New Guidance on Internal Whistleblowing in Hungary

The Data Protection Commissioner, the Hungarian Data Protection Authority (DPA) has released several guidances in the past (Guidance Nr 271/K/2007, Guidance Nr 295/K/2007 as well as Guidance Nr 652/K/2007) concerning the operation of employee ethics hotlines in Hungary. The Commissioner acknowledged in its standpoint that Hungarian laws did not specifically address the issue of internal whistleblowing, however, the operation of such systems indeed involves the processing of personal data, therefore the general data protection principles must be respected when the employer decides to  introduce such mechanisms. The Commissioner held that internal reporting systems must comply with the  Opinion of the Article 29 Working Party Nr 1/2006 (WP117) on internal whistleblowing. Considering that the Hungarian Labour Code does not specifically permit the introduction of such schemes, the Commissioner stated that the legal interest of the controller cannot legitimize the use of reporting systems and the voluntary informed consent of employees should be obtained. The Commissioner established that the scheme should promote constitutionally protected rights of the data controller or third persons. Further, the DPA made it also clear that the use of such systems must be notified to the Data Protection Register as it is the Commissioner’s understanding that the notification-exemption relating to the processing of employee (Section 30 a) of the Data Protection Act) data does not apply in the case of reporting requirements imposed on local employees.

In 2009, the Hungarian Parliament adopted the Act No CLXIII on the Protection of Fair Process which entered into force on 1 April 2010 and it governs public interest whistleblowing in Hungary. The new legislation made the aforementioned guidances of the Commissioner partially obsolete, since it introduced a separate legal basis for data processing in connection with reports concerning the (suspected) infringement of matters of public concern. The new Act lays down the basic rules regarding the collection of complaints, the confidential treatment of reports, as well as concerning the protection of whistleblowers and their close relatives. The Act permits the outsourcing of the operation of reporting mechanisms as well as the investigation of complaints provided that the employer adopts an internal policy on the reporting mechanisms.

Recently, the Commissioner released a new guidance (released under ABI-2997-3/2010/P ) which concerns the interpretation of the Act on Public Service, but the guidance articulates several requirements in connection with the operation of whistleblowing systems. Interestingly, the Commissioner held that it is per se illegal if reports are directly made to the mother company by employees, as whistleblowers (reporting persons) are not entitled to disclose the personal data of co-employees to third persons (including parent companies or affiliates), but only to the local employer, which statement causes severe problems to multinationals with centralized reporting systems and cross border investigation of complaints.

The full text of the guidance is available here. (in English)

The editors of DataPrivacy.hu hereby would like to thank Mr Csongor Palotás (Attorney at Law) for his valuable help for providing the translation of the above DPA guidance.