New Whistle-blowing Rules in Hungary

On April 1, the Act for the Protection of Fair Process¹The Protection of Fair Process Hungarian Act No. CLXIII of 2009 (2009. évi CLXIII. törvény a tisztességes eljárás védelmérõl, valamint az ezzel összefüggõ törvénymódosításokról), promulgated Dec. 30, 2009. Official Gazette: http://www.magyarkozlony.hu/pdf/2187. entered into force in Hungary (the “Fair Process Act”). It addresses special protections for whistle-blowers, as well as more general data protection issues in employment relationships. The Fair Process Act significantly changes existing privacy practice by removing certain aspects of the requirements for employee consent to the processing of personal data for the purposes of whistle-blowing hotlines.

The Fair Process Act makes Hungary one of the few countries in the European Economic Area (“EEA”)²The European Economic Area (“EEA”) is comprised of the 27 EU Member States and Iceland, Liechtenstein, and Norway. to pass legislation expressly authorizing the processing of personal data for whistle-blowing procedures. While whistle-blowing hotlines are rarely used in other European countries, a 2007 Transparency International study indicates that the average hotline in Hungary receives 10,000 calls a year.³Report by Transparency International, the global coalition against corruption, Alternative to Silence, Whistleblower protection in 10 European Countries, published in 2007.http://www.transparency.org/global_priorities/other_thematic_issues/towards_greater_protection_of_whistleblowers/assessment_of_whistleblowing_frameworks_in_10_european_countries. The current European Data Protection Directive (95/46/EC) (“Data Protection Directive”) does not contain any explicit provisions for data processing in the context of whistle-blowing hotlines, and neither do most EEA Member State laws. In the majority of other countries, there are only general data protection provisions, often complemented by guidance issued by the national data protection authorities.⁴Guidance has been issued by the French (2005), Belgian (2006), Dutch (2006), Swedish (2008), and Danish (2009) data protection authorities. The Fair Process Act is also significant because its provisions differ considerably from the 2006 Opinion⁵Opinion 1/2006 on the application of EU data protection rules to internal whistle-blowing hotlines in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf. of the Article 29 Working Party⁶The Article 29 Data Protection Working Party is an EU advisory body composed of the heads of the EU Member States’ national data protection authorities and the European Data Protection Supervisor. (“WP29”) on how internal whistle-blowing hotlines can be implemented in compliance with the Data Protection Directive.

The Fair Process Act establishes a single framework for managing whistle-blowing hotlines and for dealing with the privacy issues resulting from their operation. Below we outline the implications of the Fair Process Act in conjunction with the extensive guidance issued by the Hungarian Data Protection and Freedom of Information Commissioner⁷Guidance No. ABI-2997-3/2010/P, released in July 2010, does not specifically address the application of the provisions of the Hungarian Act, but addresses whistle-blowing in general. See also Hungarian DPA Guidance No. 652/K/2007 on Whistleblowing Systems (2007); Guidance No. 295/K/2007 on Whistleblowing Systems (2007); Guidance No. 271/K/2007 on Whistleblowing Systems (2007); Guidance No. 2997-3/2010/P on Whistleblowing Reporting Requirements (2010). (the “DPA”), and its interplay with the Hungarian data protection law—the Act for the Protection of Personal Data and Public Access to Data of Public Interest (the “DP Act”).⁸The Act LXIII of 1992 for the Protection of Personal Data and Public Access to Data of Public Interest entered into force on May 1, 1993. We also set out solutions to the practical difficulties employers may face when adapting their policies and practices to comply with the Fair Process Act.

1. Scope

In contrast with other EEA Member States, permitted reportable matters on Hungary’s whistle-blowing hotlines are not restricted to financial and auditing matters as set forth in the U.S. Sarbanes-Oxley Act.⁹The Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745, enacted July 30, 2002. Rather, any “matter of public concern” which affects an organization’s conduct or operation is reportable. An organization’s “conduct or operation” is broadly interpreted by the labor courts, and covers any issues or events experienced by employees in the course of their work. The Fair Process Act does not define “matters of public concern” but does provide several examples of reportable matters, including:

• abuse of public resources;

• allegations of corruption;

• bribery;

• direct danger to life;

• danger to the health and safety of others;

• criminal conduct; and

• pollution of the environment.

According to the Fair Process Act, employees can report (suspected) infringements of “matters of public concern,” or their imminent occurrence, which result from their employers’ conduct or operation. The Fair Process Act does not strictly limit the use of whistle-blowing hotlines to employees in senior positions, as is the case in several other countries.¹⁰See DPA Guidance No. ABI 652/K/2007-3, item No 3. However, in the event the whistle-blowing report is made outside the scope of the Fair Process Act and covers matters other than those of public concern, it must be based on employee consent. In such a case, the use of hotlines should preferably be limited to senior employees, as suggested by the DPA in its previous guidance.

Reports may be filed by employees, or by contractors with a minimum one year relationship with an employer, provided the parties limit the termination of the contract, and the contractor derives its income exclusively from the employer during this period. Consequently, the scope of the Fair Process Act is limited to “employee-like” relationships, and does not cover suppliers or customers.

