Contributed by VJT & Partners

INTRODUCTION

It would be incorrect to say that it was solely the GDPR that led to modern-day Hungarian data protection. Hungary has had close to a 30-year long data protection practice which has been long enough to develop an established approach to data protection supported by numerous decisions and guidelines.

As regards approach, the Hungarian Data Protection Authority (DPA) has always been considered one of the strictest privacy watchdogs in the EU due to its strict interpretation of data protection laws. It is especially strict in interpreting basic data protection principles and takes a very granular approach to data processing purposes, resulting in a much heavier documentation requirement (e.g. a much longer privacy policy) than in other EU countries.

This can pose problems as many foreign companies simply expect to localise their Hungarian data processing operations and automatically ensure a consistent approach across different jurisdictions (e.g. one uniform local privacy policy across jurisdictions). In short, meeting Hungarian data processing rules is a challenging task as, despite the uniform GDPR rules, the DPA still interprets the GDPR in its own way by adding its 'local flavours', which makes the Hungarian data protection environment unique.

Moreover, the Hungarian Data Protection Act itself also adds some specific requirements including extending the GDPR to manual data processing even where personal data is not a part of the filing system and, in some instances, even to the processing of a deceased person’s personal data.

Last but not least, as part of the GDPR implementation package, Hungary amended 86 sectoral acts in numerous sectors (including the employment, CCTV, finance, healthcare and marketing sectors) making room for plenty of GDPR derogations.

Overall, despite the GDPR’s intention to introduce uniformity, many Hungarian peculiarities still do not allow a cross-border uniform approach in Hungary.

In our guide, we provide a basic survival kit by focusing on the specialities of the Hungarian data protection practice that businesses must address when commencing any data processing activity in Hungary. First, we will provide an overview of the most important local Hungarian data protection flavours irrespective of the type of data processing. Secondly, we will present the Hungarian specialities in the context of employment and business data processing. Finally, we consider it important to touch upon the outlook of the Hungarian data protection practice.

THE MOST IMPORTANT LOCAL DATA PROTECTION SPECIALITIES

In this part, we present a general overview of the most important issues that regularly present a challenge in Hungarian data protection practice.

Data localisation

The GDPR applies not just to structured electronic data, but also to unstructured data (e.g. data in e-mails, PDFs and spreadsheets). Moreover, the Hungarian Data Protection Act extends the GDPR's reach to include manual data processing even where personal data is not part of the filing system (e.g. business cards). The bottom line is that businesses must identify all their data processing activities.

Purpose specification

It is not enough to locate the data processing activities; they must also be specified. For each data processing purpose, the data processing circumstances (e.g. the legal grounds, the scope of data, the duration of data processing, the persons authorised to process the data, etc.) may be determined only if the data processing purpose is correctly identified. The DPA requires the purpose to be as specific as possible so that the purpose can be interpreted in only one way (e.g. "sending a newsletter" is satisfactory as it could not be interpreted differently; however, "marketing" is unsatisfactory as it could be interpreted in numerous ways).

Transparency

The DPA considers that privacy policies must be written in a way that every layman could understand. At the same time, the DPA expects a controller to have a detailed privacy policy so that a data subject can gain a comprehensive understanding of the data processing circumstances for each data processing purpose. This means that the data controller must first identify the data processing purpose based on a purpose specification requirement and then all other data processing circumstances must be provided for each data processing purpose (e.g. in a table where each specified purpose is connected with the relevant data processing circumstances). This could result in long privacy policies, longer than businesses are used to.

Data minimisation

The DPA takes data minimisation requirements very strictly. Only data that is strictly necessary for the reason to process data may be processed. For example, the DPA has fined marketing companies for collecting unnecessary online marketing data, i.e. collecting e-mail addresses is permitted but collecting one’s phone number and date of birth data is not. If the scope of data is not set by law for the given data, the data controller decides for itself on the scope of the collected data but the data controller must strictly follow the logic of the data minimisation requirement. If the scope of collected data is set by law for the given purpose, the data controller may collect only that data.

Storage limitation

The DPA also keeps an eye on storage limitation requirements. In several rulings, the DPA has fined a company due to a breach of storage limitation rules (e.g. storing CCTV files for an unjustifiable time). If a specific law has set a retention period for the given purpose, those retention periods apply. If a specific law sets the data processing circumstances for the given purpose (e.g. the scope of the data that may be collected or the authorised persons who may collect the data) but without the retention period(s), the necessity of processing must be reviewed and documented every 3 years. In other cases, the controller decides the duration of the processing on its own but must strictly follow the storage limitation requirement.

