GDPR Q&A


Amendment of the Hungarian data protection act due to the GDPR

17 July 2018 - Kovacs Zoltan Balazs


In Act no. XIII of 2018, which entered into force on 30 June 2018, the Hungarian lawmaker designated the National Data Protection and Freedom of Information Authority (NAIH) as the authority in charge of enforcing the GDPR. In addition to the designation, the act also contains a provision pursuant to which, for first-time violations, the NAIH should first issue a warning to controllers and processors rather than impose a fine on them. The lawmaker thereby wishes to give some “orientation” to the authority's practice.

In addition to the above, it is worth noting that on 19 June the Government submitted a draft bill under no. T/623 (“Bill”), which contains a more detailed amendment of the Hungarian data protection act due to the GDPR. (The Bill also implements Directive 2016/680 of the European Parliament and of the Council on the processing of personal data by investigative authorities (“Directive”).)

The Bill is based on the following four “pillars”:

(a) it contains supplementary rules that apply to data processing covered by the GDPR, in addition to the rules of the GDPR;

(b) it contains the rules implementing the Directive;

(c) it provides that the provisions of the GDPR apply to (i) data processing not covered by the GDPR (i.e. the processing of personal data not forming part of a “filing system” for the purposes of the GDPR) and (ii) data processing falling outside the scope of the Directive;

(d) based on recital (27) of the GDPR, it contains the rules for exercising the rights of the data subject after the data subject's death.

The Bill contains the following main provisions in respect of the GDPR:

Assessment of mandatory data processing every three years

With regard to mandatory data processing, the Bill provides that the controller is required to evaluate, at least every three years from the commencement of the data processing, whether the personal data processed by the controller, or by a processor acting on its behalf, is indeed still necessary to achieve the purpose of the processing. The outcome of the assessment must be documented and retained for 10 years. Furthermore, the documentation must be presented to the NAIH at its request.

A data processing qualifies as mandatory data processing if:

(i) it has been ordered by an act, or by a municipal decree based on statutory authorization, with a view to the public interest; or

(ii) in respect of special categories of data (e.g. health, genetic or biometric data), it is necessary for the enforcement of an international treaty, or it is ordered by an act with a view to asserting a right laid down in the Constitution or with a view to national security or military interests; or

(iii) it is necessary for the controller to fulfil a legal obligation to which it is subject (Article 6 (1) c of the GDPR); or

(iv) it is necessary on grounds of public interest (Article 6 (1) e of the GDPR).

With regard to data processing commenced prior to 25 May 2018, the assessment must be carried out by 25 May 2021.

Assertion of data subject’s rights after the death of the data subject

According to the Bill, in the case of data processing falling under the scope of the GDPR, the right of access, the right to rectification, the right to erasure, the right to restriction of processing and the right to object to processing may be exercised, within 5 years of the data subject's death, by the person the data subject authorized before the controller in a public deed or in a document with full probative force. With regard to data processing not falling under the scope of the GDPR, the rights that may be exercised are the right of access, the right to rectification, the right to erasure and the right to restriction of processing.

If the data subject did not grant an authorization as referred to above, his/her close relatives as defined in the Civil Code are entitled to exercise certain rights, both with regard to data processing covered by the GDPR and with regard to data processing not covered by the GDPR, within 5 years of the data subject's death. Among the close relatives, the one who exercises such rights first is the one entitled to exercise them.

High-risk data processing, data processing that is not high-risk processing

Pursuant to the Bill, if the NAIH classifies a data processing as high-risk processing and publishes this classification, then a contemplated data processing that is covered by the classification, or that is very similar to the processing the NAIH has classified as high-risk, must be assumed to be high-risk.

Conversely, if the NAIH classifies a data processing as not being high-risk processing and publishes this classification, then, provided the contemplated data processing applies only operations that are covered by the classification or that are very similar to the processing the NAIH has classified as not high-risk, it must be assumed that the data processing is not high-risk.

Confidentiality obligation of the data protection officer

According to the Bill, the data protection officer is required to keep confidential, both while holding the position and after its termination, all personal data, classified data, secrets, professional secrets and any other data, facts and circumstances he/she has become aware of in connection with his/her activity, which the controller or processor is not obliged to make public.

Inspection procedure, authority procedure

Under the Bill, an inspection procedure may also be initiated ex officio, whereas an authority procedure may also be commenced upon request. The authority procedure must be completed within 120 days.

Sanctions

According to the Bill, the sanctions under the GDPR also apply to the data processing described under clause (c) above. For a state body, the maximum amount of the fine is set at HUF (not EUR) 20 million, which means that the lawmaker wishes to (partially) take advantage of Article 83 (7) of the GDPR.

The reasoning underlines that the Bill has no impact on the “orientation” referred to above.

Rules on payment of the fine

As per the Bill, the fine may not be reduced upon request; however, deferred payment or payment in installments may be requested. In the request, the relevant entity must prove that payment in time would not be possible due to external reasons beyond its control, or that payment would place a disproportionate burden on it.

Data processing licensing procedure

Pursuant to the Bill, the NAIH conducts a so-called data processing licensing procedure in certain cases (for example, the approval of codes of conduct, certification criteria, contractual clauses for data transfers or binding corporate rules (BCR)). The procedure must be completed within 180 or 90 days, depending on the type of document.

Certification

The Bill contains the rules for the certification procedure to be conducted by the NAIH. (Under the GDPR, the Member States, the supervisory authorities and the EU encourage the development of certification mechanisms which demonstrate that the data processing carried out by a controller or processor complies with the provisions of the GDPR.)

The NAIH publishes the conditions for concluding the agreement on the performance of certification, the consideration payable for certification and the steps of certification, as well as the certification criteria. It is the NAIH that determines the conditions for concluding the agreement on the performance of certification and the consideration payable for certification.

Publications by the NAIH

As per the Bill,

(i) the NAIH may publish a resolution made in an authority procedure if, for example, the resolution affects a larger group of persons or the gravity of the violation justifies publication;

(ii) the NAIH publishes its approving resolutions made in data processing licensing procedures;

(iii) the NAIH publishes the data reported to it in connection with data protection officers.

Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (zoltan.kovacs@szecskay.com)

The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.
