CLVPartners

CLV-02
Menu

Company groups

New COVID-19 restrictions in Hungary: consequences for employers

Company groups, Employment, labour law, Medium-sized companies, News, Start-ups, Trade affairs / / , , , , ,

The restrictions (of Gov. Decree 484/2020 (XI. 10.)) apply as of 11 November 2020 for the whole of Hungary, effective until 11 December 2020. These restrictions may be prolonged if necessary.
The current rules concerning wearing masks, social distancing and border crossing remain in effect, while wearing masks is now obligatory in public spaces designated by the local councils in cities exceeding 10,000 inhabitants.

I. Curfew between 20:00 and 5:00 with an exemption regarding going to work

During the curfew, only people going from their homes (place of residence) to work and back home from work can be in public spaces. A sample of the certificate to be issued by the employers can be found on the Government website: https://kormany.hu/hirek/kijarasi-tilalomrol-szolo-igazolas

II. Rules regarding education

Nurseries, kindergartens and primary schools remain open for those under 14 years of age. Online education has been introduced from grade 9 in middle schools and colleges/universities, and dormitories are closed.

III. General ban on events

All events are banned. This also applies to all professional events held in person (conferences, workshops, etc.).

IV. Restrictions on trade and catering

Restaurants are closed and only takeaway and home delivery are allowed, however, factory canteens may remain open. Shops, stores and other services except for pharmacies and petrol stations must close at 19:00, after which only those working there may stay on site. Hotels may only accommodate guests arriving on business, economic or education purposes.

V. Sanctions

In the event of violation of the rules applicable to events or institutions, shops and facilities, the police may close the area, premises or institution (except for educational institutions) for a period of one day to one year and impose a fine of HUF 100,000 to HUF 1,000,000.

VI. Economic protection measures

In order to protect jobs, the Government has also introduced economic protection measures (Decree no. 485/2020. (XI. 10.)), as follows.

1. Tax allowance
For November 2020 employers operating in the scope of activity listed in the Decree shall not need to pay social contributions and vocational training contributions. Small entrepreneurs within the scope of activity listed in the Decree do not need to count personal payments to their small business tax base relating to employees who would have been dismissed due to the state of emergency, provided that these employees are not dismissed and receive their salaries.

2. Provision for hotels
The state will reimburse 80% of the price (net income) of bookings booked for within the next 30 days and received by the hotels registered in the National Tourism Data Providing Centre (Nemzeti Turisztikai Adatszolgáltató Központ) until 8 November 2020, provided that the hotel employees are not dismissed and receive their salaries.

3. Wage subsidies
50% of the wages for November 2020 of the employees of restaurants and leisure facilities listed in the Decree will be reimbursed by the state in the form of a subsidy, provided that the employees are not dismissed and receive their salaries.

The ‘actual main activity’ is the activity which generated the most revenue, which must be at least 30% of the revenue in the previous six months.

There are still many open questions regarding the implementation of the governmental measures described above, we shall provide information on possible further measures after they have been published.

New COVID-19 restrictions in Hungary: consequences for employers Read More »

Travel restrictions extended again

Company groups, Medium-sized companies, News, Start-ups / / , , ,

Please note that by adopting Gov. Decree No. 469/2020 (X.29.) the Hungarian Government has extended the travel restrictions and border control again until 1 December 2020.
Entry to the country shall remain to be subject to restrictions or otherwise allowed only in exceptional cases in line with the previous communications.
Should there be any change concerning the travel restrictions or entry to the country, we will provide further information.

Should you have any questions regarding the above, feel free to contact us.

 

Travel restrictions extended again Read More »

President of HDPA tempers position on thermometers!

Company groups, Data protection, Employment, labour law, Medium-sized companies, News, Start-ups / / , , , ,

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position.

Unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position, that unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

As a reminder, the Authority’s guidelines issued on 11 March 2020 and its confirmatory official position issued on 28 April 2020 considered disproportionate the requirement of screening tests with any diagnostic device (in particular, but not exclusively, with a thermometer), as the epidemiological situation in Spring did not warrant such measures.

The HDPA president’s statement did not affect the rest of the previously issued guidelines and official position, therefore all data processing in connection with the novel coronavirus epidemic such as body temperature measurement may only be introduced in the legitimate interest of the employer, substantiated by a proportionality test and the measurement shall be conducted by healthcare professionals or under their professional supervision under Article 9 (3) of the GDPR.

The Authority invariably requires employers to prefer measures which do not require the processing of personal data (basic hygiene, provision of disinfectants, adequate cleaning, provision of protective equipment, distance between workers).

