It’s Never Too Late – Gentle Reminder to the GDPR and the Hungarian Privacy Act
Published: Apr 18, 2019
On July 25, 2018, exactly two months after the date set for the application of Regulation (EU) 2016/679 of the European Parliament and of the Council, i.e., the new General Data Protection Regulation (hereinafter: GDPR), Hungary promulgated Act XXXVIII of 2018 (hereinafter: Amending Act), the legislative harmonization amendment of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act). The Amending Act, which was intended to clarify a number of areas and answer some questions following the application of the GDPR, entered into force on July 26, 2018.
Set forth below are the main changes of the Privacy Act, focusing primarily on those rules of data processing that are within the scope of GDPR with particular regard to the fact that internal and inter-company data processing generally fall into this category.
The most important change introduced by the Amending Act was the significant limitation of the scope of the Privacy Act. Since July 26, 2018, the Privacy Act has been primarily applicable to the processing of personal data for law enforcement, national security and national defense purposes. Some rules applicable to data processing, however, fall within the scope of the GDPR, meaning that provisions of the Privacy Act and the GDPR must be applied simultaneously.
In addition, the Privacy Act contains provisions for data processing to which, on the basis of the GDPR's own rules on scope, the GDPR would not be applicable, but which does not qualify as data processing for law enforcement, national security and national defense purposes (for example, paper-based data processing that is not recorded in a filing system). For these types of data processing the Privacy Act prescribed the application of the GDPR, and in certain areas maintained its complementary scope.
The Amending Act stipulated in detail which data processing operations are subject to the complementary scope and prescribed the simultaneous application of the GDPR and the Privacy Act, such as where:
• the data processor has its center of activity, or its sole place of business in Hungary;
• the data processing operation is related either to providing goods and services to persons staying in Hungary or to the observation of their behavior in Hungary.
2. Mandatory review every three years
An important novelty introduced by the Amending Act, which is expected to place a considerable burden on data controllers, is the mandatory review that has to be carried out once every three years where the legal basis of the data processing is compliance with a legal obligation to which the data processor is subject, or the processing is necessary for the performance of a task carried out in the public interest, and the relevant law does not prescribe the duration of the data processing or another (even longer) review period. The review must assess whether the processing of personal data is still necessary to achieve the stated objective of the data processing. The review and its outcome must be recorded, the records must be kept for ten (10) years, and upon request they must be made available to the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: Authority). For data processing operations that started before May 25, 2018, the first review must be carried out before May 25, 2021.
3. Judicial remedy
The Privacy Act will continue to allow data subjects to seek judicial remedy when they suspect that their personal data had been compromised and processed unlawfully. It is another new element of the Privacy Act that judicial proceedings can be initiated directly against the data processor and not only the data controller, provided that the infringement arose explicitly in connection with data processing operations that fall within the processor’s sphere of competence.
The Amending Act did not introduce other significant changes in the field of access to justice. A reversed burden of proof continues to prevail and it is for the data controller to prove that the processing was in compliance with the law. A legal action can be brought in the competent court based on the place of residence or the place of stay of the concerned data subject.
If the court finds that there was a breach of law, it can order termination of the infringement, assess restitution, and oblige the controller to immediately cease its activity, pay compensation and an additional grievance award. It is in the discretion of the court to make the judgment public with the identifying data of the processor and the controller. This consequence implying serious risk to an entity’s good reputation can only be applied when a large number of people are affected by the infringement, the defendant is a public-sector entity, or the seriousness of the infringement justifies disclosure.
It is an important new rule that the processor(s) and the controller(s) are jointly and severally liable vis-à-vis the data subject for any damages caused and for the payment of the grievance award.
4. Data protection from the cradle to the grave, and even afterwards
By regulating data protection questions raised after the death of the data subject, the Amending Act has implemented a few new provisions. It has instituted a so-called “after-death” proceeding. The amended Privacy Act enables the data subject to appoint a person in a deed who, upon the data subject’s death, can exercise his/her rights guaranteed by the GDPR (except the right to data portability) for five (5) years following the death of the data subject. The lack of such a deed will not prevent close relative(s) of the deceased data subject from exercising the same rights vis-à-vis the infringing data processor within the same five (5) year period.
5. Data protection officer instead of internal data protection officer
By eliminating the internal data protection officer position the Amending Act has eliminated the difficulties of legal interpretation caused by the co-existence of the data protection officer position instituted by the GDPR and the internal data protection officer introduced by an earlier version of the Privacy Act.
The Privacy Act stipulates that the data protection officer during the term of his/her engagement and thereafter without any time limit is obliged to keep confidential any personal data, classified information, secrets protected by law and secrets obtained in the course of professional activities that may have been learnt in relation to exercising his/her duties and any other data, fact or circumstance that the employing processor or controller is not required to make available to the public.
6. No more data protection register and data protection audit
The Amending Act eliminated the data processing register and the Authority shall only use the information incorporated therein regarding any proceedings initiated to investigate data processing operations that took place before July 26, 2018. The data protection audit of the Authority was also repealed and the amended Privacy Act laid down the grounds for data protection certification that was introduced by the GDPR.
7. Supervision of data processing operations of courts of law and judicial authorities
The supervision of data processing operations of courts of law and other judicial authorities has been introduced as a new legal instrument, and takes place when a data subject (party to litigation, witness, expert, or anyone with legitimate interest in the outcome of the objection) files a data protection objection. Upon receipt of the objection the court shall examine whether the presiding judge, a member of the panel, or the judicial staff has proceeded in compliance with the legal requirements applicable to the protection of personal data or committed a breach, and will proceed accordingly thereafter.
The content of this newsletter is for information purposes only and should not be treated as legal advice by KNP LAW Nagy Koppany Varga and Partners or any of their attorneys. For more information please contact us.