By Zoltan Kozma (Senior Associate, Budapest)
The Hungarian Data Protection Authority published on its website a 12-step guide on how to get ready for the GDPR. Similar to the guides already issued by other DPAs from various jurisdictions (e.g. UK and Belgium), the guide includes 12 steps data controllers and data processors should follow in order to achieve compliance. Although this is a useful initial guideline from the Hungarian DPA for controllers and processors, it still leaves room for interpretation. Further guidance and other tools can be expected from the DPA to assist with preparation for GDPR compliance by 25 May 2018.
The guide includes the following steps:
1. Increase awareness
Awareness must be ensured within the organization to get ready for compliance with the GDPR.
2. Criteria of the data controlling activities must be reviewed
The purpose and context of the data processing activities, together with the concept of processing the personal data, must be reviewed. With a well-prepared data protection policy, compliance with the accountability principle and lawful processing can be achieved.
3. Appropriate information should be provided to data subjects
Attention must be paid to the fact that where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.
4. Rights of data subjects
Rules regarding the rights of data subjects and data processing procedures must be checked. The most important new right of data subjects is data portability, which means that data subjects shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Data subjects must be able to have their data deleted from any accessible sources.
5. Right of access by the data subjects
New rules regarding access requests and timescales to respond must be checked. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month. That period may be extended by two further months where necessary.
Right of access can be ensured by a secure online system through which data subjects can have easy and quick access to their information.
6. Legal basis for processing personal data
Data processing activities within the organization must be reviewed against the legal bases provided for in the new Regulation, and informational self-determination must be ensured. Be aware that, on the basis of the ‘right to be forgotten’, if requested by the data subject, the personal data must be erased without undue delay should the data subject withdraw his or her consent to the data processing. Accordingly, consent entails a stronger erasure obligation on the side of the data controller.
7. Conditions of consent must be reviewed
If processing is based on consent, data processing operations must be checked to ensure compliance with the new criteria of the GDPR. Like the Info Act, the GDPR refers to both ‘consent’ and ‘explicit consent’. The difference between the two is not defined in either the Info Act or the GDPR; in any case, consent is only valid if it is freely given, specific, informed and unambiguous.
8. More emphasis on children’s rights
If an organization processes children’s data, more emphasis should be placed on children’s rights in relation to information society services. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is under the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.
9. Notification of data breach
Pursuant to the current rules of the Info Act, data breaches must be recorded by the controller and information must be provided only at the request of the data subjects.
Pursuant to the new rules in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
10. Data protection by design and data protection impact assessment
Under the new rules, in certain cases data controllers must carry out a data protection impact assessment. Although this might impose an administrative burden on data controllers, in the case of high-risk data processing it can be justified to carry out a data protection impact assessment.
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk, in the absence of measures taken by the controller to mitigate the risk.
11. Data protection officers
The GDPR requires more data controllers to appoint data protection officers than the Info Act does, e.g. if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
12. Competence of supervisory authorities
Under the GDPR each supervisory authority shall be competent for the performance of the tasks assigned to it and exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State.
The supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.
If the activity of the organization is not limited to a single country, it must be determined in which country most of the data processing is carried out (usually the seat of the parent company), and on this basis it should be reviewed which country’s supervisory authority will act as lead supervisory authority in respect of the data processing.