Blog

The so-called GDPR Omnibus Act („Omnibus Act”), which became effective on 26 April 2019, amended the legal regulation of data processing in the employment context.

The special provisions of data processing in the employment context are included in Act I of 2012 on the Labour Code (“Labour Code”); therefore, in this article we will focus on the amendments concerning the Labour Code. There are five categories of the relevant amendments as follows.

1. The employer’s obligation to provide information

The Labour Code already stipulated that the employer shall inform the employees about the processing of their personal data. The legislator now complemented this provision by saying that the information shall be in written form.

Earlier, the Labour Code specifically stipulated that the employer shall notify the employees about the participation of a data processor in the data processing. This provision has been deleted from the Labour Code, since this obligation is already clear from the provisions of the GDPR.

2. The processing of the employees’ biometric data

Based on the definition of the GDPR, biometric data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person. For example, facial images, fingerprints or retina images are considered biometric data. Pursuant to the GDPR, these data belong to the special categories of personal data. Therefore, their processing is prohibited, except in cases determined in the GDPR (e.g. if the data controller obtains the data subject’s explicit consent).

The Labour Code includes a detailed regulation on the employer’s processing of biometric data, and determines those exceptional conditions under which the processing is allowed. Pursuant to these provisions, the data processing is allowed if it is necessary to prevent unlawful access to an object, data, or restricted area, provided that the unlawful access would endanger (i) the employees’ or other persons’ life, physical integrity or health, or (ii) possibly cause a serious or massive damage of a so-called “significant interest protected by law”. The Labour Code contains an indicative list of these “significant interests protected by law” (e.g. the interest to the safeguarding of firearms, ammunition, to the safeguarding of toxic or dangerous chemical or biological materials, and to the protection of assets with value exceeding HUF 50,000,000).

Condition (ii) above narrows down the opportunities for processing biometric data. In cases where the data processing is based on condition (i) above,  the so-called balancing exercise (comparing the interests of the employer and the employees) and the data protection impact assessment (evaluation of the risks in connection with the data processing) may guarantee that the employer processes the employees’ biometric data only if justified. Conducting a balancing exercise is compulsory, because the legal basis for the processing concerning the employees’ biometric data is the legitimate interest of the employer. Pursuant to the so-called blacklist published by the National Authority for Data Protection and Freedom of Information, the employers shall conduct a data protection impact assessment if their data processing of biometric data has the purpose of unique identification and concerns vulnerable data subjects (e.g. employees).

During the legislative process of the Omnibus Act, many debates surrounded the employers’ data processing concerning biometric data. For example, during the public discussion, many people criticized the provision, pursuant to which the employer may have processed biometric data in order to keep records of working time. As a result of this criticism, this provision has been deleted from the final text of the Omnibus Act. Based on this, the effective legal regulation is stricter than the one the legislator originally envisioned.

3. The processing of the employees’ personal data relating to criminal convictions and offences

The GDPR allows for the processing of personal data relating to criminal convictions and offences only for official authorities and if authorised by EU or national law. The amended Labour Code provides such authorization. The employer may process the employees’ personal data relating to criminal convictions and offences if (i) the clean criminal record is significant pursuant to an Act (e.g. in case of lawyers, teachers), or (ii) if the employer requires the clean criminal record as the prerequisite of a certain position based on the employer’s significant material interests, on secrets protected by law or on interests protected by law (e.g. protection of nuclear substances). This is important, because, from now on, not only an Act may determine jobs where having a clean criminal record is obligatory.

4. The monitoring of employees at the workplace

Previously, the Labour Code stipulated that (i) the employer may monitor the employees’ behaviour only in the context of the employment, (ii) the methods used for monitoring may not be at the expense of human dignity and (iii) the methods may not violate the employees’ privacy. The monitoring was subject to prior notification.

The Omnibus Act deleted the reference to the human dignity. The Omnibus Act’s justification explains that human dignity shall be protected throughout the entirety of the employment and not only in relation to the monitoring. Pursuant to the Omnibus Act, the employer shall notify the employees about the monitoring in written form.

We deem the regulation of the use of electronic devices provided for working purposes the most important novelty in connection with the monitoring. Earlier, the Labour Code regulated this only in the context of teleworking, and stipulated that the employer may restrict the use of electronic devices solely to working purposes. According to the amended Labour Code, the employee may use the electronic devices provided by the employer only in order to perform his/her obligations stipulated in the employment agreement unless the parties agree on private use. The employer may monitor whether the employees comply with the prohibition of private use.

5. The presentation and copying of the employees’ documentation

Another significant novelty is that, pursuant to the amended Labour Code, the employers may only demand the presentation of the employees’ documentation involving personal data, but they may not copy them. Based on this, as a general rule, the identification cards, certificates, etc. of the employees may not be copied anymore.

There are exceptions from the above if the employer is legally obligated to make copies, for example when the employer qualifies as a provider under Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (you may read more about this in our next article).

In our view, the modifications concerning the data processing in the employment context leave more room for the employers and allow for a broader scope for them to monitor the employees and to process their biometric data. At the same time, one may also find changes that may make the employers’ life more difficult in the future (e.g. prohibition of copying the employees’ documentation). This requires the employers to review and – as necessary – to change their earlier practice regarding the recording of the employees’ personal data.

You may read our previous article containing general information concerning the Omnibus Act, as well as the amendments concerning CCTV observation here.

Aliz Póczek

Photo credit: pexels.com