CLVPartners

News

GDPR ‘Omnibus’ Act overwrites the usual HR process

On 26 April 2019, Hungary’s new ‘Omnibus Act’ implementing provisions of the GDPR took effect. This article examines its significant impact on employers and the continuing uncertainty surrounding some of the changes it introduces.

Only a few months ago, employers were required to readjust their processes in preparation for GDPR implementation, and now the new so-called ‘Omnibus’ act, which amends the Labour Code among other changes, has entered into force (on 26 April 2019). The new regulation requires immediate and very significant work from HR departments, while several open issues remain to be jointly interpreted by labour lawyers together with HR and data protection professionals on how to ensure that daily practice complies with the new but ambiguous regulations.

The bottleneck is a result of the fact that Hungarian lawmakers were well behind schedule with implementation of GDPR, leaving employers only a few days to review the new processes, since all employers must comply with all requirements from day one. There is a strong hope that (as has happened in several previous cases) the Omnibus Act will very shortly be corrected by a new amendment.

The GDPR ‘Omnibus’ Act amends 86 acts including the Labour Code in order to comply with GDPR regulations.

This amendment requires the review of labour contracts, HR processes and significant HR policies such as recruitment, selection, new employees’ induction process, operations, the data management of access control systems and use of employer’s devices, just to mention the most common areas concerned.

Employers and all organisations should have complied with the new regulations within a couple of days of entry into force.

Although the new requirements contain more details than the published draft bill, there are still several open issues on how to implement them in practice. For example, what is the meaning of, and what are the criteria for, the necessity and proportionality test contained in the new regulations in relation to limitations on employees’ personal human rights (in connection with e-mail, internet, device or video surveillance, etc.)? The GDPR only includes the privacy impact assessment and the ‘balancing test’ for ‘legitimate interest’.

The usual process of recording a new employee’s data is basically overridden by the new rule that the employer may only request presentation of an ID card and other personal documents, but no copies can be made, even with the consent of the employee. This will mean that proper identification of the employee would be difficult. The provision of false data by the employee may result in annulment of employment, but with a lack of proper evidence and documentation, the employer may not be in a position to act.

Handling of criminal data records is more strictly regulated, and in the future the basic rule is that no criminal record clearance may be requested from employees. Exceptional and very strict criteria are set for cases when the employer may require an employee to present criminal record clearance, but the precise criteria can be decided by the employer if a serious business risk for the organisation would arise from an employee with undisclosed criminal record working for it.

Finally, the amendment relating to data managed by the biometric access control systems (digital fingerprint, iris/retina scanning, face identification systems), and also the use of the employers’ devices is based on new principles, meaning that a review of internal policies relating to these issues must be conducted.

Reinterpreted Restrictive Covenant!

The Supreme Court has confirmed that it is not possible to incorporate the consideration for a non-compete into monthly wages, even in labour contracts with executive employees. The common practice is that employees are required to notify the employer of the data of their new employer.

Now, according to the decision of the Supreme Court, breach of the notification undertaking shall not be penalised, only breach of the restrictive covenant. This surprising decision would significantly reduce employers’ ability to check the fulfilment of this undertaking, because if there is no sanction for non-reporting, they do not become aware, or only by accident, that their former employee works for their competitor. The labour code but it is a contract governed by the Civil Code which is basically based on the principle of the parties’ freedom to freely determine their agreement in the absence of an expressly prohibited provision, and the Civil Code does not prohibit the imposition of a penalty for breach of the notification obligation. It seems that the courts leave less room for the Hungarian employers in their civil law

Amendments with regard to the GDPR have been published

The amendments with regard to the GDPR, which were adopted by the Hungarian Parliament on the 1st of April, were officially published today.

In order to harmonize with the GDPR, the amendments modify over 80 sectoral laws, including provisions of the Labour Code.

The majority of the amendments will come into effect at the end of April, but the modifications regarding the national accreditation and the protection of inventions by patents will come into force in May.

Legislative changes on the bill related to GDPR

With the entry into force and application of the GDPR, it became necessary to amend the domestic sectoral laws; the proposals are expected to be adopted by the Parliament this week. The draft also affects the provisions of the Labour Code.

Provisions related to workplace data management are defined under a new title, Data Process, after the section on the protection of privacy rights. According to this, in addition to the employer, the works council and the trade union may also request employees to make a statement or to disclose any information for exercising their rights or fulfilling their obligations as defined in the Labour Code. For these purposes they may also request that a document be presented to them; storing and copying documents therefore cannot be necessary for the above reasons, as it is sufficient to have them presented and to record the necessary data.

Under the draft, the processing of biometric identifiers is further regulated: the employee’s biometric data can be processed for the purpose of identifying the data subject if it is necessary to prevent unauthorized access to a thing or data which would endanger the life, bodily integrity or health of the employee or others, or cause serious or massive irreversible harm to a significant interest protected by law.

