CLVPartners

data protection

New rules of aptitude tests

Partial abolition of the employer’s obligation to provide an aptitude test

The subject of much debate and uncertainty in recent months has been the abolition of the compulsory assessment of employees’ fitness for work by employers. The officially communicated legislative aim of the phase-out is (also) to reduce the administrative burden on companies. The purpose of this newsletter is to provide guidance to our clients on the changes and their associated responsibilities.

1.  The previous rules

Previously, the Labour Code and the Occupational Safety and Health Act generally stipulated that employers must provide an occupational fitness assessment free of charge for the employee before the start of the employment and at regular intervals during the employment. Unless the firm’s activity or the requirements of the job were subject to an exception rule, the general rule for the assessment of fitness for work was the NM Decree No. 33/1998 (VI.24.) (the “Decree“).

2. Legislative changes already in force and expected

In order to reduce the aforementioned corporate obligations, both the Labour Code and the Occupational Health and Safety Act were amended with effect from 1 September 2024.

However, the new wording did not fully clarify the obligations of companies. According to the regulation, in general cases, i.e. not covered by a specific occupational requirement (e.g. military service), the test must be carried out if the employer decides to continue the practice in the absence of an obligation or if the law continues to require it.

In the latter case, the draft of the proposals for public consultation have been published in recent weeks, several of which will enter into force in the coming days which aim to clarify when testing is mandatory. Our understanding is that those firms will continue to be obliged to carry out aptitude tests who are operating in the sectors covered by the drafts (e.g. construction, commerce). However, even for firms falling under the sectoral classification, only those workers who, by virtue of their job, fall into the categories listed in the same drafts (e.g. workers exposed to increased risk of accidents, of noise, of manual handling of loads over 10 kg; or workers who also work night shifts). There is one case in which the determining factor will not be the sectoral classification and the job, because if the employee works at night on a regular basis or for at least a quarter of his or her annual working time, he or she falls within the mandatory scope of the test, irrespective of the employer’s sectoral classification.

3. Proposal

Based on the above, it would make sense to recommend that companies should first check whether they fall within a sector covered by the drafts, and then, as a second step, assess the jobs covered by the obligation and organize the aptitude test for these employees.

However, the Occupational Health and Safety Act continues to provide as a general rule that the company is responsible for ensuring that the health of the worker is not adversely affected by his or her employment. This obligation can only be fulfilled with a high degree of certainty if the company assesses the potential risks to the employee on a case-by-case basis, taking into account the specific nature of the job. In the light of this, we recommend that companies should, as far as possible, maintain the aptitude test for all employees in accordance with the Decree until the detailed rules (including regulations related to the implementation of the Occupational Health and Safety Act) are known in their final form.

It is worth noting that the change has not only an employment law but also a data protection dimension, as the test regime is now in many cases based on the company’s decision, which requires additional data processing documentation.

Welcome two new lawyers to the CLVPartners© team!

CLVPartners© Law Firm is pleased to announce two new talented professional team members, Eszter Bohati and Anikó Hrebenku who have recently joined our team.

Eszter has more than 10 years of experience in the legal profession, 8 of which she spent in international law firms, advising on labor law, immigration, and data protection issues. She assists the law firm’s Clients in solving their everyday legal problems in  English and Hungarian and draws on her previous experience to provide personalized, high-quality solutions.

Anikó graduated from Eötvös Loránd University in 2017 and successfully admitted to the Budapest Bar Association in 2021. She gained remarkable experience at several law firms through the years in civil and labor law. She mainly supports our Clients in employment law, company law, and data protection issues in English, German, and Hungarian.

Please join us in welcoming Eszter and Anikó to our team. We are convinced that with their diverse backgrounds and exceptional skills, their arrival will further enhance our firm’s capabilities and performance to deliver excellent services to our Clients.

