcare organisations, for example, may use biometric access control systems in their laboratories if the public health risk of their research justifies it. In this case, however, the NAIH emphasises the importance of conducting a data protection impact assessment and determining if security measures are adequate (e.g. biometric data must be stored on an employee's entry card, and not in a central database).

Organisations that intend to process biometric data should include this fact in their data protection notices and check that their data storage procedures are consistent with the new guidance.