New Whistleblowing Law Generates New Data Privacy Issues in Hungary
The law takes effect in January, and employers should take heed
By Márton Domokos
From January 2014, a new whistleblowing law—Act CLXV of 2013 on Complaints and Public Interest Disclosure (Whistleblowing Act)—will be introduced for employers and/or their parent companies in Hungary. The new law, which replaces 2009 legislation, will particularly affect the processing of personal data under such procedures and the employers’ disclosure obligations. It also incorporates the practice of NAIH (the Authority for Data Protection and Freedom of Information) on whistleblowing hotlines. However, the new law also creates new data privacy issues, as the practical implementation of some of its provisions remains ambiguous. The key changes and issues are the following.
The whistleblowing system must be based on the employer’s publicly available code of ethics. In addition, the employer must publish on its website—in Hungarian—a detailed description of its procedural rules for whistleblowing. However, the Whistleblowing Act does not provide any practical guidance on the possible limits of such disclosure. Obviously, for confidentiality purposes, employers may be reluctant to disclose their internal rules, so they will have to decide how to draft a code of ethics and the relevant procedural rules that will be accessible to anyone as required by the law, yet remain effective, enforceable and tailored to the company’s activity.
Notification Obligations to the NAIH
Employers now must register their whistleblowing procedure with NAIH in the Data Protection Registry (Adatvédelmi Nyilvántartás). Formerly, this was just a recommendation by the NAIH. As a result, most of the companies decided on staying “under the radar.” The data processing under the whistleblowing hotline can commence only when the registration is made. The NAIH makes the registration within eight days; if it fails to do so, data processing can commence.
Permitted Data Transfers
As regards data transfers, the Whistleblowing Act is very practical: it automatically allows transferring personal data to competent authorities, courts and any entity involved in the investigation. However, the Whistleblowing Act does not define whether this includes authorities that may have competence under extra-territorial laws; e.g., FCPA, UK Bribery Act 2010, so it would be worth regulating the possibility for such transfer, if needed, in the relevant internal rules of the employer. Moreover, personal data can be transferred outside the European Economic Area only if a written data transfer agreement is concluded and personal data is afforded an “adequate level of protection,” as required by EU law. Hungarian legislation does not define what “as required by EU law” includes. In practice, it refers to whether the European Commission has determined that the third country ensures an adequate level of protection, the Safe Harbour principles are applied or an “EU Model Clause” is concluded in respect of the data transfer.
Prohibition on Sensitive Data Processing
The Whistleblowing Act sets forth that no sensitive data may be processed as part of the whistleblowing procedure. This is an absolutely unreasonable restriction—for example, the criminal records of the investigated person may be relevant, and it may also be unavoidable to process data revealing racial, national or ethnic origin, political opinions and any affiliation with political parties, religious or philosophical beliefs in case of the investigation of a discrimination case. Information on the trade-union membership of the people involved may also be necessary to obtain. In addition, personal data concerning sex life may be important in a workplace harassment case, and data on health or addictions could be important to investigate the motives of a reported person.
Employers can refuse to investigate reports of events which became known to the whistleblower more than six months earlier or where the damage in the public interest or justified private interest is not proportionate to the potential restriction of the rights of the persons affected. This six-month “limitation period” may be unreasonable from a practical point of view—even if the employer has the discretion whether to apply it. The typical crimes that are targeted by the whistleblowing systems, like bribery, may remain undisclosed for a longer period of time.
The subjects of the report must be notified of the report—except for information relating to the whistleblower that is treated as confidential—and their data privacy rights and remedies once the investigation commences. The notification may, in exceptional cases, be delayed if the investigation would be jeopardised by the subject being notified promptly. The subject of the report must have the right to provide statements and evidence, also through a lawyer.
Reports must be investigated within 30 days, which can be extended to a maximum of three months in exceptional circumstances where the report is not made anonymously and the whistleblower is notified at the same time. Again, this three-month period may be unreasonably short—especially in more complex cases, which may be reported through a whistleblowing hotline, like in the fields of accounting, internal accounting controls and auditing matters.
Obligations Toward Authorities
The employer must notify the relevant criminal authorities if its investigation concludes that criminal proceedings need to be initiated. Some commentaries interpret this as a “notification obligation” for the employer, which may prevent the proper investigation and resolution in a particular case: employees may not be motivated to cooperate and disclose all facts to the employer because even if they do so, they will still end up in a criminal proceeding. However, the text of the law can be interpreted in a way that it eventually enables the employer to decide at its own discretion about the “need” of a criminal proceeding. Such proceeding may not be necessary, for example, in case of financial crimes, where the reimbursement of the damage and labour-law sanctions could be sufficient punishment for the perpetrator.
The employer must destroy all data relating to the investigation within 60 days if it concludes that the report is baseless or that no action is necessary. Otherwise, it may process data by closing the investigation in a binding and enforceable manner. It is worth noting that the Whistleblowing Act does not regulate the case where data retention may be necessary for a longer term—especially for compliance purposes, archival of documents in official proceedings, etc.
Data Privacy Information
In the whistleblowing procedure, employees must be given clear and detailed privacy information, including the list of the personal data processed, the identification of the data controller(s) and the data processor(s), the duration of the data processing, who can access the data, if there is any data transfer to a third country and the rights and remedies of the relevant persons.
The adoption of the Whistleblowing Act is a significant step because it is likely to enhance the compliant operation of whistleblowing hotlines in Hungary. Nevertheless, certain impractical provisions may be difficult to comply with, and employers need to assess every possible deviation very carefully. If they violate data privacy rules, NAIH can fine them between HUF 100,000 (c. €370) and HUF 10,000,000 (c. €37,037).
Márton Domokos is a lawyer with CMS Cameron McKenna LLP in Budapest. Areas of specialisation: legal advisor for the IT sector, data protection and privacy law, internet law, general commercial contracts, corporate restructuring, mergers and acquisitions. As part of his data privacy and regulatory expertise, Márton has specific knowledge of and continuously monitors the regulatory developments in the field of cloud computing and cookie use in Hungary. Recently, he spent a six-month secondment at the CEE headquarters of a multinational American technology and services conglomerate as a member of the legal department responsible for the region. He can be reached at firstname.lastname@example.org.