CLVPartners

Company groups

HDPA issues statement on the monitoring of employee e-mails

At the end of last year, the Hungarian Data Protection Authority (HDPA) issued a statement in which it commits itself to taking all possible actions and using all available means – including adequate legal consequences to prevent further infringements – to stop the widespread practices of unlawful processing of employee e-mails.

How does personal data enter the picture?

Even if an e-mail address was provided for the purposes of working, it might eventually be used by the employee for personal matters, or third parties might send personal e-mails to the address, which turns this into a question of data privacy. Although some advisable steps can be taken to prevent the personal use of work e-mail addresses (i.e. the prohibition of personal use of work assets), it does not seem possible to fully separate the two uses, since receiving a personal e-mail from a third party is generally outside the employer’s or employee’s control. It is also important to note that if an employee uses the work e-mail address for personal matters despite explicit prohibitions being in place, such an act will still be attributed to the employer’s data processing; the processing of personal data is thus unavoidable.

What is expected of the employers?

First and foremost, employers should determine the lawful ground of the processing. The HDPA highlighted storing, archiving and searching/indexing as the most common processing actions performed on employee e-mails. Naturally, employers have a vested interest in the monitoring of employee e-mails, as it is necessary to control and maintain the workflow; therefore, the lawful ground must be substantiated by a thorough balancing test prior to the processing. Once the lawful ground is established, it is advisable to prepare an SOP on the monitoring process.

The employer must duly inform the employees about the monitoring of work e-mails, the data processing and whether personal use of work e-mails is permitted or prohibited at the workplace.

Before or during the monitoring, the employer must take all reasonable steps to separate work-related and private e-mails. In accordance with the principle of accountability, the employer should maintain a record of the steps taken during monitoring.

Considering the fact that almost every employer provides its employees with an e-mail address for work purposes, this statement is important to all employers who wish to be compliant with the GDPR and employees interested in the protection of their private lives.

GDPR – One Year On

As 25 May 2018 approached, many organisations faced these new European privacy rules with increasing concern. One of the main reasons for this was undoubtedly the extremely high fines that can be imposed for breaches of the GDPR: the majority of infringements can be punished by a fine of up to EUR 20 million or 4% of total worldwide annual turnover for the previous financial year (the higher of the two).
The level of fine imposed will depend on an assessment by the national data protection authority (DPA) of mitigating or aggravating circumstances listed in the GDPR including the nature, seriousness and duration of the infringement, whether the data involved was sensitive and any previous breaches.
A year on, with the first wave of decisions and fines now issued by a number of DPAs and investigations ongoing in others, it is interesting to examine the initial effects of the GDPR in the EU. Has it managed to enhance protection for people’s privacy? Did the concern expressed at its potential impact turn out to be justified? Are different trends emerging in different EU countries? These and other questions are discussed below.

Several companies involved in Hungarian Data Protection Authority (NAIH) procedures have been fined. The usual amount of the fine is between HUF 500,000 and HUF 1 million (approximately EUR 1500 and EUR 3000).
In one of its most relevant recent decisions, the NAIH imposed a fine of HUF 1 million on a company with a turnover of HUF 15 million, which it considered a symbolic amount, for not restricting and issuing copies of camera recordings, despite a request from a data subject. The data subject wanted to use the recordings as evidence in legal proceedings, as stated in the request. The company justified its decision on several grounds, including the fact that the data subject did not indicate how deleting the recording would infringe his or her legitimate interest, and in connection with what legal proceedings he or she made the request (although required to do so under Hungarian law).
According to NAIH, the company violated the data subject’s right to restrict data processing. Under Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that restricting processing is necessary for the submission and enforcement of legal claims. There is no need to justify the right and the legitimate interest further than that. The conflicting Hungarian legal provision has been amended by the GDPR implementation law mentioned below.

In addition, the company failed to inform the data subject about the reasons for its decision and the legal remedies available to the data subject.
In imposing the fine, the authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant’s rights. The refusal of the request also led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the conflicting national legal provision was still in force, which could have misled the company in its decision to deny the data subject’s request.

Hungary has implemented the GDPR with an implementation act that came into force on 26 April 2019. The aim of the amendments is the harmonisation of sectoral laws in order to apply the GDPR. The GDPR implementation act amends 86 acts to comply with the GDPR, including the Labour Code. As a result, employees’ documents, the processing of criminal records and the agreements relating to the use of work-related IT equipment must be reviewed.
Experience has shown that the NAIH is active; several proceedings have been initiated checking the data processing practices of operators and assessing compliance.

GDPR „OMNIBUS” Act overwrites the usual HR process

On 26 April 2019, Hungary’s new ‘Omnibus Act’ implementing provisions of the GDPR took effect. This article examines its significant impact on employers and the continuing uncertainty surrounding some of the changes it introduces.