Should you have any questions regarding the above, feel free to contact us.

President of HDPA tempers position on thermometers! Read More »

Enormous data protection fine imposed by the HDPA

Company groups, Data protection, Medium-sized companies, News, Start-ups / / , , , ,

On 18 May 2020, the Hungarian Data Protection Authority („HDPA” or „Authority”) has imposed a fine of HUF 100 000 000 on DIGI Távközlési és Szolgáltató Korlátolt Felelősségű Társaság („Digi” or „Company”).
The decision has been published by the Authority today, which is by far the highest amount imposed since the GDPR’s entry into force and the existence of the HDPA. The facts leading to the fine and the subsequent decision of the Authority are summarized as follows:

Facts of the case

1. Due to a prior loss of data, Digi created a test database for the purposes of mitigating errors, which the Company filled with existing personal data. The test database was originally available on the Company’s website only with appropriate authorization.

2. The content management system (‘CMS’) applied by the Company had a vulnerability, which has been detected more than 9 years ago. This vulnerability can also be detected and amended automatically by adequate tools and applications. Through this vulnerability, anyone could view the test database without access authorization.

3. Exploiting this vulnerability, an ethical hacker gained access to the test database, where the personal data of a significant number of clients were stored in plain text without any encryption. These data included all personal identifying data, ID card numbers, and in some cases personal identification numbers, e-mail addresses, telephone numbers and bank account numbers were also included.

4. In addition to the above, data of newsletter subscribers and full access system administrators were also accessible through the vulnerability, which could have been used by an attacker to take over complete control of the website and access any personal data or trade secret available on the website.

Findings of the HDPA

The categories of personal data involved made identity theft possible for a potential attacker.

• It is also an aggravating circumstance that the number of people affected by the data protection incident is significant, even in relation to the entire population of Hungary, the Company’s market position would have justified the application of more serious data security measures.

• The vulnerability in the open source content management system has been known for a long time, and a fix is available to fix this vulnerability for free.

• Lack of encryption increased the risk of the incident, even though the Company would also have had the opportunity to encrypt its data for an insignificant cost.

Leaking access credentials for full system administrators severely increases security risk.

• The maintenance of the test database violated the principles of the GDPR, as the test database should have been permanently deleted once its purpose has been fulfilled.

• The Company has also violated the provisions of its own internal regulations.

In light of all of the above, the Authority considered that the warning would not have had sufficient deterrent effect and that a fine, the exceptionally high amount of which was explained by a number of aggravating circumstances, was justified.

Enormous data protection fine imposed by the HDPA Read More »

Deductions from the corporate tax base during the state of emergency

Company groups, Corporate law, Medium-sized companies, News, Start-ups / / , , ,

On 30 April 2020 another tax relief has been published with regards to the state of emergency.
This time, the provisions of tax base deductions set out in Act LXXXI of 1996 on Corporate Tax and Dividend Tax are extended in the tax years during the emergency and in the taxpayer’s choice in the tax year 2019 as well, in accordance with the following:

1. The pre-tax profit is reduced by the amount of earnings retained and transferred to the reserve in the tax year by the corporate taxpayer and shown as a reserve on the last day of the tax year, but not more than the pre-tax profit and up to HUF 10 billion per tax year (“development reserve”). Prior to the tax relief, the development reserve could not exceed 50% of the taxpayer’s pre-tax profit for a given tax year, this restriction does not apply under the new rules.

2. If the taxpayer chooses to apply the new rule to the 2019 tax year, but has already submitted its 2019 tax return by 1 May 2020, it may form a reserve for the 2019 tax year in accordance with the rules of accounting control within a self-revision procedure. until 30 September 2020.

3. If the tax return has not yet been submitted, but the taxpayer already has an approved financial statement, it may form a reserve for the approved report in accordance with the rules of accounting control.

 

Deductions from the corporate tax base during the state of emergency Read More »

Certain Tax and Corporate Deadline and Processes

Company groups, Corporate law, Medium-sized companies, News, Start-ups, Trade affairs / / , , , , ,

During the state of emergency and the implemented partial curfew, the continuous decision-making of companies could easily become impossible. In order to prevent this, as of 11 April 2020 different rules apply to the decision-making process of the obstructed companies, and the mandate term of certain company officers is also extended for this period.

By definition, the decision-making rules do not apply to companies not obstructed by the exceptional circumstances, for example in the case sole member companies.

