Employers often ask for certificates of no criminal record from their employees, but this does not mean that they do it right. Until recently, experts said that requesting the employees to submit their certificates of no criminal record was only possible when a legal act prescribed the clean sheet for the given job title or legal relationship.
A legislative modification of the Hungarian Labour Code that is expected to be adopted in the coming weeks will introduce a surprising twist into the plot. Of course, the result is not black and white but at least gives some pointers to the employers. The employers who want to request such certificates from their employees definitely have to consider several conditions and prepare a convincing documentation. Before we decide to request our employees to present their certificates of no criminal record, it is worth examining the prospective legislative changes.
Right after the GDPR (i.e. Directive (EU) 2016/680 of the European Parliament and of the Council, also known as the general data protection directive) had entered into force, the argument of data protection experts and the data protection authority was that a certificate could only be requested from an employee if a specific statute expressly required it (e.g. in the case of public employees), if a clean criminal record was a statutory condition for filling the relevant position or if certain crimes barred a person from being employed (e.g. by employers responsible for the education, supervision, care or medical treatment of people under the age of 18 pursuant to Section 44/A of the Labour Code). According to a guideline that was issued by the National Data Protection and Freedom of Information Authority (NAIH) back in 2016, well before the GDPR took effect, an employer could only request a certificate if “the certification of good morals is really indispensable for a given job under the applicable sectorial regulations.” It was obvious that NAIH believed, the requiring certificates of no criminal records as a precondition of the employment was only lawful if a specific statute expressly stated such requirement.
However, in its ruling (published on 25 January 2019) NAIH already modified this position and stated that in the absence of an express statutory authorisation, the employer’s legitimate interest may also serve as grounds for the processing of criminal personal data (i.e. for requesting a certificate of no criminal record). If an employer’s interest assessment test showed that its own interest outweighed that of its employees, it could request the employees to present a certificate of no criminal record. It must be emphasized here that this will be restricted by the amendment of the Labour Code (see below)
The NAIH emphasised that in order for an employer to rely on the legitimate interest argument, it must carry out an interest assessment test – just as in the case of any data processing that is based on a legitimate interest. An interest assessment test is a multi-stage process where the legitimate interests of the data processor, i.e. the employer, must be weighed against the interests of data subjects and employees and against the relevant fundamental rights, and then it must be determined whether the relevant personal data can be processed. If the outcome of the test is that the employer’s legitimate interest outweighs the employees’ right to the protection of their personal data, the data associated with criminal activities can be processed and the employer can request the presentation of the certificate to confirm the accuracy of such personal data. It should be noted that the NAIH’s position is that employers may only request the presentation of the certificate and they may not lawfully make copies of them because that is not in line with the principle of purpose limitation. It can be a good practice if the person who represents the employer when the certificate is presented by the employee records the data in a report, and then signs it and has it signed by the employee to certify its authenticity.
Then, the above mentioned bill concerning the modification of a plethora of regulations and designed to bring Hungarian law in line with the GDPR was submitted to Parliament on 7 February 2019.
The bill also includes provisions in connection with criminal personal data and the treatment of certificates of no criminal record in relation to the amendment of the Labour Code. The bill states that an employer may request a certificate of no criminal record (in addition to cases when a relevant legislation grants such right) if it is necessary in order to confirm compliance with restrictive or disqualifying conditions specified by the employer itself. The new development here is that conditions that restrict or prevent the employment of a person can be determined by not only regulations (and more specifically, laws) but by employers as well.
On the other hand, the bill states that an employer may only specify such conditions if the employment of a person with a criminal record in a given job would risk the violation of the following interests:
- the employer’s major financial interest, or
- a statutorily protected secret, or
- certain other interests expressly defined by law.
It is important to note that the major financial interest requirement can only apply to the employer, and the major financial interest of third parties (such as the employer’s customers or other employees) may not or just indirectly serve as grounds for the introduction of restrictive or disqualifying conditions. Similarly, citing other (non-financial) interests, such as personality rights or the protection of business secrets will not be acceptable (although the protection of business interests are often associated with the employer’s financial interests as well).
It is an important requirement that restrictive or disqualifying conditions and the conditions of processing criminal personal data must be set out in writing (practically in the form of a written instruction or an internal policy).
Although the bill does not state this, in our opinion it is unavoidable that employers will have to carry out the above mentioned interest assessment test before (or as part of) determining the restrictive or disqualifying conditions they want to apply.
It should be noted that employers will not be able to use the employees’ consent to avoid the above rules. Data protection regulations very rarely accept employee consent as a legal basis for data processing, because the absence of a voluntary consent must always be assumed due to the general subordination of employees to employers, which in turn renders such consent invalid.
We also believe that employers will continue to be able to request certificates of no criminal record for presentation only, because photocopying and archiving the documents does not satisfy the principle of purpose limitation (see above).
At this time it is unknown whether employers will change their practices and start requesting the certificates en masse after the bill is passed into law. Undoubtedly, any employer will have to carry out and document a detailed interest assessment test for each relevant position before it can cite its own financial interests as the legal basis for data processing. In the light of this requirement, it is unlikely that it will become a general and automatic practice for employers to request certificates of no criminal record from their employees (assuming, of course, that employers will continue to want to comply with the regulations).
 interests associated with the safeguarding of firearms, ammunition and explosives, the safeguarding of toxic or hazardous chemical or biological substances and the safeguarding of nuclear substances