Hungarian data protection authority issues key GDPR-related rulings

Hungary

During the second part of 2018 the Hungarian Data Protection Authority (NAIH) issued important opinions on GDPR issues in the areas of photocopying ID cards, eDM subscriptions and general data transfers, which Hungary-based companies and employers must include in their data processing operations.

Photocopying

According to NAIH, companies and employers cannot copy personal documents (e.g. IDs, educational documents, etc.), unless prescribed by law. NAIH argues that since most companies or employers are not in the position to check a document’s authenticity in official databases, keeping a copy of it is irrelevant. A good alternative practice is to have an individual sign a declaration that he/she has presented what he/she believes to be the relevant official document. Another reviewer can then certify the declaration.

Providing benefits for newsletter subscriptions

NAIH examined whether it is GDPR-compliant for a company to offer a marketing benefit for a subscription to a newsletter. In this case, NAIH decided that companies must closely examine how such a benefit might influence the voluntary nature of the newsletter "opt-in". It was also deemed important for a company to determine if the "opt-out" would disadvantage a subscriber. For example, if subscribing to a newsletter is not necessary to obtain a certain service, non-subscribers should have equal access to the service. But it was also noted that if a benefit (e.g. exclusive content or offer) is connected to the main function of a newsletter, the loss of such a benefit when opting out may not contradict the GDPR.

Information on recipients of personal data

According to NAIH, data controllers should name in their privacy notices the recipients of personal-data transfers, the data transferred, and the purpose of the transfer, preferably in table format. It is only necessary to provide information on the categories of recipients where the recipients are numerous, the data controller would not transfer data to them in each case, and providing a full list of recipients could jeopardise the intelligibility of the privacy notice. For example, a travel agency, which organises trips to different destinations, should not list all the hotels it provides personal data to, since this information may differ from time to time.

In one case, NAIH ordered a recruitment website to indicate in its privacy notice the specific Hungarian law that allows data retention for accounting purposes, and to identify and provide information on each recipient to whom it transfers the personal data of job candidates.