Data Protection Officers are under the spotlight in the European Data Protection Board’s latest coordinated enforcement action

Since 25 May 2018, there is hardly a company that has not had to deal with a Data Protection Officer, or DPO. It has been 5 years since the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; hereinafter: “GDPR“) came into force, but this does not and cannot mean that “the machine is running, the creator rests.” In view of the continuous development of case law, a review of the regulations may be necessary from time to time.

In 2023, the European Data Protection Board (“EDPB“) decided to conduct a coordinated enforcement action focusing specifically on the designation and operation of DPOs. The coordinated action involves 26 European data protection authorities.

The Data Protection Officer is responsible for protecting the rights and freedoms of data subjects and ensuring compliance with data protection rules. Impartiality and independence are among the requirements for DPOs that most often come to the attention of the authorities. Impartiality and objectivity ensure that the officer is able to closely monitor data management processes, effectively manage data breaches and advise the organisation on compliance with the GDPR and other relevant data protection rules. Impartiality guarantees that the DPO represents data protection issues of all interested parties, be it the employees, contractors, or the management of the organisation. The DPO shall be an expert who has no interest in the organisation or its data processing activities. Conflict of interest also means that the appointed data protection professional must not be in a position or engage in an activity that could jeopardise objective and independent decision-making.

A number of decisions on DPOs have been taken by national authorities in previous years, with the following conclusions:

  • The DPO must not only be registered with the competent authority of the mother company, but the organisation must also notify other relevant authorities if the organisation has other branches and the DPO can operate there too.
  • It is not possible to hire an external company as an outsourced DPO and at the same time also appoint a third party as DPO.
  • If the DPO is in charge of compliance, audit and risk management, the independence or impartiality of the role may be compromised.
  • The DPOs are not allowed to engage in a role as the controller’s representative before the data protection authority, as this could jeopardize the impartiality or independence of the DPO.
  • The DPO can be withdrawn if the DPO no longer has the appropriate professional skills or fails to comply with data protection regulations.
  • The DPO cannot be ordered, and therefore it is a breach of the GDRP if the DPO cannot act on his or her own, but only on the instructions of the head of the company (or any other person with the right to make decisions in the company).

A control plan may formalise the DPO’s procedure, but a direct instruction does not comply with the GDPR.

  • It is also a breach of the GDPR to have several hierarchical levels between the DPO and the senior management of the organisation because this way the DPO is no longer directly accountable to the management.
  • It is not an appropriate solution if the DPO is appointed, but the DPO also performs compliance functions in the company, thus compromising independence and impartiality. The authority in the case confirmed that the DPO cannot perform a role that allows him or her to determine the purposes and means of processing personal data.
  • Similarly, it has been held to be contrary to the prohibition of conflicts of interest, if the DPO is also a managing director of two subsidiaries which are responsible for processing data for the main company. In this case there is a conflict of interest because the DPO supervises the adequacy of the data processing tasks, while having a legitimate interest in the profits and operations of the data processing companies.

As the EDPB will focus on DPOs in its coordinated enforcement actions in 2023, we can expect to see a growing number of decisions in which the determining data protection authority makes decisions in principle on the functioning and impartiality of the DPOs. Further guidelines or statements may be issued by national or EU authorities.

Practical problems with cookie data management

Introduction

In today’s digital world, methods and technologies for collecting and processing personal data (e.g. cookies) are extremely widespread because they allow data controllers to learn essential information about us. For example, after a single search for a shoe on the Internet, we are almost inevitably confronted with advertisements for the same or similar shoes on other platforms.

The relationship between data controllers and individuals is fundamentally unequal, as average users are typically unaware of the many ways in which their personal data are handled. To balance this, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive“) and Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“) were adopted to ensure privacy and the protection of personal data. These EU laws set out minimum requirements for data controllers to compensate for asymmetric relationships.

