New rules on data processing by employers from spring 2019.
The Hungarian legislator has implemented the employment-related rules of the General Data Protection Regulation (GDPR) of the European Parliament and of the Council into the Labour Code (Mt.). The amendment, which came into force on 26 April 2019, brings significant changes to the data processing rights and obligations of employers.
On general principle, an employee may be asked to make a statement or disclose a certain document only in connection with the employment relationship (conclusion, termination or fulfilment). As a novelty, these data – limited to those necessary for their function – can also be requested by works councils and by trade unions.
The GDPR qualifies an employee’s biometric data (retina scan, fingerprint, portrait etc.) as especially sensitive data and prescribes their strict protection. The employer can process these to identify an employee, e.g. for operating an access control system, only if the data processing is required for protection of life, physical integrity or health as well as of a material interest protected by law. Material interest includes e.g. guarding explosives, chemical or nuclear material as well as property worth over HUF 50 million (approximately EUR 155,215).
The criminal personal data of a job applicant (typically a certificate of good conduct) can only be processed in order to decide whether the applicant’s employment in a chosen job function is restricted or forbidden by law or by the employer’s own decision. The employer may apply such a decision only to protect its significant material interest, a secret protected by law as well as “materials to be especially closely guarded”.
Another novelty is that in the absence of an agreement to the contrary, an employee can use the company’s computing devices exclusively for work purposes. The employer is entitled to check this, and while doing so it can – in a limited time and scope – look into any personal data (e.g. family photos, private Facebook-messages) that may be stored on the device.
To avoid a significant data protection fine and unwelcome employment law consequences, every employer is strongly advised to review their data processing practice and to modify it if necessary.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Act I of 2012 on the Labour Code