Blog » 5 KEY CHANGES IN DATA PROTECTION IN HUNGARY FROM MAY 2019
5 KEY CHANGES IN DATA PROTECTION IN HUNGARY FROM MAY 2019
17 April 2019
It is not an April’s fool joke that almost one year after the GDPR entering into force, finally the Hungarian Parliament adopted the GDPR implementation act on 1st April. The act harmonizes various areas of the Hungarian legal system with the GDPR as it will amend more than 80 legal sources. In this short article we collected the 5 most important provisions of the implementation act.
1. Retention period of camera records
One of the most disputed provision of the current laws regarding camera surveillance is that, as a main rule, the records may only be stored until 3 working days. I saw in my GDPR Compliance projects that the clients often found this period too short. They felt that the aim of the camera surveillance cannot be fulfilled with such a short retention period.
I have good news for you: the implementation act repealed this 3 working days deadline. From now on it is the data controller who can decide for how long he retains the record.
Of course, this does not mean that you can keep the records as long as you wish. Indeed, you shall comply with the principle of storage limitation meaning that you can only keep the record until it is necessary for the purpose of the camera surveillance.
2. Register of access to camera records
As usual, more freedom means more responsibility. In this case, the downside of the possibility to establish longer retention period in relation with camera records is more administration.
This means that data controllers shall keep records of who viewed the camera records, what was the reason for it and when did it happen. The records may be in electronic form as well.
3. The prohibition of using company laptop for private purposes
The most heralded change of the implementation act is the explicit prohibition of the usage of company IT tools by the employees for private purposes.
Currently, the employers are free to decide whether they let employees use the IT tools for private purposes. If the employer does not specifically prohibit the private usage, employees can basically use their laptops for their own purposes.
This all changes with the implementation act: if the employer does not regulate the usage of company IT tools, based on the law, the employees may not use them for private purposes. If the employer wants to permit the private usage of laptops, this requires the specific agreement with the employee.
4. The possibility to request criminal records of the employee
After the GDPR entering into force, the legal environment was rather uncertain regarding the question whether the employer can request the extract of criminal records from the employees.
Certain experts claimed that in the lack of special provisions (eg. employment at an employer who cares for children) employers could not process criminal data of employees, thus they could not request criminal records. In February, the Data Protection Authority dealt with the question and was more generous.
The implementation act however ends the debate as it clearly set forth in which cases may the employer request the criminal records of employees. Based on that, the employer may establish conditions which exclude the employment (mainly the protection of his significant material interest. Then he can request the employee to show his criminal record so that he can control that no ground for refusal exists.
5. Retention period of employee files
I cheat a bit because it is not the Implementation Act which clarified the retention period of employee data but another act, however I think it is worth to share with you.
You may remember that it was not clear in Hungary for how long you shall store the employee records (eg. contracts) which may be the basis of the old age pension. Some claimed that these files cannot be scrapped at all, whiles others argued that a 50 / 30 years’ etc. retention period shall apply.
Now it has become clear that employers shall keep the employee records which may be the basis of old age pension until 5 years as of reaching of the pensionable age by the said employee.
The Implementation Act enters into force on 27th April 2019.
ONLINE CONSUMER CONTRACTS – IS YOUR BUSINESS CONCERNED?
Black Friday is once again around us: the time when online shops and the consumer protection authority cash in some extra income every year. We guess you’ve already read about the extreme discounts and the record-breaking fines by the authorities, so in our article, we will explain, that without your knowledge, your own business can easily step into the field of consumer protection, in which case, your contracts are subject to special rules. In our article, we show you how you can recognize these situations and, of course, summarize the obligations.Read more »
HOW TO TRANSFER PERSONAL DATA TO NON-EEA COUNTRIES? - NEW EDPB RECOMMENDATION
Since in the middle of summer 2020, the Court of Justice of the EU (CJEU) invalidated the Privacy Shield and put into question the applicability of the standard contractual clauses, we were wating for guidance from the European Data Protection Board (EDPR) how to transfer personal data to non-EEA countries in a GDPR-compliant way. Finally, the EDPB broke the silence and provided a 6-step guide which we summarize in this short article.Read more »
THE SUPREME COURT RULED – FLEXIBLE WORKING TIME CAN ONLY BE ORDERED IN WRITING IN HUNGARY
It is often the case that the employer does not clearly regulate the employment relationship of the employees, which later leads to an employment lawsuit. This happened in the case before the Hungarian Supreme Court, where a legal dispute arose in connection with the employee's work schedule, the stake is the payment of several million forints of overtime work compensation to the employee. In our short article, we analyze the Supreme Court’s decision and draw conclusions on how the employer can avoid similar situations.Read more »