During the emergency and until the 90th day after its end, the term of managing directors, board members (e.g. supervisory board members) and auditor may not be terminated as a result of expiration or resignation and these officers shall continue to carry out their duties during this time. This provision also applies to unhindered companies, but of course it is also possible to elect new officers during the state of emergency.

A new rule to be applied to all taxpayers is that the deadline for preparing, disclosing, depositing, publishing and submitting financial statements of the Accounting Act due after 22 April 2020 is extended until 30 September 2020. In the case of the main types of tax (corporate and dividend tax, small business tax, local business tax, etc.), the tax assessment, declaration and payment obligations, as well as the tax advance assessment and declaration obligation to be fulfilled simultaneously with the annual tax returns can also be fulfilled by this extended deadline.

Certain Tax and Corporate Deadline and Processes Read More »

Statement of the EDPB on data processing during the coronavirus epidemic

Company groups, Data protection, Medium-sized companies, News, Start-ups / / , , , , , ,

The European Data Protection Board (“EDPB”) has issued a statement on its website on data processing during the coronavirus epidemic.Please find our summary of the statement below:
1. The conditions of processing health data, as special category of data shall be specified by the national law in accordance with the GDPR. In this regard, the GDPR requires that the lawmaker defines specific measures and the suitable safeguards of the rights of the data subjects.

2. As per the position of the Hungarian Data Protection Authority emphasized, in the event of medical examinations such as body temperature measurement, this safeguard is the presence of a healthcare professional, therefore it is still not possible to implement such measurement at the workplace without the presence of a professional.

3. According to the EDPB’s position, the employers should inform employees if a coronavirus infected person has been identified at the workplace (to take the necessary protective measures), without revealing the identity of said person. The concerned employees shall be informed in advance and their dignity and shall be protected. Information on the infection should be first and foremost disclosed to those entitled to process these data, such as authorities and treating physicians if requested.

As the GDPR allows for a wide range of derogations in national law, we can expect a more detailed regulation of the data processing in relation to the epidemic.

The content of this article is not exhaustive and does not constitute a legal advice. Should you have any specific questions regarding any issues investigated by our articles, please contact us and we will be happy to be at your disposal.

Statement of the EDPB on data processing during the coronavirus epidemic Read More »

ON THE DATA PROCESSING RELATED TO THE CORONAVIRUS EPIDEMIC

Company groups, Data protection, Medium-sized companies, News, Start-ups / / , , , ,

The Hungarian Data Protection Authority („HDPA”, „Authority”) has issued on its website a briefing regarding data processing related to the coronavirus epidemic, also including certain general legal obligations beyond data protection. We have summarized the most important details as follows:
1. It is not only a vital interest but also a legal obligation of employers to provide a healthy and safe workplace.

2. Prior to any data processing, employers may be expected to create an epidemic action plan (preventive measures, allowing alternative working conditions (“home office”), procedure to be followed if the infection appears, assignment of responsible personnel within the company, implementation of a reporting system).

3. As a preventive measure within the action plan, it is recommended to provide employees with all necessary details, especially on the most critical information on the coronavirus (rules of hygiene, symptoms, who to report to within the company). The document titled “Procedure regarding the novel coronavirus identified in the year 2020” published on the website of the National Public Health Center could provide helpful for employers when wording the information.

4. According to the Labour Code, the employees shall report to the employer if they have knowledge of a risk of infection, including the risk of their own illness. With regards to this, the reporting system shall be implemented in a way that allows for confidential processing of data.

5. In the event of a report or suspicion of infection the HDPA considers filling out a questionnaire appropriate. Particular attention shall be paid to data minimisation. Employers shall not process the data of the suspected employee related to the epidemic beyond the questionnaire. The Authority specifically notes that data related to medical history or medical documentation shall not be requested or processed by the employer!

6. It needs to be emphasized that the employer shall not begin contact investigation, this should be entrusted with the investigating authority having jurisdiction!

7. Also important to note, the employer shall not conduct medical examination (i.e. use of thermometer), however, the professional examination of employees may be initiated through the involvement of healthcare professionals (first and foremost the company doctor).

8. The legal ground for the above data processing is based on the employer’s legitimate interest, if the medical examination of employees becomes necessary, the exceptional purpose of processing shall be in the interest of providing a healthy workplace.

9. It is recommended for employers to favour measures that do not result in the processing of data (following basic hygiene, providing disinfectants, proper cleaning). We would also like to note that the legislation does not allow for employers to distribute vitamins, medicine or immune-boosting products, etc. among its employees, therefore these are not legally possible as a preventive measure.

