
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a company that had accessed its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.

Whose Data Is It Anyway?

The employee, a project manager at the company, received a company laptop he was also permitted to use for private purposes if it did not hinder the efficiency of his work. After the company’s managing director noticed that the employee printed documents that contained a competitor’s logo, he became suspicious that the employee may have had unauthorised contact with competitors and requested access to his laptop to make a backup of the data stored on it. The employee denied such access because he stored private and trade union data on the computer. After a lengthy dispute involving lawyers and also the police, the employee was granted time to save and delete his private data; however, the company claimed that as part of the process, the employee was also trying to delete confidential business information from the laptop. To verify its suspicion, the company engaged an IT specialist to recover all the deleted data.

As part of a subsequent disciplinary proceeding, the managing director revealed to the employee that among the recovered data they had also found nude photos, bank account data, health data, private correspondence and the names of trade union members. The managing director requested that the employee sign a declaration that he was identifiable in the nude photos, so that the photos could be treated as private; otherwise, the company would disclose them as part of the disciplinary proceeding. The employee refused to sign, after which he was dismissed from his position by extraordinary termination.

The Regulator Intervenes

The employee submitted a complaint to the NAIH regarding the data processing practices of the employer. In its investigation, the NAIH found the following deficiencies in the company’s IT policy and internal procedures:

  • Besides the information on the technical measures applied for the monitoring, employees must also be informed of the privacy aspects of the monitoring; e.g., purpose of data processing, the data controller, data retention periods, data privacy rights and remedies.
  • An IT policy must detail how the employer can access a company device and what kind of rights it may have; e.g., the possibility and the purpose of data recovery, the frequency and scope of back-up copies.
  • The IT policy must either prohibit or permit the private use of company assets, without any reservations. In this particular case, the employer’s IT policy permitted the private use of company assets to the extent that such use did not hinder the efficiency of the work. However, the NAIH considered this provision too vague and suggested a “yes-no” approach instead. In addition, the NAIH emphasised that even where private use is not permitted, the employer should not access files that employees store on a company laptop for private purposes, even if such storage is in breach of the IT policy.
  • In this particular case, the employer’s IT policy contained a prohibition on storing adult content and unauthorised third-party software on the company’s assets. The NAIH criticised the general definition of “inappropriate content” in the IT policy and implied that storing private nude photos on the laptop may not constitute “inappropriate content” at all. It is worth noting that this is the first time the NAIH has scrutinised the wording of an internal policy in such detail.
  • The NAIH found that the employer’s IT policy was not disclosed to the employees properly; although it was available on the intranet, the employer could not prove that the employees had fully read its contents. Nor could the employer prove that it had held training for employees or sent the relevant policies by email. Consequently, companies must always properly document the receipt of such policies and training.
  • The actual monitoring must always be a “last resort.” In this particular case, the suspicion of unauthorised contact with competitors should have been investigated first by checking the print logger and the e-mail traffic on the employer’s network devices, which may contain traces of such communication.

However, the question remains how to comply with this requirement if a malicious employee circumvents these “customary” company channels and tries to compromise the employer’s assets by other means, and the company needs to intervene immediately to protect its confidential data.

  • Employees must have the right to prepare for the disposal of their private files before the employer accesses their computer. (Unfortunately, the NAIH does not analyse how to comply with this requirement where immediate access is needed to protect the employer’s assets and any delay would jeopardise the results of the investigation.)
  • The employer must ensure that the monitoring does not affect the private data of employees. As part of this obligation, the employer should have classified the recovered data, in the presence of the employee, as either employment-related or private files. Any private data recovered alongside company data should have been immediately and irrevocably deleted.

Again, the question remains what happens if a malicious employee tries to hide compromising files by classifying them as private, in order to hinder the employer’s investigation.

  • The recovered data must be analysed for the purpose for which it was originally accessed, i.e. to verify whether the employee unlawfully disclosed confidential information. In this particular case, the NAIH criticised the employer for storing the recovered data for months without analysing it, as it had originally intended when first accessing the laptop.

It is worth noting that the NAIH’s decision in this particular case was appealed before a court, and the court ordered the NAIH to issue a new decision because of an inappropriate reference to the applicable laws. However, the initial decision may still provide insight, despite the open questions highlighted above, into the issues the NAIH may examine in similar investigations. Companies are therefore advised to review and amend their internal policies and data processing practices on the basis of the above findings of the NAIH. If they violate data privacy rules, the NAIH can fine them between HUF 100,000 (370 euros) and HUF 10,000,000 (37,037 euros).


Written By

Marton Domokos

