
Five Changes in HR Data Processing Under the GDPR


Since the publication of Regulation No. 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), it is certain that the regulatory framework of data handling and personal data protection will significantly change.

The GDPR will become applicable on May 25, 2018. This means that member states have more than a year to harmonize or amend their existing laws if necessary. Individual businesses engaged in data-processing activities will also be preparing.

One key area where personal data processing is inevitable is the world of HR. Practically all businesses with employees must process personal data to some extent, which means that they will need to apply and comply with the rules of the GDPR.

Though the GDPR leaves room for member states to establish specific rules for the processing of personal data in the context of employment (e.g., recruitment, work organization, etc.), its general rules remain applicable. Drafts or details of relevant national legislation are not yet available in Hungary, but the most important innovations of the GDPR are known. Below, we take a quick look at some of those aspects of the GDPR that will most significantly affect the world of HR.

Harmonization of the Rules Throughout the EU

The most important objective of the GDPR is to harmonize data protection laws. This is in itself an important improvement for multinational or regional enterprises operating in more than one member state, as, once the GDPR enters into force, they will be able to adopt a unified approach in terms of handling employees’ personal data, as – in principle – the same rules will apply in all member states.

Concept of Personal Data

The GDPR will broaden the definition of personal data though the concept itself – data that makes a natural person identifiable – remains the same. In the world of HR, internal identification codes, personal numbers, or online identifiers by which an employee can be identified will be regarded as personal data and must be protected as such.

Due to the objectivity of the concept (identifiability), from a data-security perspective encrypted data may – under certain circumstances – also be regarded as personal data. Encryptions used 20 years ago can now easily be decrypted. Employers therefore need to review and, if necessary, implement new measures to ensure an appropriate level of data security.

Stricter Liability of Data Processors

The distinction between data controllers and processors, which already exists in Hungarian law, will be adopted by the GDPR. At the moment, data controllers are liable to data subjects for damages arising from any unlawful processing or from a breach of data security requirements. In contrast, as an important change, the GDPR takes a step towards the joint liability of data controllers and processors.

This change will definitely have an impact on providers of ancillary services to employers (e.g., payroll and cafeteria administrators), as they will now have a stricter liability towards employees.

Employee Consent

The most important legal basis of (employee) data processing remains the data subject’s consent. If data processing is required to perform a contract to which the data subject is a party, no consent is needed. From a data protection perspective, however, the extent to which intra-group transfer of HR data – for instance – is necessary to perform employment contracts may be questioned. Therefore, under the GDPR, employers may be required to collect employees’ consent to perform certain HR-related data-processing activities.

The GDPR clarifies that this consent should not be regarded as freely given if the data subject has no free choice or is unable to refuse or withdraw consent without detriment. Consequently, particular attention will need to be paid to the nature of the consent, as due to the hierarchical relationship between the parties the freeness of consent may be subsequently questioned.

Increased Fines

Finally, the GDPR dramatically increases penalties for non-compliance. As opposed to the current maximum fine of HUF 20 million (approx. EUR 65,000), the data protection authority will have the power to impose fines up to EUR 10 or 20 million or 2 or 4% of the company’s annual turnover. In addition, the data protection authority will have the right to ban or suspend data processing activities.

Due to the increased power of regulators and the broader rights of data subjects, all businesses should pay particular attention to GDPR-compliant handling of their employees’ (and others’) personal data.

By Kinga Hetenyi, Managing Partner, and Daniel Gera, Attorney at Law, Schoenherr Hungary

This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
