What you need to know about the GDPR
Published: Nov 30, 2017
The date of application of Regulation (EU) 2016/679 of the European Parliament and of the Council, the EU’s new General Data Protection Regulation (the GDPR), is approaching: from May 25, 2018, every company that handles personal data in any way or role, whether as controller or processor, must fully comply with its provisions. This means that the fall of 2017 may be the last opportunity for companies to begin reviewing and revising their data processing operations while leaving enough time to implement any necessary measures.
The GDPR will fully replace the currently applicable Data Protection Directive 95/46/EC (hereinafter: “Data Protection Directive”) and will also significantly transform the role of Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter: Info Act), limiting its application to certain issues and fields only.
The GDPR was created, on the one hand, to allow an even smoother operation of the single market and, on the other hand, to respond to the evolution of data processing technologies and the increase in the risks inherent in them. The purpose was to create a stable, consistent legal framework that stresses the enforceability of the rules, the accountability of data controllers and the right to informational self-determination. The summary below presents the most important provisions of the GDPR, taking into account and, hopefully, dispelling some of the related misunderstandings we frequently encounter in our practice. At the end of the summary, we highlight the main preparatory measures that should be taken as early as possible.
When issues concerning the processing of personal data arise, one of the key questions is what qualifies as ‘personal data’ in the first place. The GDPR expressly declares that personal data means “any information relating to an identified or identifiable natural person.” Although the GDPR does not introduce anything expressly new to this definition, only a clearer specification, in our opinion it is essential for companies to internalize this exact definition and its true meaning, as this is one of the points on which we most often experience misunderstandings. Many people believe that only identity card numbers, social security numbers, tax ID numbers and similar data qualify as personal data, and therefore do not even realize that their work has any relevance from a data protection point of view. This belief is mistaken: as the definition reveals, any information may qualify as personal data, provided that it relates to an identified or identifiable natural person. This may be a picture of someone, their dietary preferences, information on where they were at a certain point in time, their religion, their sexual orientation or even their favorite band. Importantly, any information that can at least potentially be associated with a specific person falls within the scope of personal data.
In addition to the definition of personal data, another significant definition is that of the (data) controller, as the data controller is the entity (or person) primarily responsible for complying with all data processing related obligations. The GDPR does not include anything new in this regard either: the data controller is the entity (or person) that “alone or jointly with others, determines the purposes and means of the processing of personal data.” In this respect, it is important to dismiss the frequently encountered misbelief that a controller can only be an entity (or person) that is actually in possession of the data. Possession is not necessary: a company that contracts a partner to collect personal data for the company’s own advertising campaign, and to use that data for the purposes of the campaign, is a data controller even if it never possesses the data, i.e., even if the data remains continuously in the possession of one or more contractual partners (data processors).
The main principle of the GDPR, as in the Info Act, is the principle of purpose limitation, which is closely related to the principle of data minimization. According to these principles, personal data may be processed only where necessary for a specific, explicit purpose. It follows that only the personal data minimally required to realize the given purpose may be processed lawfully; in other words, data minimization is required by law. These principles cannot be overridden even by the consent of the data subject. We often encounter the interpretation that the consent of the data subject is adequate and sufficient to justify practically any data processing operation without restriction. This is not the case. Collecting and processing personal data without a defined purpose, stockpiling it for uncertain later use on the notion that ‘it may later be good for something’, is forbidden even with the consent of the data subject, under both the currently effective rules and the GDPR. Closely related is the principle of fair processing, which likewise renders the above practice unlawful.
- The legal basis of data processing
Compared to the Info Act, the GDPR extends the scope of legal grounds for processing personal data. Performance of a contract with the data subject is explicitly included as an independent legal ground; this ground was already known from the Data Protection Directive but had no counterpart in the Info Act. Instead of the Info Act’s former concept of ‘data processing required by law’, one can now refer to the legal ground of compliance with a legal obligation, which is a wider and more flexible term.
Like the Data Protection Directive, the GDPR contains legitimate interest as a potential legal ground, provided that the given data processing passes the balancing test, i.e., the controller’s interests are not overridden by the interests or fundamental rights and freedoms of the data subject. This is not a widespread legal concept in Hungary because it was not included in the Info Act. Although Article 7 lit. f) of the Data Protection Directive was directly applicable, Hungarian data controllers rarely relied on it, preferring to obtain the consent of the data subjects even in areas where legitimate interest would have been the proper legal ground. This practice regularly raised concerns, for example in employment relationships, where the imbalance between the parties calls the voluntariness of consent into question. Once the GDPR applies, the legal ground of legitimate interest should become more common and be applied consistently.
- Rights of data subjects
The GDPR also extends the rights of data subjects; the new rights include the right to be forgotten and the right to data portability.
The right to be forgotten means that if the data controller has previously made the data public and is later obliged to erase it (because the data is no longer necessary for the given purpose, or the data subject has withdrawn his/her consent and no other legal ground for processing is available), the controller shall take reasonable steps, including technical measures, to inform other controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.
Pursuant to the right to data portability, another innovation of the GDPR, the data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format, to transmit those data to another controller, or to request that they be transmitted directly to another controller designated by the data subject. This right applies where the processing is based on consent or on a contract and is carried out by automated means. It may become a significant provision in the future, for example when someone changes service providers.
In connection with the rights of data subjects, it must be emphasized that a controller cannot lawfully exempt itself from ensuring these rights. The already applicable right to erasure, for example, cannot be refused merely by citing technical obstacles. These rights must therefore be taken into account when designing any system that processes personal data.
