Global menu

Our global pages


Global employment briefing: Hungary, June 2018

  • Hungary
  • Employment law


Hungary anticipates changes to employment data processing rules, reflecting the GDPR

The General Data Protection Regulation of the European Union (GDPR) applies from 25th May 2018 and affects employers’ data processing activities in Hungary. Although currently there are no changes planned to Hungarian laws, amendments of the Labor Code are likely to follow according to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság-NAIH).

Legal ground of processed personal data

In order to be compliant with GDPR, the way in which employers process personal employee data and the legal grounds for doing so must be reviewed.

GDPR does not change the basic principle that a lawful ground is needed for the processing of personal data, but individual consent is generally no longer a reliable legal ground for the processing. This is because GDPR recognises the relationship between employer and employee is not one which allows consent to be provided on a voluntary basis.

Going forwards, an alternative, appropriate legal ground for employers may be, for example, that processing the personal data is necessary for the performance of the employment contract (e.g. bank account number), or for the performance of legal obligations imposed on the employer (e.g. health insurance number) or for the legitimate interests of the employer (e.g. checking emails). However, in the latter case, the employee’s interests or fundamental rights and freedoms have to be considered also as this processing may infringe the employees’ privacy. Accordingly, such data processing should be limited to a minimum. Data processed without a legitimate legal ground must be erased.

Internal regulations and policies regarding data processing

Furthermore, it is important to review and update the employers’ existing internal regulations and policies on data protection in order to be compliant with GDPR. A prior notice on data processing will also be necessary, even for disclosure in the recruitment procedure. In this latter context, it is worth bearing in mind that in future, if a job candidate is not hired, the personal data they provided on application (e.g. C.V, contact data etc.) can be kept for further use only with the employee’s express consent and to the extent agreed. Accordingly, the personal data of unsuccessful candidates who do not provide their consent should be erased.

When checking the electronic communications of their employees, employers must proceed with utmost care since this kind of processing poses particular risks of unlawful intrusion into employee privacy. Accordingly, policies must be updated to address data processing relating to the electronic communications .

In addition to the preparation or update of policies required under GDPR, it is essential that the employees are made aware of the new rules on data protection. Organizing a training session may be an effective way to communicate the new data protection regulations to employees.