Hungary: Protection of Employees' Personal Data in Light of the Introduction of Binding Corporate Rules

Background

The previous Hungarian Labour Code and the previous Act on Data Protection were enacted in 1992 and 1993, respectively. While the Act on Data Protection regulated this field progressively, the previous Labour Code contained only one general clause relating to the handling of employees’ personal data.

Since then new laws have been enacted in both fields – the new Act on Data Protection in 2011 and the new Labour Code in 2012.

Core areas of data protection in employment law

Regulations on handling the personal data of employees need to address two main areas: (i) the exact scope of data that the employer may handle (in other words, the limits of the employees’ right to privacy at the workplace), and (ii) the ways the employer must handle the personal data to which it is entitled.

Scope of data to be handled – privacy

The general rule is that data may only be handled with the data subject’s consent or specific authorisation of law. In addition to this general rule, the Labour Code stipulates that employees may be required to disclose information or data only if the disclosure does not violate their personal rights and is deemed necessary for the conclusion, fulfillment, or termination of employment. This means that the employees’ tax and social security numbers may be requested and subsequently handled by the employer, but the employees’ contacts on social networks or other personal data not related to the employment cannot be requested and handled by the employer at all. If such data is in the possession of the employer, it can only be handled upon the employee’s consent.

The Labour Code stipulates that the employer must inform employees when handling their personal data and prescribes the conditions for sharing that data with third parties. As a growing number of employers make use of third party service providers to perform some of their obligations which require the transfer of certain personal data of their employees (such as payroll and tax administration), the new Labour Code has introduced a rule, allowing employers to transfer their employees’ data to third-party data processors for specific purposes only if they have notified the employees in advance.

The practices of the data protection commissioner and its successor – the national data protection authority – established the most important principles concerning the employees’ right to privacy. Generally, employees must be informed in advance and provide their consent to all potential means of tracking them to be used by the employer, including GPS, phone call tracking systems, or simply checking employee internet use. Employees’ private lives may not be subject to any control. These principles remain intact under the new regulations.

Handling employees’ personal data – data transfers

Another important aspect of employee personal data protection pertains to the handling of personal data or information that the employer already lawfully possessed. In this regard, one of the most problematic areas is the transfer of data to third countries. The increasing number of companies operating globally which outsource their internal functional areas to shared service centers has made it increasingly important to find a solution to this problem.

Introduction of binding corporate rules

A recent amendment to the Hungarian Act on Data Protection (“Amendment”) introduced the concept of binding corporate rules (“BCRs”) into Hungarian law. BCRs are basically a group-wide internal policy on intra-group data transfers, and as such it will likely be a practical tool to regulate and allow data transfers within a company group. Companies using BCRs will not need to obtain separate approval for each personal data transfer within their group. The use of BCRs will therefore help to reduce administrative costs and strengthen as well as harmonise internal data processing practices. The use of BCRs is a progressive tool for intra-group data transfers, as they can be adapted to the day-to day operation of company groups. Finally BCRs are binding and enforceable for all members and employees of the company group, regardless of their place of residence.

Since 1 October 2015 and as a result of the Amendment, the Hungarian Data Protection Act officially accepts BCRs as adequate protection in cases of data transfers outside the EU/EEA. This important milestone will obviously affect the data handling practices of many multinational corporations. With the proper implementation of BCRs, storing employee data and keeping employee records in servers located outside Hungary will no longer create concerns.

The use of BCRs is a progressive tool for intra-group data transfers, as they can be adapted to the day-to day operation of company groups.

author: Dániel Gera