In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
Whose Data Is It Anyway?
The employee, a project manager at the company, received a company laptop he was also permitted to use for private purposes if it did not hinder the efficiency of his work. After the company’s managing director noticed that the employee printed documents that contained a competitor’s logo, he became suspicious that the employee may have had unauthorised contact with competitors and requested access to his laptop to make a backup of the data stored on it. The employee denied such access because he stored private and trade union data on the computer. After a lengthy dispute involving lawyers and also the police, the employee was granted time to save and delete his private data; however, the company claimed that as part of the process, the employee was also trying to delete confidential business information from the laptop. To verify its suspicion, the company engaged an IT specialist to recover all the deleted data.
As part of a subsequent disciplinary proceeding, the managing director revealed to the employee that among the recovered data, they also found nude photos, bank account data, health data, private correspondence and names of trade union members. The managing director requested the employee make a declaration that he is identifiable on the nude photos so that such photos can be considered as private; otherwise, the company should disclose these photos as part of the disciplinary proceeding. The employee refused to declare this, after which he was dismissed from his position by extraordinary termination.
The Regulator Intervenes
The employee submitted a complaint to the NAIH regarding the data processing practices of the employer. In its investigation, the NAIH found the following deficiencies in the company’s IT policy and internal procedures:
- Besides the information on the technical measures applied for the monitoring, employees must also be informed of the privacy aspects of the monitoring; e.g., purpose of data processing, the data controller, data retention periods, data privacy rights and remedies.
- An IT policy must detail how the employer can access a company device and what kind of rights it may have; e.g., the possibility and the purpose of data recovery, the frequency and scope of back-up copies.
- The IT policy must either prohibit or enable the private use of company assets, without any reservations. In this particular case, the IT policy of the employer enabled the private use of company assets to the extent such use did not hinder the efficiency of the work. However, the NAIH considered this provision too vague and suggests a “yes-no” approach instead. In addition, the NAIH also emphasised that even if the private use is not permitted, the employer should not access the files of employees which are stored on a company laptop for private purposes, even if such storage is in breach of the IT policy.
- In this particular case, the employer’s IT policy contained prohibition on storing adult content and unauthorised third-party software on the company’s assets. The NAIH criticised the general definition of “inappropriate content” in the IT policy and implied that storing private nude photos on the laptop may not constitute “inappropriate content” at all. It is worth noting that this is the first time when the NAIH scrutinises the wording of an internal policy so sophistically.
- The NAIH found that the employer’s IT policy was not disclosed to the employees properly; although it was available on the intranet, the employer could not prove that the employers have fully read its contents. The employer could not prove that it held training to employees and sent the relevant policies via email either. Consequently, companies must always properly document the receipt of similar policies and training.
- The actual monitoring must always be a “last resort.” In this particular case, the suspicion regarding the unauthorised contact with competitors should have been investigated at first by the verification of the print-logger, the e-mail traffic on the company network devices of the employer, which may contain trace of such communication.
However, the question remains how to comply with this requirement if a malicious employee circumvents these “customary” company channels and tries to compromise the employer’s assets otherwise, and the company needs to intervene immediately to protect its confidential data.
- Employees must have the right to prepare for the disposal of their private files before the employer is accessing their computer. (Unfortunately, the NAIH does not analyse how to comply with this requirement in the event of immediate access, in order to protect the employer’s assets, and any delay would jeopardise the results of the investigation.)
- The employer must ensure that the monitoring does not affect the private data of the employees. As part of such obligation, the employer should have classified the recovered data in the presence of the employee either as employment-related or private file. The private data obtained in addition to company data from the recovered data content should have been immediately and irrevocably deleted.
Again, the question remains what happens if a malicious employer is trying to hide some compromising files by classifying them as private, in order to hinder the employer’s investigation.
- The recovered data must be analysed for the purpose for which it was originally accessed, i.e. to verify whether the employer has unlawfully disclosed confidential information. In this particular case, the NAIH criticised that the employer stored the recovered data for months but did not make any analysis on it, as originally intended during the first access to the laptop.
It is worth noting that the NAIH’s decision in this particular case was appealed before court, and the court ordered the NAIH to pass a new decision due to the inappropriate reference to the applicable laws. However, the initial decision may provide an insight –despite certain open questions highlighted above—into the issues which the NAIH may look into in case of similar investigations. Therefore, companies are advised to review and amend their internal policies and data processing practices on the basis of the above findings of the NAIH. If they violate data privacy rules, NAIH can fine them between HUF 100,000 (370 euros) and HUF 10,000,000 (37,037 euros).