In our modern age surveillance technology permeates many aspects of daily life and methods such as CCTV cameras have become a common phenomenon in the workplace. Given that their presence also raises significant questions regarding the privacy of the employees, multinational employers must be aware of the basic principles of using such methods in Hungary. In this short article we summarize ti most important issues related to CCTV surveillance in workplaces.

Smartlegal Schmidt&Partners reports from Hungary:

1.     CCTV in the spotlight of the Hungarian watchdog

The Hungarian Data Protection Authority is particularly concerned with the data protection issues related to the CCTV surveillance, since the entry into force of the GDPR the Authority has taken several damning decisions.

Problems include the lack of information provided to data subjects; cameras put on places where surveillance cannot be carried out.

Other typical omissions are the inadequate specification of retention periods or the use of recordings for purposes that were not originally included in the purposes for which they were collected.

2.     Data protection impact assessment

As a starting point, it is necessary to note that the Hungarian Data Protection Authority in its list under Article 35 (4) of the GDPR explicitly mentions the monitoring of employees’ work (e.g. placing a GPS in a car, camera surveillance for the purpose of combating theft or fraud) as a processing operation for which a data protection impact assessment is required.

This means that prior to the data processing in question (the monitoring) the controller shall carry out a data protection impact assessment (DPIA) which contains at least the following:

  • the description of the planned processing operation, its purposes and if applicable, the legitimate interest pursued by the controller,
  • the assessment of the necessity and proportionality of the processing,
  • the assessment of the risks to the rights and freedoms of the data subjects,
  • the measures envisaged to address the risks.

 

3.     Purpose and legal basis

Before starting the CCTV surveillance, the employer must clearly define the purposes of the processing. Lawful purposes may be e.g. supporting the protection of property, supporting the protection of life and physical integrity of individuals, collecting evidence[1]. The lawfulness of the purpose of CCTV surveillance also depends on where the cameras are placed.

Cameras may not be operated for the purpose of permanent and explicit surveillance of employees and the activities they carry out, and the use of electronic surveillance systems to influence the behaviour of employees at work may also be considered unlawful.[2]

When it comes to the legal basis, given the imbalance of power between employers and employees, in most cases, employers should not rely on consent[3] when using CCTV surveillance, as it is unlikely to be freely given.

Instead of the consent, employers should rather rely on their legitimate interest and carry out a legitimate interest assessment to evidence that the CCTV surveillance is necessary and proportional.

4.     Informing the employees

Based on the GDPR data subjects shall be informed about several detail of the data processing and it is now always easy to find a balance between providing all the necessary information and being transparent at the same time.

That is why the European Data Protection Board emphasized that in relation with the CCTV surveillance the layered approach of the information is particularly important.

The first layer shall be a warning sign and the most important information (e.g. purposes of processing, identity of the controller) and any information that could surprise the data subject (e.g. retention periods). The second layer of information shall be the detailed privacy notice which shall also be easily accessible by the employees.

Written by Anita Vereb

SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at smartlegal.hu

[1] see Guidelines 3/2019 on processing of personal data through video devices by the EDPB

[2] see decision NAIH-2732-2/2023 of the Hungarian Data Protection Authority

[3] see Guidelines 3/2019 on processing of personal data through video devices by the EDPB