trends legal magazine

Employment Law No 7

Hungary | Szecskay Attorneys at Law

HUNGARY | Data processing within the context of employment (alcohol tests, monitoring of emails, use of AI, whistleblowing)

Do I need consent to process employee data?

As in the practice of the European Data Protection Board, under the practice of the Hungarian data protection authority, an employee’s consent can serve as a legal basis for processing only in exceptional cases. This is because in the context of employment, which is without doubt a relationship of dependency, the voluntary nature of consent is doubtful. There are certain processing activities which could be based on the employee’s consent; however, employers are advised to exercise caution when they wish to base processing on the employee’s consent. The employee must be able to give his/her consent freely, and if he/she decides not to consent to the processing, he/she should not be exposed to any potential sanctions by the employer.

Most processing activities that take place within the context of employment have a legal basis other than the employee’s consent. For example, data that the employer processes for payroll purposes are processed on the basis of the employer’s legal obligation (Article 6 (1) (c), GDPR) and, respectively, the employment agreement the employer concluded with the employee (Article 6 (1) (b), GDPR). Furthermore, if the employer decides to set up, for example, a CCTV or a whistleblowing system at the workplace, it is the employer’s legitimate interest (Article 6 (1) (f), GDPR) which would serve as legal basis for processing. If processing is based on legitimate interest, a so-called balancing test (also known as necessity and proportionality test) has to be prepared prior to the commencement of processing.

It is also worth mentioning that when it comes to the processing of special categories of data (e.g. employee’s health data), a legal basis out of those indicated in Article 9, GDPR must also be carefully selected.

What are the privacy and data protection issues inherent in alcohol / drug testing?

Under the Labour Code, employees may be subject to check/supervision in the course of their employment-related conduct. In this context, the employer may use technical means, of which the employee must be informed in writing in advance. Under no circumstances may the employee’s private life be monitored.

If duly justified, necessary and proportionate, the employer may carry out alcohol testing at the workplace. In this case, the employer’s legitimate interest can be the legal basis of processing data for the purposes of alcohol testing. This means that a balancing test has to be carried out before engaging in any processing activities. The balancing test has to be carried out in accordance with the practice of the European Data Protection Board.

In addition, the employer has to draw up a policy on alcohol testing with procedural rules and information on data processing, and communicate it to the employees concerned in advance.

Private employers may not lawfully carry out drug tests because it would interfere with the employee’s privacy. This is because if a drug test is performed, the employer could draw certain conclusions as to the private life of the employee (due to the fact that drugs typically leave the human body more slowly than alcohol), which is unlawful under Hungarian law.

How can I legitimately monitor employees’ email, internet usage and social media?

Under the Labour Code,

  1. An employee may be subject to check/supervision in the course of his/her employment-related conduct. In this context, the employer may use technical means, of which the employee must be informed in writing in advance.   
  2. Unless otherwise agreed, the employee may use the information technology, computer or system (“device”) provided by the employer for the performance of the employment relationship only for the purpose of performing the employment relationship.
  3. The employer may, in the course of its control, inspect data relating to the employment relationship stored on the device used for the performance of the employment relationship.
  4. For the purposes of the right of inspection under paragraph (3), data necessary for the purpose of checking compliance with the restriction set out in paragraph (2) are considered employment-related data.
  5. Paragraph (3) applies if, by agreement between the parties, the employee uses his/her own device for the performance of the employment relationship.

Below follows a summary of the practice of the Hungarian data protection authority when it comes to the monitoring by the employer of the work emails of employees. The below applies accordingly to the monitoring of the use of the Internet too. The use of social media by the employees should not be monitored since it relates to the employees’ privacy.

Employers may only monitor the use of work emails based on a proper legal basis (which, depending on the individual case, may be the legitimate interest of the employer – in which case a balancing test must be prepared in advance – or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller). The employer is not entitled to inspect the contents of private emails even if the employees have been informed in advance of the possibility of the monitoring/review and even if the use of the official work email for private purposes was or was not allowed.

It is highly recommended to separate professional and private emails as much as possible. The professional email system can be reserved solely for professional emails. Employees can be asked to send private emails via a personal email address (such as Hotmail or Gmail) and not via their official work email.

The employer has to prepare internal rules (an internal policy) on the use and monitoring/review of official work emails. Such rules should cover, among others:

  • whether the official work email account may be used for private purposes,
  • the rules governing the backup and retention of files on email accounts, and when the emails and files are permanently deleted,
  • the detailed rules for monitoring/review by the employer of the use of email accounts.

