On 31 May 2019, the Hungarian National Authority for Data Protection (NAIH) issued a new ruling on the erasure of personal data and the destruction of data carriers (e.g. disks, pendrives, and electronic data) used for storing personal information.
Focussing on both employee and client data, the ruling states that companies must erase personal data in such a way that no links can be made to the identities of individuals. In the case of electronically stored data, the mere reformatting of hard disks or other data-storage devices or carriers is not enough. According to the NAIH, companies may use free software products like DBAN or a form of HDD-wipe software to perform deletions.
If companies outsource data erasure (especially the destruction of data-carrier devices) to third-party service providers, the provider should be certified and able to issue an official destruction protocol at the end of the process. (The NAIH provides no further details on certification.)
Companies must verify the erasure of data in writing, although the possession of a destruction protocol may be sufficient as long as it includes the full information verifying the data erasure, such as identification of the data carrier (e.g. a registration or serial number) and the method used to destroy the device. Unfortunately, the NAIH does not offer further details, such as how this protocol is able to prove the actual destruction of a particular piece of data linked to one individual.
In the light of this opinion, companies should review their existing data-retention and erasure strategies, prepare their own erasure protocols and make sure detailed provisions for the retention period of personal data, methods of data erasure, and the responsibilities of the various parties are included in contracts with service providers.
If you have any questions on this NAIH opinion or data-protection regulations in Hungary, please contact one of our local CMS experts: