Hungary: Transfer By The Employer Of Employees´ Personal Data To The Us From The Perspective Of Hungarian Data Protection Laws

In this article, we briefly address the issue of what requirements prescribed by Hungarian laws on data protection must be complied with by an employer that wishes to transfer the personal data of its employees to the United States.

1 Data Transfer

According to the Act no LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest (the "Act"), the transfer of personal data of a person to a country that is not a member state of the European Economic Area (the "EEA") is subject to the prior expressed (written) consent from the person whose personal data are to be transferred. The consent must be obtained by the data transferor from the affected person(s) in each individual case. In the context of an employment relationship, the employer is required to obtain the expressed written consent from the relevant employee(s).

In addition, the personal data of a person may also be transferred to a country that is not a member state of the EEA if (i) said transfer is permitted by a specific Hungarian law and (ii) the laws of the relevant foreign country in question provide for an adequate level of protection for the management and processing of the personal data transferred. Under the Act, the level of protection is deemed to be proper if (a) the European Commission so determines (if, for instance, a US company wishing to receive the personal data is on the so-called "Safe Harbor List" prepared by the US Department of Commerce, condition (a) is deemed to be fulfilled)); (b) there is a treaty in place between Hungary and the relevant foreign country in which the contracting parties guarantee each other an adequate level of data protection or (c) the data manager or processor verifies, by making available the rules it applies to data management and processing, that an adequate level of protection is ensured for (i) the personal data of those affected by data management and processing as well as (ii) their rights and the assertion of their rights (e.g. the data manager applies standard contractual terms as referred to below or wishes to apply an ad hoc agreement on data transfer). Based on the Data Commissioner's Office's (the "DCO") stance, the US is, in general, not regarded as a country that ensures an adequate level of protection for data management and processing.

2 Submission Requirements

Based on the DCO's stance, in addition to obtaining the employees' express written consent to data transfer, the employer is advised to fulfill the condition under clauses (a) or (c) above. If the standard contractual clauses attached as an appendix to Commission Decision of 15 June 2001 on the standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (the "EC Decision no 2001/497") are signed by the relevant parties (i.e. the employer and the employee(s)), the signed standard contractual clauses do not need to be submitted to the DCO for approval. However, based on the DCO's view, if an employer wishes to apply an ad hoc agreement governing the transfer to a non-EEA country of the personal data of its employees, the draft agreement must first be submitted to the DCO for approval.

3 Registration Requirements

According to Section 28 of the Act, "prior to commencing operations, the manager of personal data must notify for the purpose of registration the data protection commissioner of the following:

a) the purpose of data processing;

b) the category of data and the grounds for data processing;

c) persons affected by data management;

d) the source of data;

e) the types of data transferred, the recipients and the grounds for transfer;

f) the deadline for deletion of specific types of data;

g) name and address (corporate address) of the data manager and the data processor, the place where records are kept and/or where processing is carried out, and the data processor's activities in connection with data management operations and

h) the name of and contact information for the internal data protection officer."

Pursuant to Section 30 of the Data Protection Act, "data management shall not be reported to the registry of data protection if data management concerns e.g. the data of employees, clients, members and/or students of the entity managing the data. Despite the afore-said, pursuant to the prevailing stance of the DCO, an employer wishing to transfer the personal data of its employees to the US must register himself with the data protection registry (i.e. a report must be made).

4 Conclusion

The safest solution appears to be if the Hungarian entity wishing to transfer to its US mother company the personal data of its employees (i) registers itself with the DCO (i.e. makes a report on the data transfer to the DCO) and (ii) obtains the explicit (written) consent of the employee(s) to data transfer by way of applying the standard contractual clauses as per the annex of the EC Decision no 2001/497 or an ad hoc agreement on data transfer which has previously been approved by the DCO.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.