INVENTIO – INVESTITIO – INNOVATIO
DATA PROTECTION NEWSLETTER 2019/1.
AMENDMENTS OF LAWS IN ORDER TO EXECUTE THE DATA PROTECTION REFORM OF THE EU, OR THE FUTURE REGULATION OF DRAFT OF ‘GDPR’ OMNIBUS LAW
Regulation regarding computer and mobile phone use at workplaces and the rules of employers’ data processing in connection with extracts from the penal register are to be amended, as is the legislation on direct marketing activities. Furthermore, laws regarding the retention time of video camera records and laws concerning the sphere of data processed in the course of so-called ‘whistleblowing’ systems are to be modified.
The so-called “GDPR Omnibus Law” submitted before the Parliament concerns 86 specific laws altogether. No proposals shall be filed to the draft legislation, and it will enter into force soon. Therefore, on the basis of the text and reasoning of the bill, we hereby present a summary of the major modifications which could concern our Clients’ everyday activities.
- Amendment of Act I of 2012 on the Labor Code (hereinafter: ‘Labor Code’)
- a) Written notification on the circumstances of restrictions of personality rights
Article 9 (2) of the Labor Code is modified so that, in addition to the previous requirement of prior notification, the legislator now requires the notification to be made in writing, i.e. the means and conditions of any restriction of personality rights, and the expected duration thereof, shall be communicated in writing to the affected employees in advance.
Due to the provisions of the GDPR, Employers have in practice already been informing employees in writing about data processing in workplaces, about the transfer of contact persons’ data and about the rights relating to the camera surveillance operating in the office. Written communication, however, is going to be unavoidable with regard to the legal requirements on the restriction of personality rights; therefore, those who have not yet acted in this way shall do so without delay.
- b) Data disclosure and declarations, which may be requested in order to enforce employer’s claims deriving from the Labor Code.
Provisions regarding data processing are to be regulated in a new, separate chapter titled “Data processing”. From now on, the employer is, further to the previous rules, entitled to request from the employee a declaration or a personal data disclosure which is essential for the enforcement of a claim arising from the Labor Code; in addition, the works councils and trade unions may request the provision of such declarations or such data disclosure.
In such cases, even the presentation of the document may be required (Sub-section (3) of Section 10 of the Labor Code). The Employer shall inform the Employee in writing about these data disclosures, including the data processing regarding aptitude tests in the workplace.
- c) Processing of biometric data for the purpose of employee’s identification
The amendment sets out the feasibility and conditions of processing biometric data as data identifying the employee. Biometric data may be processed in order to identify the affected person if this is required to prevent unauthorized access to any object or data which would cause serious or mass, irreversible harm to the life, physical integrity or health of the employee or of third persons, or would infringe, in the manner specified above, a major legitimate interest protected by law. The amendment specifies the scope of such major interests in full. Such an interest could be, for example, the protection of classified data marked with at least the “Confidential!” classification, or the protection of a particularly considerable amount of value as per the Criminal Code.
- d) Processing of criminal personal data (extract from the penal register)
The Labor Code amendment empowers the employer, in a wider sphere than previously, to process the criminal personal data of the employee for the purpose of examining whether the employer restricts or excludes the employment of such employee in the position. The new regulation is also applicable to a person intending to establish a working relationship; consequently, an extract from the penal register may be requested from a candidate for a position in the cases set forth in the Labor Code and in laws pertaining thereto.
The following provision appears as a new element: the Employer, within the framework of the law, has the right to specify on its own the restricting or excluding conditions pertaining to such a position; however, it shall state the conditions of data processing in writing and in advance.
Nevertheless, pursuant to the decree of the Data Protection Authority (NAIH) dated January 22, 2019 and disclosed on its webpage, nothing hinders the Employer, on the basis of its legitimate interest and following a prior interest assessment, from accessing the extract from the penal register and ascertaining its content, in the event that the lawful interest of the employer has higher priority than the employee’s right to the protection of personal data. However, the given extract shall not be copied in this case either. The decree is available in detail at the following link:
- e) The use of company computer, laptop, phone and further IT equipment at workplaces
The Labor Code amendment provides that the IT equipment provided for work by the employer may, unless agreed otherwise, be used by the employee exclusively in order to fulfil the working relationship. In the course of its monitoring, the employer may have access to data stored on the IT equipment that relate to the fulfilment of the working relationship. This provision shall also apply where the employee uses his or her own IT equipment in the fulfilment of the working relationship.
Regardless of the obligatory application of the GDPR (as from May 25, 2018), it was already reasonable to set out the rules on the use of the company’s IT equipment (PC, laptop, mobile phone, tablet, GPS etc.) in an internal policy or in an order of the employer; once the new regulation enters into force, however, this will be unavoidable. In the absence of such regulation, this equipment shall not be used for private purposes, therefore children’s graduation photos or holiday pictures cannot be lawfully stored thereon.
