S17_Banner_300x250-COPY
PrivacyCore_ad_300x250-01
CS17_Banner_300x250-COPY


by Bálint Halász and Ákos Fekete-Gy?r

The president of the Hungarian National Agency for Data Protection and Freedom of Information, Attila Péterfalvi, has announced that the Hungarian Privacy Act will be significantly amended by the end of June in order to make it consistent with the EU Data Protection Directive, recent European case law and current privacy trends. While the new Hungarian Privacy Act has been in force for more than a year, certain key aspects of Hungarian DP legislation controversially remained unchanged. The agency has also issued a long-awaited opinion on the electronic surveillance of employees.

Significant amendment to the Hungarian Privacy Act

Péterfalvi delivered a welcome speech at the annual conference of Data Protection Officers in January, giving an overview of the work of the National Agency for Data Protection and Freedom of Information in 2012 before addressing the more exciting topic of amendments to the Privacy Act (Act CXII of 2011) and confirming rumours that significant amendments to the Privacy Act will be put before the Hungarian Parliament. Péterfalvi said that the Parliament is expected to vote on the amendments by the end of June. The amendments will affect core provisions of the Privacy Act, including:

  • Harmonisation of grounds for  data processing with Article 7 of EU DP Directive (95/46/EC);
  • Introduction of new provisions on data transfers will be introduced, including the authorisation of BCRs;
  • Introduction of provisions addressing cloud computing;
  • Exemptions for small and medium sized enterprises from statutory registration fees;
  • Addition of provisions on data breaches will be added, and
  • Authorisation of sub-processor appointments by processors.

Opinion on electronic surveillance at workplace

The agency and the previous data protection commissioners have received many queries in relation to electronic surveillance devices at workplaces. Although the previous commissioners issued several relevant opinions on the application of the previous Privacy Act and landmark decisions of the Hungarian Constitutional Court to this topic, there have been significant developments in recent years. The Hungarian Parliament has not only passed a new Privacy Act but also a new Labour Code (Act I of 2012) which itself contains provisions on privacy matters, including the surveillance of employees.

The opinion of the agency on the electronic surveillance of employees addresses four key issues: the legal grounds for employee monitoring, substantive requirements on the use of electronic surveillance devices in the workplace, providing adequate notices to employees and registration and filing requirements.

Legal grounds for employee monitoring

Under the new Labour Code, an employer is entitled to monitor its employees in connection with their employment-related behaviour, something which certainly entails the processing of certain personal data. The Labour Code does not state that the employer is obliged to obtain consent from the employee, and reliance on employee consent may not be valid as per the opinion of the Article 29 Working Party. As set out in their Opinion No 15/2011, there are grounds other than consent contained in Article 7 of the EU DP Directive, which can also be used as a lawful basis for data processing. Furthermore, a CJEU ruling in joined cases C-468/10 and C-469/10 declared that Article 7(f) of the EU DP Directive—which permits processing on the grounds of legitimate interests—must be given direct effect.

The agency has concluded that employee monitoring does not necessarily require employee consent, but certain requirements must be met:

  • Employee monitoring is only deemed lawful if it is essential for the fulfilment of a purpose directly related to the aim of the employment;
  • The human dignity of the employee must be respected and their private life must not be monitored;
  • Employees must be informed in advance about the data processing, and
  • The employer must comply with the general principles set out in the Privacy Act, including the requirement of a fair and lawful purpose for data processing.

The new Labour Code provides a framework for lawful employee monitoring, but in any event, details of monitoring must be set out in a separate policy and the monitoring must also comply with principles of accountability and proportionality.

Substantive requirements on the use of electronic surveillance devices in the workplace

The Labour Code does not contain detailed provisions applicable to electronic surveillance devices, such as CCTV. Provisions relating to these devices are contained in the Personal and Property Protection Act (Act CXXXIII of 2005), which also establishes the lawful grounds for the use of electronic surveillance systems and obligatory retention periods. Although the rules of the Personal and Property Protection Act do not cover all aspects of electronic surveillance, the agency will take the act's provisions into consideration until the Labour Code’s provisions are adequately amended.

Employers are obliged to prove that their electronic surveillance systems comply with the requirements of the Privacy Act and in particular that the processing is based on a lawful purpose. CCTV surveillance must not jeopardise human dignity; therefore, cameras cannot be directed at one particular employee and cannot record his activity alone. Furthermore, an electronic surveillance system will be deemed unlawful if it is aimed at influencing employee behaviour in the workplace. CCTV surveillance is not allowed in locker rooms, showers, toilets, medical rooms and similar premises, or in rooms or locations where employees spend their breaks. However, these locations can be lawfully monitored after working hours when not in use by employees.

A camera must only aim at the designated area and only at the premises of the employer. An employer must precisely set out in its policy the purpose of installing each and every camera and the reason for monitoring for each area. It will not be enough for employers to provide employees with general information on electronic surveillance systems.

The general maximum retention period of personal data collected by electronic surveillance systems is three days. In exceptional cases, longer retention periods can be applied, but only if the employer is able to justify that special circumstances require a longer retention period. Only a limited number of staff may have access to personal data, and employers must also set out rules of access to data.

Providing adequate notices to employees

The employer must inform employees in advance about the details of the data processing. Employees must also be provided with certain particular pieces of information, including the legal grounds for data processing, the location of any CCTV cameras, the identities of any staff operating the cameras, the location where recordings are stored, the retention periods, the rights of employees and their available legal remedies.

The employer must be able to prove that employees have been adequately informed, for instance, by requesting employees to sign the notice. New joiners must be informed in a separate document which must be signed along with the employment contract.

An employer must also use visual notices in the workplace to inform employees that CCTV cameras are in operation in the area.

Registration and filing requirements

Although the agency does not keep a register on employee data, the processing of electronic surveillance data triggers a filing requirement if CCTV cameras monitor nonemployees, such as customers or suppliers.

Bálint Halász and Ákos Fekete-Gy?r are both members of the Bird & Bird Privacy & Data Protection Practice Group.

 

Comments

If you want to comment on this post, you need to login.

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

CIPP/E + CIPM = DPO

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»