Legal grounds

Obviously, the GDPR intended to make the application of legal grounds more flexible by providing room to apply various legal grounds to process data. However, the DPA applies quite a restrictive interpretation of those legal grounds. The following are the most important:

  • Consent – The DPA is very consistent in requiring 'voluntary' consent. Thus, a data subject must have the opportunity to give consent separately for each data processing purpose. This means that the data controller must work out a proper check-box mechanism (e.g. if there are 5 different marketing purposes, 5 checkboxes must be provided).
  • Legitimate interest – In business, it has become common to refer to legitimate interest as providing legal grounds to process data. Still, in the Hungarian data protection practice, the controller may rely on legitimate interest only if a proper balance test is carried out and documented. The balance test must demonstrate why the controller’s interest overrides the privacy interest of the data subject. The test must answer some basic questions, e.g.:
  1. What is the interest of the parties?
  2. Is there any alternative to data processing or a less privacy-invasive solution? and
  3. What guarantees are taken to protect the data subject’s rights?

For each data processing purpose, a separate balance test must be conducted; this could result in a significant additional administrative burden.

  • Fulfilment of contract – The Hungarian DPA accepts this very narrowly, i.e. where the data processing is necessary to fulfil the contract. For example, if the data subject breaches the contract, and the data controller assigns its claim to a debt collector agency, the debt collector agency may not rely on the fulfilment of the contract rationale as it is outside the scope of the original contract (concluded between the controller and the data subject).
  • Legal obligation – The Hungarian Data Protection Act provides that a legal obligation as legal grounds may only be accepted if Hungarian law specifies the data processing circumstances (e.g. the scope of data, the purpose of the processing or the duration of the processing). If the law does not provide the circumstances of the processing and makes too much room for the controller to determine such circumstances, the controller must instead rely on legitimate interest and carry out and document a balance test.

Data security requirements

In general, there are no special Hungarian flavours. But it is worth investing in data security measures as there is a shift from traditional GDPR to cyber-security and data breach issues; further, the Hungarian DPA has imposed its highest fine (approx. EUR 300,000) in this area. For certain organisations (e.g. critical service providers in the financial, energy or health sectors), the Information Security Act also applies (apart from the GDPR) which imposes additional security requirements (e.g. logging, data localisation or reporting security breaches).

Data breach management

The Hungarian DPA sets a very low threshold for data breach notifications. In general, controllers must file a notification to the DPA each time there is a reasonable certainty that a breach has occurred and the breach may have had an adverse effect on data subjects. Although it could be argued that the GDPR is more nuanced in this regard, the DPA has a strict approach and anything beyond the “not occurred” category is practically reportable.

EMPLOYMENT DATA PROCESSING

Hungarian employment data processing also has specialities in all cases from recruitment and selection through establishing and maintaining employment relationships to employee monitoring.

The Hungarian GDPR implementation has also brought important changes in the workplace environment by introducing new rules that cause hardships for employers in practice (e.g. not allowing copies to be made of employee documents).

In this part, we present the key Hungarian data protection challenges in the employment context:

Recruitment/selection

Candidates must get a company’s privacy policy together with the job description. Anonymous offers are not accepted. If a recruiter company is engaged, the candidate must give consent to the transfer of the CV to the employer. As a general rule, candidates’ background checks are not allowed. The exceptions to this are the need to request clear criminal records and check social media under certain conditions. Personality tests are not permitted.

Employment relationships

In the employment context, the basic data protection principles apply even under some stricter settings:

  • Legal grounds – Businesses must be careful that, in principle, consent is not an acceptable legal ground for employment data processing, as consent cannot be voluntary due to the subordinate nature of employment. The main legal grounds to process data remain legitimate interest and legal obligation. In some instances, the performance of a contract can also be used.
  • Data minimisation – This principle is very strongly reflected under employment relationships. The employer may require only data that is necessary to establish, complete or terminate the employment relationship, or that is important in relation to exercising employment claims. Moreover, during the onboarding process, employers may only ask the employee to show their documents (e.g. ID, driving licence, address card, tax card and qualification documents) and the employer may not make electronic or hard copies.
  • Confidentiality – Only the relevant authorised people within the employer’s organisation may have access to employee data. For company groups, the parent company and the affiliates are qualified as separate entities; thus, to disclose data within the group, lawful legal grounds must be provided.
  • Storage limitation – In principle, employee data may not be processed after the end of the employment relationship. But the employer may keep any records that may be important in an employment dispute for a further 3 years (i.e. for the limitation period set for employment-related claims) based on its legitimate interest. The employer may also retain any documents relevant to pension entitlement up to 5 years after the employee has reached pension age.