2. Consent

Whistle-blowing hotlines based on the Fair Process Act are used to report “matters of public concern.” However, experience shows that reports to corporate whistle-blowing hotlines frequently cover topics which do not fall under the material scope of the Fair Process Act, i.e, that are not “matters of public concern.” Such reports cover violations of internal company policies or codes of conduct. There are two possible options to address this issue:

• (1)  An employer could limit the scope of the hotline strictly to that of the Fair Process Act, and investigate only those complaints related to matters of public concern. In this case, no consent would be required to legitimize data processing. Consent for the processing of sensitive data under the scope of the Fair Process Act is not required.

• (2)  An employer could choose to operate a hotline which extends outside the scope of the Fair Process Act, in order to cover internal policies. In this case, the employer should obtain written consent for the processing and transfer of data of any employee who has access to the hotline to make a report or about whom a report might be made. Consent-based whistle-blowing hotlines may cover the processing of sensitive data, for which written consent is mandatory, and therefore the use of written consent forms is strongly recommended.

Employee consent to the use of personal data is required when operating whistle-blowing hotlines that extend beyond the scope of the Fair Process Act because Hungary has not fully implemented the general provision of Article 7(f) of the Data Protection Directive, which provides for a “balance of interests” clause. This clause states that data processing can be carried out where necessary in the legitimate interests of a data controller (in this case the employer), except where such interests are overridden by the fundamental rights of an individual. Since the Fair Process Act entered into force, several whistle-blowing hotlines that deal with out-of-scope reports have been registered with the DPA.

The conditions for obtaining employee consent in Hungary are particularly strict and burdensome. Consent must be given in writing which means a pen-on-paper signature. The employee must have genuine freedom of choice to consent, and must be able to subsequently withdraw his or her consent without detriment. Consent should be obtained from both the reporting person as well as from any person named in the report. Ideally, consent should be obtained from all employees in advance, i.e., when the hotline is first introduced, or when an employee joins the company. Obtaining employee consent from persons named in a report once it has been filed would be problematic, as the voluntary nature of such consent is questionable. However, if employees have not been asked to provide prior consent, the person filing the report is presumed to be requesting an investigation which implies consent; therefore, employees should be made aware of this fact. If an employee does not consent, or withdraws his or her consent, any complaints outside the scope of the Fair Process Act cannot be investigated. The report should be deleted or anonymized.

3. Obligations When Establishing a Whistleblowing Hotline

3.1. Establishing the whistle-blowing hotline.

There is no general obligation to introduce whistle-blowing hotlines but if reports are filed they must be handled in compliance with the Fair Process Act. An employer should introduce appropriate procedures for collecting whistle-blowing reports to protect the identity of whistle-blowers (unless such persons are found to be acting in bad faith). Although anonymous reporting is neither expressly permitted nor encouraged, it is not prohibited by the Fair Process Act.

3.2. Keeping a record of the report.

Once a report has been filed, an employer is required to create a file on the report (paper or electronic) and provide a copy to the whistle-blower, who should be kept informed about subsequent measures taken in response to the report. The file should describe the report, including when it was submitted.

3.3. Launching an internal investigation.

Unless a report is manifestly unfounded, or does not concern “matters of public interest,” an organization is obliged to launch an internal investigation into each report filed without undue delay. The Fair Process Act does not describe any specific conditions in which an employer can refuse to launch an investigation, and therefore general provisions of the Hungarian Labor Code apply. These provisions specify that any decision must be justified and that an employer must provide a whistle-blower with information on available legal remedies. If the employer refuses to launch an investigation, and if the whistle-blower is dissatisfied with that decision, the whistle-blower may turn to a competent authority, e.g., the police, or the Consumer Protection Agency, for redress.

3.4. Ensuring confidentiality.

Data must not be held for longer than is necessary and should be deleted promptly after conclusion of an investigation, unless legal or disciplinary proceedings require otherwise. Collected data must be held securely and access should be restricted to a limited number of people authorized to process such reports. A whistle-blower’s personal data must be treated confidentially and cannot be disclosed to third parties without the whistle-blower’s express consent. Service providers are not considered third parties, provided that they act as a data processor of an employer. The identity of a reporting person cannot be disclosed to law enforcement agencies unless that person has provided his or her consent, or if a witness hearing is ordered by the Hungarian law enforcement agency pursuant to the provisions of the Criminal Procedural Code. Affiliated entities are always considered third parties and therefore reports must not be automatically disclosed or transferred to affiliates or a parent company. For the transfer of data, respective affiliates and parent entities should be engaged as data processors.

3.5. Ensuring reports are addressed to a local employer.

Reports may only be made to:

• an employer;

• a supervisory body or oversight institution of the employer;

• the Authority on the Protection of Public Interest,¹¹The provisions of the Fair Process Act provide for establishment of the Authority on the Protection of Public Interest. However, these provisions were legally challenged and they have not yet come into force. The Authority would be set up to provide protection and support to whistle-blowers and has investigative powers similar to those of the Hungarian Competition Authority. a specialized anti-corruption office; or

• a service provider contractually assigned by the employer for the whistle-blowing procedure.

