

by Bálint Halász and Ákos Fekete-Győr

The president of the Hungarian National Agency for Data Protection and Freedom of Information, Attila Péterfalvi, has announced that the Hungarian Privacy Act will be significantly amended by the end of June in order to make it consistent with the EU Data Protection Directive, recent European case law and current privacy trends. While the new Hungarian Privacy Act has been in force for more than a year, certain key aspects of Hungarian DP legislation controversially remained unchanged. The agency has also issued a long-awaited opinion on the electronic surveillance of employees.

Significant amendment to the Hungarian Privacy Act

Péterfalvi delivered a welcome speech at the annual conference of Data Protection Officers in January, giving an overview of the work of the National Agency for Data Protection and Freedom of Information in 2012. He then addressed the more exciting topic of amendments to the Privacy Act (Act CXII of 2011), confirming rumours that significant amendments to the Privacy Act will be put before the Hungarian Parliament. Péterfalvi said that the Parliament is expected to vote on the amendments by the end of June. The amendments will affect core provisions of the Privacy Act, including:

  • Harmonisation of grounds for data processing with Article 7 of the EU DP Directive (95/46/EC);
  • Introduction of new provisions on data transfers, including the authorisation of BCRs;
  • Introduction of provisions addressing cloud computing;
  • Exemptions for small and medium-sized enterprises from statutory registration fees;
  • Addition of provisions on data breaches, and
  • Authorisation of sub-processor appointments by processors.

Opinion on electronic surveillance at the workplace

The agency and the previous data protection commissioners have received many queries in relation to electronic surveillance devices at workplaces. Although the previous commissioners issued several relevant opinions on the application of the previous Privacy Act and landmark decisions of the Hungarian Constitutional Court to this topic, there have been significant developments in recent years. The Hungarian Parliament has not only passed a new Privacy Act but also a new Labour Code (Act I of 2012) which itself contains provisions on privacy matters, including the surveillance of employees.

The opinion of the agency on the electronic surveillance of employees addresses four key issues: the legal grounds for employee monitoring, substantive requirements on the use of electronic surveillance devices in the workplace, the provision of adequate notices to employees, and registration and filing requirements.

Legal grounds for employee monitoring

Under the new Labour Code, an employer is entitled to monitor its employees in connection with their employment-related behaviour, something which certainly entails the processing of certain personal data. The Labour Code does not state that the employer is obliged to obtain consent from the employee, and reliance on employee consent may not be valid as per the opinion of the Article 29 Working Party. As set out in their Opinion No 15/2011, there are grounds other than consent contained in Article 7 of the EU DP Directive, which can also be used as a lawful basis for data processing. Furthermore, a CJEU ruling in joined cases C-468/10 and C-469/10 declared that Article 7(f) of the EU DP Directive—which permits processing on the grounds of legitimate interests—must be given direct effect.

The agency has concluded that employee monitoring does not necessarily require employee consent, but certain requirements must be met:

  • Employee monitoring is only deemed lawful if it is essential for the fulfilment of a purpose directly related to the aim of the employment;
  • The human dignity of the employee must be respected and their private life must not be monitored;
  • Employees must be informed in advance about the data processing, and
  • The employer must comply with the general principles set out in the Privacy Act, including the requirement of a fair and lawful purpose for data processing.

The new Labour Code provides a framework for lawful employee monitoring, but in any event, details of monitoring must be set out in a separate policy and the monitoring must also comply with principles of accountability and proportionality.

Substantive requirements on the use of electronic surveillance devices in the workplace

The Labour Code does not contain detailed provisions applicable to electronic surveillance devices, such as CCTV. Provisions relating to these devices are contained in the Personal and Property Protection Act (Act CXXXIII of 2005), which also establishes the lawful grounds for the use of electronic surveillance systems and obligatory retention periods. Although the rules of the Personal and Property Protection Act do not cover all aspects of electronic surveillance, the agency will take the act's provisions into consideration until the Labour Code’s provisions are adequately amended.

Employers are obliged to prove that their electronic surveillance systems comply with the requirements of the Privacy Act and in particular that the processing is based on a lawful purpose. CCTV surveillance must not jeopardise human dignity; therefore, cameras cannot be directed at one particular employee and cannot record his activity alone. Furthermore, an electronic surveillance system will be deemed unlawful if it is aimed at influencing employee behaviour in the workplace. CCTV surveillance is not allowed in locker rooms, showers, toilets, medical rooms and similar premises, or in rooms or locations where employees spend their breaks. However, these locations can be lawfully monitored after working hours when not in use by employees.

A camera must only aim at the designated area and only at the premises of the employer. An employer must precisely set out in its policy the purpose of installing each and every camera and the reason for monitoring for each area. It will not be enough for employers to provide employees with general information on electronic surveillance systems.

The general maximum retention period of personal data collected by electronic surveillance systems is three days. In exceptional cases, longer retention periods can be applied, but only if the employer is able to justify that special circumstances require a longer retention period. Only a limited number of staff may have access to personal data, and employers must also set out rules of access to data.

Providing adequate notices to employees

The employer must inform employees in advance about the details of the data processing. Employees must also be provided with certain particular pieces of information, including the legal grounds for data processing, the location of any CCTV cameras, the identities of any staff operating the cameras, the location where recordings are stored, the retention periods, the rights of employees and their available legal remedies.

The employer must be able to prove that employees have been adequately informed, for instance, by requesting employees to sign the notice. New joiners must be informed in a separate document which must be signed along with the employment contract.

An employer must also use visual notices in the workplace to inform employees that CCTV cameras are in operation in the area.

Registration and filing requirements

Although the agency does not keep a register on employee data, the processing of electronic surveillance data triggers a filing requirement if CCTV cameras monitor non-employees, such as customers or suppliers.

Bálint Halász and Ákos Fekete-Győr are both members of the Bird & Bird Privacy & Data Protection Practice Group.

 
