No April Fool Pranks – Legislative Amendments Required for the Implementation of the European Union’s Data Protection Reform

On April 1, 2019, the Hungarian Parliament adopted the bill on legislative amendments required for the implementation of the European Union’s data protection reform, which was promulgated on April 11 in Act XXXIV of 2019 (hereinafter referred to as: Enforcing Act). The Enforcing Act aims to adapt the Hungarian legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, i.e., the new General Data Protection Regulation (hereinafter referred to as: GDPR). Within this scope, the Enforcing Act calls for the greater or lesser amendment of a total of eighty-six (86) acts. Some of the amendments affect only the references used by an act, while others result in the deletion of certain sections to eliminate redundant duplications within the legal system, which have until now produced confusion in the interpretation of the law. In certain cases, however, the Enforcing Act introduces radical changes, new sections and completely novel provisions. Data controllers are not provided with much time for preparation because most provisions of the Enforcing Act already entered into force on the fifteenth (15th) day following promulgation, which in this case meant April 26, 2019.

We summarize below most major novelties of the Enforcing Act, focusing primarily on those rules which affect most economic organizations operating in Hungary.

1. Rules on Direct Marketing

An important deregulatory step taken by the Enforcing Act will be the exclusion of direct marketing activities from the scope of Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (hereinafter referred to as: Research Information Act). Consequently, the Research Information Act will only apply to public opinion polling and market research activities. This is a major change as it will end the contradictions of the regulations pertaining to direct marketing activities, which resulted from this area being subject to both the rules of the Research Information Act and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, together with new rules of the GDPR, which often resulted in interpretational dilemmas.

Additionally, companies shall no longer be burdened with the explicit statutory obligation of keeping a so-called “prohibitive list” (the Robinson list).

2. Processing Health Related Data

The fog is starting to clear up regarding the requirements of processing health related data as a result of the provisions of the Enforcing Act which amend Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data (hereinafter referred to as: Medical Privacy Act).

The definitions of health data and identification data are both going to be deleted and the Medical Privacy Act shall instead stipulate that data processed by the data controller together with health data, for the same or an inseparable purpose as part of the healthcare documentation, in order to ensure the identification of the data subject to whom the health data pertains shall qualify as identification data.

To comply with the GDPR, the Enforcing Act includes a clarification pertaining to the data of deceased persons: it explicitly states that certain provisions of the Medical Privacy Act shall apply to the circumstances and cause of death of the deceased, and that these shall qualify as health data.

It is an important and long-awaited amendment to the Medical Privacy Act that the requirement of receiving a written consent shall no longer prevail as a formal prerequisite of providing valid consents to the processing of health data. In the future, only a statement that is “based on proper information, expressing unambiguous intention and is expressed in a manner credibly evidencing the compliant statement” shall suffice to provide a lawful consent to processing health data. This shall provide the proper statutory background to the lawful use of countless applications which record and process various health related data and which are of growing popularity nowadays though generally not designed to enable the data subject to provide a written consent even when it would have been mandatory to do so.

The Medical Privacy Act clearly stipulates that data subjects are entitled to receive the first copy of their personal data free of charge. Any additional copies may be contingent on the payment of a fee, the details of which will most likely be defined in a ministerial decree.

3. Protection of Property and Individuals – CCTV and Access Control Systems

Another long-awaited change will be implemented in the amendment of Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (hereinafter referred to as: Security Act). The importance of this amendment stems from the fact that this was the only statutory provision which explicitly defined the (rather short) periods for which CCTV and access control system recordings collected within the scope of security services could lawfully be stored and thus the storage periods defined were cited and applied analogously by the Hungarian National Authority for Data Protection and Freedom of Information in its practice and recommendations even in the case of data processing operations that did not otherwise fall in the scope of the Security Act. This resulted in the Security Act having a far greater practical importance than it should have had on the basis of its own material scope of application and often tied the hands of companies when they set out to regulate their own internal CCTV and access control policies and systems.

One of the novelties of the Enforcing Act welcomed by many will be the removal of the short storage periods, which often rendered the original purpose of using a CCTV or access control system impossible to achieve. This, of course, does not mean that in the future the personal data embedded in these recordings can be stored for an unlimited period of time, but it does mean that from now on it shall be the responsibility of the data controllers intending to set up the system to regulate the respective storage periods in compliance with the rules of the GDPR, always taking into account the principles of data processing together with data minimization and storage limitation.

However, following the amendments introduced by the Enforcing Act, the Security Act shall stipulate that the footage recorded by a CCTV system can only be viewed upon drawing up a relevant report, which includes the reason for and the time of viewing the footage and the person(s) present.

Corresponding changes shall be implemented by the Enforcing Act in Act CXXXIII of 2003 on Condominiums and Act CXV of 2004 on Housing Cooperatives. Statutory storage periods shall be eliminated from these acts and strict restrictions pertaining to data transfer shall also be deleted. In the future, these questions shall be interpreted, and the relevant procedures set up, in accordance with the provisions of the GDPR. The amendments will be similar to those incorporated in the Security Act: CCTV footage can only be viewed upon drawing up a relevant report, and persons entering places equipped with a CCTV system must be informed of the details that are mandatory based on rules applicable to the processing of personal data, i.e., especially the existence of the CCTV system, the rights of data subjects, and the identity and contact data of the operating entity.