Regarding monitoring of the workplace, the draft states, to the surprise of many, that the employee may only use the computing device provided by the employer for the purpose of performing the employment relationship. The parties may depart from this rule by mutual agreement; however, by default, these devices cannot be used by the employee for private purposes at all. Although the draft provides that the employer may only monitor employment-related data, it also qualifies as such, for the purposes of the above entitlement, the data necessary to verify compliance with the private use restriction.

The provisions of the above draft have not yet been adopted, so we will inform you about its subsequent adoption or possible modifications later on.

Legislative changes in Hungary anticipating a possible ‘No Deal’ Brexit

The proposal affects the right of residence, employment and entitlement to social security and unemployment benefits for British citizens in Hungary.

The Hungarian government drafted a bill on 26 February 2019 titled “Amendments to certain laws in the event of the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union in a disorderly manner” under number T/4821. According to the explanatory memorandum to the bill, the likelihood of a disorderly exit has increased significantly, which means that at midnight on 29 March 2019 the United Kingdom of Great Britain and Northern Ireland would have the same status as third countries. The amendments to the law contained in the bill would enter into force in Hungary at the time and in the event of a no-deal Brexit.

As regards residence and employment, the essence of the bill is that British citizens can continue to hold the same status as an EU citizen for 3 years after the exit, which means they can legally reside and work in Hungary after leaving the EU provided their status is in order, i.e. they have a Registration Certificate for EEA Nationals or a Permanent Residence Card prior to the date of the exit. After the exit and after staying for at least 3 years in Hungary, they can apply for a National Permanent Residence Permit without examination of the terms and conditions applicable to housing, subsistence, health insurance and Hungary’s interest. After 5 years of uninterrupted stay in Hungary, British citizens may apply for an EC residence permit as well. In the latter case, however, the examination of the residence conditions, unlike for the national residence permit, cannot be waived.

As it follows from the rules above, British citizens arriving in Hungary after Brexit will be entitled to reside and work under the rules applicable to third-country nationals.

The main principle for the various social security benefits is that the benefits determined before the UK’s exit remain the same.
In terms of pension rights, the periods of insurance completed both before and after Brexit are recognized and offset, as proposed in the bill.

NAIH imposed a fine of one million forints

The Hungarian Data Protection Authority (NAIH) imposed a fine of one million forints on a company with a turnover of 15 million forints, which the Authority considered to be a symbolic amount of money, for not restricting and issuing copies of camera recordings, despite a request from the data subject.

The data subject wanted to use the recordings as evidence in legal proceedings, as he/she also stated in the request. The company justified its decision not to restrict processing or give out a copy of the recordings on the grounds that the data subject did not indicate how deletion of the camera recording would infringe his/her legitimate interest, or in connection with what legal proceedings he/she was requesting the restriction of processing of the camera recordings, although he/she is required to do so according to Act CXXXIII of 2005 on the private security services and the activity of private detectives (Szvmt).

According to NAIH, the company violated the data subject’s right to restrict data processing. According to Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that the restriction of the processing is necessary for the submission and enforcement of his legal claims. In this regard, Szvmt. is expected to be amended soon.

According to the opinion of NAIH, the company should have complied with the request of the data subject without consideration, since the reason stated by the data subject shall be sufficient to fulfill the request.

In imposing the fine, the Authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant’s rights; furthermore, the refusal of the request led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the provision of the Szvmt. referred to is still in force, which could have misled the company in its decision to deny the data subject’s request.

Google fined €50 million for infringing the GDPR

On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for infringement of the GDPR. Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.
The Authority based the investigation on two complaints that arrived immediately after the entry into force of GDPR on May 25, 2018.

The CNIL examined the data processing operations complained of and found two types of infringement.

• Violation of the obligations of transparency and information:

The CNIL observed that the information on the data processing activities provided to users was neither easily accessible nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalization was spread across various documents.

• Violation of the obligation to have a legal basis for advert personalization processing:

Google relied on data subjects’ consent to process data for ad personalization purposes. However, the Authority found that this agreement did not constitute specific, informed and unambiguous consent for the data subjects, because they had to ‘agree’ to Google’s entire privacy policy and terms and conditions in order to access its products. The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed due to the use of multiple documents and the unclear depiction of the services and websites that would be involved in the ad personalization section.

Further, the CNIL noted that before creating a Google account, each user was asked to agree to the company’s terms of service and privacy policy, which he or she could only amend at a later time by going into ‘more options’ and de-selecting ad personalization.

This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018. In imposing the fine, the Authority took into account the serious breach of the main principles of the GDPR, according to which the maximum amount to be imposed could be EUR 20 million or 4 % of the company’s global annual turnover. The factors taken into consideration in the Authority’s decision on whether to impose a fine, and on its amount, were the fact that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR, and that its data processing covers a wide range of data subjects. Lastly, the CNIL pointed out that as the company’s business model was partly based on ad personalization, Google had all the more reason to ensure that it complied with its GDPR obligations.

