S Z E C S K A Y Ü g y v é d i



Similar documents
Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring *

Data Processing Agreement for Oracle Cloud Services

PRESIDENT S DECISION No. 40. of 27 August Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

Appendix 11 - Swiss Data Protection Act

SURVEILLANCE AND PRIVACY

POLICY. on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY

DATA PROTECTION LAWS OF THE WORLD. India

Guidelines on Data Protection. Draft. Version 3.1. Published by

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY (Department of Information Technology) NOTIFICATION New Delhi, the 11th April, 2011

Data Compliance. And. Your Obligations

CROATIAN PARLIAMENT 1364

singapore american school

BRING YOUR OWN DEVICE

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

GYMNASTICS NSW PHOTOGRAPHY ACQUIRING AND DISPLAYING IMAGES OF CHILDREN POLICY

POLICIES AND REGULATIONS Policy #78

Data protection compliance checklist

SAS TRUSTEE CORPORATION ( STC )

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

The Manitowoc Company, Inc.

Proposal of regulation Com /4 Directive 95/46/EC Conclusion

BRIGHAM AND WOMEN S HOSPITAL

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Personal Data Act (1998:204);

Closed Circuit Television (CCTV) code of practice. Based on the publication A Code of Practice for CCTV

Policy # Related Policies: Computer, Electronic Communications, and Internet Usage Policy

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

PHI- Protected Health Information

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

TRANSPORT NSW. Guidelines for the Use of Taxi Security Cameras in New South Wales

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

UNIVERSITY COLLEGE LONDON CCTV POLICY. Endorsed by the Security Working Group - 17 October 2012

How To Protect Your Data In European Law

VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE. Computer Use - Computer and Electronic Communication Systems.

DIOCESE OF DALLAS. Computer Internet Policy

on the transfer of personal data from the European Union

Introduction to The Privacy Act

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

Monitoring Employee Communications: Data Protection and Privacy Issues

INERTIA ETHICS MANUAL

INTERNET AND MONITORING OF COMPUTER USE POLICY SUMMARY

VIDEO SURVEILLANCE GUIDELINES

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

We use such personal information collected through this Site for the purposes of:

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

RIVERVIEW SCHOOL DISTRICT

AASA Online Privacy Policy CRP.020

ARTICLE 29 Data Protection Working Party

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Data Protection Consent Clause and Policy Background

PINAL COUNTY POLICY AND PROCEDURE 2.50 ELECTRONIC MAIL AND SCHEDULING SYSTEM

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

City of Grand Rapids ADMINISTRATIVE POLICY

Privacy Policy Draft

Video surveillance policy (PUBLIC)

Compensation for Occupational Injuries and Diseases Act 130 of 1993 (COIDA)

Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence

How To Write A Report On A Recipe Card

St Michael s CE (Aided) Primary School School Policy for the Safe Use of Children s Photographs

The potential legal consequences of a personal data breach

Interception of Communications Code of Practice. Pursuant to section 71 of the Regulation of Investigatory Powers Act 2000

GENOA, a QoL HEALTHCARE COMPANY GENOA ONLINE SYSTEM TERMS OF USE

TPS Corporate Services Personal Data Protection Policy

Data Protection Act a more detailed guide

8 Securities Limited ( 8Sec ) reserves the right to update and change the TOS from time to time without notice or acceptance by you.

Adaptive System of School Improvement Support Tools (ASSIST ) TERMS AND CONDITIONS

University of Limerick Data Protection Compliance Regulations June 2015

The Future Of UK Pharmaceutical Best Practices --By Lincoln Tsang and Silvia Valverde, Arnold & Porter LLP

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

The Internet and 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

Acceptable Use of Information Systems Standard. Guidance for all staff

Data Protection in Ireland

DATA PROTECTION AND DATA STORAGE POLICY

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM

Transcription:

EMPLOYEE MONITORING FROM THE PERSPECTIVE OF HUNGARIAN DATA PROTECTION LAWS While employers oftentimes wish to monitor the behavior of their employees, which generally is a rightful intention, it is also the employees' rightful expectation for the employer to respect their privacy and personal data. In this article, we provide a brief overview of the most important rules employers must observe when monitoring their employees. Under the Hungarian Labour Code, an employer may inspect the work of its employees. However, there are certain mandatory rules employers must comply with when actually monitoring employee's behaviour. The data commissioner has issued several opinions (aka information sheets) on the employer s control of the employee s use of Internet, email and cellular phone. They also addressed the issue of surveillance cameras at the workplace and to what extent and under what conditions employers may use them. Under the Hungarian Data Protection Act, personal data may only be managed with consent from the person concerned. Personal data means any information relating to an identified or identifiable natural person and any reference drawn, whether directly or indirectly, from such information. In the course of data management, such information shall be treated as personal data as long as the data subject remains identifiable through it. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. For the purposes of the Data Protection Act, data management means any operation or set of operations that is performed upon data, whether or not by automatic means, such as collection, recording, arrangement, storage, adaptation or alteration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction, and blocking them from further use. Photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images) also qualifies as data management. 1