Only a few months ago, employers were required to readjust their processes in preparation for GDPR implementation, and now the new so-called ‘Omnibus’ act that amends the Labour Code, among other changes, has entered into force (on 26 April 2019). The new regulation requires immediate and very significant work from HR departments, while there are several open issues to be jointly interpreted by labour lawyers together with HR and data protection professionals on how to ensure their daily practice is compliant with the new but ambiguous regulations.

The bottleneck is a result of the fact that Hungarian lawmakers were well behind schedule with implementation of GDPR, leaving employers only a few days to review the new processes, since all employers must comply with all requirements from day one. There is a strong hope that (as has happened in several previous cases) the Omnibus Act will very shortly be corrected by a new amendment.

The GDPR ‘Omnibus’ Act amends 86 acts including the Labour Code in order to comply with GDPR regulations.

This amendment requires the review of labour contracts, HR processes and significant HR policies such as recruitment, selection, new employees’ induction process, operations, the data management of access control systems and use of employer’s devices, just to mention the most common areas concerned.

Employers and all organisations should have complied with the new regulations within a couple of days of entry into force.

Although the new requirements contain more details than the published draft bill, there are still several open issues on how to implement them in practice. For example, what is the meaning of, and what are the criteria for, the necessity and proportionality test contained in the new regulations in relation to limitations on employees’ personal human rights (in connection with e-mail, internet, device or video surveillance, etc.)? The GDPR only includes the privacy impact assessment and the ‘balancing test’ for ‘legitimate interest’.

The usual process of recording a new employee’s data is basically overridden by the new rule that the employer may only request presentation of an ID card and other personal documents, but no copies can be made, even with the consent of the employee. This will mean that proper identification of the employee would be difficult. The provision of false data by the employee may result in annulment of employment, but with a lack of proper evidence and documentation, the employer may not be in a position to act.

Handling of criminal data records is more strictly regulated, and in the future the basic rule is that no criminal record clearance may be requested from employees. Exceptional and very strict criteria are set for cases when the employer may require an employee to present criminal record clearance, but the precise criteria can be decided by the employer if a serious business risk for the organisation would arise from an employee with undisclosed criminal record working for it.

Finally, the amendment relating to data managed by the biometric access control systems (digital fingerprint, iris/retina scanning, face identification systems), and also the use of the employers’ devices is based on new principles, meaning that a review of internal policies relating to these issues must be conducted.

Amendments with regard to the GDPR have been published

The amendments with regard to the GDPR, which were adopted by the Hungarian Parliament on the 1st of April, were officially published today.

In order to harmonize with the GDPR, the amendments modify over 80 sectoral laws, including provisions of the Labour Code.

The majority of the amendments will come into effect at the end of April, but the modifications regarding the national accreditation and the protection of inventions by patents will come into force in May.

Legislative changes on the bill related to GDPR

With the entry into force and application of the GDPR, it became necessary to amend the domestic sectoral laws; the proposals are expected to be adopted by the Parliament this week. The draft also affects the provisions of the Labour Code.

Provisions related to workplace data management are defined under a new title, ‘Data Process’, after the section on the protection of privacy rights. According to this, in addition to the employer, the works council and the trade union may also request employees to make a statement or to disclose any information for exercising their rights or fulfilling their obligations as defined in the Labour Code. For the same purposes, they may also request that a document be presented to them; storing and copying the document is therefore not necessary, as it is sufficient for it to be presented and the necessary data recorded.

The draft further regulates the processing of biometric identifiers: the employee’s biometric data can be processed for the purpose of identifying the data subject if this is necessary to prevent unauthorized access to a thing or data, where such access would endanger the life, bodily integrity or health of the employee or others, or would cause serious or massive irreversible harm to a significant interest protected by law.

Regarding monitoring of the workplace, the draft provides, to the surprise of many, that the employee may only use the computing device provided by the employer for the purposes of the employment relationship. The parties may deviate from this rule by mutual agreement; however, by default, these devices cannot be used by the employee for private purposes at all. Although the draft provides that the employer may only access employment-related data when monitoring, it also qualifies as such, for the purposes of the above entitlement, the data necessary to verify compliance with the private use restriction.

The provisions of the above draft have not yet been adopted, so we will inform you about its subsequent adoption or possible modifications later on.

NAIH imposed a fine of one million forints

The Hungarian Data Protection Authority (NAIH) imposed a fine of one million forints on a company with a turnover of 15 million forints, which the Authority considered to be a symbolic amount of money, for not restricting and issuing copies of camera recordings, despite a request from the data subject.

The data subject wanted to use the recordings as evidence in legal proceedings, as he/she also stated in the request. The company justified its decision not to restrict processing and not to give out a copy of the recordings on the grounds that the data subject did not indicate how deleting the camera recording would infringe his/her legitimate interest, and in connection with what legal proceedings he/she requested the restriction of processing of the camera recordings, although this is required under Act CXXXIII of 2005 on the private security services and the activity of private detectives (Szvmt).

According to NAIH, the company violated the data subject’s right to restrict data processing. According to Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that the restriction of the processing is necessary for the submission and enforcement of his legal claims. In this regard, Szvmt. is expected to be amended soon.