- f) The written form of SharePoint, Intranet and other similar pages
The new Labor Code supplements the provisions regarding the written form so that, in the future, a declaration shall also be considered as written if it is published by means considered customary and commonly known in the area.
Accordingly, if the Employer publishes the newest regulation regarding camera surveillance on an internal intranet page, and that intranet page is known to employees and often and easily used by them, then it is not necessary to print each copy and hand it over to the employee; it is adequate if the regulation is uploaded to the intranet. Naturally, it is necessary in this case as well that the Employee acknowledges the communication, for example by ticking a check-box or filling out a test with multiple-choice questions.
- Amendment of Act CXIX of 1995 on the use of name and address information serving the purposes of research and direct marketing
In harmony with the provisions of GDPR Preamble 47, the processing of personal data for direct marketing purposes may be considered as data processing based on legitimate interest; the processing of personal data related to direct marketing may therefore rely on the legal ground of Point f) of Sub-section (1) of Article 6 of the GDPR. The amendment of the present Act repeals the previous provisions regarding direct marketing, therefore data processors may ground their processes on the provisions of the GDPR. However, it is recommended to carry out an interest assessment prior to the commencement of data processing, in harmony with the related data protection recommendations.
- Amendment of Act CXXXIII of 2005 on security services and on the activities of private investigators
Several detailed rules concerning electronic surveillance and entrance control systems have been repealed by the legislator. The deadlines regarding the retention time of the records were abrogated, thus it is no longer strictly necessary to destroy the records after 3 working days; furthermore, the exhaustive list setting out the purposes (areas) for which a surveillance system could be applied was abrogated. The amendment, however, sets forth some provisions with regard to the content and form of the protocol prepared in the course of operating an electronic surveillance system.
In practice this means, for example, that the Data processor shall conduct an interest assessment prior to the application of a camera surveillance system, and shall make its own decisions about the application of the system, the purpose of data processing, the retention time of records and the access thereto on the basis of the results of that assessment. It is reasonable to settle all of these in a uniform internal policy.
The legislator deleted the provisions regarding the consent of the natural person from the assessment of the legal basis of electronic surveillance systems, thereby allowing the operator of an electronic surveillance system to process data on the basis of legitimate interest, in accordance with the relevant authority recommendations and practice.
It is relevant that in the future the security guard may apply an electronic surveillance system exclusively in private areas; however, the amendment has repealed the provisions which had considered the security guard a data processor during its security activity or when operating a remote monitoring system or a safety technology system aimed at data and IT protection.
- Amendment of Act CLXV of 2013 on complaints and general interest notifications
Due to the termination of the data protection register, whistleblowing systems no longer need to be notified to the Data Protection Authority, therefore this requirement has been abrogated from the new regulation. It is an important modification that the operator of the whistleblowing system is, contrary to the prior regulation, entitled to process sensitive data and criminal personal data. In practice, the operator of the whistleblowing system has already been processing such data, because e.g. a notification about sexual abuse at the workplace could have contained such data. Until now the regulation prohibited the processing of sensitive data, while the operator of the whistleblowing system cannot affect the content of the notification, so the clarification of the law was well-founded.
- Amendment of Act XLVII of 1997 on processing and protection of health data and personal data in relation thereto
It is an important and essential modification that, in harmony with the GDPR, no written consent is needed for processing health data in the future. Consent is still needed, however: it shall be based on adequate information, shall be given voluntarily, shall contain an unequivocally expressed intent, and the declaration shall be made in a satisfactorily justifiable way.
In the amendment of the present act, the Hungarian legislator supplements the GDPR definition of health data and brings the cause and circumstances of death of the deceased person within the scope of health data, thus these qualify as personal health data.
Personal data serving to identify the subject of health data are furthermore qualified as personal identification data, which the data processor controls together with the health data, as a part of the health documentation, for a purpose identical therewith or inseparable therefrom.
The processor of the health data shall provide access thereto and shall issue one copy of the personal data free of charge; however, it may demand a fee for further copies, the amount of which will be regulated by a ministerial order.
It is of high importance for our Office that our Clients are provided with appropriate, up-to-date information about the amendments of laws concerning them.
Thus we have highlighted above the modifications of the ’GDPR Omnibus Law’ which, in our opinion, are most relevant for our clients; we did not cover every single amendment. The bill and the reasoning of the ’GDPR Omnibus Law’ are accessible from the link below: https://www.parlament.hu/irom41/04479/04479.pdf
In case any questions have arisen in connection with the above newsletter, or you have any questions with regard to any laws relating to data protection, please do not hesitate to contact Germus and Partners Attorneys-at-Law, which has wide expertise and theoretical and practical experience in the area of data protection law and is able to elaborate practice- and client-oriented solutions.
The above information is exclusively informative and cannot be considered legal advice provided by Germus and Partners Attorneys-at-Law or any attorney or trainee lawyer thereof.
You can contact us at the below e-mail at any time, we are at your kind disposal: email@example.com