The Hungarian Parliament has adopted the sectorial legislative amendments relating to the European Union's data protection reform (Act XXXIV of 2019, the "Amendment") which entered into force on 26 April 2019. The Amendment modified 86 legislative acts, to harmonize Hungarian sectoral data protection legislation with the requirements of the GDPR. Key legislative changes for each sector are summarized below:
Health Care Sector
The Amendment aligned the special definition of personal data concerning health with the GDPR. Moreover, it extends the application of the Act XLVII of 1997 on the processing and protection of personal data concerning health and related personal data to deceased persons' data, if processed as part of health documentation. It also removed the requirement that the consent to the processing of personal data concerning health must be documented in written form. In practice, this facilitates health service providers’ and application providers’ lawful processing of personal data concerning health based on the data subject's credibly documented explicit consent, given in other than a written form with wet signature.
Financial Services Sector
Service providers must no longer copy that side of a natural person's home address registration card that contains his/her personal identification number and store that number. The Amendment now authorizes financial services providers to transfer customer personal data to comply with group-wide AML/CFT policies and procedures. The former Hungarian law implementing the AML Directive did not establish that exemption and has caused uncertainty around financial service providers’ right to intra-group transfers of data for AML/CFT purposes.
Security Services Providers / CCTV operations
Security services providers operating CCTV systems no longer need to obtain implied consent from individuals to make the recording. Data controllers are now permitted to use the legitimate interest test as regards CCTV systems operations. In addition, the Amendment removed the mandatory data retention periods applicable to the CCTV security footage.
Physical stores must keep a consumer complaints registry (in Hungarian: "vásárlók könyve"). From now on, traders must remove pages containing customer comments or complaints and retain in serially numbered form the removed pages for inspection by the consumer protection authority.
Employers / Compliance
The Labor Code now includes a new chapter on the processing of personal data. The Labor Code says that only the presentation of documents may be required from employees (meaning a document may be available only for the employer's personal inspection and the employees document’s may not be copied by the employer, unless the law expressly provides otherwise).The Amendment authorizes the employer to use biometric identification measures if needed to prevent unauthorized access to any information or assets that may lead to serious or irreversible consequences (i) to the life, physical integrity or health of others or (ii) to any other significant interest protected by law. Moreover, employers may process job applicants' and employees' criminal personal data for vetting purposes if it is required to safeguard the employer's financial interests, safeguard information protected by legislation or if required in connection with the storage of firearms, ammunition, explosives, toxic or dangerous chemical or biological materials or nuclear material. In addition, the Amendment prohibits the employee's private use of company IT equipment, unless the employer and the employee explicitly agree otherwise. In connection with whistleblowing systems, employers may now process special categories of personal data. This is significant because the prohibition on such processing in prior legislation caused several practical problems with the handling of sexual harassment cases reported through whistleblowing systems in Hungary.
Advertising and Marketing Sectors
The advertising and marketing sectors are largely unaffected by the Amendment. The Amendment did not introduce any material legal changes regarding electronic and postal direct marketing because it did not remove the explicit consent required to send direct marketing communications to natural persons. Accordingly, advertisers will generally continue to have to ask for each individual recipient's explicit consent to send such communication – whether by electronic or postal means – in each of the B2B and the B2C contexts. The special opt-out rule regarding direct marketing bulk postal mails sent simultaneously to at least five hundred natural person recipients / addressees and that contain a uniform marketing message(s) (except for the addressee’s name, address and other modifications which do not alter the nature of the message(s)) remains unchanged. Further, there is still not any soft-opt-in exemption for electronic direct marketing of similar products or services obtained from customers in the context of the sale of a product or service. This means that processing personal data for direct marketing purposes still generally requires the recipient data subject's consent. This approach does not seem to be aligned with the GDPR, which says that direct marketing can be conducted on the basis of legitimate interest.
Considering these recent legislative changes, we recommend:
- reviewing and updating the employee privacy notice provided to Hungarian employees, including making disclosures regarding the legitimate interest assessments concerning employee privacy rights' restrictions, including employee monitoring measures and device audits, if any
- reviewing and updating internal policies regarding the private use of IT equipment and the conditions thereof
- preparing written regulations regarding use of job applicants' and employees' criminal personal data for vetting purposes; and
- reviewing local practices regarding the copying of employee documents for HR purposes (such as IDs, residence cards and other similar documents and other ID documentation).