In this brief, D’ORNANO PARTNERS’ legal expert in Hungary, Blanka Börzsönyi, is pleased to provide an analysis concerning the processing of employee data in light of the GDPR and recent technological evolution.
Privacy in the employment context – New practices in light of the GDPR and changing technologies
25 May 2018, the effective date of EU Regulation 2016/679 (the “GDPR”), brought a new era in privacy-related matters. In addition, recent technological developments impact data processing in such a way that diligent employers, among others, must reconsider their employee data processing practices. To contribute to employers’ awareness of the above, we summarize below the focus points that require attention.
Legal basis of data processing – Employers beware
Before 25 May 2018, consent was the “most popular” basis of data processing among employers, but now they must beware: under the GDPR, consent must be freely given, specific, informed, and unambiguous. The form of the consent may be a statement or an affirmative action.
In employment relationships generally, it is highly doubtful that consent can be freely given, unless employees can refuse to grant it without consequences. Therefore, employers should consider referring to their legal obligations (e.g., for the purpose of tax calculation), the performance of a contract (e.g., in the case of processing the payment of the salary), or legitimate interest as the legal basis of processing their employees’ data.
Core considerations regarding data processing in work scenarios
| SCENARIO | EMPLOYERS TO MAKE SURE THAT |
|---|---|
| Monitoring of social media profiles and activity | · the account examined is related to business purposes;<br>· data collected and processed would be necessary and relevant for the job applied for; and<br>· applicants are not required to “friend” the potential employer.<br>· profiles are not checked on a generalised basis;<br>· employees are not required to grant access to information shared by them;<br>· employees are not required to utilise a social media profile provided by the employer (or a “non-work” private account may be maintained). |
| Processing operations resulting from monitoring ICT usage at the workplace (or the workplace itself) | |
| Processing operations resulting from monitoring ICT usage outside the workplace | |
General axis of compliance
- Data processing must take place under appropriate conditions and be transparent, lawful, proportionate, and necessary for a real and present interest.
- Transparency is ensured through effective communication on the processing, provided to the employees prior to the start of the processing.
- The fundamental principles of data protection (e.g., proportionality, subsidiarity and data minimisation) must be kept.
- Consent is unlikely to be accepted as the legal basis of processing in the employment context. Instead, performance of a contract and legitimate interest may be invoked, provided that the requirements set out in the points above are met.
Legislation in Hungary
The GDPR is directly applicable in Hungary; therefore, diligent employers must read it together with the Hungarian labour and data protection regime, especially Act I of 2012 on the Labour Code and Act CXII of 2011 on Informational Self-determination and Freedom of Information, prior to, during and after the course of employment.
Modifications to the relevant sectoral acts and regulations are under way; therefore, their status should be followed to gain a complete understanding of data protection issues.
 While the conclusions of the 2002 Working Document on the surveillance of electronic communications in the workplace and Opinion 8/2001 on the processing of personal data in the employment context remain valid, the present paper is based on and aims to summarize only consideration points in addition to the foregoing, namely those enshrined in Opinion 2/2017 of the Article 29 Data Protection Working Party.
 In this case it is a pre-requisite that the processing is necessary for a legitimate purpose and complies with the generally applicable data protection principles, such as the principle of proportionality and subsidiarity. Compliance with these requirements may be analysed and confirmed by a Data Protection Impact Assessment.
 This means, for example, that continuous monitoring should be replaced by the blocking of certain websites (if the latter solution is available).
For further information, please contact Blanka Börzsönyi, Managing Associate in our law firm in Hungary.