According to Marton Domokos, Senior Counsel of CMS in Budapest, one of the hottest topics in Hungary at the moment is the new set of data protection recommendations issued by the country's Data Protection Authority (DPA), which he says have a wide range of ramifications in terms of employment policies.
One of the DPA's recommendations is related to the use of employee photos, which Domokos explains is usually not covered by internal privacy policies. The DPA is advising companies to review their policies by focusing on the necessity of the photo, as the company is entitled to use such photos as necessary for its operation.
Another employment related update — "and a more significant one," Domokos explains — affects how companies carry out background checks. According to Domokos, Hungarian legislation does not regulate the background checks that are usually carried out by employers. The DPA reviewed these practices in detail and recommended first that former employers can be contacted only with the potential employee's express consent. The DPA is also recommending the a request for a certificate of a clean criminal record — a public record document that is accepted as authentic and valid for 90 days — should be the only form of criminal record review. Domokos acknowledges that there are other "informal methods” services that employers use in the country, but notes that “employers should be cautious when employing such services because they are not in line from a data protection perspective."
According to Domokos, the DPA has also recommended that it is possible for companies to collect "publicly available data — such as from social media," but instructs companies to notify the employee should of this collection and the employee should be allowed to dispute or object to any inaccuracies such collection might result in.
While these recommendations primarily impact specific employment data protection issues, the DPA has also issued a major update with "general applicability in employment," according to Domokos. “It is a 40-page long document that covers all kinds of data processing practices in the workplace," he says, adding that one of the major elements is that consent cannot be a basis of employment-related data processing, even if the law allows for it. Domokos explains that the DPA claims that genuine consent cannot really exist in an employee-employer relationship and, as such, any purported consent is not valid. The new guidance from the DPA, Domokos believes, will lead to a real revision of workplace data protection policies. As an alternative, Domokos explains, companies need to implement the concept of a "legitimate interest," with employers being prepared to communicate the legitimate interest for its collection or processing of data and why that interest is important. This, he explains, actually provides companies with more flexibility, but the update will require redrafting of many internal policies.
Ultimately, Domokos explains, the DPA is preparing for the new EU Data Protection Board and the unified Data Guidances. "So far they have only issued just a very general guidance on this," he says, "but, interestingly, there are some concepts from the upcoming EU regulation that are already being used by the DPA such as in the case of voice recordings, where the DPA already is using access rights to a copy of the recordings."
In "The Buzz" we interview experts on the legal industry living and working in Central and Eastern Europe to find out what’s happening in the region and what legislative/professional/cultural trends and developments they’re following closely.