In this brief, D’ORNANO PARTNERS’ legal expert in Hungary, Blanka Börzsönyi, is pleased to provide an analysis concerning the processing of employee data in light of the GDPR and recent technological evolution.

 

Privacy in the employment context – New practices in light of the GDPR and changing technologies


25 May 2018, the effective date of EU Regulation 2016/679 (the “GDPR”), brought a new era in privacy-related matters. In addition, recent technological developments affect data processing in such a way that diligent employers – among others – must reconsider their employee data processing practices. To contribute to employers’ awareness regarding the above, we summarize below the focus points that require attention.[1]

 


Legal basis of data processing – Employers beware

Before 25 May 2018, consent was the “most popular” basis of data processing among employers, but now they must beware: under the GDPR, consent must be freely given, specific, informed, and unambiguous. The form of the consent may be a statement or an affirmative action.
In employment relationships generally, it is highly doubtful that consent can be freely given, unless employees can refuse to grant it without consequences. Therefore, employers should consider referring to their legal obligations (e.g., for the purpose of tax calculation), the performance of a contract (e.g., in the case of processing the payment of the salary), or legitimate interest as the legal basis of processing their employees’ data.[2]

 


Core considerations regarding data processing in workplace scenarios

SCENARIO – EMPLOYERS TO MAKE SURE THAT
Monitoring of social media profiles and activity
  • During the recruitment process:
      · the account examined is related to business purposes;
      · data collected and processed would be necessary and relevant for the job applied for; and
      · applicants are not required to “friend” the potential employer.
  • During in-employment screening:
      · profiles are not checked on a generalised basis;
      · employers are not required to grant access to information shared by them;
      · employees are not required to utilise a social media profile provided by the employer (or a “non-work” private account may be maintained).

Processing operations resulting from monitoring ICT usage at the workplace (or the workplace itself)
  • preventive (and not detective) measures are applied;
  • all available additional actions are taken to mitigate or reduce the volume of data processing;
  • acceptable use policies and privacy policies are implemented and communicated;
  • in case of cloud-based office applications (e.g., calendars), employees can designate private spaces which are not accessible to the employers;
  • the requirement of subsidiarity is met;[3]
  • data deriving from the continuous monitoring of the exit and entrance times of the employees (via, e.g., an access control system set up originally to prevent unauthorised access, based on the legitimate interest of the employer) is not used for employee evaluation.
Processing operations resulting from monitoring ICT usage outside the workplace
  • the following technologies are not utilized (as such would be disproportionate) in the case of remote working: logging keystrokes, mouse movements, screen capturing;
  • regarding bring your own device (“BYOD”) solutions, those sections of the device that are used only for private purposes are not accessed by the employer;
  • BYOD solutions include measures to distinguish between private and business use of the device, and business data is securely transferred between the device and the employee’s network;
  • facial recognition techniques are not used in video monitoring systems;
  • using vehicle telematics, where personal use is allowed, an opt-out possibility is offered to the employer (e.g., location tracking can be turned off in special circumstances).


General axis of compliance

  • Data processing must take place under appropriate conditions, and be transparent, lawful, proportionate, necessary, and for a real and present interest.
  • Transparency is ensured through effective communication on the processing, provided to the employees prior to the start of the processing.
  • The fundamental principles of data protection (e.g., proportionality, subsidiarity and data minimisation) must be observed.
  • Consent is unlikely to be accepted as the legal basis of processing in the employment context. Instead, performance of a contract and legitimate interest may be invoked, provided that the requirements set out in the above points are met.

 


Legislation in Hungary

The GDPR is directly applicable in Hungary; therefore, diligent employers must read it together with the Hungarian labour and data protection regime, especially Act I of 2012 on the Labour Code and Act CXII of 2011 on Informational Self-determination and Freedom of Information, prior to, during and after the course of employment.
Modifications to the relevant sectoral acts and regulations are under way; therefore, their status should be followed to gain a complete understanding of data protection issues.


[1] While the conclusions of the 2002 Working Document on the surveillance of electronic communications in the workplace and Opinion 8/2001 on the processing of personal data in the employment context remain valid, the present paper is based on and aims to summarize only consideration points in addition to the foregoing, namely those enshrined in Opinion 2/2017 of the Article 29 Data Protection Working Party.

[2] In this case it is a pre-requisite that the processing is necessary for a legitimate purpose and complies with the generally applicable data protection principles, such as the principle of proportionality and subsidiarity. Compliance with these requirements may be analysed and confirmed by a Data Protection Impact Assessment.

[3] This means, for example, that continuous monitoring should be replaced by the blocking of certain websites (if the latter solution is available).


For further information, please contact Blanka Börzsönyi, Managing Associate in our law firm in Hungary.
