Hungary Defines Legal Grounds For Data Processing In The Workplace


Due to the nature of employment relationships, personal employee data are processed in countless contexts every day. However, Hungarian labor regulations have very limited provisions on data processing at the workplace. Despite the fact that the data protection commissioner and the president of the data protection authority have published several opinions and recommendations on this issue, a great deal of uncertainty remains.

To provide some clarity, at the end of 2016 the President of the Hungarian National Authority for Data Protection and Freedom of Information published guidelines on the requirements of data processing in the workplace. In addition to general data protection requirements, the guidelines also summarize the requirements for certain special types of data processing at the workplace, such as camera surveillance; the monitoring of workplace telephones, computers, Internet, and e-mail accounts; GPS and biometric systems; and whistleblowing hotlines. It appears likely that data protection authority will continue to follow these comprehensive guidelines even after the General Data Protection Regulation comes into force on May 28, 2018.

The guidelines set out three main grounds for data processing under both Hungarian and EU rules, including the consent of the data subject, authorization by law, and the employer's legitimate interest.

Consent of data subjects

The consent of data subjects may serve as legal grounds for data processing only if it is voluntary (or in other words, if there is no risk of negative consequences if consent is refused). Since the hierarchical relationship between employers and employees generally precludes voluntariness both in EU and Hungarian practice, employee consent rarely constitutes sufficient legal grounds for data processing. This is particularly relevant because, in practice, the data subject's consent is often wrongly considered the strongest legal grounds for data processing.

Authorization by law

The guidelines distinguish between two types of data processing based on authorization by law: mandatory and permitted. Mandatory data processing includes data processing by the employer as stipulated by tax and social security regulations. Data processing permitted by law includes data collected in the course of operating whistleblowing hotlines or monitoring employees. However, the guidance also notes that as the employer itself determines what data are processed while monitoring its employees...

To continue reading