Second-round amendment of the Information Act
By Act no. XIII of 2018, which entered into force on 30 June 2018, the Hungarian lawmaker designated the National Data Protection and Freedom of Information Authority (NAIH) as the authority in charge of enforcing the GDPR. In addition to this designation, that act contains a provision pursuant to which, for first-time violations, the NAIH should first issue a warning to the controller or processor rather than impose a fine. With this, the lawmaker wished to give some "orientation" to the authority's practice.
At the end of July 2018, the Parliament adopted the second-round amendment of the data protection act (the "Act"), which amends that act in considerably more detail.
The Act is based on the following four “pillars”:
(a) it contains supplementary rules that are applicable to data processing covered by the GDPR, in addition to the rules in the GDPR;
(b) it contains the rules implementing the Directive 2016/680 on the processing of criminal data ("Directive");
(c) it provides that the provisions of the GDPR also apply to (i) data processing not covered by the GDPR (i.e. the processing of personal data that does not form part of a "filing system" for the purposes of the GDPR) and (ii) data processing falling outside the scope of the Directive;
(d) based on recital 27 of the GDPR (which leaves it to the Member States to lay down rules on the personal data of deceased persons), it contains the rules for exercising the data subject's rights after the data subject's death.
The Act contains the following main provisions in respect of the GDPR:
Assessment of mandatory data processing every three years
With regard to mandatory data processing, the Act provides that the controller is required to evaluate, at least every three years from the commencement of the data processing, whether the processing of the personal data it processes (or a processor processes on its behalf) is still necessary to achieve the purpose of the processing. The outcome of the assessment must be documented and retained for 10 years, and the documentation must be presented to the NAIH at its request.
A data processing qualifies as mandatory data processing if:
(i) it has been ordered by an act or a municipal decree based on statutory authorization with a view to the public interest; or
(ii) in respect of special categories of data (e.g. health, genetic, biometric data), it is necessary for the enforcement of an international treaty or if it is ordered by an act with a view to asserting a right laid down in the Constitution or with a view to national security or military interest; or
(iii) it is necessary for the controller to comply with a legal obligation to which it is subject (Article 6(1)(c) of the GDPR); or
(iv) it is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR).
For data processing that commenced prior to 25 May 2018, the first assessment must be carried out by 25 May 2021.
Assertion of data subject’s rights after the death of the data subject
According to the Act, in the case of data processing falling under the scope of the GDPR, the right of access, the right to rectification, the right to erasure, the right to restriction of processing and the right to object may be exercised within 5 years of the data subject's death by the person whom the data subject authorized to do so, by a declaration made to the controller in a public deed or in a document with full probative force. For data processing not falling under the scope of the GDPR, the rights that may be exercised in this way are the right of access, the right to rectification, the right to erasure and the right to restriction of processing.
If the data subject did not grant such an authorization, his/her close relatives (as defined in the Civil Code) are entitled to exercise certain of these rights, within 5 years of the data subject's death, with regard to data processing both covered and not covered by the GDPR. Among the close relatives, the one who first exercises these rights is the one entitled to do so.
High-risk data processing, data processing that is not high-risk processing
Pursuant to the Act, if the NAIH classifies a type of data processing as high-risk and publishes that classification, the contemplated data processing must be presumed to be high-risk if it is covered by, or is very similar to, the processing the NAIH has so classified. (Whether a processing is high-risk determines, among other things, whether a data protection impact assessment under Article 35 of the GDPR must be carried out.)
Conversely, if the NAIH classifies a type of data processing as not high-risk and publishes that classification, the contemplated data processing must be presumed not to be high-risk if it involves only operations that are covered by, or are very similar to, the processing the NAIH has classified as not high-risk.
Confidentiality obligation of the data protection officer
According to the Act, the data protection officer is required to keep confidential, both during and after the term of his/her position, all personal data, classified data, secrets, professional secrets and any other data, fact or circumstance he/she has become aware of in connection with his/her activity and which the controller or processor is not obliged to make public.
Inspection procedure, authority procedure
Under the Act, an inspection procedure may also be initiated ex officio, and an authority procedure may also be commenced upon request. An authority procedure must be completed within 120 days.
According to the Act, the sanctions provided for in the GDPR also apply to the data processing described under pillar (c) above. For state bodies, the maximum fine is set at HUF (not EUR) 20 million, which means that the lawmaker has (partially) made use of Article 83(7) of the GDPR, which leaves it to the Member States whether and to what extent administrative fines may be imposed on public authorities and bodies.
The explanatory memorandum to the Act underlines that the Act does not affect the "orientation" referred to above (i.e. warnings rather than fines for first-time violations).
Rules on payment of the fine
As per the Act, the fine may not be reduced upon request; however, deferred payment or payment in installments may be requested. In the request, the entity concerned must prove that payment by the deadline is not possible for external reasons beyond its control, or that such payment would place a disproportionate burden on it.
Certification procedure
The Act contains certain rules for the certification procedure to be conducted by the NAIH. (Under the GDPR, the Member States, the supervisory authorities and the EU encourage the establishment of certification mechanisms demonstrating that the data processing carried out by a controller or processor complies with the GDPR.)
The NAIH determines, and publishes, the conditions for concluding the agreement on the performance of certification and the fee for certification; it also publishes the steps of the certification procedure and the certification criteria.
Publications by the NAIH
As per the Act,
(i) the NAIH may publish a decision made in an authority procedure if, for example, the decision affects a larger group of persons or the gravity of the violation justifies publication;
(ii) the NAIH publishes the data reported to it concerning data protection officers.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.