Hungary: New data protection guidelines in the DPA's 2009 Report

In 2009, the Hungarian Data Protection Supervisory Authority (DPA) dealt with 3953 cases concerning either data protection or freedom of information. On the basis of its investigations, the DPA has now issued its annual report, which contains important new guidelines for persons and companies that process personal data. It is therefore advisable for data processors to review their privacy practices.

The most important findings of the DPA’s 2009 annual report are the following:

  • The DPA performed its first on-site investigations and reviewed the operation of IT security systems and company procedures, particularly in connection with data security breaches and also in order to verify the compliance of telecommunications companies with the EU Data Retention Directive.
  • The DPA has also reviewed the general data retention practices of companies and given advice regarding the retention period in relation to specific types of document, and has suggested refinements in respect of the form and content of consents.
  • Employment-related issues: the DPA has repeatedly noted that the use of video surveillance in the workplace and tracking the location of employees with GPS (e.g. in company cars or via mobile phones) are permitted only in specific circumstances and subject to certain notification obligations. The DPA has also noted that “background checks” are generally not allowed. Disclosure of salary data, the monitoring of phone calls, e-mails and internet use, conducting personality or alcohol tests, and operating whistleblowing schemes are almost always subject to the preliminary consent of the employees. Consultation with the workers’ council (if one exists) may also be advisable. The DPA has noted again that data transfers from EEA to non-EEA countries must also be registered in the Data Protection Registry, even if they only concern employee or customer data or are made within a group of companies.
  • Future trends: the DPA is about to publish comprehensive guidance in relation to social networking sites, and has also noted that in relation to the processing of sensitive data, the relevant legislation will be updated in the future.
  • The DPA has extensively investigated the data processing practices of financial institutions and criticized any data processing which is carried out only for business purposes but which unreasonably restricts the privacy of customers. For example, the DPA has strongly contested the establishment of databases of so-called “positive” debtors and certain methods of debt collection.
  • The DPA has also issued detailed guidance on the data protection aspects of recording customer telephone calls.
  • In several cases, the DPA has advised data processors that the relevant persons must be informed of the logic involved in any automatic processing of data concerning them, such as performance at work, creditworthiness, marketing target group or taxation target group.
  • In 2009, new amendments were introduced to the direct marketing legislation. Companies involved in the compilation, maintenance or trade of DM databases or which conduct behavioural targeting should review their practices accordingly.

The full text of the DPA’s 2009 annual report can be found at http://abiweb.obh.hu/abi/beszamolok/2009/abi_2009.pdf