Hungary and Data Protection in the Workplace
Employers have a keen economic interest in ensuring that employees keep operational information confidential and spend work time completing necessary tasks efficiently and effectively. For this reason, employers have an inevitable need to monitor the work of their employees. At the same time, monitored employees also have a relevant need to protect their privacy and human dignity. These two opposing interests make setting boundaries an important part of fostering a positive work environment that meets the needs of both employers and employees.
Employers will often aim to control employee behaviour at the workplace, which nowadays is becoming increasingly difficult to completely separate from private lives. From time to time employees might send private e-mails from corporate accounts or browse the internet on office computers during work hours. Regardless of whether employees do this with malicious intent or at the expense of their job performance, an employer’s control powers conflict with employee personality rights.
Legal regulations set the general boundaries of an employer’s control power. An employer may only monitor and control an employee’s behaviour if it relates to work performance. In the course of monitoring and controlling, the principles of purpose limitation, necessity and proportionality must be maintained. Furthermore, an employee must consent to having his or her personal data collected and used. In Hungary, the Data Protection Supervisor has set forth the guiding principles for dealing with employee data. Our current newsletter focuses on legal regulations regarding an employer’s right to control, monitor or inspect employee corporate e-mail accounts and employee internet usage.
Surveillance of Employee Internet Usage
Regulations concerning surveillance of internet usage differ according to whether the electronic device (computer, notebook, tablet, smartphone, etc.) has been given to the employee strictly for work purposes or for work and private use. An employer that does not specify and declare that such equipment is strictly for work has no right to access or search any personal data stored on the device.
The Hungarian Data Protection Supervisor has issued a statement classifying an employee’s internet browsing history and habits (which sites are visited and how often) as personal data. Thus an employer is not permitted to monitor or analyse an employee’s browsing habits and history if private use is allowed. But if the employer issued the devices and internet access strictly for work purposes and specified this, then the employer may access and analyse an employee’s browsing history and habits. Such surveillance and analysis, however, requires the employer to give an employee advance notification about possible monitoring and how this will be conducted. If the employer does not provide specific information on whether the internet may be used for work only or for private purposes as well, monitoring is not allowed. If the employer proceeds to do so nevertheless, the employer is violating data management rules.
Employers should notify all employees in writing of a company’s internal regulations regarding employee internet usage. This should be in the form of a unilateral legal statement specifying the employer’s right to monitor usage. Internal guidelines can also serve to protect the interest of employees by making them aware of the conditions surrounding internet usage and the fact that their usage will be monitored.
However, the mere existence of an internal regulation is not sufficient to allow an employer to legally monitor employee internet usage. Data-protection-wise, the accepted procedure is to send the internal regulation to all concerned, who shall then prove their acceptance and acknowledgement of the regulation by, for example, signing an acknowledgement form. The internal regulation may also be acknowledged and accepted by signing an employment contract if this statement is included in the contract.
Monitoring Employee Email Accounts
In reference to employee email accounts, a distinction must be made between whether or not an employer has specifically stated that corporate email accounts are solely for work use or not. Preliminary information regarding the details of the possible monitoring is required. Internal regulations on the use of corporate e-mail accounts may also be communicated and confirmed through the signing of a corporate statement or an employment agreement.
Another issue related to the monitoring of e-mail accounts is whether the e-mail address includes the employee’s name (even a part of the name) and whether it may only be accessed by the concerned employee or others too. Employers are entitled to inspect and monitor corporate e-mail accounts at will when the account is used to manage general company issues and does not consist of a specific employee’s name and is accessible to more than one employee (such as addresses).
The Hungarian Data Protection Supervisor places corporate account email communications using name-specific accounts into two different categories. One category involves e-mails among employees and the second involves employee communications with parties outside the corporation. While employees know that e-mail communication may be checked by the employer, third party recipients are not only not aware of this fact, but have also not given their consent for this to happen. Therefore employer control power on e-mail correspondence with non-employees is restricted, even if the e-mail account is provided strictly for work purposes and preliminary information on monitoring was given to the employee. In such cases the control power is limited by the other party’s personal data protection rights.
If an employer has informed an employee of possible monitoring, the employer may request that an employee provide received and/or sent e-mails in printed form. The employer may also request the employee provide specific e-mails based on the e-mail headline (sender, recipient, subject, date).
The employee, however, may refuse to comply with this request on the basis of the confidentiality rights of the third party. However, if the e-mail account has solely been provided for work purposes and the e-mails have originated from the employee, then the employer may impose labour law sanctions against the employee for not fulfilling the request.
If the third party is in a legal relationship with the employer, the employee may not refuse to abide with the request on the basis of confidentiality rules. Parties in a legal relationship are allowed to access relevant data, and therefore are entitled to view emails containing such data. Therefore, an employer has the right to monitor email correspondence with a contractual partner. However, standard professional courtesy would be to include a line about such data processing regulations as part of the footer in email correspondences.
One group that is entitled to check communications is the computer administrator (system administrator, IT personnel, etc.) by checking the content of e-mail traffic in order protect computer systems and data. The computer administrator however shall not provide any information about the e-mails or browsing history to any third parties, including the employer.