According to the opinion of NAIH, the company should have complied with the request of the data subject without consideration, since the reason stated by the data subject shall be sufficient to fulfill the request.

In imposing the fine, the Authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant’s rights; furthermore, the refusal of the request led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the referenced provision of the Szvmt. is still in force, which could have misled the company in its decision to deny the data subject’s request.

Google fined €50 million for infringing the GDPR

On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for infringement of the GDPR. Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.
The Authority based the investigation on two complaints that arrived immediately after the entry into force of GDPR on May 25, 2018.

The CNIL examined the data processing operations complained of and found two types of infringement.

• Violation of the obligations of transparency and information:

The CNIL observed that the information on the data processing activities provided to users was neither easily accessible nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalization was spread across various documents.

• Violation of the obligation to have a legal basis for advert personalization processing:

Google relied on data subjects’ consent to process data for ad personalization purposes. However, the Authority found that this agreement did not constitute specific, informed and unambiguous consent by the data subjects, because they had to ‘agree’ to Google’s entire privacy policy and terms and conditions in order to access its products. The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed due to the use of multiple documents and the unclear depiction of the services and websites that would be involved in the ad personalization section.

Further, the CNIL noted that before creating a Google account, each user was asked to agree to the company’s terms of service and privacy policy, which he or she could only amend at a later time by going into ‘more options’ and de-selecting ad personalization.

This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018. In imposing the fine, the Authority took into account the serious breach of the main principles of the GDPR, according to which the maximum amount to be imposed could be EUR 20 million or 4% of the company’s global annual turnover. The factors taken into consideration in the Authority’s decision on whether to impose a fine, and on its amount, were the fact that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR, and that its data processing covers a wide range of data subjects. Lastly, the CNIL pointed out that as the company’s business model was partly based on ad personalization, Google had all the more reason to ensure that it complied with its GDPR obligations.

The fines serve as a lesson for employers that they need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.

Employee Stock Ownership Program as a possible alternative to cafeteria

The Employee Stock Ownership Program (ESOP) – which was introduced in 2015 – may offer a beneficial and flexible alternative to cafeteria for employees from a taxation point of view.
The point of ESOP is that the company’s employees acquire shares in their employer. The main purpose of the ESOP system is to create ownership interest for the participating employees. Although the employees become owners, they do not have voting rights; therefore, they have no say in the employer’s operations. Their shares only entitle them to receive payments through the company.
The law on ESOP was changed with effect from 1 January 2019. In this context, existing legal rules have been clarified and additional guarantee rules for employee ownership interest have been established.
The greatest advantage of ESOP lies in its taxation. Rather than being subject to a 45% tax burden on their salary, employees may receive a part of their salary with only a 15% tax burden as ‘investment income’ through the ESOP.

Blacklist on Data Protection Impact Assessment (DPIA)

Under Article 35 (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council („GDPR”), the National Authority for Data Protection and Freedom of Information („NAIH”) established a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment („black list”).

According to Article 35 of the GDPR: Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The GDPR defines some circumstances when a DPIA is to be carried out:
• a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and upon which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
• a systematic monitoring of a publicly accessible area on a large scale.

The black list contains the following processing activities when a DPIA is to be carried out:
• processing of biometric or genetic data;
• scoring;
• credit or solvency rating;
• further use of data collected from third persons;
• the use of the personal data of pupils and students for assessment;
• profiling;
• anti-fraud activity;
• smart meters;
• automated decision making producing legal effects or similarly significant effects;
• systematic surveillance;
• location data;
• monitoring employee work;
• processing of considerable amounts of special categories of personal data;
• processing of considerable amounts of personal data for law enforcement purposes;
• the processing of the personal data of children for profiling;
• the use of new technologies for data processing;
• the processing of health data;
• an application, tool, or platform for use by an entire sector;
• combining data from various sources.

Resolution on criteria for setting administrative fines

In its resolution published on 19 September 2018, the National Authority for Data Protection and Freedom of Information (NAIH) assessed the criteria to take into consideration during the process of setting a fine, especially the level of the fine that NAIH may impose in case of the first infringement of the data protection regulations.

The Authority is guided by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (“Regulation”) and Act CXII of 2011 on Informational Self-determination and Freedom of Information (“Info Act”) with regard to the determination of the fine.

Article 83 (1) of the Regulation states that administrative fines shall be effective, proportionate and dissuasive. Pursuant to Preamble (148), in the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.

This provision was supplemented by Section 75/A of the Info Act, according to which the Authority shall exercise its competence provided for in Article 83 (2)-(6) of the Regulation in due consideration of the principle of proportionality, in particular with the provision that in the event of any non-compliance with the Regulation for the first time, the Authority shall in principle issue a warning to the data controller or data processor in order to arrange the remedy of the infringement.

The Authority shall take into account the Data Protection Working Party (WP29) guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, available at the following link: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237
