CLVPartners

HDPA

President of HDPA tempers position on thermometers!

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position.

Unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position, that unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

As a reminder, the Authority’s guidelines issued on 11 March 2020 and its confirmatory official position issued on 28 April 2020 considered disproportionate the requirement of screening tests with any diagnostic device (in particular, but not exclusively, with a thermometer), as the epidemiological situation in Spring did not warrant such measures.

The HDPA president’s statement did not affect the rest of the previously issued guidelines and official position, therefore all data processing in connection with the novel coronavirus epidemic such as body temperature measurement may only be introduced in the legitimate interest of the employer, substantiated by a proportionality test and the measurement shall be conducted by healthcare professionals or under their professional supervision under Article 9 (3) of the GDPR.

The Authority invariably requires employers to prefer measures which do not require the processing of personal data (basic hygiene, provision of disinfectants, adequate cleaning, provision of protective equipment, distance between workers).

Should you have any questions regarding the above, feel free to contact us.

Statement of the EDPB on data processing during the coronavirus epidemic

The European Data Protection Board (“EDPB”) has issued a statement on its website on data processing during the coronavirus epidemic.Please find our summary of the statement below:
1. The conditions of processing health data, as special category of data shall be specified by the national law in accordance with the GDPR. In this regard, the GDPR requires that the lawmaker defines specific measures and the suitable safeguards of the rights of the data subjects.

2. As per the position of the Hungarian Data Protection Authority emphasized, in the event of medical examinations such as body temperature measurement, this safeguard is the presence of a healthcare professional, therefore it is still not possible to implement such measurement at the workplace without the presence of a professional.

3. According to the EDPB’s position, the employers should inform employees if a coronavirus infected person has been identified at the workplace (to take the necessary protective measures), without revealing the identity of said person. The concerned employees shall be informed in advance and their dignity and shall be protected. Information on the infection should be first and foremost disclosed to those entitled to process these data, such as authorities and treating physicians if requested.

As the GDPR allows for a wide range of derogations in national law, we can expect a more detailed regulation of the data processing in relation to the epidemic.

The content of this article is not exhaustive and does not constitute a legal advice. Should you have any specific questions regarding any issues investigated by our articles, please contact us and we will be happy to be at your disposal.

ON THE DATA PROCESSING RELATED TO THE CORONAVIRUS EPIDEMIC

The Hungarian Data Protection Authority („HDPA”, „Authority”) has issued on its website a briefing regarding data processing related to the coronavirus epidemic, also including certain general legal obligations beyond data protection. We have summarized the most important details as follows:
1. It is not only a vital interest but also a legal obligation of employers to provide a healthy and safe workplace.

2. Prior to any data processing, employers may be expected to create an epidemic action plan (preventive measures, allowing alternative working conditions (“home office”), procedure to be followed if the infection appears, assignment of responsible personnel within the company, implementation of a reporting system).

3. As a preventive measure within the action plan, it is recommended to provide employees with all necessary details, especially on the most critical information on the coronavirus (rules of hygiene, symptoms, who to report to within the company). The document titled “Procedure regarding the novel coronavirus identified in the year 2020” published on the website of the National Public Health Center could provide helpful for employers when wording the information.

4. According to the Labour Code, the employees shall report to the employer if they have knowledge of a risk of infection, including the risk of their own illness. With regards to this, the reporting system shall be implemented in a way that allows for confidential processing of data.

5. In the event of a report or suspicion of infection the HDPA considers filling out a questionnaire appropriate. Particular attention shall be paid to data minimisation. Employers shall not process the data of the suspected employee related to the epidemic beyond the questionnaire. The Authority specifically notes that data related to medical history or medical documentation shall not be requested or processed by the employer!

6. It needs to be emphasized that the employer shall not begin contact investigation, this should be entrusted with the investigating authority having jurisdiction!

7. Also important to note, the employer shall not conduct medical examination (i.e. use of thermometer), however, the professional examination of employees may be initiated through the involvement of healthcare professionals (first and foremost the company doctor).

8. The legal ground for the above data processing is based on the employer’s legitimate interest, if the medical examination of employees becomes necessary, the exceptional purpose of processing shall be in the interest of providing a healthy workplace.

9. It is recommended for employers to favour measures that do not result in the processing of data (following basic hygiene, providing disinfectants, proper cleaning). We would also like to note that the legislation does not allow for employers to distribute vitamins, medicine or immune-boosting products, etc. among its employees, therefore these are not legally possible as a preventive measure.

HDPA issues statement on the monitoring of employee e-mails

At the end of last year, the Hungarian Data Protection Authority (HDPA) issued a statement, in which the HDPA commits itself to take all possible actions and use all available means – including adequate legal consequences to prevent further infringements – to stop the widespread practices of unlawful processing of employee e-mails. 
How does personal data enter the picture?

Even if an e-mail address was provided for the purposes of working, it might eventually be used by the employee for personal matters, or third parties might send personal e-mails to the address, which turns this into a question of data privacy. Although some advisable steps can be taken to prevent the personal use of work e-mail addresses (i.e. the prohibition of personal use of work assets), it is not seemingly possible to fully separate the two uses, since receiving a personal e-mail from a third party is generally outside the employer’s or employee’s control. It is also important to note that if an employee uses the work e-mail address for personal matters despite possible explicit prohibitions set in place, such an act will still be attributed to the employer’s data processing, thus the processing of personal data is unavoidable.

What is expected of the employers?

