Significant Amendments to the Hungarian Privacy Act Expected; New Opinion Issued by the Hungarian Data Protection Agency
by Bálint Halász and Ákos Fekete-Győr
The president of the Hungarian National Agency for Data Protection and Freedom of Information, Attila Péterfalvi, has announced that the Hungarian Privacy Act will be significantly amended by the end of June in order to make it consistent with the EU Data Protection Directive, recent European case law and current privacy trends. While the new Hungarian Privacy Act has been in force for more than a year, certain key aspects of Hungarian DP legislation controversially remained unchanged. The agency has also issued a long-awaited opinion on the electronic surveillance of employees.
Péterfalvi delivered a welcome speech at the annual conference of Data Protection Officers in January, giving an overview of the work of the National Agency for Data Protection and Freedom of Information in 2012 before addressing the more exciting topic of amendments to the Privacy Act (Act CXII of 2011) and confirming rumours that significant amendments to the Privacy Act will be put before the Hungarian Parliament. Péterfalvi said that the Parliament is expected to vote on the amendments by the end of June. The amendments will affect core provisions of the Privacy Act, including:
- Harmonisation of grounds for data processing with Article 7 of EU DP Directive (95/46/EC);
- Introduction of new provisions on data transfers will be introduced, including the authorisation of BCRs;
- Introduction of provisions addressing cloud computing;
- Exemptions for small and medium sized enterprises from statutory registration fees;
- Addition of provisions on data breaches will be added, and
- Authorisation of sub-processor appointments by processors.
Opinion on electronic surveillance at workplace
The agency and the previous data protection commissioners have received many queries in relation to electronic surveillance devices at workplaces. Although the previous commissioners issued several relevant opinions on the application of the previous Privacy Act and landmark decisions of the Hungarian Constitutional Court to this topic, there have been significant developments in recent years. The Hungarian Parliament has not only passed a new Privacy Act but also a new Labour Code (Act I of 2012) which itself contains provisions on privacy matters, including the surveillance of employees.
The opinion of the agency on the electronic surveillance of employees addresses four key issues: the legal grounds for employee monitoring, substantive requirements on the use of electronic surveillance devices in the workplace, providing adequate notices to employees and registration and filing requirements.
Legal grounds for employee monitoring
Under the new Labour Code, an employer is entitled to monitor its employees in connection with their employment-related behaviour, something which certainly entails the processing of certain personal data. The Labour Code does not state that the employer is obliged to obtain consent from the employee, and reliance on employee consent may not be valid as per the opinion of the Article 29 Working Party. As set out in their Opinion No 15/2011, there are grounds other than consent contained in Article 7 of the EU DP Directive, which can also be used as a lawful basis for data processing. Furthermore, a CJEU ruling in joined cases C-468/10 and C-469/10 declared that Article 7(f) of the EU DP Directive—which permits processing on the grounds of legitimate interests—must be given direct effect.
The agency has concluded that employee monitoring does not necessarily require employee consent, but certain requirements must be met:
- Employee monitoring is only deemed lawful if it is essential for the fulfilment of a purpose directly related to the aim of the employment;
- The human dignity of the employee must be respected and their private life must not be monitored;
- Employees must be informed in advance about the data processing, and
- The employer must comply with the general principles set out in the Privacy Act, including the requirement of a fair and lawful purpose for data processing.
The new Labour Code provides a framework for lawful employee monitoring, but in any event, details of monitoring must be set out in a separate policy and the monitoring must also comply with principles of accountability and proportionality.
Substantive requirements on the use of electronic surveillance devices in the workplace
The Labour Code does not contain detailed provisions applicable to electronic surveillance devices, such as CCTV. Provisions relating to these devices are contained in the Personal and Property Protection Act (Act CXXXIII of 2005), which also establishes the lawful grounds for the use of electronic surveillance systems and obligatory retention periods. Although the rules of the Personal and Property Protection Act do not cover all aspects of electronic surveillance, the agency will take the act's provisions into consideration until the Labour Code’s provisions are adequately amended.
Employers are obliged to prove that their electronic surveillance systems comply with the requirements of the Privacy Act and in particular that the processing is based on a lawful purpose. CCTV surveillance must not jeopardise human dignity; therefore, cameras cannot be directed at one particular employee and cannot record his activity alone. Furthermore, an electronic surveillance system will be deemed unlawful if it is aimed at influencing employee behaviour in the workplace. CCTV surveillance is not allowed in locker rooms, showers, toilets, medical rooms and similar premises, or in rooms or locations where employees spend their breaks. However, these locations can be lawfully monitored after working hours when not in use by employees.
A camera must only aim at the designated area and only at the premises of the employer. An employer must precisely set out in its policy the purpose of installing each and every camera and the reason for monitoring for each area. It will not be enough for employers to provide employees with general information on electronic surveillance systems.
The general maximum retention period of personal data collected by electronic surveillance systems is three days. In exceptional cases, longer retention periods can be applied, but only if the employer is able to justify that special circumstances require a longer retention period. Only a limited number of staff may have access to personal data, and employers must also set out rules of access to data.
Providing adequate notices to employees
The employer must inform employees in advance about the details of the data processing. Employees must also be provided with certain particular pieces of information, including the legal grounds for data processing, the location of any CCTV cameras, the identities of any staff operating the cameras, the location where recordings are stored, the retention periods, the rights of employees and their available legal remedies.
The employer must be able to prove that employees have been adequately informed, for instance, by requesting employees to sign the notice. New joiners must be informed in a separate document which must be signed along with the employment contract.
An employer must also use visual notices in the workplace to inform employees that CCTV cameras are in operation in the area.
Registration and filing requirements
Although the agency does not keep a register on employee data, the processing of electronic surveillance data triggers a filing requirement if CCTV cameras monitor nonemployees, such as customers or suppliers.