4. Labor Law Changes

The amendments introduced by the Enforcing Act that have received the greatest publicity, because they affect the widest circle and are probably the most important ones, are connected to Act I of 2012 on the Labor Code (hereinafter referred to as: Labor Code).

As a result of the amendments implemented by the Enforcing Act, the conditions of limiting an employee’s personality rights have become stricter. Pursuant to the new regulations, employees shall be informed about these limitations in writing and this information shall include the circumstances substantiating the necessity and proportionality of the limitation.

The amended Labor Code makes it clear that employers are entitled to request documents regarding the circumstances bearing significance from the point of view of the establishment, performance or termination of employment relationships or claims arising from the Labor Code, but employers are obliged to inform employees about the data processing activities and any aptitude tests they apply in writing (irrespective of whether or not they require the presentation of documents).

Several employers have already considered the possibility of or the need for biometric identification of employees. The Enforcing Act clarifies this issue by precisely stipulating the conditions and positions regarding which employers have the possibility to apply biometric identification methods. Employers may use biometric identification only if it is necessary to prevent unauthorized access to things or data which would otherwise risk human life, physical integrity or health or could result in serious or massive, irreversible infringement of a substantial interest protected by law. The legislator helps employers identify which “substantial interests protected by law” shall correspond with the previous conditions, as it declares that interests connected to the protection of data that are classified as at least “confidential”, the safe-keeping of firearms, ammunition, explosives, toxic or hazardous chemical or biological materials, nuclear materials and valuables over fifty million forints (HUF 50,000,000) do qualify as substantial interests protected by law. The act also provides some freedom to employers by making it clear that this list is not exclusive but rather illustrative.

The new regulation also clarifies the issue of handling certificates of good conduct (i.e. records from the penal register) by employers. In the future, employers may only request a certificate of good conduct, i.e. they can only process the criminal records of employees or applicants, if the law or the employer restricts or excludes the employment of people with criminal records from the given position. Employers shall only be entitled to enforce such restriction regarding positions where the employment of a person with a criminal record would jeopardize the employer’s substantial pecuniary interest or interests related to the confidentiality of secrets protected by law or the protection of firearms, hazardous or nuclear materials. Employers shall be required to regulate these issues in writing. Accordingly, employers shall destroy the certificates of good conduct they acquired until now and may request new ones only after having developed their procedures and internal regulations in compliance with the new provisions of the Labor Code.

The legislator also refines how employers can monitor employees and endeavors to ensure compliance with the GDPR by obliging employers to inform employees beforehand in writing about the technical methods applied to monitor employees. In order to prevent employers from unintentionally acquiring personal data related to the employees’ private life within the scope of monitoring, the Enforcing Act stipulates that employees may use the IT devices provided by their employer for performing their work only. Unless the parties expressly agree otherwise, the law will forbid employees to use their company phones, laptops, tablets and other IT devices for private purposes. Irrespective of the total ban, employers are still not completely free to monitor the employees’ IT devices. Pursuant to a new provision of the Labor Code and in accordance with previous legal practice, employers may only inspect any given data until they can decide whether the data is of a private nature. If the data is of a private nature, the inspection must be terminated, but the employer may apply the necessary consequences of labor law if the usage for private purposes in itself was unlawful.

5. Disclosures in Public Interest, i.e. Whistleblowing

The Enforcing Act sets out and in certain cases refines the definitions applied by Act CLXV of 2013 on Complaints and Public Interest Disclosures (hereinafter referred to as: Whistleblowing Act), which are relevant regarding whistleblowing systems applied by employers, including the definition of whistleblower and the person(s) affected by whistleblowing. It also defines the scope within which the personal data of the whistleblower may be processed and transferred.

The fact that it shall no longer be prohibited to process special data within the scope of a whistleblowing system is a significant and much needed amendment, as this prohibition often tied the hands of the employer unnecessarily. From now on, special data and criminal data can be processed and even transferred within the scope of a whistleblowing system in compliance with the principles set out in the Whistleblowing Act.

With regard to rationalization and data minimization, the Whistleblowing Act no longer requires the provision of the name and the address of the whistleblower. Based on the explanatory memorandum issued to the Enforcing Act, systems based on anonymous reporting are still not meant to be encouraged, but they shall not be prohibited either; however, the investigation of reports made by anonymous whistleblowers will remain optional.

Regarding data transfer abroad, the legislator stipulates that it can only take place if the receiving entity explicitly undertakes to provide the guarantees set out in the Whistleblowing Act. This restriction, unlike the data transfer restrictions of the GDPR, shall apply to all transfers outside Hungary and not only to data transfers outside the European Union. In case of the latter, the rules and guarantees required by the GDPR shall simultaneously apply.

The content of this newsletter is for information purposes only and should not be treated as legal advice by KNP LAW Nagy Koppany Varga and Partners or any of their attorneys. For more information please contact us.