NGOs such as None of Your Business (“NOYB“) are helping to ensure that these rights are effectively enforced. As a result of NOYB’s work the European Data Protection Board’s Cookie Banner Taskforce has published its newest report. In this, the Taskforce has identified 7 main cookie management practices which it considers to be inadequate in the light of the relevant legislation. These are briefly summarized below in order to help website operators to adapt their practices and users to be more aware of them:

No reject button on the first layer: It does not meet the requirements for consent if the information window on cookies that require consent only offers the option “accept” or “more information”, but without containing a button to reject the cookies.

Pre-ticked boxes: Indeed inadequate to pre-tick the boxes from the available options that the data controller prefers when setting cookies.

Use of a link: The accept button for cookie-related data management typically pops up automatically on all pages, but some data controllers provide the rejection option only through a separate link, making it difficult for users to make a voluntary choice and putting pressure on them.

Deceptive button colours and contrast: For valid consent it is also an important factor how the possibilities are visually represented. Indeed, if the colour or contrast of the buttons displayed is misleading for the data subject (e.g. if, in addition to the clear display of the accept button, the contrast between the colours of the reject and additional options button is so minimal that the text is almost unreadable), the consent given will most likely be considered invalid. Of course, this should always be considered on a case-by-case basis.

Misrepresentation of the legal basis: It is not lawful for the site operator to base data processing first on the consent of the visitor or, in the absence of consent, on legitimate interest. In this respect, it is particularly unlawful where the user has no possibility to object to the consent, given that in the absence of consent, the controller will process the data on the basis of his legitimate interest, as this may give the impression that the data subject can only consent to the processing and has no other choice.

Inaccurately classified “essential” cookies: The Taskforce has highlighted in its report, that many data controllers classify cookies as essential or strictly necessary, that in fact shall not be considered as essential.

No withdraw icon: A further requirement for consent is that it should be revocable at any time, in the same simple way as it was given by the data subject. Thus, data controllers should also provide for this possibility in relation to cookies (e.g. by placing a floating revocation button or link).

Summary

As can be seen from the above, data controllers must act in such a way as to ensure that users have access to the right information and are thus put in a position to make decisions. Of course, it is the responsibility of the data subjects to actually inform themselves and thus act and make decisions as informed users with regard to their own data (e.g. by customizing their preferences, leaving the visited pages after use, reading the NAIH’s information notices, the controller’s privacy policy).

New guidelines of the EDPB on data controllers and data processors

The European Data Protection Board (“EDPB” or “Board”) has adopted the final version of guidelines no. 07/2020 on the concepts of controller and processor in the GDPR on its meeting of 7 July 2021, which renews and replaces the previous guidance no. 1/2010 of the Article 29 Data Protection Working Party on the same subject.

The definition of roles of data controller and data processor has been and continues to be the most controversial issue of data protection law, both during and prior to the entry into effect of the GDPR, as the assumed role determines the obligations and thus the corresponding responsibility. For this reason, the new EDPB guidelines are essential for all actors involved in data processing activities.

  1. Identifying the data controller

According to the GDPR, the person determining the purposes and means of the processing of personal data shall be considered the data controller. Among the elements of the concept, the new guideline explained the means of data processing in most detail, implementing a sharper distinction compared to the previous guidance.

In the opinion of the Board, when identifying the data controller, the means of data processing shall be understood only as the essential means, which are the following:

  • type of personal data which are processed
  • duration of the processing
  • the categories of recipients with access to the data (including transfers of data)
  • the categories of data subjects

The EDPB also emphasizes that actual access to personal data is not a requirement to be considered the data controller.

  1. Identifying the data processor

According to the GDPR, the data processor is the person who performs the processing operations on behalf of the data controller. The EDPB identified two explicit and one implied condition for the identification of the data processor. The two explicit conditions are as follows:

  • The data processor is a separate entity from the data controller;
  • The processing operations are performed solely on behalf of the data controller and the data are not processed for any purpose or interest other than those of the data controller.

In addition to the above, the third implied condition is that the discretion of the data processor includes the choice of non-essential means of data processing, such as the location of data storage, the software and methodology used for data processing operations.