According to the DPA guidance, a report may only be filed with an employer’s local entity and not with its parent company or a group entity.¹²Guidance of the DPA No. 2997-3/2010/P on Whistleblowing Reporting Requirements (2010). For the employer this means that its internal whistle-blowing hotline must be operated on behalf of the local entity and not by the parent company. If data is transferred to an affiliate or parent company, the DPA can order the suspension, deletion or destruction of the data, prohibit the unlawful processing or technical processing of data, and suspend all transfers of data to foreign countries. Many organizations address this requirement with data processing agreements between the local entity and the whistle-blowing hotline service provider, as well as between the local entity and the parent company.

3.6. Implementing service and processing agreements.

If the operation of a hotline is outsourced and if an employer’s parent company is also involved in its operation, a data processing agreement should be entered into by the service provider/parent company and a local entity. Any sub-processing of data outsourced by the service provider must be directly authorized by the local entity. There is no existing guidance as to whether a third party beneficiary rights clause in the service agreement allowing the local entity to enforce contractual rights directly towards the sub-processor would suffice. The choice of appropriate applicable contractual law could be used to address this issue; the DP Act is silent in this regard and therefore some flexibility is possible. Processing agreements must be concluded in writing and must comply with general provisions of the DP Act. If the service provider or parent company is located outside the EEA, adequacy mechanisms such as Standard Contractual Clauses or Safe Harbor provisions must be utilized.

3.7. Registering with the DPA.

All hotlines must be registered with the DPA.¹³The provisions of the DP Act exempt employment-related data processing activities (Section 30a of the DP Act) from the notification requirements; however, according to the DPA’s practice and Guidance, this exemption does not apply to the operation of whistle-blowing hotlines. No specific authorization is necessary, but the DPA issues a certificate of registration. The DPA may carry out checks on the operation of the hotline before issuing certification, but in practice the hotline may be launched as soon as the registration form has been submitted to the DPA. If an employer implements a hotline that is beyond “matters of public concern” in scope (i.e., outside the scope of the Fair Process Act), that fact must be indicated on the registration form. Only the form itself needs to be submitted; the DPA may ask for supporting documents, but in practice such requests are unusual.

Employers must inform the DPA if they have modified existing whistle-blowing hotlines in order to comply with the Fair Process Act. The DPA must be informed that the legal basis for the hotline has changed from consent to statutory provisions of the Fair Process Act. If an employer decides to maintain an existing hotline that is already registered with the DPA, the registration remains valid and no further action is necessary.

3.8. Informing staff about a whistle-blowing hotline.

Staff should be provided with information concerning the operation of a whistle-blowing hotline. The information must be clear, easy to understand, and must cover all relevant issues, including:

• the existence of the whistle-blowing system;

• the types of data to be collected;

• what processing will occur and for what purposes;

• to whom reports should be filed and the methods of filing;

• the data retention period;

• whether data transfer takes place and whether an assigned data processor/third party service provider will be used;

• the departments or services that may receive the report;

• the possible legal consequences of reports filed in bad faith;¹⁴See DPA Guidance No. ABI 271/K/2007-3. and

• how employees may exercise their rights of access and correction.

Failing to provide accurate information about the hotline and procedures may be considered a breach of personal rights or data, and if subsequent unlawful processing takes place, the employee may:

• demand compensation by way of material as well as immaterial damages;

• be entitled to terminate his or her employment with reference to the breach of privacy rights and data protection laws; and

• claim compensation for any damages and for any other regular earnings in connection with his or her employment.

3.9. Informing employees’ representatives.

Employees’ representatives must be consulted in compliance with the relevant provisions of the Hungarian Labor Code, but no consent or co-decision procedure is required. Trade unions should also be informed if provided for in the collective agreement.

3.10. Protecting a whistle-blower.

If an employee files a report in good faith, he or she is protected from being discharged, demoted, suspended, threatened, harassed or discriminated against as a consequence of the report. This protection also covers the employee’s relatives and other closely related persons. To date, there have only been two court cases brought by whistle-blowers who were fired as a result of their reports. In both cases, the dismissal was found to be unlawful. In the event that a whistle-blowing report is submitted by a contractor, it is possible to terminate the contract. However, the burden of proof that an employer did not retaliate against him or her as a result of the report is shifted to the employer.

3.11. Informing the accused persons.

The DP Act applies to the processing of personal data of accused persons, as the new Fair Process Act is silent in this regard. At a minimum, the individual about whom a report is filed must be informed about:

• the launch of the investigation;

• the nature of the accusation(s);

• the departments or services that may receive the report; and

• how he or she may exercise rights of access and correction.

These changes introduced by the Fair Process Act are significant and require changes in contracts, procedures and consent obligations. Organizations operating in Hungary should review their existing hotlines and ensure compliance with the new legislation.