ON THE DATA PROCESSING RELATED TO THE CORONAVIRUS EPIDEMIC Read More »

GPDR after Brexit – Data transfers outside the EU

Company groups, Medium-sized companies, News, Start-ups / / , , , , ,

After years of negotiations the United Kingdom has officially left the European Union, therefore the UK has become a “third country”. We would like to take this opportunity to point out the special rules concerning the UK and data transfers outside the EU in general.
Data transfer to the UK

As we have noted in our latest article on Brexit, some changes need time to enter into force. According to the withdrawal agreement concluded between the UK and the EU, there will be a transition period until 31 December 2020. In this transition period, the GDPR is still applicable in the UK, so the UK would not be considered as a third country until the end of this year.

What happens after the transition period?

It is very important to note that any data processed before the end of the transition period shall continue to be processed in accordance with the GDPR. Thus, personal data transferred to the UK during the transition period shall be guaranteed the same level of safety as currently provided by the GDPR and data subjects have no cause to worry about their right to privacy.

After the transition period, the UK and the EU still need to iron out the specifics of data protection. Certainly, for most data controllers that would be most convenient if the UK continued to apply the GDPR.

However, in the event of a “no-deal” Brexit or if the “deal” excludes data protection, the rules of transferring data outside the EU would have to be applied to the UK.

Data transfers outside the EU

One of the most emphasized general rule of the GDPR is that transferring data outside the EU is not allowed only with a very few exceptions. There are three categories of these exceptions, “adequacy decisions” in Article 45, “appropriate safeguards” in Article 46 and “derogations for specific situations” in Article 49.

Adequacy decisions

With regards to Brexit, the second best scenario would be an EU Commission adequacy decision. Data may be transferred without any special rules or authorizations to third countries deemed to provide an adequate level of data protection. While the decision falls to the discretion of the Commission, we expect this to be a very likely outcome, as the UK has high standards of data protection in their national legislation.

Appropriate safeguards

Should the UK not be found adequate, the next option is for the data controller or processor to provide appropriate safeguards. These safeguards are subject to the approval/ adoption of the Commission and/or the supervisory authority. The most relevant of these safeguards are as follows:

• binding corporate rules (BCR) of a corporate group (approved by the supervisory authority);
• standard data protection clauses (adopted by the Commission);
• standard data protection clauses (adopted by a supervisory authority and approved by the Commission);
• an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;
• an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

The abovementioned options require either significant effort from the data controller (i.e. drafting BCRs or codes of conduct) or a proactive supervisory authority (i.e. drafting and adopting standard clauses). Since the GDPR’s entry into force, no standard clauses have been adopted yet. Consequently, most data controllers might find appropriate safeguards a barrier too high to entry.

Derogations for specific situations

The last option is derogations for specific situations, to be applied for exceptional cases and will not serve as legal basis for systematic or regular transferring of personal data. The most relevant of these situations are as follows:

• explicit consent of a data subject informed of the risks of transfer to the third country;
• transfer is necessary for the performance of a contract between the data subject and the data controller or a contract concluded in the interest of the data subject;
• transfer is necessary for the establishment, exercise or defence of legal claims;
• transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

In any event, if the data controller uses these derogations as basis for data transfer outside the EU, the transfer may only take place if it is not repetitive and concerns only a limited number of data subjects, in addition the controller must demonstrate a compelling legitimate interest and inform the supervisory authority as well as the data subject. This is considered the least favourable option for data controllers because of their obligations to inform.

GPDR after Brexit – Data transfers outside the EU Read More »

The right of exit and of entry following Brexit

Company groups, Medium-sized companies, News, Start-ups, Trade affairs / / , , , ,

The United Kingdom is set to leave the European Union on 31 January 2020. As the date draws ever so close, it is time to get acquainted with the rules to follow the departure of the country, most importantly the right of exit and of entry of union citizens.
Presently, union citizens can enter the UK with both their national identity cards or their passports and they do not need a visa to do so. Although 31 January 2020 is the day the UK shall officially leave the EU, it will be followed by a transition period, in which the rules of entry and exit shall remain unchanged.

According to the agreement between the UK and the EU, this transition period ends on 31 December 2020. The Joint Committee (comprising representatives of the EU and UK) may extend this transition period one time with an additional 1 or 2 years. As a result, the current system could hold out as late as 2022, but for now 31 December 2020 shall be deemed the relevant date.

Come 1 January 2021, – assuming no extension takes place – it will be entirely up to the British Parliament to determine the conditions of entry and exit into the country, specifically whether or not a passport and/ or visa is required.

The right of exit and of entry following Brexit Read More »

CLVPartners
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.