Novelties brought by GDPR

What novelties does GDPR bring?

  • accountability principle;
  • new concepts: profiling, genetic or biometric data, data concerning health;
  • new legal basis for data processing: legitimate interest;
  • data protection impact assessment;
  • overriding interests of data subjects.

What does the “accountability principle” mean?

The controller is accountable for compliance with the data protection principles and must be able to demonstrate such compliance (i.e. any data protection measures need to be properly documented).

In many cases, rules only serve as a framework; they do not explicitly provide what can or should be done, leaving the controller to elaborate the details. However, this also implies responsibility as the controller could be held accountable.

What is a personal data breach?

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (e.g. loss of a storage medium containing personal data, sending an e-mail to a wrong recipient, etc.). Any personal data breach shall be notified (no later than 72 hours after discovery) to the competent supervisory authority and recorded, and, when the personal data breach is likely to result in a high risk, the controller shall communicate the personal data breach to the data subject.

What is “privacy by design”?

In somewhat simplified terms, this means that data protection safeguards must be integrated into products and services from the earliest possible stage of development. In other words, businesses need to consider the possible security measures before the processing activities, when designing the processing procedures (which, by the way, is also required by the Hungarian laws in force).

What does “data protection impact assessment” mean?

If a data processing activity is likely to result in a high risk to the rights of a natural person due to its nature, scope or purposes, it is necessary first to perform a data protection impact assessment. In other words, it is mandatory to review the planned data processing activity, examine its possible impacts on the data subjects, assess the risks and elaborate methods to address the issues, while properly documenting the entire process.

When processing sensitive data (e.g. concerning health), an impact assessment must be carried out in all cases. Guidelines already exist on this subject, and competent supervisory authorities will later on disclose a list of data processing activities that require a data protection impact assessment.