
GDPR is coming!

Processing personal data in the employment relationship

The General Data Protection Regulation of the European Union (GDPR), which will uniformly regulate the legal framework for the protection of personal data in each member state, will be applicable from 25th May 2018. The GDPR imposes enhanced penalties for infringement of its provisions: the fine can amount to max. EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year. Thus, employers must also adjust their data processing to the new regulation by the above deadline.

The Article 29 Working Party of the EU has recently adopted a new opinion (Opinion 2/2017 on data processing at work), which focuses on the new obligations of employers under the GDPR.

The question is what tasks employers must carry out in practice in order to be prepared for the application of the GDPR.

Firstly, in order to be compliant with the GDPR, the employees' processed personal data and the legal ground for processing it must be reviewed.

The GDPR does not change the basic principle that an appropriate legal ground is needed for the lawful processing of personal data, but the WP 29 opinion highlights that consent can hardly be an appropriate legal ground for the processing, because the special relationship between employer and employee calls into question whether consent is provided on a voluntary basis. An appropriate legal ground may be, e.g., that the given personal data is necessary for the performance of the employment contract (e.g. bank account number), for the performance of the legal obligations imposed on the employer (e.g. health insurance number), or for the legitimate interests of the employer (e.g. checking emails). However, in the latter case, the employee's interests or fundamental rights and freedoms also have to be considered, as this processing may infringe the employees' privacy; such data processing is therefore to be limited to the minimum. It is thus advisable to limit this kind of data processing in time and in space. Data processed without a due legal ground must be erased.

Furthermore, it is highly important to review and update the employers' existing internal regulations and policies on data protection in order to be compliant with the GDPR. It has to be stressed that, according to the WP 29 opinion, a prior notice regarding data processing will also be necessary in the recruitment procedure, thus this notice is to be prepared as well. As for recruitment, it is worth bearing in mind that in the future, in case the candidate is not hired, the provided personal data (e.g. C.V., contact data) can be kept for further use only upon the employee's consent hereto. Accordingly, the personal data of unsuccessful candidates who did not provide their consent should be erased.

When checking the electronic communication of employees, employers must proceed with utmost care, since this kind of processing can violate the employees' privacy the most. Accordingly, the policies to be updated should cover data processing relating to electronic communication as well.

In addition to the preparation of the necessary policies, it is essential that the employees be effectively made aware of the new rules of data protection. Organizing a training session may be an effective way to communicate the new data protection regulations to the employees.

Finally, it is recommended to start the GDPR compliance programme as soon as possible because, even though there is no new additional national legislation in place yet, the Regulation is directly applicable in Hungary.


This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