First and foremost, employers should determine the lawful ground of the processing. The HDPA highlighted storing, archiving and searching/ indexing as the most common processing actions performed on employee e-mails. Naturally, employers have a vested interest in the monitoring of employee e-mails, as it is necessary to control and maintain the work flow, therefore the lawful ground must be substantiated by a thorough balancing test prior to the processing. Once the lawful ground is established, it is advisable to prepare an SOP on the monitoring process.

The employer must duly inform the employees about the monitoring of work e-mails, the data processing and whether or not personal use of work e-mails is permitted or prohibited at the workplace.

Before or during the monitoring, the employer must take all reasonable steps to separate work related and private e-mails. In accordance with the principle of accountability, the employer should maintain a record of the steps taken during monitoring.

Considering the fact that almost every employer provides its employees with an e-mail address for work purposes, this statement is important to all employers who wish to be compliant with the GDPR and employees interested in the protection of their private lives.

NAIH imposed a fine of one million forints

The Hungarian Data Protection Authority (NAIH) imposed a fine of one million forints on a company with a turnover of 15 million forints, which the Authority considered to be a symbolic amount of money, for not restricting and issuing copies of camera recordings, despite a request from the data subject.

The data subject wanted to use the recordings as evidence in legal proceedings, as he/she also stated in the request. The company justified its decision of not restricting and giving out a copy of the recordings because the data subject did not indicate how deleting of the camera recording would infringe his/her legitimate interest, and in connection with what legal proceedings he/she requests the restriction of processing data of the camera recordings, although it is required to do so according to the Act CXXXIII of 2005 on the private security services and the activity of private detectives (Szvmt).

According to NAIH, the company violated the data subject’s right to restrict data processing. According to Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that the restriction of the processing is necessary for the submission and enforcement of his legal claims. In this regard, Szvmt. is expected to be amended soon.

According to the opinion of NAIH, the company should have complied with the request of the data subject without consideration, since the reason stated by the data subject shall be sufficient to fulfill the request.

In imposing the fine, the Authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant’s rights, furthermore, the refusal of the request has led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the provision referred from the Szvmt. is still in force, which could have misled the company in its decision to deny the data subject’s request.

Google fined €50 million for infringing the GDPR

On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for infringement of the GDPR. Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.
The Authority based the investigation on two complaints that arrived immediately after the entry into force of GDPR on May 25, 2018.

The CNIL has examined the complained data processing operations and found two types of infringement.

• Violation of the obligation to have a legal basis for advert personalization processing:

The CNIL observed that the information on the data processing activities provided to users was neither easily accessible nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalization was spread across various documents.

• Violation of the obligation to have a legal basis for advert personalization processing:

Google relied on data subjects’ consent to process data for ad personalization purposes. However, the Authority found that this agreement did not constitute specific, informed and unambiguous consent for the data subjects, because they had to ‘agree’ to Google’s entire privacy policy and terms and conditions in order to access the its products. The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed due to the use of multiple documents and the unclear depiction of the services and websites that would be involved in the ad personalization section.

Further, the CNIL noted that before creating a Google account, each user was asked to agree to the company’s terms of service and privacy policy, which he or she could only amend at a later time by going into ‘more options’ and de-selecting ad personalization.

This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018. In imposing the fine, the Authority took into account the serious breach of the main principles of the GDPR, according to which the maximum amount to be imposed could be EUR 20 million or 4 % of the company’s global annual turnover. The factors taken into consideration in the Authority’s decision whether to impose a fine or its amount, were the fact that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR, and that their data process cover a wide range of data subjects. Lastly, the CNIL pointed out that as the company’s business model was partly based on ad personalization, Google had all the more reason to ensure that it complied with its GDPR obligations.

The fines serve as a lesson for employers that they need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.

Resolution on criteria for setting administrative fines

In its resolution published on 19 September 2018, the National Authority for Data Protection and Freedom of Information (NAIH) assessed the criteria to take into consideration during the process of setting a fine, especially the level of the fine that NAIH may impose in case of the first infringement of the data protection regulations.

The Authority is being guided by the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“Regulation”) and the Act CXII of 2011 on Informational Self-determination and Freedom of Information (“Info Act”) with regard to the determination of the fine.

Article 83 (1) of the Regulation states, that the administrative fines shall be effective, proportionate and dissuasive. Pursuant to Preamble (148) in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.

This provision was completed by Section 75/A of the Info Act according to which the Authority shall exercise its competence provided for in Article 83 (2)-(6) of the Regulation in due consideration of the principle of proportionality, in particular with the provision that in the event of any non-compliance with the Regulation for the first time, the Authority shall in principle issue warning to the data controller or data processor in order to arrange the remedy of the infringement.

The Authority shall take into account the Data Protection Working Party (WP29) guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, available at the following link: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237

The National Authority for Data Protection and Freedom of Information regulates “cookies”

The National Authority for Data Protection and Freedom of Information published a notice about the data protection requirements of “cookies” this February.
The National Authority for Data Protection and Freedom of Information in its February announcement summarised the experiences on the data protection requirements of the “cookies” used by webshops, with a clear intention to create a legitimate and coherent practice.

The Authority draws attention to the fact that the at the same time, on 25 May 2018, both the new regulations on the general data protection and the new electronic communication regulation will enter into force, and the latter will regulate and standardise the cookies in the European Union.

The publication pointed out that to the direct marketing newsletters (DM Letters) not only the Law on Advertising and the Electronic Commerce Act shall be applied, but the Data Protection Law as well.