Data Protection Newsletter 2018/1.

Amendment of the data protection act (Data Protection Act) comes into effect –Summary

1. Preliminaries

As we believe that the up-to-date information on the amendment of legal provisions is essential for our Clients, we intend to inform our Client on the significant amendments regularly or on ad-hoc basis by publishing newsletters.

As of 26 July, 2018, the amendment of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Data Protection Act), which was partly modified on the day of 25 August, became effective. By which amendment, the aim of legislative authority was to harmonize the domestic data protection regulations with the regulations of the general data protection regulation (as its well-known GDPR).

Unfortunately, the amendment of the sectoral laws (e.g.  act on processing of personal data concerning health) has still not been published, as they probably are to be admitted during the fall session of the Parliament. Meanwhile, by the present newsletter, we intend to summarize those significant amendments, which may be important to our Clients.

1. Brief summary of the amendment of the Data Protection Act
2. Concept system / principles / additional provisions

Beside the introduction of the concept system of the GDPR, the amendment of the Data Protection Act determined the directions of the principles of data processes covered by the GDPR and in case of data processes covered by the GDPR, it constituted the additional provisions thereto, regarding which the GDPR provides authorization to the (national) legislation of the member state.

2. Legal grounds / Obligatory review

The amendment of the Data Protection act states that in case of data processing required to the fulfilment of a legal obligation, the types of the processed data, the aim and conditions of the data processing and other circumstances of the data processing are still determined by an act or a local governmental decree..

The Data Protection Act stipulates that, unless stipulated otherwise, the review of the term and necessity of the data processing, which is in order to fulfill a legal obligation, shall be performed in every three years. The result of the review shall be documented and maintained for a ten-year period which shall be made available upon the request of the data protection authority (NAIH).

3. Right to bring the case before court

The amendment of the Data Protection Act specifies the conditions of judicial law enforcement. The natural person concerned by the data processing is entitled to turn to court against the data controller and data processor, if it judges that the data processing violated the legal regulations. The data subject may bring the law suit even before the tribunal competent based on its habitation / residence. The compliance of the data processing shall be proven by the data controller and the data processor. Should the court state the infringement of the law, it obliges the data controller / data processor to terminate the unlawful data processing procedure, to reconstruct the lawfulness of the data processing and to perform a definitely determined conduct in order to ensure the validation of the right of the data subject. In addition, if necessary, the court also order on the claim of indemnification and tort. As the Data Protection Act provided the opportunity, in certain cases, the court may order the publication of the judgment.

4. ‘Posthumous’ data processing

The amendment of the Data Protection Act sets out the validation of entitlement to dispose of the personal data of a deceased person following the decease thereof, appoints the scope of persons authorized to exercise the concerned rights, stipulates the documentation background required to certify the entitlement (inter alia the fact and the date of the decease of the data subject shall be certified by the death certificate or judicial judgment).

5. Protection of high risk data processing

If the data protection authority (NAIH) qualifies a certain type of data processing as high risk and it publishes so and the planned data processing applies similar type of procedure or set thereof, concerning the planned data processing, the high risk shall be presumed. However, if the authority states that it shall not be considered as high risk data processing and it publishes so and the planned data processing applies exclusively similar type of procedure or set thereof during the data processing type of such statement, concerning the planned data processing, it shall be presumed that it is not a high risk data processing.

6. The confidentiality obligation and conference of the data protection controller

The obligations stipulated in the GDPR on the data protection controller are completed by a confidentiality obligation, which shall be effective during and following the existence of the data protection controller relationship and it also orders on the annual conference of the Data Protection Controllers, which shall be convened by the president of the NAIH and the aim of which is professional communication.

7. Information regarding fine

The Data Protection Act does not modify the highly stated and well-known ‘enormous’ amount of fine defined by the GDPR. However, it limits the amount thereof exclusively in the case of financial entities in min. one hundred thousand max. twenty million forints.

In line with a prior amendment and having regard to the provisions of the GDPR, the NAIH exercises its power with regard to the principle of proportionality expressly as in case of the first infringement of the – legal – regulations on processing the personal data it primarily orders to remedy the infringement by warning the data controller and the data processor.

The institution of the warning will probably be the sanction in the cases of infringement stated in the review of data process of small and medium-sized enterprises. However, this shall not affect the right to bringing the case before the court, therefore in case of unlawful data processing, the enterprises of SME sector may also be obligated to pay indemnification and tort.

8. Content of the data protection register

The content of the data protection register will be blocked and may only be used for the reviews concerning the period prior to entering into force of the amendment of the Data Protection Act. The registration of the data processing to the data protection register and the issue of the registration number will terminate. It will be the obligation of the data controller and the data processor to register and document its own internal data protection register in the form, with the content and by the conditions defined by the relevant legal regulations.

Should you have any questions or queries regarding the information in the above newsletter or in connection with data processing, please do not hesitate to contact Germus and Partners Attorneys-At-Law, which has extensive expertise, theoretical and practical experience in the field of data protection law and is able to provide you practical and client-oriented solutions.

The information above is only for your information and shall not be considered as legal advice of Germus and Partners Attorneys-At-Law or any attorneys or trainee lawyers thereof.

You may contact us anytime via office@germus.hu, we are at your kind disposal.