It is recommended for the employer to remind the employees regularly about the rules on the work email account (e.g. every six months a notice appears in the mail system informing the employee that he/she is not allowed to send private messages when using the official work email account).

In the internal rules/policy, the employer must specify the purposes and interests for which the email account may be monitored/reviewed. These interests must be real and genuine and relevant to the employer’s activities, the market situation and the employees’ job functions. In addition, the employer must inform the respective employee about the specific purpose before actually reviewing the use of a specific email account.

The employer has to develop a gradual system of monitoring, taking into account the principle of gradual inspection, which allows for adequate protection of personal data and minimises the impact of the control/review on the privacy of employees. For instance, as a first step, it may be sufficient to check only the email address and the subject of the email, which may show that it is a private email. If the employer does not allow the private use of the email account and the inspection is merely to establish whether the employees have complied with this rule, it is also sufficient to check the email address and subject of the email.

This can be followed by a more detailed, higher level of inspection. However, care must be taken to ensure that this is gradual and necessary for the purpose of the review. For instance, if the employer has an idea of the possible date and time of a suspicious email, the employer should focus on emails sent/received at that point in time. Also, if e.g. the employer suspects that the suspicious email had a larger attachment, then it should focus on emails with larger attachments.

The presence of the employee must be ensured when checking his/her email account so that, before the contents of an email are viewed, the employee can indicate that it contains personal data.

Employers must provide the employees with detailed information on data processing in advance, including, among others:

  • the purposes and interests of the employer for which the email account can be checked,
  • who, on behalf of the employer, may carry out the check/review,
  • the rules according to which the review may be carried out (respecting the principle of gradualism) and the procedure to be followed,
  • what rights and remedies the employee has in relation to the processing of data in connection with the monitoring of the official work email account.

The information to the employees must include general information on the above, and also information particular to the individual case before commencing the actual review.

In some exceptional cases, the check may be carried out without the employee being present, e.g. in cases requiring immediate attention or in the case of an employee on sick leave in the event of an urgent need for action. However, in this case too, the employee must be informed of the employer’s planned action in advance and must be given the opportunity to be represented by a proxy or representative if he/she is unable to be present. Even in such a case, every effort should be made to ensure that the circumstances of the review are recorded in a way that the exact course of the review, the scope of the data obtained, etc. can be verified afterwards.

What are the limits of using artificial intelligence in employment?

We are not aware of any specific practice on this.

The Labour Code contains the general rule as described above when it comes to checking the employees in connection with their work. In addition to that basic rule, the provisions of the GDPR apply. There are no special rules governing the use of artificial intelligence.

Having said the above, it is important that prior to the start of any processing, the entity (the prospective controller) assesses what processing would mean and how it could and should be designed. It is essential to have a legitimate purpose of processing and a valid legal basis for the processing. Also, proper information must be given to the employees concerned in advance. Furthermore, the fact that artificial intelligence would be used would most likely mean that a data protection impact assessment would have to be prepared prior to the start of processing.

What are the data protection issues in whistleblowing?

Hungary has not yet implemented the EU’s whistleblowing directive and it is not yet known when it will be transposed into Hungarian law. It is worth noting though that the Act no. CLXV of 2013 on Complaints and Reports of Public Interest contains the rules that are applicable when an entity wishes to set up a whistleblowing scheme.

The setting up of a whistle-blowing system is not mandatory. However, if such a system is set up by an entity, certain mandatory rules must be complied with.

Below you will find a bullet point summary of the currently effective rules:

