The Hungary DPA has recently issued a guidance document on video surveillance at the workplace, which addresses the issues of legal basis, guarantees, data retention, notice and registration requirements relating to surveillance systems.
Legal basis: First of all, the DPA acknowledged that consent is not an appropriate legal basis for the operation of surveillance systems at the workplace, as the voluntary nature of such consent is generally questionable within the employment context. The Guidance notes that the Hungarian Labour Code does not provide an adequate legal basis for the operation of electronic surveillance systems, therefore the DPA encourages employers to rely on the legitimate interest test articulated by Article 7 (f) of the EU Data Protection Directive. In that regard, the employer shall observe the data protection principles of necessity, proportionality and accountability. The employer should apply the least restrictive means and the surveillance system shall not infringe the employees’ human dignity or intrude into their privacy.
Legitimate purposes: The surveillance systems cannot be used for the monitoring of employees’ behaviour and permitted use shall be limited to the protection of health, safety or security of assets, including the safety of hazardous materials; protection of financial assets or secrecy; as well as protection of property. Bathrooms, toilets, locker rooms, medical rooms may not be subject to surveillance, since these measures may violate human dignity. The positioning and angle of the camera shall be limited to permitted locations.
Notice: The employer must adopt a policy on the operation of the surveillance system and specific, detailed, written notice must be provided to employees, which shall indicate the location of each camera as well as the purpose of its installation. A general notice on the operation of the surveillance system does not comply with requirement of a specific notice.
Data retention: Records of the surveillance system may be kept for a limited period of time that should not exceed three working days as a rule. The data retention may exceed three working days if the employer could substantiate that a longer period would be necessary. The DPA argues that data retention may be extended up to 60 days in case of financial service providers, banks or insurance companies.
Registration: data processing relating to the surveillance system must be notified to the DPA, if surveillance may also affect not only employees but third persons (such as visitors). Notification and registration is also a must, if the surveillance system is not operated by the employer directly, but by a service provider (security service) that is considered as a sole controller of the system.
The guidance is available under the following link (in Hungarian): http://naih.hu/files/Ajanlas-a-munkahelyi-kameras-megfigyelesr-l.pdf