It is worth noting that concerned person's consent means any freely given specific and informed indication of his / her wishes by which the person concerned signifies his / her agreement to his / her personal data being processed without limitation or with regard to specific operations. This means that for the purposes of the Data Protection Act, only consent that has been granted based on proper, complete and prior information given by the employer may be regarded as consent. We now briefly address the various means through which employee behavior may be lawfully monitored. 1 Internet Use The employer may monitor the use of Internet by the employees if (i) the employer has previously informed the employees that Internet is provided specifically for work-related purposes and of the prohibition to use the Internet for private purpose and also of the employees rights concerning data management and (ii) the employees have given their written consent regarding monitoring as indicated under clause (i) above. The monitoring must be proportionate with the aims wished to be achieved by the employer and must be justified by a lawful aim of the employer. Personal data can only be managed for specified and explicit purposes, where it is necessary for carrying out certain rights or obligations. This purpose must subsist in all stages of operations of data management. The personal data managed must be essential for the purpose for which they were collected, they must be suitable for achieving that purpose, and they may be managed to the extent and the duration necessary for achieving that lawful purpose. If the employer has not prohibited or restricted the use of Internet for private purpose or has explicitly allowed private use, the employer may not lawfully monitor employees' Internet use. It is worth noting that if the employer may monitor the use of Internet, it does not mean that the employer has the right to review all data collected through monitoring. The employer may only list the data downloaded and the sites visited; it may not review such data and sites. 2

Of course, the employer may restrict the employees' use of Internet in a way that certain sites cannot be opened. In addition, the employer may also easily list the sites opened and files downloaded. 2 Email Use If the employer wishes to monitor email correspondence, the employer must properly and completely inform the employees of the monitoring of email use in advance. The information must cover the following: (i) purpose and duration of monitoring; (ii) entity carrying out data management and (iii) rights of the data subjects. The employer must obtain prior written consent to such monitoring from the employees. Again, as indicated above, personal data may be managed only for specified and explicit purposes, where it is necessary for carrying out certain rights or obligations. This purpose must subsist in all stages of operations of data management. The personal data managed must be essential for the purpose for which they were collected, they must be suitable for achieving that purpose, and they may be managed to the extent and the duration necessary for achieving that purpose. It is worth noting that any email sent to or received from a third party may not be reviewed. This is because the third party has not given his / her consent to such review / data management. If the employer has provided an email account to the employees for work purposes, the employer may review the subject of the email, the name of sender and recipient, date and size of email. Following such review, the employer may require the employee to hand over to him a specific email. The employee may refuse to hand over an email only by way of reference to a third party s interest. Instead of a total prohibition from using the work-related email account for private purposes, it is also possible to restrict the use of email, e.g. in a way that emails above a certain size may not be sent from the specific email account or no email may be sent to a specific addressee. 3

It is worth noting that IT hosts may review email correspondence if such review is necessary for protecting the employer's IT system from viruses. However, it is essential that the information collected by the IT host through the review may not be handed over to third parties, including the employer. 3 Cellular Information If the employer wishes to know where certain employees are during working hours, the employer must properly and completely inform the employees in advance of such monitoring during working hours. The information must cover the following: (i) purpose and duration of monitoring; (ii) entity carrying out data management; (iii) rights of the data subjects. The employer must obtain prior written consent to such monitoring from the employees. Personal data may be managed only for specified and explicit purposes, where it is necessary for carrying out certain rights or obligations. This purpose must subsist in all stages of operations of data management. The personal data managed must be essential for the purpose for which they were collected, they must be suitable for achieving that purpose, and they may be managed to the extent and the duration necessary for achieving that purpose. The employer may under no circumstance monitor the location of its employees out of working hours. It is worth noting that the employer may not monitor any private calls from office cellular phones nor may it list the calls placed by the employee. This is because the third party (the calling party or the person called) has not given his / her consent to such monitoring. A practical proposal, as suggested by the data commissioner, is as follows: The employer sets a threshold (budget) for the employees up to which threshold the employer pays the cellular phone bill. This threshold may be determined in a way that it also covers the costs of some estimated private calls by the employees. The relevant employee then pays the amount exceeding the monthly threshold. 4

4 Use of Surveillance Cameras If an employer wishes to install surveillance cameras at the workplace, it must properly and completely inform all employees of the surveillance in advance. The information must cover the following: (i) purpose and duration of surveillance; (ii) entity carrying out data management; (iii) rights of the data subjects and (iv) whether the surveillance cameras record or simply show real time events without recording anything. Personal data may be managed only for specified and explicit purposes, where it is necessary for carrying out certain rights or obligations. This purpose must subsist in all stages of operations of data management. The personal data managed must be essential for the purpose for which they were collected, they must be suitable for achieving that purpose, and they may be managed to the extent and the duration necessary for achieving that purpose. An employer must obtain prior written consent from the employees if surveillance cameras are used to check the performance and/or presence of employees. No consent is needed if surveillance cameras are used to detect theft (e.g. if the cameras are installed in a warehouse). In this case, prior information is sufficient. The use of surveillance cameras may not be secret. In addition, no surveillance cameras may be used in changing rooms, restrooms, toilets or kitchens. The surveillance cameras must be installed in such a way that they are clearly visible to those entering the relevant room and a sign must be posted at the entry of the rooms equipped with such cameras. In addition to the above, the employer must ensure that the footage is deleted as and when necessary under the law. 5

Although employees can request that the employer delete relevant footage relating to them, the employer may refuse this request if it turns out that the employee requesting deletion committed a theft which can be proven by the relevant footage. The contents of this article are intended to provide only a general overview of the subject matter. Specialist advice should be sought for specific matters. Queries relating to this article should be addressed to the author at: ZOLTAN.KOVACS@SZECSKAY.COM 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information