  • The employer, as well as its owner operating in the form of a business company (“employer”), may, in line with the Labour Code, establish rules of conduct for the protection of the public interest or overriding private interests for the employees of the employer, which the employer has to publish in a manner accessible to any person, together with a description of the related procedural rules,
  • Employees of the employer and persons who have a contractual relationship with the employer’s organisation or who have a legitimate interest in making the notification or in remedying or ending the conduct which is the subject of the notification may make a report,
  • The employer is required to publish detailed information on the operation of the whistleblowing system along with the procedural rules on its website in the Hungarian language,
  • Within the framework of the whistleblowing system, the employer may process the personal data of (i) the person making the report and (ii) the person whose conduct or omission gave rise to the report or who is in a position to have information of the substance concerning the matter to which the report relates, including sensitive data and criminal data, which are essential for the investigation of the report, solely for the purpose of investigating the notification and remedying or stopping the conduct which is the subject of the notification, and transmit them to the whistleblower protection lawyer or to an external body assisting in the investigation of the report (any other personal data must be erased as soon as possible),
  • The personal data of the whistleblower may be disclosed only to the body competent to conduct the proceedings initiated on the basis of the report, if that body is entitled to process the data by law or if the whistleblower has given his/her unambiguous consent to the disclosure of the data. The personal data of the whistleblower may not be disclosed without their explicit consent. As an exception to this rule, if it has become apparent that the whistleblower has communicated false and decisive information in bad faith and (a) the circumstances suggest that a criminal offence has been committed, his/her personal data must be handed over to the body or person entitled to conduct the proceedings, (b) there are reasonable grounds for believing that he/she has caused unlawful damage or other harm to another person, his/her personal data must be handed over to the authority or person entitled to initiate or conduct the proceedings, on request,
  • When making a notification, the whistleblower has to declare that the report is made in good faith concerning circumstances of which he/she has knowledge or that he/she has reasonable grounds for believing that they are true. When making a notification, a legal person filing a notification must indicate its registered seat and the name of its statutory representative. The whistleblower has to be made aware of the consequences of reporting in bad faith, of the procedural rules governing the investigation of the whistleblowing and of the fact that his/her identity, if he/she provides the information necessary to establish it, will be treated confidentially at all stages of the investigation,
  • Data processed within the whistleblowing system may be transferred to another state or international organisation only if the recipient has given an undertaking to comply with the rules on notification set out in the act (and provided that the rules of the GDPR are complied with),
  • The reporting system has to be designed in such a way that the identity of the non-anonymous whistleblower cannot be known to anyone other than the investigators of the report. Until the investigation is closed or formal prosecution is initiated as a result of the investigation, the investigators of the report must keep confidential all information on the content of the report and the persons concerned by the report and may not share it with any other department or staff member of the employer, except for the purpose of informing the person concerned by the report,
  • The person concerned must be informed in detail about the report (except for the identity of the whistleblower), his/her rights regarding the protection of his/her personal data and the rules on the processing of his/her data when the investigation is opened. In accordance with the requirement of a fair hearing, the person concerned must be given the opportunity to express his/her opinion on the notification, including through his/her legal representative, and to provide evidence in support of such opinion. Exceptionally, and in duly justified cases, the person concerned may be informed at a later stage if immediate information would prevent the investigation of the report,
  • The report must be investigated by the employer in accordance with the procedures laid down by it and the whistleblower must be informed of the outcome of the investigation and of the measures taken,
  • A whistleblower protection lawyer can be contracted to receive or investigate notifications, and a whistleblower protection lawyer or another external organisation can be engaged to assist in the investigation of reports,
  • The examination of the notification may be rejected if (i) the whistleblower has made the report on an anonymous basis, (ii) the application is a repeated report by the same whistleblower with the same content as the previous report, (iii) the report was made after the expiry of a period of six months from the date on which the whistleblower became aware of the act or omission complained about, (iv) the harm to public interest or to an overriding private interest would not be proportionate to the restriction of the rights of the person concerned resulting from the investigation of the notification,
  • The facts contained in the report must be examined within the shortest time possible under the circumstances, which may not exceed 30 days from the date of receipt of the report. This time limit may be extended only in particularly justified cases (except in the case of a report by an anonymous or unidentifiable whistleblower) and the whistleblower must be informed simultaneously. The duration of the examination may not exceed 3 months,
  • If the investigation of the conduct that the report refers to justifies the initiation of criminal proceedings, a criminal report must be made,
  • If, on the basis of the investigation, the conduct referred to in the report is not a criminal offence, but violates the rules of conduct laid down by the employer, the employer may impose sanctions on the employee in accordance with the rules of labour law,
  • If the investigation reveals that the report is unfounded or that no further action is necessary, the data relating to the report must be deleted within 60 days of the completion of the investigation,
  • If action is taken on the basis of the investigation, including legal proceedings or disciplinary action against the whistleblower, the data relating to the report may be processed within the whistleblowing system until the final conclusion of the proceedings initiated on the basis of the report.

Written by:

Zoltán Balázs Kovács, Partner

zoltan.kovacs(et)szecskay.com

Article from – TRENDS Employment Law No 7
