Since the GDPR has come into effect last year, we studied the impact of the European Union’s data protection reform to workplace data protection several times on our blog. In April, the Parliament passed a law setting out a number of modalities to implement GDPR.
According to the amendment of the Labour Code from April, the employer may require an employee to make a statement or to disclose personal data only if such is deemed necessary for the conclusion, fulfilment or cessation (termination) of the employment relationship or for the enforcement of claims based on the Labour Code. As a result of the amendment, the prohibition that making a statement or disclosing information should not violate the employee’s personal rights has been deleted.
Under the new regulations, the employer is required to inform the employee in writing of the processing of personal data – such notification may be done via publishing the information by means considered customary for and commonly known at the workplace.
Processing of criminal records
GDPR enables processing of personal data related to criminal history only if expressly provided for by Member State legislation. So far, this has been regulated in Hungarian legislation rather narrowly, excluding almost all jobs from the investigation of criminal records.
Under the new regulation, the criminal records of an employee or prospective employee may be processed by the employer for the purpose of examining whether criteria limiting or excluding a certain position to be filled by the employee are met. Such conditions may be specified by law or by the employer; but the latter is entitled to do so only if it is necessary for the purpose of
- securing classified information protected by law
- protection of significant economic interests of the employer
- safeguarding of firearms, ammunition, explosives,
- safeguarding of toxic or dangerous chemical or biological agents,
- safeguarding of nuclear materials.
These exceptions allow the employer to require a certificate of criminal record to a much wider extent than under the previous regulations based on exhaustive job listings as ‘protection of significant economic interest of the employer’ may require such measures in case of hiring a CFO; a chief accountant; a purchasing manager; or even a warehouse keeper or a cashier.
Employers shall specify restrictive or prohibitive criteria for filling any vacancy that justify the processing of criminal data in advance and in writing. In particular, employers shall specify vacancies for which they may require the presentation of criminal records and for all such vacancies, a legitimate interest opinion shall be prepared that considers legitimate interests of the employer against the fundamental rights and freedoms of employees.
Inspection of employees
The use of a camera surveillance system has been a common practice to inspect employees for the purposes set out in the Act on Personal and Property Protection and Private Detective Practices (namely for the protection of human life, bodily harm and personal freedom, safeguarding of hazardous substances, protection of trade; payment and bank secret and the protection of property). New rules confirm the possibility of using tools to monitor the conduct of employees in connection with the employment.
Furthermore, the employer is allowed to inspect IT equipment provided by the employer for the purpose of work. Many employer policies have already included what now the law confirms; namely that employees may use IT devices provided by their employers solely for work purposes – unless there is an agreement to the contrary. It is important to note that, as it has been the case earlier, employers may not inspect information contained on these devices that are not related to the employment relationship.
Processing of biometric data
The amendment of the Labour Code specified the cases in which biometrical data (i.e., according to GDPR, personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data) may be processed. Under the new regulation, biometric data can be processed when it is necessary to prevent unauthorized access that could pose a threat of serious or massive, irreversible harm to the life, safety or health of an employee or third parties or to legitimate interest protected by law. The law identifies certain legitimate interests as per the above: the safeguarding of firearms, ammunition, explosives, toxic or dangerous chemical or biological materials, and nuclear material, or the protection of a value above 50 million Hungarian Forints. So, for an ordinary office worker, requiring fingerprint authentication is most probably unlawful – unless it is the office of a brokerage company or bank.