Due to the GDPR, the Hungarian Parliament passed a law on 1 April concerning changes to a number of acts containing data protection provisions. The Hungarian Labour Code is one of the laws that has been changed. The new law is expected to be published soon and its rules, which affect quite a number of data controllers, will become applicable on the 15th day following their publication. It can be expected that the new rules will become effective around 1 May.
Below follows a summary of the major changes to the Labour Code.
Processing of employees’ biometric data
Under the Act, an employee’s biometric data may be processed for the purposes of identification of the individual if this is necessary for the prevention of obtaining unauthorized access to an asset or data which would threaten in a serious or massive way with an irreversible
- a) harm to the employee’s or someone else’s life, physical integrity or health; or
- b) infringement of a considerable interest protected by an act of law.
Considerable protected interests are, in particular, as follows:
- a) the interest to protect qualified data classified at least as “Confidential”;
- b) the interest to store guns and explosives in a safe way;
- c) the interest to store poisonous or hazardous chemicals and biological substances in a safe way;
- d) the interest to store nuclear substances in a safe way; and
- e) the interest to keep assets with a value of more than HUF 50 million (about EUR 155,000) in a safe way.
Since the Act uses the term "in particular", the above list is not exhaustive.
Based on the above, and also taking into account the reasoning attached to the Act, in the absence of the above conditions it is a question of whether the employee’s consent may exceptionally serve as a valid legal basis for the processing of the employees’ biometric data if, for example, the employer makes sure that the employees may freely choose out of the options to use the electronic entry system either by way of using an electronic card or a biometric scanner. Pursuant to the Hungarian Data Protection Authority's practice so far, the employee’s consent may exceptionally serve as a valid legal basis for such processing, provided that the employee suffers no sanction of any kind if he/she chooses the use of an electronic card instead of biometric identification.
Things to consider:
The employer that processes the biometric data of employees has to review the processing to see if it can be maintained or if there is a need to modify the practice. (This applies even if the Act had not been adopted, provided that this issue was not dealt with before.) Furthermore, employers that intend to process the biometric data of employees will need to proceed in light of the above.
Processing of the employees’ criminal data
Based on the Act, the employer may process the criminal data of the employee, or the person wishing to enter into an employment agreement with the employer, for the purposes of examining if an act of law or the employer does not restrict or prohibit the employment of the relevant person in the respective filled position or wished to be filled position.
The employer may set a restrictive or prohibitive condition if the employment of the relevant person in the respective position would pose a risk to:
- a) the employer’s considerable monetary interest;
- b) secrets protected by law; or
- c) the safe storage of guns, explosives, poisonous or hazardous chemicals, biological substances and nuclear substances.
The employer has to determine in writing in advance the restrictive or prohibitive condition serving as a basis for the processing of criminal data as well as the conditions for the processing of such data.
It is worth noting that pursuant to the relevant practice of the Hungarian Data Protection Authority, even if a criminal certificate may be processed, employers may only require employees to show them the criminal certificate but they may not make a copy of the document. The reason for this is that “the copy made of the criminal certificate does not prove that it is a certified copy of a valid, authority-issued public deed, thus, a copy is not suitable to prove that the data it contains are authentic data… The making of a copy and the keeping of it is not necessary for proving a clean criminal record in the context of the respective job, thus, there is no lawful purpose for the practice of making a copy of authority-issued criminal certificates.”
In our view, the authority will most probably uphold its practice as described above.
Things to consider:
The employer that processes the criminal data of employees has to review the processing to see if it can be maintained or if there is a need to modify the practice. (This applies even if the Act had not been adopted, provided that this issue was not dealt with before.) Furthermore, the employer that intends to process the criminal data of employees will need to proceed in light of the above.
Use of IT devices by employees
An employee’s behaviour linked to his/her employment may be surveilled and the employer may also use information technology devices for such purpose. The employer has to inform the employees of the use of such devices in writing in advance. Pursuant to the Act, unless the parties agree otherwise, the employee may only use the devices the employer has provided to him/her for the purposes of work.
During an inspection by the employer, the employer may only have access to such data stored on the devices used for the purposes of work, which are related to the work. This applies even if, based on the parties’ agreement, the employee uses his/her own devices for the purposes of work.
Things to consider:
The employer that applies a policy concerning the use of IT devices has to review the processing activity to see if it can be maintained or if there is a need to modify the practice. (This applies even if the Act had not been adopted, provided that this issue was not dealt with before.)Furthermore, the employer that applies no such policy is advised to prepare one.