GDPR harmonisation and specific data protection obligations

Hungary

With effect from 26 July 2018, the Hungarian Parliament amended the former data protection act – Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Info Act”) – to ensure harmonisation with the GDPR.

The structure of the amended Info Act is the following:

  • specific provisions which apply in addition to the GDPR, including procedural rules, matters concerning which the GDPR permits derogation or the application of national laws;
  • specific provisions which apply to data processing operations which fall outside the scope of the GDPR; and
  • implementation of Directive (EU) 2016/680 of the European Parliament and of the Council (Law Enforcement Directive) to govern data processing for law enforcement, national security and national defence purposes.

In this article, we summarise the specific provisions of the Info Act which apply in addition to the GDPR, and their practical implications for organisations.

1. Scope

The Info Act applies to all kinds of data processing operations, except the processing of personal data by a natural person in the course of a purely personal or household activity. This is an addition to the GDPR, and covers manual data processing operations as well. (The GDPR applies only to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.)

The Info Act applies

  • if the data controller’s (i) main establishment; or (ii) only place of business in the EU is in Hungary; or
  • the data processing operations of a data controller or its data processor are related to (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Hungary; or (ii) the monitoring of the data subjects’ behaviour as far as their behaviour takes place within Hungary.

2. Additional requirements for data processing necessary for compliance with a legal obligation or for public tasks

Article 6(1)(c) and (e) of the GDPR (Lawfulness of processing) enable data processing if it is necessary (i) for compliance with a legal obligation to which the controller is subject; or (ii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Info Act defines these kinds of data processing operations as “mandatory data processing operations” and provides that organisations can rely only on laws and municipality decrees in these cases.

Such laws and municipality decrees shall define the following:

  • the identity of the data controller;
  • the purpose, term and conditions of the data processing;
  • the type of data;
  • the access rights to the data; and
  • when it is necessary to revise the data processing purpose.

If an organisation is processing personal data on the basis of legal instruments which are not laws or municipality decrees (e.g. governmental decrees, or decrees from a ministry or an authority like the Hungarian National Bank or the Hungarian Media and Infocommunications Authority), it may choose another legal basis, e.g. legitimate interests. However, this restrictive provision may be in conflict with Recital (41) of the GDPR: “where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned.”

In the case of “mandatory data processing operations”, data controllers shall periodically assess whether a particular data processing operation is necessary for achieving its purpose. The Info Act also addresses the case where the relevant law / municipality decree does not define the time for this. In such a case, the data controller shall revise the purpose itself at least every 3 years, calculated from the commencement of the processing. The data controller shall (i) document the circumstances and results of such revision; and (ii) keep such documentation for 10 years and present it to the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) at its request. Data controllers shall revise pre-GDPR data processing operations on 25 May 2021 at the latest.

3. Processing of personal data relating to criminal convictions and offences

The Info Act provides that data controllers can process personal data relating to criminal convictions and offences in accordance with the rules on the processing of special categories of personal data. The practical implication of the above is that companies can process such data mainly (i) based on the explicit consent of the individual; (ii) for carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law; or (iii) for the establishment, exercise or defence of legal claims. Organisations shall revise the legal basis of their data processing operations accordingly.

4. Legal claims of the affected persons and responsibility of the data controller and the data processor

Individuals can seek an effective judicial remedy in court when their data protection rights are infringed, without prejudice to any available administrative or non-judicial remedy. In Hungary, the competent court is the tribunal (törvényszék) at the domicile or habitual residence of the claimant. In addition to ordering payment of the individual’s direct and indirect damages, the court can also impose a general compensation fee for the infringement (sérelemdíj). The court can also publish its judgment with the identification of the data controller or the data processor if the infringement affects a large number of individuals, the infringer is carrying out public tasks, or the gravity of the infringement requires publication. The Info Act authorises NAIH to join any litigation to help the individual succeed.

5. Data protection rights of deceased people

Until now, Hungarian law did not regulate the data protection rights pertaining to deceased people. Now the Info Act ensures that within 5 years of the death of an individual, the person designated by the individual – in an administrative declaration, public document or in a private document with full probative force – may exercise the data protection rights of the departed. In the absence of such a designation, the close relative of the departed may exercise the right to rectification, as well as the right to object to the data processing, the right to be forgotten and the right to the restriction of the processing. Organisations should update their Subject Access Rights procedures to ensure that individuals can exercise the data protection rights pertaining to deceased people as well.

6. Other significant provisions in the Info Act

  • The Info Act established a specific and permanent confidentiality obligation for DPOs. Organisations should revise the confidentiality clauses of the contracts with their DPOs to ensure harmonisation with the Info Act;
  • NAIH will convene and set the agenda of the “conference of data protection officers” each year. This conference shall serve as a regular interaction point between data protection officers and NAIH;
  • In accordance with the GDPR, organisations shall no longer register their data processing operations with NAIH. However, NAIH can verify the registrations made before 25 May 2018; therefore, it is advisable for companies to ensure that their practices and data protection notices are in line with the contents of their existing registrations at NAIH;
  • The Info Act does not provide for further significant deviations from the GDPR. For example, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.