The fines serve as a lesson for employers that they need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.

Opportunities created by the “overtime act” put into practice

Amending Act CXVI of 2018 on the organization of working time and the minimum fee of labor leasing activity (hereinafter: amendment) was announced on 20 December 2018 and entered into force on 1 January 2019.

In this article we look for answers to the following questions: what opportunities has the change actually created for employers, and which employers can take advantage of them?
The amendment essentially concerns issues related to the organization of working time, in particular the rules on working time banking and overtime.

The new opportunities provided by working time banking are only open for employers with collective agreements, while the opportunities in the area of overtime may be used by employers without collective agreements as well, as follows:

I. Options based on collective agreement

According to the amendment, as from 1 January 2019 a maximum of 36 months of working time banking may be introduced on the basis of a collective agreement, instead of a maximum of one year. In practice, this means that employers wishing to apply a longer working time frame must initiate an amendment to the collective agreement currently in force or, in the absence of a collective agreement in force, conclude a collective agreement that includes that option with the trade union authorized to conclude the collective agreement.

It is important to note that not only a 36-month but also a shorter, e.g. 24-month, working time frame may be included in a collective agreement by the parties.

There is a statutory limit on extreme work schedule arrangements within the longer working time banking, in addition to the rules on rest days/rest periods: the 48-hour weekly limit must be observed as an average over one year at most (and not, for example, as the average of the three years).

For the time being, it is disputed whether the working time banking of more than one year is harmonized with the rules of Directive 2003/88/EC on certain aspects of the organization of working time. Article 19 of that directive provides that a ‘reference period’ for the calculation of working time or rest periods in a collective agreement may not exceed 12 months.

II. Options based on individual agreements with employees

The annual number of overtime hours can be increased up to 400 hours based on an individual agreement with employees. This option is therefore open to employers which do not have a collective agreement or do not have a trade union authorized to conclude a collective agreement.

400 hours is the absolute upper limit for overtime work. Higher amounts cannot validly be stipulated in a collective agreement either.

The employee may terminate the agreement by the end of the calendar year. Termination of the agreement shall not be a reason for termination of employment.

III. Options based on the request of the employee

According to the amendment, overtime (supplement payment) is not generated in situations where the employees themselves request the modification of the working time schedule in advance within 96 hours.

This provision recognizes situations that actually occur in practice, for example when the employee asks for a change in the working time schedule for personal reasons, e.g. to “exchange” a workday with another colleague.

It is important that the initiative really comes from the employee. Using employees’ requests to serve the employer’s interests is abusive and thus illegal.

In relation to the option described above, it is also important to take into account the general principle of labor law that working schedule arrangements and overtime arrangements are possible only if the requirements of healthy and safe work are met. In addition to the economic benefits associated with more flexible working hours, it is important to consider that the employer may be required to pay financial compensation for damage caused by workers who are proven to be overloaded, or for accidents and health damage caused to them.

Employee Stock Ownership Program as a possible alternative to cafeteria

The Employee Stock Ownership Program (ESOP), which was introduced in 2015, may offer a beneficial and flexible alternative to cafeteria for employees from a taxation point of view.
The point of ESOP is that the company’s employees acquire shares in their employer. The main purpose of the ESOP system is to create ownership interest for the participating employees. Although the employees become owners, they do not have voting rights; therefore, they have no say in the employer’s operations. Their shares only entitle them to receive payments through the company.
The law on ESOP changed from 1 January 2019. In this context, existing legal rules have been clarified and additional guarantee rules for employee ownership interest have been established.
The greatest advantage of ESOP lies in its taxation. Rather than being subject to a 45% tax burden on their salary, employees may receive a part of their salary with only a 15% tax burden as ‘investment income’ through the ESOP.

Blacklist on Data Protection Impact Assessment (DPIA)

Under Article 35 (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council (‘GDPR’), the National Authority for Data Protection and Freedom of Information (‘NAIH’) established a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment (‘black list’).
According to Article 35 of the GDPR: Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The GDPR defines some circumstances when a DPIA is to be carried out:
• a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and upon which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
• a systematic monitoring of a publicly accessible area on a large scale.

The black list contains the following processing activities when a DPIA is to be carried out:
• processing of biometric or genetic data;
• scoring;
• credit or solvency rating;
• further use of data collected from third persons;
• the use of the personal data of pupils and students for assessment;
• profiling;
• anti-fraud activity;
• smart meters;
• automated decision making producing legal effects or similarly significant effects;
• systematic surveillance;
• location data;
• monitoring employee work;
• processing of considerable amounts of special categories of personal data;
• processing of considerable amounts of personal data for law enforcement purposes;
• the processing of the personal data of children for profiling;
• the use of new technologies for data processing;
• the processing of health data;
• an application, tool, or platform for use by an entire sector;
• combining data from various sources.
