Hungary’s Data Protection Authority (NAIH) recently issued a position paper (only in Hungarian) on the copying of documents certifying that the qualifications of employees comply with the ISO 9001:2015 quality management system standard.
In drafting this paper, the NAIH examined in general whether an employer may store copies of employee education documents on a protected server, with limited accessibility, based on a legitimate interest. The NAIH's previous practice, which was stricter than most European data protection authorities, consistently prohibited the copying of official employee documents. Hence, the new position paper's more flexible approach is of particular interest to all employers.
Employers should revise their internal HR processes, records of the processing of employee data, and employee privacy notices in order to reflect the NAIH’s newly established requirements more precisely. In the new position paper, the NAIH states:
- Employers may lawfully keep their own internal records of the qualifications of each employee, the date and method of proof of qualification (e.g. by presenting a certificate of graduation, diploma or vocational qualification).
- From a data protection point of view, it is irrelevant how the processing of personal data (that are otherwise lawfully processed or able to be processed) is technically carried out, and in what form (e.g. the data are entered into an Excel/Word document, copied or scanned into a document where the data that cannot be lawfully processed are masked out).
- Employers may lawfully copy documents relating to employee qualifications if they copy only the personal data that they are otherwise entitled to process in the context of the employment relationship (i.e. the copy does not contain any additional data beyond what they are otherwise lawfully entitled to process). In this case, the copying of the personal data on the document is a processing operation, but is not a new processing purpose in relation to the original purpose of the data collection and represents a way of collecting data for the original purpose that otherwise helps to ensure the information's accuracy.
- The employer may store the extracted versions of the documents as long as the processing of personal data proving that education and training has to be carried out due to the existence of the legal relationship for employment on which it is based or a mandatory data processing period is prescribed.
- A copy of a document certifying education or training does not have the probative value of being a certified copy of a valid public document, so the copy is not suitable for establishing the authenticity of the information it contains.
- Different rules may apply to data processing in other employment relationships (e.g. in the case of a service contract with a private individual).
- The mere need to comply with the ISO 9001:2015 quality management system standard does not entitle the employer to make and keep copies of documents certifying the qualifications of its employees. The best practice in this case is for the employer to make a note or record at the start of employment that the given employee or other person has presented the original documents proving his or her education, the relevant data of which is recorded by the employer (e.g. serial number of the document, date of qualification). In order to verify the authenticity of the content of the document, the employer may use the 'four eyes' principle when producing this document or the content may be recorded in a public or private document with full probative value.
For more information on this policy paper and data-protection regulations in Hungary, contact your CMS client partner or local CMS experts.