Due to the nature of employment relationships, personal employee data are processed in countless contexts every day. However, Hungarian labor regulations have very limited provisions on data processing at the workplace. Despite the fact that the data protection commissioner and the president of the data protection authority have published several opinions and recommendations on this issue, a great deal of uncertainty remains.
To provide some clarity, at the end of 2016 the President of the Hungarian National Authority for Data Protection and Freedom of Information published guidelines on the requirements of data processing in the workplace. In addition to general data protection requirements, the guidelines also summarize the requirements for certain special types of data processing at the workplace, such as camera surveillance; the monitoring of workplace telephones, computers, Internet, and e-mail accounts; GPS and biometric systems; and whistleblowing hotlines. It appears likely that the data protection authority will continue to follow these comprehensive guidelines even after the General Data Protection Regulation comes into force on May 28, 2018.
The guidelines set out three main grounds for data processing under both Hungarian and EU rules: the consent of the data subject, authorization by law, and the employer’s legitimate interest.
Consent of data subjects
The consent of data subjects may serve as legal grounds for data processing only if it is voluntary (or in other words, if there is no risk of negative consequences if consent is refused). Since the hierarchical relationship between employers and employees generally precludes voluntariness both in EU and Hungarian practice, employee consent rarely constitutes sufficient legal grounds for data processing. This is particularly relevant because, in practice, the data subject’s consent is often wrongly considered the strongest legal grounds for data processing.
Authorization by law
The guidelines distinguish between two types of data processing based on authorization by law: mandatory and permitted. Mandatory data processing includes data processing by the employer as stipulated by tax and social security regulations. Data processing permitted by law includes data collected in the course of operating whistleblowing hotlines or monitoring employees. However, the guidance also notes that as the employer itself determines what data are processed while monitoring its employees, such cases are very close to data processing based on the employer’s legitimate interest.
Employer’s legitimate interest
At present, many are reluctant to process data on the grounds of the employer’s legitimate interest and often wrongly believe that it is safer to obtain the data subject’s consent. However, both EU and Hungarian practice attach great importance to data processing based on legitimate interest. The EU’s Data Protection Directive and Hungary’s Informational Self-Determination Act both stipulate that personal data may be processed if necessary to safeguard the legitimate interest of the employer, provided that this interest and the data collected are proportionate to the resulting limitation of the employee’s right to the protection of personal data.
The essence and the challenge in proving legitimate interest is striking the right balance. Through the legitimate interest balancing test, the employer needs to demonstrate to its employees, or – as the case may be – to the data protection authority or the courts, that the data processing carried out is proportionate to the limitation of the employees’ rights.
The guidelines set out five steps in the legitimate interest balancing test. The first step is to examine whether the aim can be achieved without processing personal data. If it cannot, as a second step, the employer needs to determine, as precisely as possible, its legitimate interest relating to the establishment, performance or termination of employment. The third step is to determine the purpose of data processing, the type of personal data, and the term of processing required by such legitimate interest. The fourth step is to assess the interests and expectations the employees could raise vis-à-vis the employer’s data processing. Finally, as a fifth step, the employer needs to demonstrate why the data processing carried out based on its legitimate interest is proportionate to the limitation of the employees’ interests and expectations.
To ensure the lawfulness of data processing based on legitimate interest, the employer must provide appropriate guarantees, particularly when monitoring employees. Such guarantees include the “minimum necessary” principle, meaning the employer should collect the least amount of data necessary, as well as the employee’s right to be present at investigations, unless circumstances exclude this possibility.