What shall employers pay attention to from now on? We’ve collected the main points of the changes.
1. Restricting the personal rights of employees
Until now, employers could restrict employees’ personal rights only if the employees had been informed in advance. From now on, employers have to record the notice in writing.
- Employers shall provide information on the type, conditions and expected duration of the restriction in the notice. They also shall provide reasons for the necessity and proportionality of the restriction.
- This means that employers shall carry out a necessity and proportionality test to confirm that the restriction of personal rights complies with the law and that it does not unreasonably intervene in the privacy of employees. It is advisable to contact a GDPR expert to carry out the appropriate necessity and proportionality test.
- This rule also applies if the employer uses a technical device, such as an electronic monitoring or entry-exit system, to monitor its employees. The employees must be informed of this in advance and in writing.
- Information also counts as written if the restriction is communicated in the usual way, e.g. published on a whiteboard, intranet or internal website.
2. The use of Facebook on workplace computers is generally forbidden
According to the new regulations, it is generally forbidden to use computers, laptops or mobile phones provided by the employer for private purposes.
Everything that is not related to the job, e.g. browsing social media pages, reading newspapers, watching movies, etc. can be considered as a private purpose. (Of course, nowadays there may be cases when using social media is essential to perform certain job tasks.)
What shall employers do?
- It is recommended to inform the employees of this legislative change.
- It is also recommended to amend the employment agreements to make clear for what purposes employees may and may not use a workplace laptop or computer. If the employment agreement does not include any provisions on this issue, the general prohibition applies, i.e. no device at the workplace can be used for private purposes.
How can the employer check compliance with the prohibition?
- Employers are entitled to use a technical device to monitor employees, but the employer must inform employees in advance and in writing. (Some software can filter the websites a worker can visit. At some other workplaces, for example, the entire net is only available in certain time bands.)
- The employer shall set up a system that is able to monitor only the data related to the employment relationship, and not private data. This means that during the inspection the employer may view the data only to the extent needed to decide whether the data is private or not.
It is important to emphasize that the same rules apply to smart phones provided by the employer.
Is the employer entitled to check the employee’s own computer or mobile?
- Yes, but the employer is entitled to get access only to the documents and data that are related to the employment.
- If the employee uses his / her own phone to write work related emails, then the employer is entitled to check these, but the employer is only entitled to look at the employment-related emails.
- For the above reasons, it is not recommended for the employee to send private emails from his / her work email address, as the employer can see these, although the employer is not entitled to check their content.
What can the employee expect if he / she violates the law?
It is not a serious issue if the employee browses the net occasionally. However, it can cause problems if it happens regularly and the employee does not fulfil his / her job duties because of this. The employers may impose disciplinary punishment as a warning, and in the worst-case scenario the employee may lose his / her job.
3. Management of the employees’ data concerning health
Employers are not allowed to ask the employee for a medical opinion on his / her suitability (fitness) for the job. The occupational doctor provides it to the employer.
The employer is entitled to handle and process the data resulting from the occupational health examination, in accordance with the GDPR. If the employer processes such data, it must comply with the special terms regarding the processing of health data.
4. Mandatory impact assessment
It is mandatory for employers to carry out a data protection impact assessment if the work of the employees is monitored and their personal data are processed and evaluated systematically and in large numbers in the course of data processing. All inspections mentioned in the above paragraphs are considered to be of this nature; other examples of such data management are the use of GPS tracking in cars or the use of camera surveillance in premises to prevent theft or fraud.
In the course of impact assessments, it is necessary to assess the risk of data loss and disclosure, and to prepare for the management of a possible incident. It is advisable to contact an appropriate GDPR expert who will prepare a precise risk assessment, which can be presented to the Authority in case of an investigation.
5. Presentation of documents can be required
An employee may be requested by the employer to present a document if it is deemed necessary for the conclusion, fulfilment or termination of the employment relationship. Employers should be aware, however, that they are not allowed to make copies of the employee’s documents or to store them for these purposes. They are only entitled to ask the employees to present / show their documents and to record the data necessary for identification.
This means that certain documents (e.g. driving license) must be held by the employee. Problems may arise if, for example, the employee does not have a certain document with him / her at a possible labour inspection, as in this case the employer may be penalised.
The authorities’ practice regarding this requirement has not developed yet, so we will be able to provide detailed information about the appropriate procedures in the future.
For employers that have been copying personal documents until now, changing the system or masking is recommended.
6. When can a certificate of good conduct be requested from the employee?
An employer may process a certificate of good conduct before and during the employment, if the following conditions are met:
- The employer must lay down the terms and conditions of the processing of criminal personal data in advance, e.g. in an Ethics Code.
- Employers are allowed to manage criminal personal data to examine whether the employee’s employment in a particular position is excluded by law or by the employer. The employer may also specify conditions that exclude or restrict the employment, but these conditions shall be recorded in writing in advance.
- The employer may specify conditions for the exclusion or restriction of employment, if the employment of the employee in a particular position would constitute e.g. a threat to the employer’s substantial financial interests, the secrets protected by law or any other interest protected by law.
- Only the presentation of a certificate of good conduct can be requested; it shall not be copied or stored.