On 23 August 2016, the Hungarian Data Protection and Freedom of Information Agency (DPA) released comprehensive guidance on employment background checks, covering contact requests sent to past employers, criminal background checks and general Internet searches about candidates. Although the DPA’s guidance is not binding, it provides useful information to data controllers about the manner in which the DPA interprets applicable data protection law requirements.
The DPA guidance says that the Hungarian Labour Code does not specifically authorize employers to conduct background checks of employees. The Labour Code’s general provisions say that the employer may request information from employees only if such request does not violate the employee’s personal rights (such as that to data protection) and provides substantive information in connection with the conclusion, fulfilment or termination of the relevant employment relationship. The DPA guidance states that employers may control their employee’s behaviour only on matters that pertain to the employment relationship; but the employer may not control the employee’s private life.
The DPA guidance articulates several requirements in connection with background checks:
- In order to comply with the “purpose limitation” principle, the employer may conduct the check and ask for information directly related to or strictly necessary for the job position in question;
- The employer may contact former employers to collect information about the candidate only with the candidate’s prior informed consent. Such contact requests must be specific; the DPA believes that general information requests do not comply with the “purpose limitation” principle. The former employer may not disclose its opinion or facts about the candidate to the new employer without the data subject’s informed consent;
- In case of criminal background checks, the employer must rely on and accept the criminal record certificate (“Hatósági Erkölcsi Bizonyítvány” in Hungarian) provided by the candidate. (Said certificate does not indicate convictions or past convictions subject to a criminal record exemption.) The employer must accept a certificate that was issued up to 90 days before submission to the employer as being valid proof of the candidate’s criminal record. The employer may not obtain data directly from the criminal register or request the candidate to present a copy of his/her criminal register records to the employer.
- The employer may conduct a general Internet search about the candidate and check public records of social network sites about the candidate. The DPA assumes that the candidate is able to control the public nature of those accounts.
The DPA believes that significant data quality issues with the accuracy and validity of general internet search results could arise (from, e.g., fake accounts) and therefore additional safeguards might be necessary when using information obtained from a general internet search. Accordingly, if, in connection with its hiring decision the employer relies on information sourced from general Internet search results, then the employer must: (i) provide full notice to the candidate about the Internet search; (ii) present the search hits to the candidate; and (iii) give the candidate the possibility to dispute the accuracy and validity of those results. The DPA considers those steps as necessary to secure the legality and fairness of the data processing.
The DPA’s guidance did not set any specific deadline for compliance with the information in the guidance.
Data controllers should review their background check practices within a reasonable time in light of the information in the guidance.