There must be a written contract between the data controller and the data processor regarding the data processing, the absence of a contract constitutes an infringement of the GDPR on part of both actors.

The EDPB emphasized that the GDPR also imposes stricter obligations on data processors compared to the previous regulation. In addition, in the data processing agreement, the data controller may indirectly hold the data processor responsible for the performance of the data controller’s obligations under the GDPR, therefore, in order to limit the data controller’s liability, the most important thing is to select a responsible data processor, and conclude a processing agreement which duly takes into account all responsibilities.

  1. A person under the direct control of the data controller or data processor

Compared to the concepts of data controller and data processor, the role under the direct control of the data controller or data processor set out by Article 29 of the GDPR is less frequently discussed, but in practice the majority of natural persons perform data processing operations in this capacity.

This category includes a person who is not separate from the data controller or data processor. For example, neither the managing director nor a department of the company can be considered a separate entity from the company.

This category also includes a person who, although carrying out processing operations on behalf of the controller, has no independent decision-making power over these operations at all. Directly under the direct control are mainly workers and employees, but it is important to note that from the point of view of data protection law, not only workers employed under the Labour Code should be considered as employees, but also, where appropriate, staff employed under a service or agency contract.

When identifying direct control, in addition to the type of legal relationship, it is therefore necessary to examine the decision-making rights of the individual, his or her integration into the organization of the data controller or data processor, and the control exercised by the data controller or data processor.

For persons under direct control, the GDPR contains a single requirement that personal data may not be processed contrary to the instructions of the data controller. It is also possible and recommended in case of the persons under direct control to impose the obligations of the GDPR, as well as to sanction any conduct that infringes data protection law, in a contract or internal regulations.

Should you have any questions regarding the above, feel free to contact us.

CLVPartners news

 

President of HDPA tempers position on thermometers!

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position.

Unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position, that unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

As a reminder, the Authority’s guidelines issued on 11 March 2020 and its confirmatory official position issued on 28 April 2020 considered disproportionate the requirement of screening tests with any diagnostic device (in particular, but not exclusively, with a thermometer), as the epidemiological situation in Spring did not warrant such measures.

The HDPA president’s statement did not affect the rest of the previously issued guidelines and official position, therefore all data processing in connection with the novel coronavirus epidemic such as body temperature measurement may only be introduced in the legitimate interest of the employer, substantiated by a proportionality test and the measurement shall be conducted by healthcare professionals or under their professional supervision under Article 9 (3) of the GDPR.

The Authority invariably requires employers to prefer measures which do not require the processing of personal data (basic hygiene, provision of disinfectants, adequate cleaning, provision of protective equipment, distance between workers).

Should you have any questions regarding the above, feel free to contact us.

Enormous data protection fine imposed by the HDPA

On 18 May 2020, the Hungarian Data Protection Authority („HDPA” or „Authority”) has imposed a fine of HUF 100 000 000 on DIGI Távközlési és Szolgáltató Korlátolt Felelősségű Társaság („Digi” or „Company”).
The decision has been published by the Authority today, which is by far the highest amount imposed since the GDPR’s entry into force and the existence of the HDPA. The facts leading to the fine and the subsequent decision of the Authority are summarized as follows:

Facts of the case

1. Due to a prior loss of data, Digi created a test database for the purposes of mitigating errors, which the Company filled with existing personal data. The test database was originally available on the Company’s website only with appropriate authorization.

2. The content management system (‘CMS’) applied by the Company had a vulnerability, which has been detected more than 9 years ago. This vulnerability can also be detected and amended automatically by adequate tools and applications. Through this vulnerability, anyone could view the test database without access authorization.

3. Exploiting this vulnerability, an ethical hacker gained access to the test database, where the personal data of a significant number of clients were stored in plain text without any encryption. These data included all personal identifying data, ID card numbers, and in some cases personal identification numbers, e-mail addresses, telephone numbers and bank account numbers were also included.