- Data breaches
The GDPR pays special attention to personal data breaches and significantly extends the related recording and notification obligations. It introduces a three-level system whereby data breaches must be (i) documented in internal records, (ii) notified to the competent data protection authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, and (iii) communicated to the affected data subjects where the breach is likely to result in a high risk to them. The GDPR does not specify the form of the notification, and we expect that this will be regulated in an amendment to the Info Act so that notifications can be submitted via an online platform on the website of the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: NADPFI).
- Data protection impact assessment
Another important provision of the GDPR is the obligation to perform a data protection impact assessment prior to any processing likely to result in a high risk, in particular where new technologies or profiling are used. It is the duty of the controller to carry out the impact assessment. As a general rule, the assessment must be carried out only for new processing operations commencing after May 25, 2018. For operations initiated before that date, the assessment must be carried out only where the processing changes.
The objective of the impact assessment is to identify and mitigate risks. To achieve this, it is indispensable to describe the planned operations in accurate detail, examine and present the purpose(s) and the legal grounds of the processing, and assess the necessity and proportionality of the processing operations, i.e., establish whether the processing of the data in question is necessary for the given purpose(s) and whether the limitation of rights resulting from the processing is proportionate to those purpose(s). Processing operations meeting more than one of the following criteria will generally qualify as high risk: (i) the processing involves a substantial amount of personal data or (ii) affects a large number of data subjects, (iii) the data subjects no longer have free disposal of the data, (iv) the processing results (or may result) in discrimination on the basis of the data, (v) the data subjects are vulnerable persons (e.g., children, but according to certain interpretations employees fall into the same category), (vi) the processing involves profiling, (vii) the behavior and/or the movement of the data subjects is recorded, (viii) the processing may harm reputation, (ix) it may cause financial loss, or at least financial risk, to the data subjects, or (x) sensitive data are involved.
The Data Protection Working Party operating on the basis of Article 29 of the Data Protection Directive (hereinafter: Working Party No. 29) has already issued guidelines (WP248) on the detailed conduct of an impact assessment procedure, which may assist in carrying out an assessment. If the data protection impact assessment confirms that the planned operations would result in a high risk in the absence of measures to mitigate it, the GDPR makes prior consultation with the competent data protection authority obligatory.
- Data protection officer
The GDPR abolishes the role of the internal data protection officer currently appointed under the Info Act and introduces the post of data protection officer (DPO). Appointing a DPO is obligatory for public authorities and for companies whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (which covers most profiling in terms of the GDPR) or of large-scale processing of special categories of data or data relating to criminal convictions. The name and contact details of the data protection officer must be published by all organizations concerned and communicated to the supervisory authority.
- Other changes
The GDPR lays down specific rules on, and seeks to limit, so-called profiling. It introduces the new category of pseudonymized personal data and pays special attention to the processing of genetic and biometric data. It compels controllers to apply the principles of ‘privacy by design’ and ‘privacy by default’ broadly. It expressly regulates the situation of joint controllers and the relationship between them. In comparison with the previous rules, it pays more attention to the role of data processors and lists the compulsory minimum content of the contracts concluded between controllers and processors.
The protection of children becomes especially important. For consent to information society services offered directly to a child, the GDPR sets the age threshold at 16 years, which Member States may lower to no less than 13. It may therefore be necessary to work out procedures to identify child data subjects and to ensure that their data is not processed, or is processed only with appropriate restrictions, with special regard to the legal ground of the processing.
The GDPR regulates the transfer of data to third countries (countries outside the EEA) in more detail and requires a wider scope of information to be provided to data subjects in such cases, while keeping the transfer mechanisms available under the former rules (adequacy decisions, appropriate safeguards and derogations for specific situations).
The GDPR specifically addresses the possibility to issue codes of conduct and certification procedures. It also deals with the administrative structure to be adjusted to the new data protection framework and lays down the primary rules of cooperation between national data protection supervisory authorities, applying a customer-friendly, one-stop-shop mechanism.
- Practical guidelines
Though some of the new regulations may seem confusing, it is safe to say that the application of the GDPR will not entail conceptual changes for companies that are already operating in full compliance with the stipulations of the Data Protection Directive and the Info Act.
Publication of the NADPFI’s guidelines is still pending, but several foreign authorities, notably the British and Belgian authorities, have already published guidelines on the application of the GDPR.
- The future of the Info Act
Contrary to general belief, the Info Act will not be repealed when the GDPR becomes applicable but is likely to be amended and harmonized with the GDPR. The forerunner of that process was the proposal for an amendment to the Info Act for harmonization purposes, which was published on the government’s website in August 2017.
The future of the data protection audit under the Info Act is another open question: it is unclear whether it can be reconciled with the GDPR and, if so, in what form it will survive.
- Preparation for the application of the GDPR
The cornerstone of preparation for the application of the above rules is increasing data protection awareness within every company. We strongly recommend organizing internal professional training in anticipation of the new rules. This would shed light on any outstanding issues and help avoid violations of the GDPR that may trigger serious consequences and fines.
As the next step in preparation, it is indispensable to completely review and catalog the data processing operations performed by the company. Data processing purposes and concepts must be assessed and reviewed with the help of an expert. It may be necessary to amend or change the legal grounds relied on, or to obtain new consents. If the company processes the data of children or carries out any activity that would qualify as profiling, we strongly recommend paying special attention to the relevant provisions of the GDPR and introducing strict compliance safeguards.
It is also important to prepare for the application of the new rules on data breach incidents. In this respect, it may be necessary to develop appropriate internal regulations, review contracts concluded with data processors, and provide appropriate training to the employees who will be assigned new data breach related tasks.
Our data regulatory team is available to prepare your company for the tasks and challenges presented by the GDPR and to assist you with any other data protection related issues.
The content of this newsletter is for information purposes only and should not be treated as legal advice by KNP LAW Nagy Koppany Varga and Partners or any of their attorneys. For more information please contact us.