Frequently Asked Questions

What is GDPR?

GDPR stands for the new EU General Data Protection Regulation. This Regulation entered into force in all Member States of the European Union on 25 May 2018, harmonising the data protection provisions across the EU. (However, the legislation of individual Member States also needs to be monitored as certain issues continue to fall within the competence of the Member States).

What are the main purposes of GDPR?

  • Ensuring an appropriate level of security and protection of personal data;
  • granting additional rights to natural persons (a higher degree of disposition over their personal data);
  • ensuring the transparency of the processing and use of personal data;
  • prescribing additional obligations for businesses (security and compliance measures to ensure data protection).

The existing Hungarian legislation may also provide for data processing and data protection requirements, and therefore, in some cases, GDPR does not bring any substantive changes.

Do SMEs fall under GDPR?

Yes. Just as the current rules apply to all controllers and processors, GDPR applies to any company that, for example, processes the personal data of natural persons in a filing system (even if the provider is not established in the EU, as long as its services are also available to individuals in the EU).

Therefore, a company will be subject to GDPR, as a controller, even if it has only a single employee. This is even truer if you, for example, receive job applications, enter into contracts, operate a website (or perhaps a webshop), use payroll or accounting services and so on.

What are considered personal data?

“Personal data” means any information relating to an identified or identifiable natural person. This can be practically any information that is related to a particular person and by reference to which the person can be identified, whether directly or indirectly (e.g. address, mother’s name, e-mail address, surveillance camera footage, blood group, aptitude test results, etc.).

What is processing?

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data (such as collection, recording, consultation, use, erasure or even reading).

Who is the controller and who is the processor?

“Controller” means the natural or legal person who determines the purposes and means of the processing of personal data (e.g. an employer). “Processor” means an entity which processes personal data on behalf of the controller (e.g. a payroll accounting firm).

What are the key principles of data processing?

  • Principle of purpose limitation: personal data may only be processed for purposes specified in advance;
  • principle of data minimisation and data protection by default: personal data are processed only to the extent necessary for each specific purpose of the processing;
  • principle of storage limitation: personal data are stored only as long as necessary for the purposes for which the personal data are processed;
  • principle of fair processing: the processing must fulfil the requirement of fairness;
  • principle of appropriate legal basis: the processing must be lawful;
  • principle of accuracy: the data processed should be accurate and complete;
  • principle of prior information: the processing should be based on clear, detailed, complete and easily accessible prior information;
  • rights of data subjects: data subjects shall have the right to receive information on the processing of personal data concerning them, object to the processing, or request the erasure, rectification or blocking of such data.

Essentially all of the above are already included in the applicable Hungarian legislation.

What novelties does GDPR bring?

  • Accountability principle;
  • new concepts: profiling, genetic or biometric data, data concerning health;
  • new legal basis for data processing: legitimate interest;
  • data protection impact assessment;
  • overriding interests of data subjects.

What does the “accountability principle” mean?

The controller is accountable for compliance with the data protection principles and must be able to demonstrate such compliance (i.e. any data protection measures need to be properly documented). In many cases, rules only serve as a framework; they do not explicitly provide what can or should be done, leaving the controller to elaborate the details. However, this also implies responsibility as the controller could be held accountable.

What is a personal data breach?

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (e.g. loss of a storage medium containing personal data, sending an e-mail to a wrong recipient, etc.). Any personal data breach shall be notified (no later than 72 hours after discovery) to the competent supervisory authority and recorded and, when the personal data breach is likely to result in a high risk, the controller shall communicate the personal data breach to the data subject.

What is “privacy by design”?

In somewhat simplified terms, this means that data protection safeguards must be integrated into products and services from the earliest possible stage of development. In other words, businesses need to consider the possible security measures before the processing activities, when designing the processing procedures (which, by the way, is also required by the Hungarian laws in force).

What does “data protection impact assessment” mean?

If a data processing activity is likely to result in a high risk to the rights of a natural person due to its nature, scope or purposes, it is necessary first to perform a data protection impact assessment. In other words, it is mandatory to review the planned data processing activity, examine its possible impacts on the data subjects, assess the risks and elaborate methods to address the issues, while properly documenting the entire process. When processing sensitive data (e.g. concerning health), an impact assessment must be carried out in all cases. Guidelines already exist on this subject, and competent supervisory authorities will later on disclose a list of data processing activities that require a data protection impact assessment.

What to do in the preparatory phase?

Achieving GDPR compliance is a long and multi-step process that requires time, resources and expertise, and may bring about significant changes within your organisation.

Exploration:

  • What kind of data processing activities are carried out?
  • For what purposes?
  • What personal data are involved?

Investigation:

  • What obligations need to be fulfilled in relation to the individual data processing activities (definition of the scope)?

Review:

  • What modifications are necessary in current contracts, data processing policies and notices, information systems, organisational measures, processes, etc. to ensure compliance?

Data processing and protection:

  • Regulating the use of, and access to, personal data;
  • modifying or preparing contracts, notices and information documents;
  • establishing security (IT, organisational, etc.) controls for the prevention, detection and management of risks and incidents;
  • redesigning data protection, information security and IT systems;
  • keeping the necessary records and registers, sending requests for data, incident reporting (drawing up an action plan).

What are my duties as an employer?

As an employer (i.e. controller), you primarily have to perform the duties listed above in connection with your employment contracts, labour standards policies and contracts entered into with processors (e.g. recruitment agency, payroll accounting firm).

In addition, it is necessary, for example, to:

  • Develop model answers to possible requests for data and information;
  • ensure the security, timely availability and searchability of personal data using IT tools;
  • organise data protection training sessions for employees;
  • create and keep a data protection register.

What happens if, for any reason, you were not prepared for GDPR by 25 May 2018?

The Regulation entered into force on this date without any “grace period”, and therefore you had to be immediately prepared for its application.

Obviously, at first there will be interpretation and practical issues, but during an inspection by the competent authority you cannot validly argue that you failed to prepare.

It is never too late to start preparing and avoid being fined.

What advantages do you gain from GDPR compliance?

  • Transparency: you will be aware of what personal data you are processing, where to store them and how to protect them (in addition, you also get a complete picture of your business processes).
  • Trust factor: By providing sufficient information and taking a proactive attitude, you can further enhance the trust of your customers and co-workers.
  • Creating added value: a review of business processes and a prudent data protection and processing strategy contribute to the protection and building of your business reputation.
  • Competitive edge: this is a result of all of the above. Three kinds of expertise are needed to ensure GDPR compliance: you have the expert knowledge about your organisation and processes, and we are happy to offer you advice on legal and information security matters.