4. In addition to the above, data of newsletter subscribers and full access system administrators were also accessible through the vulnerability, which could have been used by an attacker to take over complete control of the website and access any personal data or trade secret available on the website.

Findings of the HDPA

The categories of personal data involved made identity theft possible for a potential attacker.

• It is also an aggravating circumstance that the number of people affected by the data protection incident is significant, even in relation to the entire population of Hungary, the Company’s market position would have justified the application of more serious data security measures.

• The vulnerability in the open source content management system has been known for a long time, and a fix is available to fix this vulnerability for free.

• Lack of encryption increased the risk of the incident, even though the Company would also have had the opportunity to encrypt its data for an insignificant cost.

Leaking access credentials for full system administrators severely increases security risk.

• The maintenance of the test database violated the principles of the GDPR, as the test database should have been permanently deleted once its purpose has been fulfilled.

• The Company has also violated the provisions of its own internal regulations.

In light of all of the above, the Authority considered that the warning would not have had sufficient deterrent effect and that a fine, the exceptionally high amount of which was explained by a number of aggravating circumstances, was justified.

Statement of the EDPB on data processing during the coronavirus epidemic

The European Data Protection Board (“EDPB”) has issued a statement on its website on data processing during the coronavirus epidemic.Please find our summary of the statement below:
1. The conditions of processing health data, as special category of data shall be specified by the national law in accordance with the GDPR. In this regard, the GDPR requires that the lawmaker defines specific measures and the suitable safeguards of the rights of the data subjects.

2. As per the position of the Hungarian Data Protection Authority emphasized, in the event of medical examinations such as body temperature measurement, this safeguard is the presence of a healthcare professional, therefore it is still not possible to implement such measurement at the workplace without the presence of a professional.

3. According to the EDPB’s position, the employers should inform employees if a coronavirus infected person has been identified at the workplace (to take the necessary protective measures), without revealing the identity of said person. The concerned employees shall be informed in advance and their dignity and shall be protected. Information on the infection should be first and foremost disclosed to those entitled to process these data, such as authorities and treating physicians if requested.

As the GDPR allows for a wide range of derogations in national law, we can expect a more detailed regulation of the data processing in relation to the epidemic.

The content of this article is not exhaustive and does not constitute a legal advice. Should you have any specific questions regarding any issues investigated by our articles, please contact us and we will be happy to be at your disposal.

ON THE DATA PROCESSING RELATED TO THE CORONAVIRUS EPIDEMIC

The Hungarian Data Protection Authority („HDPA”, „Authority”) has issued on its website a briefing regarding data processing related to the coronavirus epidemic, also including certain general legal obligations beyond data protection. We have summarized the most important details as follows:
1. It is not only a vital interest but also a legal obligation of employers to provide a healthy and safe workplace.

2. Prior to any data processing, employers may be expected to create an epidemic action plan (preventive measures, allowing alternative working conditions (“home office”), procedure to be followed if the infection appears, assignment of responsible personnel within the company, implementation of a reporting system).

3. As a preventive measure within the action plan, it is recommended to provide employees with all necessary details, especially on the most critical information on the coronavirus (rules of hygiene, symptoms, who to report to within the company). The document titled “Procedure regarding the novel coronavirus identified in the year 2020” published on the website of the National Public Health Center could provide helpful for employers when wording the information.

4. According to the Labour Code, the employees shall report to the employer if they have knowledge of a risk of infection, including the risk of their own illness. With regards to this, the reporting system shall be implemented in a way that allows for confidential processing of data.

5. In the event of a report or suspicion of infection the HDPA considers filling out a questionnaire appropriate. Particular attention shall be paid to data minimisation. Employers shall not process the data of the suspected employee related to the epidemic beyond the questionnaire. The Authority specifically notes that data related to medical history or medical documentation shall not be requested or processed by the employer!

6. It needs to be emphasized that the employer shall not begin contact investigation, this should be entrusted with the investigating authority having jurisdiction!