Strict conditions for employment monitoring

Even before the GDPR implementation package, it was clear that an employer may monitor an employee’s work (e.g. monitoring e-mail, laptop or internet use) only if the employer provides prior notice of this activity. But, the GDPR implementation package made it clear that such notice must be made in writing and it must cover why the employer’s measures are necessary and proportionate in comparison to limiting the employee’s personal rights.

The key takeaways are the following:

  • The employer may not store the employee’s private files;
  • The employer must provide the possibility to the employee to be present before the inspection. The employer must always act in light of the proportionality and gradual approach (e.g. if websites are blocked, website monitoring may not be needed); and
  • The employee must be properly notified before each respective monitoring.

BUSINESS DATA PROCESSING

The business data processing environment also remains a challenging field as the DPA strictly interprets this area as well. The DPA requires data controllers in this field to strictly follow the basic data protection principles (see THE MOST IMPORTANT LOCAL DATA PROTECTION SPECIALITIES).

The Hungarian GDPR implementation package, which aimed at harmonising the sectoral data protection legislation with the GDPR, has not brought particular easement either.

In this part, we present the key Hungarian data protection challenges in the business context:

E-commerce

In the e-commerce world, businesses tend to rely on the performance of a contract as providing the legal grounds to process data in a broad way as it makes their data processing operations practical.

However, this is not a sustainable solution in Hungary as the E-Commerce Act states that, for any data processing operation that does not strictly stem from the provision of the service (e.g. improving performance or marketing research), the service provider must specify any sub-data processing operations in advance.

In practice, this means that, prior to introducing a new e-commerce business, the service providers must examine whether the ‘provision of the service’ can be broken down into further sub-purposes and then examine the compliance of each sub-purpose against basic data protection requirements.

The data minimisation principle has a special dimension in Hungarian e-commerce. Apart from assessing which data is strictly necessary for a given purpose, service providers must pay attention to the requirement that the data collected for purposes other than ‘the provision of a service’ may not be linked with the user’s identification data.

Electronic marketing

To prevent client or lead dropouts, businesses regularly try to avoid consent in promoting their business, especially by using legitimate interest as the legal ground for data processing, because they consider that the GDPR is more flexible on legitimate interest. However, the Hungarian electronic marketing sector has been largely unaffected in this regard, as Hungarian law did not remove the consent requirement. In principle, electronic marketing (via email, fax or SMS) is allowed only if the user’s prior, explicit and unambiguous consent has been obtained.

The DPA recognises electronic marketing communication without consent only for offering similar products/services to existing customers. In such a case, obtaining consent can be avoided if the business carries out and documents a legitimate interest test in which it explains why its business interest overrides the user's interest, and the user has the right to opt out from future marketing communication at any time.

Internet use & social media

Website operators remain liable for any third-party cookies used on their website. Thus, they should only use cookies that they are fully aware of. Only functional cookies (those strictly necessary for the website's operation) do not require explicit consent but, even in this case, a legitimate interest test must be carried out and documented. Non-functional cookies (e.g. marketing cookies) may be placed on the user's device only based on prior and explicit consent (e.g. a cookie wall appears where the user can read the full cookie information and individually choose the cookies they want to be placed on their device).

A website operator who uses embedded social media modules (e.g. tracking pixels) is qualified as a data controller. Thus, the DPA expects such operators to examine how the social media modules involve transferring personal data to social media and to reflect this adequately in the privacy policy. It is also crucial to ensure a free consent mechanism for social media modules. If the user can access website content only by clicking 'accept all cookies', the consent will not be valid.

Retail sector

To comply with the GDPR, retail stores must remove pages containing customer comments/complaints from the public consumer complaint registry (so the general public can no longer view them). The retail stores must provide the serial numbers to the removed pages and only keep them in their internal records for inspection purposes.

SUMMARY

As presented, the Hungarian data protection practice has many local flavours.

The key issue remains whether the DPA will keep its own practice or rely more on the interpretation of the European Data Protection Board (EDPB) that has the role of making guidelines uniform across the EU.

There are some signs that the DPA is trying to avoid conflict with EDPB/WP29 international guidelines and thus, it has started to focus more on areas that dictate more uniform logic (e.g. data subject rights) instead of the privacy policy area which, for a long time, was an enforcement priority and was the main source of headaches for businesses in Hungary.

Still, the Hungarian DPA will continue to use its old practice in all issues that are not explicitly regulated by the EDPB guidelines. Currently, there are still many such unregulated areas.

The GDPR implementation of more than 80 sectoral laws also deserves special attention. It provides many additional special sectoral data protection rules and raises questions about where the GDPR alignment with the local laws has not been fully reached.

Overall, the Hungarian data protection environment must be treated carefully and it is worth investing efforts in complying with the local Hungarian flavours.