In this article, we briefly address the issue of whether the so-called "whistle-blowing hotline scheme", which is to be set up by a US public company in line with the provisions of Sarbanes-Oxley, may qualify in Hungary as a legal anonymous hotline that enables the employees of a US public company to denounce potential illegal activities carried on within that company.

As there is no act in Hungary similar to Sarbanes-Oxley, the question actually concerns two fields of Hungarian regulation on data protection, namely that of data management/processing and data transfer. Below is an analysis of these fields from the perspective of an "employer-employee" relationship. It is worth noting that if data management and data transfer take place within the context of a "service-provider-client" relationship, the analysis below would be different, as certain laws on money laundering would also apply.

1    Data Management

Pursuant to Act no LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest (the "Act"), data management must be reported to the data protection commissioner unless it concerns, for example, the data of the data manager's employees. Thus, no report or authority approval is needed for an employer to manage the personal data of its employees.

2    Data Transfer

According to the Act, the transfer of personal data of a person to a country that is not a member state of the European Economic Area (the "EEA") is subject to prior expressed (written) consent from the person whose personal data are being transferred. The consent must be obtained by the data transferor from the affected person(s) in each individual case. In the context of an employment relationship, the employer is required to obtain the expressed written consent from the relevant employee (this can take the form of either a written declaration or a provision in an agreement referred to as a collective agreement, provided that this kind of agreement is in effect at the relevant employer). A collective agreement, pursuant to the Hungarian Labour Act, qualifies as a "regulation applicable to employment relations"; therefore, all employees would be bound by such a consent provision incorporated in a duly signed collective agreement. If data transfer concerns the personal data of those that are already employed by a US public company's Hungarian subsidiary and if the company has a collective agreement, any amendment thereto can only be made through negotiations with and consent from the relevant employees/employee representative body. Some special rules apply to the amendment of a collective agreement, the description of which is beyond the scope of the present article.

In addition, the personal data of a person may also be transferred to a country that is not a member state of the EEA if (i) said transfer is permitted by a specific Hungarian law and (ii) the laws of the relevant foreign country in question provide for an adequate level of protection for the management and processing of the personal data transferred. Under the Act, the level of protection is deemed to be proper if (a) the EC so determines; (b) there is a treaty between Hungary and the relevant foreign country in which the contracting parties guarantee each other a proper level of data protection; or (c) the data manager or processor verifies, by making available the rules it applies to data management and processing, that an adequate level of protection is ensured for (i) the personal data of those affected by data management and processing as well as (ii) their rights and the assertion of their rights. To our knowledge, based on the Data Commissioner's Office's stance, the US is not regarded as a country that ensures an adequate level of protection for data management and processing.

3    Conclusion

With respect to the above, it is suggested that a US public company obtain the prior expressed written consent from each of the relevant employees before transferring any employees' personal data.

Under Hungarian law and practice of the Data Commissioner's Office, no prior approval is required from the Office before setting up a whistle-blowing hotline scheme at a Hungarian subsidiary. However, when transferring personal data from Hungary to the US, Hungarian data protection laws must be complied with. There are also certain statutory requirements to be met when setting up such a scheme which, if not met, may result in severe sanctions depending upon the seriousness of non-compliance and the extent of damages caused.

The contents of this article are intended to provide only a general overview of the subject matter. Specialist advice should be sought for specific matters.