7. Also important to note, the employer shall not conduct medical examination (i.e. use of thermometer), however, the professional examination of employees may be initiated through the involvement of healthcare professionals (first and foremost the company doctor).

8. The legal ground for the above data processing is based on the employer’s legitimate interest, if the medical examination of employees becomes necessary, the exceptional purpose of processing shall be in the interest of providing a healthy workplace.

9. It is recommended for employers to favour measures that do not result in the processing of data (following basic hygiene, providing disinfectants, proper cleaning). We would also like to note that the legislation does not allow for employers to distribute vitamins, medicine or immune-boosting products, etc. among its employees, therefore these are not legally possible as a preventive measure.

GPDR after Brexit – Data transfers outside the EU

After years of negotiations the United Kingdom has officially left the European Union, therefore the UK has become a “third country”. We would like to take this opportunity to point out the special rules concerning the UK and data transfers outside the EU in general.
Data transfer to the UK

As we have noted in our latest article on Brexit, some changes need time to enter into force. According to the withdrawal agreement concluded between the UK and the EU, there will be a transition period until 31 December 2020. In this transition period, the GDPR is still applicable in the UK, so the UK would not be considered as a third country until the end of this year.

What happens after the transition period?

It is very important to note that any data processed before the end of the transition period shall continue to be processed in accordance with the GDPR. Thus, personal data transferred to the UK during the transition period shall be guaranteed the same level of safety as currently provided by the GDPR and data subjects have no cause to worry about their right to privacy.

After the transition period, the UK and the EU still need to iron out the specifics of data protection. Certainly, for most data controllers that would be most convenient if the UK continued to apply the GDPR.

However, in the event of a “no-deal” Brexit or if the “deal” excludes data protection, the rules of transferring data outside the EU would have to be applied to the UK.

Data transfers outside the EU

One of the most emphasized general rule of the GDPR is that transferring data outside the EU is not allowed only with a very few exceptions. There are three categories of these exceptions, “adequacy decisions” in Article 45, “appropriate safeguards” in Article 46 and “derogations for specific situations” in Article 49.

Adequacy decisions

With regards to Brexit, the second best scenario would be an EU Commission adequacy decision. Data may be transferred without any special rules or authorizations to third countries deemed to provide an adequate level of data protection. While the decision falls to the discretion of the Commission, we expect this to be a very likely outcome, as the UK has high standards of data protection in their national legislation.

Appropriate safeguards

Should the UK not be found adequate, the next option is for the data controller or processor to provide appropriate safeguards. These safeguards are subject to the approval/ adoption of the Commission and/or the supervisory authority. The most relevant of these safeguards are as follows:

• binding corporate rules (BCR) of a corporate group (approved by the supervisory authority);
• standard data protection clauses (adopted by the Commission);
• standard data protection clauses (adopted by a supervisory authority and approved by the Commission);
• an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;
• an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

The abovementioned options require either significant effort from the data controller (i.e. drafting BCRs or codes of conduct) or a proactive supervisory authority (i.e. drafting and adopting standard clauses). Since the GDPR’s entry into force, no standard clauses have been adopted yet. Consequently, most data controllers might find appropriate safeguards a barrier too high to entry.

Derogations for specific situations

The last option is derogations for specific situations, to be applied for exceptional cases and will not serve as legal basis for systematic or regular transferring of personal data. The most relevant of these situations are as follows:

• explicit consent of a data subject informed of the risks of transfer to the third country;
• transfer is necessary for the performance of a contract between the data subject and the data controller or a contract concluded in the interest of the data subject;
• transfer is necessary for the establishment, exercise or defence of legal claims;
• transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

In any event, if the data controller uses these derogations as basis for data transfer outside the EU, the transfer may only take place if it is not repetitive and concerns only a limited number of data subjects, in addition the controller must demonstrate a compelling legitimate interest and inform the supervisory authority as well as the data subject. This is considered the least favourable option for data controllers because of their obligations to inform.