New GDPR approaches from the Hungarian National Authority for Data Protection and Freedom of Information
The Hungarian National Authority for Data Protection and Freedom of Information (hereinafter referred to as NAIH) published 11 new resolutions on its website (www.naih.hu) on April 11th regarding various questions about the new EU data protection regulation (GDPR). We have gathered the most important points in our assessment.
1. The GDPR applies to self-employed professionals as well
The NAIH confirmed that the GDPR applies to self-employed professionals, individuals and corporate bodies alike whenever they process data falling under the scope of the GDPR. The regulation does not differentiate between self-employed individuals and corporate bodies in terms of data processing whatsoever. The NAIH further stated that the number of employees at a company does not influence the application of the GDPR; it therefore also applies to companies with no employees, should they process data under the scope of the Regulation.
2. Data protection prospectus instead of data protection regulation
The NAIH has stated in multiple resolutions that documents labeled as data protection regulations will be replaced by documents labeled as data protection prospectuses. The data protection prospectus needs to be drafted in a way that makes its contents understandable to everyone, and it also has to be placed in a location that is readily apparent to the data subjects concerned. The GDPR does not impose an obligation to create a data protection regulation, but it does impose a duty to create a data protection prospectus. Thus, data protection regulations should only be established for internal data protection procedures at companies where this is proportionate to the nature of the data processing.
3. IT engineers can also be Data Protection Officers
The NAIH has confirmed that the position of data protection officer may be filled by an employee or by an external company or individual under a service contract. Data protection officers do not have to hold a specific degree; however, they need to possess sufficient expertise and in-depth professional knowledge of the legal and practical standards of data protection, and must be eligible for the position. Thus, one can become a data protection officer with any type of qualification, including an IT degree, under a service contract. The NAIH has stated that it will continue to keep records of data protection officers.
4. The processing of data by professional chambers does not require consent
The NAIH has examined the processing of data by professional associations and whether they need the consent of their members. In the case of a medical association, the processing of data is based on legislation, so as long as the association processes data for the specific purposes laid out in the legislation, it does not need the members' consent. However, if the association wishes to process data for purposes other than those set out in the legislation, it must ask for its members' consent. The NAIH also stated that professional associations do not need to provide the right to data portability when processing data based on the legislation; however, in the case of automated data processing based on consent, this right must be afforded.
5. The data protection prospectus must be displayed on the website not attached in a reply email or displayed in a pop-up window
The NAIH stated in its resolution that it is not in accordance with the GDPR if the data controller attaches the data protection prospectus to the footer of a reply email, or if it is displayed in a pop-up window during electronic administration. The NAIH recommends that the prospectus be displayed under a separate menu item on the website.
6. GDPR does not provide for the creation of a data map
In one of its resolutions the NAIH looked at the drawing up of a data map. The NAIH stated that this is not obligatory under the GDPR; however, in order to prepare for the Regulation, drafting a data map of data processing activities is considered an efficient practice.
7. The GDPR applies to data stored on paper
The NAIH received multiple inquiries as to whether the GDPR applies to data that is stored on paper. The NAIH has detailed the relevant provisions of the GDPR in its resolutions and reaffirmed that the GDPR applies to paper-based data that form part of a filing system. Such a filing system includes all paper-based lists and notes arranged in a searchable format, e.g. if the data are listed alphabetically. The NAIH has also stressed that the GDPR does not apply to paper-based data that are not part of a filing system; however, the planned amendment to Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as the Privacy Act), which will most likely take effect this summer, will extend the application of the GDPR to all paper-based data. Thus, the same rules will apply to all data stored on paper.
8. The amendment to the Privacy Act is expected in the spring
The NAIH has also indicated when the amendment to the Privacy Act is likely to be approved by the Parliament. According to the NAIH, the amendment has not been submitted yet, but it will most likely be submitted this spring so that the Parliament may vote on it before the GDPR application date of May 25th. The NAIH will not publish its list of processing operations requiring a data protection impact assessment until that date, so companies will have to wait to see what will be considered high-risk data processing that makes such an assessment mandatory.