CLVPartners

Data protection updates: the data subject’s right of access and expected developments

Reading time: 7 minutes

Recently, we have received an increasing number of questions from clients regarding the scope of the data subject’s right of access and the practical requirements for responding to access requests. The topic is particularly timely, as legislative work is currently underway to amend certain procedural provisions of the General Data Protection Regulation (GDPR).

Under GDPR the right of access is one of the cornerstone data subject rights. On the one hand, it is essential for ensuring transparent data processing; on the other hand, it is one of the most frequently disputed rights in practice, with a significant proportion of supervisory authority proceedings and court cases relating to its exercise. Complying with the right of access involves much more than simply providing copies of personal data. It also requires the proper identification of the data subject, compliance with the principle of data minimisation, and the appropriate handling of potentially abusive requests.

In this newsletter, we provide an overview of the content of the right of access, the key guidance shaping its practical application in Europe, and the most recent and expected legislative developments.

The content of the right of access

Pursuant to Article 15 GDPR, the data subject is entitled to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the following information:

- the purposes of the processing,
- the categories of personal data concerned,
- the recipients to whom the personal data are disclosed,
- the retention period of the data,
- information on the rights available to the data subject, including the right to request rectification, erasure or restriction of processing of personal data and to object to such processing,
- information on lodging a complaint with a supervisory authority and the manner thereof,
- the source of the data (where the data are not collected from the data subject).

One of the critical elements of exercising this right is the provision of a copy of the personal data. Case law has made it clear that this does not merely mean providing summary information, but the actual disclosure of specific data relating to the data subject. In certain cases, this may also include providing the relevant parts of complete documents (e.g. emails, reports).

The importance of handling access requests

Properly responding to access requests is not merely a procedural obligation; it is a key element of GDPR compliance as it directly supports the principles of transparency and accountability.

Where access requests are handled correctly, data controllers:

- ensure compliance with the GDPR principle of transparent processing;
- enable data subjects to effectively exercise their rights;
- reduce the risk of supervisory investigations and administrative fines;
- minimise the likelihood of disputes and litigation; and
- strengthen trust in their data processing activities.

Conversely, inadequate or incomplete responses—such as failing to provide a copy of the personal data, insufficient redaction of third-party information or unjustified refusal of the request—may constitute standalone GDPR infringements and often lead to supervisory investigations following complaints lodged by data subjects.

Top 10 key considerations for exercising the right of access

Based on the European Data Protection Board (EDPB) Guidelines, the following practical considerations deserve particular attention when handling the exercise of the right of access:

  1. Access requests must be assessed based on their substance. They may not be rejected solely on formal grounds, and any request seeking access to personal data should be treated as a request to exercise the right of access.
  2. The data controller must conduct a search across all relevant systems, including electronic systems, email accounts, and archived data, and, where necessary, paper-based records.
  3. Where the data subject requests a copy of their personal data, the data controller must provide the actual personal data being processed. A summary or list alone is not sufficient. Depending on the circumstances, this may require providing the relevant excerpts from documents such as emails or reports, while of course maintaining business confidentiality.
  4. The information provided must be intelligible. Where the disclosed data are technical, coded, or otherwise difficult to understand, explanatory information may also need to be provided.
  5. Where documents to be disclosed contain personal data relating to other individuals, the data controller must apply anonymisation or masking. Withholding the entire document is justified only in exceptional circumstances.
  6. Where the data controller has reasonable doubts regarding the identity of the requester, it must verify the data subject’s identity to ensure that personal data are disclosed only to the authorised individual, thereby safeguarding both the protection of personal data and the effective exercise of data subject rights.
  7. Identity verification should primarily rely on information already available to the data controller. Where necessary, supplementary verification measures may be used, such as email verification or online or in-person identification.
  8. Only the minimum amount of information necessary for identification may be requested. Excessive or unjustified authentication requirements may themselves constitute a breach of data protection law.
  9. Identity verification must always be proportionate and secure, taking into account the sensitivity of the personal data, the circumstances of the request, and the risk of misuse.
  10. Where appropriate, the data controller should document and be able to demonstrate that the identification and fulfilment measures applied were necessary and proportionate.

Proposed GDPR amendment – Procedural reform

Under the current GDPR framework, data subject requests must, as a general rule, be handled free of charge. A data controller may charge a reasonable fee or refuse to act on a request only where it is manifestly unfounded or excessive, in particular because of its repetitive nature. In such cases, the burden of proof rests with the data controller.

The proposed amendment to the GDPR would clarify this framework by expressly addressing abusive requests. A request could be regarded as abusive, for example, where there are reasonable grounds to believe that the data subject is exercising the right not for the purpose of protecting their personal data, but for another purpose, such as exerting pressure on the data controller or preparing for litigation.

One of the key elements of the proposal is that it would ease the data controller’s evidentiary burden. Rather than having to establish abuse with complete certainty, it may be sufficient to demonstrate that abuse is reasonably likely.

At the same time, the European Data Protection Board emphasises that any restriction of the right of access must remain exceptional, and that the concept of an “abusive request” should be interpreted narrowly. The proposal would not alter the substance of the right of access itself but is instead intended primarily to streamline procedures and promote greater consistency in regulatory enforcement.

Conclusion

The right of access remains one of the most critical areas of data protection compliance. Recent regulatory practice increasingly focuses on ensuring that data subjects receive meaningful access to information, while requiring data controllers to strike an appropriate balance between facilitating data subject rights, complying with the principle of data minimisation, and maintaining the security of personal data.

Data controllers should therefore ensure that they maintain an up-to-date record of processing activities and data inventories, establish consistent internal procedures for handling data subject requests, implement effective anonymisation and document review mechanisms, and provide regular training for employees involved in responding to such requests. It is equally important for data controllers to document the decisions taken throughout the handling of data subject requests, including the identity verification process and the factors considered when assessing whether a request may be abusive. This is particularly significant in light of the anticipated regulatory changes and increased scrutiny by supervisory authorities, which are likely to make these processes a key area of regulatory review.

Photo source: pexels.com, El Jundi

Uncertainty Surrounding U.S. Data Transfers: What to expect following the Trump v. Slaughter decision

Reading time: 4 minutes

The U.S. Supreme Court decision issued on 29 June 2026 (Trump v. Slaughter; hereinafter “Decision”) is likely to affect the legal assessment of international data transfers between the European Union and the United States and may mark a turning point in current practices in this area.

In its decision, the Supreme Court of the United States (“Supreme Court”), relying on the theory of a unified executive branch, concluded that all independent executive agencies operating in the United States are unconstitutional. The decision also directly affects the U.S. Federal Trade Commission (“FTC”).

This development is of particular significance from the perspective of European data protection law, as the current EU–US Data Privacy Framework (hereinafter “Framework”), adopted by the European Commission’s (“Commission”) Implementing Decision No. 2023/1795, designates the FTC as the independent supervisory authority responsible for ensuring compliance with data protection rules.

In our newsletter, we provide an overview of the most important rules governing data transfer practices between the European Union and the United States, and we also review what changes companies need to prepare for as a result of the Decision.

The regulatory framework for data transfers to third countries under the GDPR and the legacy of the Schrems decisions

Under Regulation 2016/679 on the protection of personal data (“GDPR”), the transfer of personal data to a third country is, as a general rule, lawful only if that country ensures an adequate level of protection. A key consideration in assessing adequacy is whether the third country has an independent and effective data protection supervisory authority capable of effectively enforcing and ensuring compliance with data protection rules. In the absence of such an authority or if it functions inadequately, a system of safeguards comparable to that at the EU level cannot be ensured. For this reason, the Commission may adopt an adequacy decision regarding a third country only if the legal system of the country under review – including through such an independent supervisory authority – ensures an adequate level of protection for personal data.

In this context, it is also important to note that the legal framework governing data transfers from the European Union to the United States has long been fraught with uncertainty. In its decisions in the Schrems I and Schrems II cases, the Court of Justice of the European Union previously invalidated the Safe Harbor framework and, subsequently, the Privacy Shield framework governing data transfers between the EU and the U.S. The court justified its decision by stating that, due to the mass surveillance practices applied in the United States and the lack of effective legal remedies, data subjects are not guaranteed a level of protection in accordance with EU data protection rules.

Thereafter, the current Framework was introduced as a sort of “third-generation” data transfer adequacy decision, which designates the FTC as the independent supervisory authority with respect to the United States. However, as a result of the Decision, it has become unclear whether the conditions necessary for the FTC’s independence continue to be met.

Why is this relevant for EU data controllers?

In the past few decades, many EU companies have outsourced their data processing activities to U.S. cloud service providers. However, the GDPR clearly stipulates that companies may lawfully transfer personal data to a third country – including the United States – only if the transfer is based on appropriate safeguards and a legal basis.

One possible legal basis for data transfers is what are known as adequacy decisions. In the context of relations between the European Union and the United States, the Framework currently serves this function. In the absence of an adequacy decision, data transfers may only take place lawfully if the organization in question provides appropriate safeguards, such as the use of the Standard Contractual Clauses (“SCC”) adopted by the European Commission or the implementation of Binding Corporate Rules (“BCR”).

If it is concluded that the FTC no longer meets the independence requirements set forth in the Framework, it is likely that the Commission will review the Framework in the future and, if necessary, repeal it.

We emphasize that this development may not be limited to data transfers carried out under the Framework. Data controllers who use SCCs or BCRs may also be affected, as, in accordance with the principle of accountability under the GDPR, companies are required to assess, as part of a data transfer impact assessment, whether the laws of the third country ensure the necessary level of protection. If this assessment concludes that the U.S. legal system – particularly with regard to government access or remedy mechanisms – does not provide adequate safeguards, then the use of SCCs or BCRs alone is not sufficient to maintain the lawfulness of the data transfer, and therefore they cannot provide an adequate basis for data transfers to the United States.

Recommended steps

Based on the above, the current developments require increased caution from all data controllers involved in international data transfers to the United States. The decision does not require immediate direct action; rather, it calls for a review of internal processes and appropriate risk management:

- a comprehensive review of internal procedures governing data transfers;
- updating data transfer impact assessments;
- assessing whether it is necessary to implement additional technical measures, including, for example, the use of encryption;
- identifying alternative data processing solutions.

Summary

It can therefore be concluded that the adequacy of the Framework is not clear; however, the Framework itself remains in effect until the Commission repeals it or the Court of Justice of the European Union annuls it. Consequently, the Decision does not currently have a direct impact on EU data controllers. However, companies are advised to review their practices regarding data transfers to the United States and, if necessary, prepare to implement alternative solutions.

Photo source: pexels.com, Mark Stebnicki

Artificial Intelligence and Data Protection in Corporate Practice

Reading time: 5 minutes

The use of artificial intelligence (hereinafter also referred to as AI) is no longer merely a technological issue but is increasingly also a data protection and compliance challenge. Whether it is the analysis of customer data, automated customer service chatbots, tools used to provide and develop a company’s services and improve operational efficiency, or even tools used to enhance the efficiency of HR processes, AI systems provide a significant competitive advantage. Due to the processing of personal data, the rules of the General Data Protection Regulation (GDPR) remain applicable, while the European Union’s Regulation on Artificial Intelligence (AI Act) also introduces additional obligations. In this article, we provide an overview of the main data protection and AI Act-related considerations that should be taken into account in corporate AI use in order to ensure compliance.

The legal relevance of automation

In practice, one of the most important questions is what exact role the given AI system plays in the data processing workflow. The functioning of the applied technology and the way data is used fundamentally determine the legal classification of the AI system, as well as the data protection and compliance obligations of the company. From a data protection perspective, there is a significant distinction between automated data processing, profiling, and automated decision-making:

Automated data processing:

This is a technical process; data processing is considered automated where the collection, organisation, and retrieval of data take place without human intervention, by software (for example, a system automatically sorting incoming applications in alphabetical order, or categorising incoming customer requests or documents).

Profiling:

Under the GDPR, profiling means that the system does not merely organise data, but draws conclusions about, evaluates, or ranks data subjects. If the system, based on personal data, scores or filters individuals in any form according to certain personal characteristics – such as their financial situation, preferences, interests, reliability, or even abilities or suitability – this may qualify as profiling.

Automated decision-making:

This occurs where the process is not only technically automated, but the AI system itself makes the final decision without human intervention, and this decision produces legal effects concerning the individual or similarly significantly affects them. A typical example is when the software automatically rejects (excludes) an applicant from a process without human approval based on certain criteria.

In practice, these categories are often not separate processes. Even a simple technical automation can easily evolve into a process that raises issues of profiling or automated decision-making. Therefore, each AI-based process must be assessed individually based on data usage and the actual functioning of the system.

Data protection considerations

Where a company integrates AI technology into its internal processes or services provided to customers, the nature of the system’s operation must be assessed from a data protection perspective in order to classify the type of data processing. During this assessment, it must be determined whether profiling or automated processing takes place, and whether there are circumstances requiring a data protection impact assessment (DPIA).

According to the guidance of the National Authority for Data Protection and Freedom of Information (NAIH), the use of new technologies may in itself carry a high level of risk. However, a DPIA is particularly necessary where the processing involves the evaluation, scoring, or prediction of personal characteristics of natural persons; where automated decision-making results in exclusion or rejection without human intervention (e.g. during recruitment filtering); or where the technology is used for systematic, software-based monitoring of employee performance or productivity.

In addition, an appropriate legal basis for processing must be ensured, and in certain cases the consent of the data subject may be required. Furthermore, in line with the transparency principles of the GDPR and the AI Act, data subjects must be clearly and comprehensibly informed about the use of AI, its purpose, the basic logic of its operation, and their rights, including the right of access, erasure, objection, and the important right to request human review of decisions made by the system.

Based on our experience, the following are the AI software programs most commonly used by companies that involve the processing of personal data, which is why the data processing documentation needs to be reviewed:

- ChatGPT
- Microsoft 365 Copilot
- Google Gemini
- Perplexity
- Claude

Conclusion

The introduction of artificial intelligence is not merely an IT issue, but a complex legal and data protection compliance task. Since AI-based systems almost always involve the processing of personal data, it is advisable to address these issues already before the deployment of such systems, in light of GDPR requirements and regulatory expectations. Establishing transparent, secure, and legally compliant operation from the design phase onwards not only reduces legal risks, but also forms a fundamental basis for long-term business success and trust. If a company plans to implement or has already implemented an AI solution, it is necessary to review it from a data protection perspective and update the data protection documentation accordingly.

Photo source: pexels.com, Egor Komarov

The EDPS 2025 Annual Report: A New Era in Corporate Data Protection and Technological Compliance

Reading time: 6 minutes

The European Data Protection Supervisor (EDPS) has published its 2025 Annual Report (hereinafter: the “Report”), providing a detailed account of its activities to protect personal data in a rapidly changing digital world. The Report clearly signals that the European data protection and digital regulatory environment has entered a new phase: the focus is no longer merely on formal GDPR policies, but on the actual operational controls of AI systems, cloud services, and international data transfers. The investigations typically center on tools and processes that most organizations use on a daily basis: Microsoft 365, cloud infrastructure, generative AI solutions, mobile applications, and HR systems. In this article, we present the main findings of the Report and outline the key aspects and recommendations necessary for compliance.

AI Governance: A new dimension of compliance

One of the most important messages of the Report is that corporate control over artificial intelligence (AI governance) will shortly develop into a standalone, high-priority compliance area. Artificial intelligence is no longer an experimental technology; it has become an integral part of daily operations within EU institutions and an increasing number of organizations. In preparation, the EDPS has already taken the first major steps:

- Established a dedicated AI unit: it has strengthened its newly created AI unit to prepare for supervisory duties under the EU Artificial Intelligence Act.
- Mapped generative AI usage: it assessed the current AI ecosystem regarding prohibited practices and high-risk systems, and published a report highlighting the dominant areas of AI use and enforcement priorities.
- Launched an AI regulatory sandbox program: within the framework of a pilot project, it created a safe regulatory testing environment for developing and testing innovative AI systems under supervisory oversight.
- Issued a new AI risk management guide for identifying and mitigating technical risks associated with the development and deployment of AI systems.

Regulatory focus is intensifying particularly in the following specific areas:

- the corporate use of generative AI tools;
- the compliance of off-the-shelf AI solutions;
- the strict control of high-risk AI systems;
- the legal relationship between AI and personal data;
- the technical risk management of AI systems.

In a corporate environment, this means that the use of AI is no longer exclusively an IT or innovation issue, but a key legal, compliance, and data protection risk area. Therefore, organizations must prepare now to introduce, document, supervise, and use AI solutions in their daily operations in accordance with the requirements of the GDPR and the EU Artificial Intelligence Act.

Microsoft 365 and enterprise IT systems

In 2025, the EDPS further strengthened its oversight over large IT systems, including cloud services similar to Microsoft 365. The lesson from previous investigations is that compliance is not solely a contractual matter but requires an assessment covering the entire lifecycle of data processing.

The investigations focused on issues that are also critical for large enterprises:

- international data transfers to third countries;
- the transparency of complex sub-processing chains;
- the control of access to data;
- the existence of appropriate technical and organizational guarantees.

A key message of the Report is that a service agreement or a “GDPR-compliant” label alone is no longer sufficient. Supervisory practice increasingly examines actual operational controls, technical measures, and documented risk assessments. For this reason, we recommend conducting a limited review of supplier contracts from a data protection perspective. In our view, it is sufficient to do this once and then build a control into the process that ensures compliance whenever a contract or service changes, or that provides for periodic reviews and follow-up checks.

International data transfers

Data transfers to third countries remain a high-priority enforcement area. The EDPS emphasizes that appropriate contractual clauses are not sufficient on their own. In assessing compliance, an increasingly important role is played by the actual content of the Transfer Impact Assessment (TIA), the evaluation of the legal and practical environment of the third country, and the real-world operation of the applied technical and organizational measures. In modern cloud-based systems, according to data protection law, remote access also constitutes a data transfer. If a third-country IT engineer (e.g., from India or the United States) logs into a database stored in Europe for support or system maintenance purposes, the data legally leaves the EEA. These risks can only be meaningfully assessed by a TIA. This is particularly relevant in environments where global cloud infrastructures or centralized IT support operate. In practice, this means that companies should assess whether data transfers outside the EU occur due to the nature of the supplier’s operations or due to the processes required by the corporate group, and classify them accordingly.

The future of data protection will be technologically focused

Based on the EDPS Report, European data protection practice has definitively shifted in a technological direction. At the center of the supervisory focus stands the understandable and accountable operation of artificial intelligence, the continuous monitoring of cloud services, and the complete fusion of cybersecurity and data protection. Data protection compliance is thus no longer an isolated legal task, but a shared, daily responsibility of corporate management, procurement, digital transformation, and IT security.

Based on the EDPS Report, it is clearly visible: in the coming years, organizations that recognize this paradigm shift and build a real, auditable technological governance system – rather than just a formal, paper-based GDPR compliance – will hold a clear competitive advantage.

Photo source: pexels.com, Jcmotive

CLVPartners has achieved outstanding results in the 2026 guides of Chambers and Partners Europe© and Legal 500©

We are pleased to announce that Chambers and Partners© and Legal 500© have ranked our firm for the 13th consecutive year in 2026, and in multiple categories: we are one of the few firms in Hungary to have been recognized in the areas of labor law, commercial law, corporate law, and M&A, as well as data protection.

This year marks a particularly significant milestone for us, as we have moved up one category and achieved a higher band rating.

As a boutique law firm competing against the largest international firms with nearly 100 employees, this achievement is a significant recognition for us, one that reaffirms our professional commitment and our dedication to providing our clients with the highest level of service.

We are particularly pleased that our managing partner, Anna Papp, has also received individual recognition and was listed in the guide among Hungary’s notable practitioners in the field of labour law.

We would like to share some feedback that is particularly valuable to us, which our clients provided to the certification body:

“The law firm’s technical strength, practical mindset and outstanding client care make it genuinely distinctive within the employment law market.”

“The team is approachable, easy to reach and provides timely advice, even on short notice. Its ability to balance quick turnarounds with well-considered, practical guidance is a key strength.”

“The firm has particularly extensive experience in designing whistleblowing systems and managing data protection requirements for internal workplace investigations. This includes ensuring that the principle of ‘privacy by design’ is upheld even when investigating sensitive corporate matters or reports of harassment.”

“CLVPartners is always flexible, proactive, and solution-oriented. Their approach is holistic: beyond solving the immediate problem, they highlight areas we may not have considered but which are essential.”

“Anna Papp demonstrates flexibility, preparedness, extensive experience, precision and client focus. In addition to her comprehensive expertise, she also understands the practical side of things.”

“We can count on Anna Papp for all our questions. We don’t have a problem that she doesn’t have a suggestion for. Her professional knowledge and dedication are outstanding.”

“Barbara Seregély has extensive experience in cross-border mergers and acquisitions and corporate law.”

“Anikó Hrebenku delivers an excellent client experience, ensuring that each matter is handled by experts who provide consistent support.”

We would like to thank our clients for their trust and valuable feedback throughout the year. We remain committed to continuing to effectively support our clients’ day-to-day operations.

Photo source: pexels.com, Pixabay

Current Activities of the European Data Protection Board to Support GDPR Compliance

Reading time: 7 minutes

The European Data Protection Board has published its Work Programme for 2026–2027 (hereinafter: the “Programme”), adopted on 11 February 2026. The Programme provides not only strategic directions but also concrete tools to support organisations’ day-to-day compliance. This article summarises the consultation results and the key plans set out in the European Data Protection Board’s Programme.

Background

In its 2024–2027 strategy, the European Data Protection Board identified four interlinked priorities. These include strengthening the consistent application of data protection rules and supporting organisations in complying with the law. A further priority is deepening cooperation among data protection authorities, particularly in cross-border cases. The strategy also emphasises ensuring that data protection is effective in a fast-evolving digital environment affecting multiple regulatory areas, including applications of artificial intelligence. Moreover, the European Data Protection Board aims to actively foster and shape international dialogue on privacy and personal data protection. The Programme supports the implementation of the European Data Protection Board’s 2024–2027 strategy, based on the identified priorities and the most important needs of stakeholders.

Main elements of the programme

The Programme builds on the consistent application of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and sets out the European Data Protection Board’s activities for 2026–2027 along four pillars: harmonisation and compliance, a common culture of enforcement, challenges in the digital regulatory environment, and global data protection dialogue.

Harmonisation and legal clarity

The European Data Protection Board will continue to issue detailed yet accessible guidance on topics considered critical by stakeholders during events and consultations, such as anonymisation and pseudonymisation, data processing based on legitimate interests, “consent or pay” models, and targeted updates on guidance for data protection officers.

The European Data Protection Board also intends to facilitate GDPR compliance with new practical tools, particularly for small and medium-sized enterprises (SMEs), including templates and guidance. To this end, a public consultation was conducted between 5 November and 3 December 2025 to identify which practical templates would most effectively support GDPR compliance.

The consultation highlighted the greatest demand for templates on records of processing activities, data protection impact assessments, legitimate interest assessments, privacy notices, transfer impact assessments, data processing agreements, data breach notification forms, and risk assessment templates. The European Data Protection Board has prioritised three templates in the Programme—legitimate interest assessment, records of processing activities, and privacy notices—to provide consistent, practical support, especially for organisations with limited resources.

In addition, the European Data Protection Board supports controllers and processors in developing and implementing compliance measures, for instance, through opinions on certification schemes, codes of conduct, and accreditation.

Stronger enforcement culture and cooperation

The second pillar aims to ensure consistency in the application and enforcement of the GDPR and to enhance cooperation among its members. The European Data Protection Board will continue to support the development of cooperation and enforcement tools and promote the sharing of expertise. Efforts will also focus on giving greater attention to priority issues and creating consistency.

In line with these objectives, the European Data Protection Board will focus on the consistent application of the GDPR and effective cooperation between authorities. To this end, it will update, among other things, its guidelines on handling cross-border cases, its principles on imposing fines, and its rules on mutual assistance and emergency procedures. As part of its action on the Coordinated Enforcement Framework (CEF), in 2026 it will focus on fulfilling the obligations under Articles 12-14 of the GDPR regarding transparent information, communication and measures for the exercise of data subjects’ rights. Where necessary, it will set up working groups to provide operational platforms for cases requiring cooperation on enforcement matters. To ensure the effective functioning of the consistency mechanism, it will adopt opinions addressed to national supervisory authorities with a view to supporting consistent decision-making.

Data protection at the intersection of digital legislation

The European Data Protection Board’s priority is to ensure coherence across EU digital legislation. In the rapidly evolving technological and market environment, data protection interacts closely with multiple other EU laws, such as the AI Regulation. This increases the importance of consistent interpretation, coordinated action by authorities, and clear guidance. The European Data Protection Board collaborates with other regulators, including competition and consumer protection authorities, to support the new cross-regulatory environment. Key technological topics include generative AI, telemetry and diagnostic data, and blockchain-related data protection issues.

Global data protection dialogue and data transfers

The European Data Protection Board continues to promote global dialogue on privacy and data protection, focusing on international cooperation between its members and third-country authorities, especially those with EU adequacy decisions.

Conclusion: more support, greater legal certainty

A key message of the Programme is that GDPR compliance is not merely a matter of regulatory oversight, but a process that can be actively supported and structured. Templates, harmonised guidance, and enhanced authority cooperation aim to make GDPR application more predictable and practical. At the same time, each organisation must tailor its data processing documents and procedures to its own business processes and risks. The European Data Protection Board seeks to strengthen fundamental rights, support organisational compliance, and ensure that European data protection remains coherent and competitive in a fast-changing digital environment.

Photo source: pexels.com, MART PRODUCTION


Data protection considerations related to the development of AI models

Reading time: 5 minutes

Artificial intelligence (“AI”) is a rapidly evolving family of technologies that contributes to a wide range of economic, environmental, and social benefits across all sectors and social activities. By improving predictive accuracy, optimizing operational processes and the allocation of resources, and enabling the personalization of digital solutions available to individuals and organizations, the use of AI can confer a decisive competitive advantage on businesses while also delivering beneficial social and environmental outcomes.

The use of artificial intelligence, alongside its potential benefits, is also associated with certain risks. In order to mitigate these risks, Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (“AI Act”) has been adopted, several provisions of which have already entered into force. At the same time, the development of many AI models involves the use of personal data, which raises the question of how the AI Act affects data processing activities related to AI systems.

The relationship between the AI Act and the GDPR

The AI Act makes it clear that it does not amend the application of existing EU rules on the processing of personal data, including the requirements set out in the GDPR. Accordingly, organizations falling within the scope of the AI Act must, in the course of their data processing activities, comply fully with the provisions of the GDPR.

Through the enforcement of the right to the protection of personal data, the GDPR also supports the effective exercise of other fundamental rights, including, inter alia, freedom of thought and expression, the right to information and education, and the freedom to conduct a business. On this basis, it can be concluded that the GDPR establishes a legal framework that facilitates responsible innovation, including the responsible development and deployment of AI-related technologies.

Data protection considerations in relation with the development of AI Models

In connection with the development of AI models, the European Data Protection Board (“EDPB”) adopted a standalone opinion on data protection aspects arising in relation to the processing of personal data in the context of artificial intelligence models (“Opinion”).

The Opinion examines how personal data may be used in the development of AI models and highlights the issues requiring particular attention when placing on the market AI systems developed using personal data.

Lifecycle of AI Models

The EDPB divides the lifecycle of AI models into two stages, emphasizing that data processing may occur in either of them. The first stage covers the processes preceding the deployment of the model (including e.g. its creation, development, the training, the fine-tuning). The second stage relates to the deployment phase, encompassing the use of the model following its development.

Existence of a legal basis for data processing by data controllers

One of the cornerstones of data protection regulation is that personal data may only be processed where a specific legal basis exists. The Opinion reiterates the general expectation that data controllers must determine the appropriate legal basis for their processing activities.

However, the EDPB found that, as a general rule, an AI model developer may rely on legitimate interest as a legal basis, provided that the existence of such legitimate interest is duly substantiated. For this purpose, a three-step test – already familiar to those with experience in data protection compliance practice – serves to properly assess whether a legitimate interest genuinely exists.

The EDPB emphasizes that the balancing test must take into account whether the data subjects can reasonably expect their personal data to be used. The Opinion is significant in this regard because it sets out several criteria intended to assist data protection authorities in assessing the “reasonable expectation” criterion.

The Opinion also recalls that, where it appears that the interests, rights, and freedoms of data subjects override the legitimate interests of the data controller or of a third party, all is not lost. Namely, the data controller may consider the implementation of mitigating measures to limit such adverse effects. These may include, for example, pseudonymization, or measures aimed at masking personal data or replacing them with fictitious personal data within the training dataset. The introduction of appropriate data protection measures can make data processing lawful again.

Anonymity

The GDPR classifies as personal data any information relating to an identified or identifiable natural person, whether directly or indirectly. According to the position of the EU institution, in the context of AI model development, personal data may only be used where they are properly anonymized, such that even in the event of a potential reverse engineering of the model, the identification of data subjects is not possible. With regard to anonymization, the EDPB emphasizes that the competent data protection authorities must assess, on a case-by-case basis, whether the organization developing the AI model has complied with this requirement. The body also sets out several recommended techniques that may be suitable for preserving anonymity (e.g. measures that prevent or limit the extraction of personal data used for training purposes from the model).

Summary

The EU body emphasizes in its Opinion that compliance with data protection requirements governing the processing of personal data must be ensured throughout both the development and deployment of AI models. It is evident that the expansion of AI and its potential risks are being treated and monitored as a priority by the enforcement authorities, and therefore numerous regulatory guidelines from authorities can be expected in the near future.

Photo source: pexels.com, Tara Winstead


Data and Information Security: The Relationship Between GDPR and NIS2

Reading time: 6 minutes

With the rise of digitalization and data-driven decision-making, the volume of sensitive information has increased, along with the associated cyber risk. It has become necessary to establish a regulatory framework that provides guidance on managing expectations, responsibilities, and approaches shaped by the technological environment. Its two main pillars are the European Parliament and Council Directive (EU) 2022/2555 (14 December 2022) (general EU cybersecurity directive, hereinafter: “NIS2 Directive”), implemented in Hungary through Act LXIX of 2024 on Cybersecurity (“Cybersecurity Act”), and the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (“GDPR”), which ensures data protection compliance.

The NIS2 Directive, the resulting national cybersecurity regulations, and GDPR apply different perspectives; however, the affected areas often overlap in practice, particularly in electronic information systems that process personal data. Therefore, aligning the requirements of these two regulatory frameworks is essential for the lawful and secure operation of the affected organizations. This article outlines the relationship between the NIS2 Directive and national regulations with GDPR, their overlaps, conflicts, and practical resolutions.

Scope of NIS2 and GDPR: Dual obligations

The GDPR applies to all organizations that qualify as data controllers, meaning they determine the purposes and means of processing personal data either independently or jointly with others. The scope of NIS2 is determined based on a complex set of criteria, which may include various enterprises depending on their activities, size, and revenue. Consequently, if an entity falls under both NIS2 and GDPR, it must comply with the rules of both frameworks simultaneously. For example, a medium- or large-sized company in the manufacturing sector may be subject to cybersecurity regulations based on its activities and size, and in the course of its activities, it typically processes at least employee and supplier data as a data controller, thus requiring the application of both the GDPR and NIS2 provisions.

In practice, electronic information systems often process personal data, such as HR systems or customer databases. In the event of an incident, both GDPR and NIS2 impose obligations on the organization. A data protection incident involves a breach of security that results in the accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data, whereas a cybersecurity incident refers to an event that threatens the availability, integrity, or confidentiality of data stored, transmitted, or processed in electronic information systems, or the services provided or accessible through such systems. Therefore, if a cybersecurity incident involves personal data—for example, data loss or leakage due to a phishing email or a ransomware attack—it simultaneously constitutes a data protection incident. Consequently, incident handling must comply with both regulations, and notifications to the competent authorities must be made when the conditions are met. For this purpose, it is advisable to establish an internal procedure that accounts for the obligations required by both frameworks.

Proper classification of incidents is particularly important, as different types of incidents have distinct notification obligations, content requirements, and deadlines. In a data protection incident, the organization must first assess whether the event poses a risk to the rights and freedoms of natural persons. If such a risk is likely, the incident must be reported to the National Authority for Data Protection and Freedom of Information within 72 hours, and, in case of high risk, the affected individuals must also be notified. Cybersecurity incidents, on the other hand, follow a different procedure: the organization must report the incident within 24 hours based on the available information, submit a detailed report within 72 hours, and, after completing the investigation, submit a final report to the national cybersecurity incident handling center within 30 days. Since GDPR and cybersecurity rules define incidents and related obligations differently, situations may arise where an event qualifies as a cybersecurity incident but does not require a data protection incident report.

The practical significance of dual compliance is illustrated by a medium- or large-sized company engaged in “other machinery manufacturing,” which falls under the scope of the NIS2 Directive. If the company suffers an incident as a result of which the attacker gains unauthorized access to a server containing employees’ personal data, the event must be assessed not only from a data protection perspective but also under the Cybersecurity Act. According to the law, any threat, near-incident, or actual incident—including operational cybersecurity incidents—that causes severe disruption or financial loss to the organization or significant material or immaterial harm to others must be reported without undue delay, but no later than 24 hours, to the competent cybersecurity incident handling center. This example highlights that organizations must comply with both legal frameworks simultaneously and design incident handling accordingly.
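The dual triage described in the preceding paragraphs can be written down as a small decision procedure. The following is an added illustration, not code from the article or from CLVPartners: it assumes (as a constructed scenario) an organisation in scope of both the GDPR and the Hungarian Cybersecurity Act, counts every deadline from the moment of detection, and uses the classification thresholds exactly as the article describes them. The class and function names (Incident, notification_plan, triage_all) and the three sample incidents are constructed for the example.

```python
"""Dual-regime incident triage helper (added illustration, not from the article).

Constructed assumptions: the organisation is in scope of both the GDPR and the
Hungarian Cybersecurity Act; deadlines run from detection; the thresholds
mirror the article's description of the two regimes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    name: str
    detected_at: datetime
    threatens_cia: bool          # availability, integrity or confidentiality of a system is hit
    affects_personal_data: bool  # personal data destroyed, lost, altered, disclosed or accessed
    risk_to_individuals: str     # "unlikely", "likely" or "high" risk to rights and freedoms
    significant_impact: bool     # severe disruption, financial loss or significant harm to others


@dataclass(frozen=True)
class Obligation:
    regime: str
    action: str
    due: Optional[datetime]      # None means "without undue delay", no fixed hour count


def classify(inc: Incident) -> List[str]:
    """An event can be a cybersecurity incident, a data protection incident, or both."""
    labels = []
    if inc.threatens_cia:
        labels.append("cybersecurity incident")
    if inc.affects_personal_data:
        labels.append("data protection incident")
    return labels


def notification_plan(inc: Incident) -> List[Obligation]:
    t = inc.detected_at
    plan: List[Obligation] = []
    if inc.affects_personal_data:
        # GDPR Art. 33(5): every personal data breach is documented internally, reportable or not.
        plan.append(Obligation("GDPR", "record the breach in the internal breach register", None))
        if inc.risk_to_individuals in ("likely", "high"):
            plan.append(Obligation("GDPR", "notify NAIH", t + timedelta(hours=72)))
        if inc.risk_to_individuals == "high":
            plan.append(Obligation("GDPR", "inform affected data subjects", None))
    if inc.threatens_cia and inc.significant_impact:
        # Cybersecurity Act reporting chain as described in the article: 24 h / 72 h / 30 days.
        plan.append(Obligation("Cybersecurity Act", "early report to the incident handling centre",
                               t + timedelta(hours=24)))
        plan.append(Obligation("Cybersecurity Act", "detailed report", t + timedelta(hours=72)))
        plan.append(Obligation("Cybersecurity Act", "final report", t + timedelta(days=30)))
    return plan


def summarize(plan: List[Obligation], detected_at: datetime) -> List[Tuple[str, str, Optional[int]]]:
    """Return (regime, action, hours after detection); None where no fixed deadline applies."""
    out = []
    for o in plan:
        hours = None if o.due is None else int((o.due - detected_at).total_seconds() // 3600)
        out.append((o.regime, o.action, hours))
    return out


# Constructed sample incidents, not real cases.
SAMPLE_DETECTED_AT = datetime(2026, 3, 2, 8, 30)
SAMPLE_INCIDENTS = {
    "ransomware on HR file server":
        Incident("ransomware on HR file server", SAMPLE_DETECTED_AT, True, True, "high", True),
    "DDoS on public product catalogue":
        Incident("DDoS on public product catalogue", SAMPLE_DETECTED_AT, True, False, "unlikely", True),
    "credential stuffing on customer portal":
        Incident("credential stuffing on customer portal", SAMPLE_DETECTED_AT, True, True, "likely", False),
}


def triage_all() -> dict:
    """Classify every sample incident and lay out its notification plan."""
    return {name: (classify(inc), summarize(notification_plan(inc), inc.detected_at))
            for name, inc in SAMPLE_INCIDENTS.items()}


if __name__ == "__main__":
    for name, (labels, steps) in triage_all().items():
        print(f"{name}: {', '.join(labels)}")
        for regime, action, hours in steps:
            print(f"  [{regime}] {action}" + (f" within {hours} h" if hours is not None else ""))
```

The ransomware case yields obligations under both regimes, the DDoS case only under the Cybersecurity Act (the situation the article notes, where no data protection report is due), and the credential stuffing case shows a data protection report that is not accompanied by a Cybersecurity Act report because the disruption threshold is not met. In a real procedure the `significant_impact` and `risk_to_individuals` inputs are the judgement calls the data protection officer and the information security lead make jointly.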

Aligning processes at the documentation and operational levels

If an organization falls under both GDPR and cybersecurity regulations, the documentation and operational processes required by both frameworks must be aligned for dual compliance. GDPR requires that the organization maintain a data protection policy, provide a privacy notice to data subjects, and, in some cases, conduct a data protection impact assessment. Similarly, cybersecurity rules require the establishment of an information security policy. In addition, both frameworks require regulation of incident management processes and training to raise awareness among relevant staff.

The organization’s leadership is responsible for complying with NIS2 and GDPR requirements, while the data protection officer and the professional responsible for the security of electronic information systems play a key role in ensuring compliance. To avoid parallel, isolated processes, it is essential for information security and data protection officers to collaborate actively on a daily basis. Aligning the requirements of both frameworks is not merely an administrative task: its significance lies in the fact that both areas rely on the same information systems, data flows, and risks, even if they examine them from different perspectives. When an organization designs its processes in a unified, coherent manner, overlaps can be avoided, error risks reduced, and both cybersecurity and data protection requirements can be ensured. Incident management processes should be designed to ensure that any potential event is handled in a way that fulfills the obligations of both frameworks. This approach is not only resource-efficient but also strengthens legal compliance, system security, and the trust of clients, partners, and employees.

NIS2 and GDPR serve different purposes and approach the same events differently. GDPR’s primary objective is to protect the rights and freedoms of natural persons, whereas NIS2 focuses on strengthening information system security, safeguarding service continuity, and increasing resilience against cyber threats. Accordingly, the two frameworks impose different expectations on organizations: GDPR emphasizes data minimization and purpose limitation, while NIS2 specifically requires detailed logging, continuous monitoring, and retention of log files. This often results in NIS2 compliance requiring the storage of large volumes of technically processed personal data, which must be handled carefully from a data protection perspective.

Apparent conflicts between the two regulations can be resolved in practice through a coordinated approach. One key step is integrating information security risk assessments with GDPR data protection impact assessments, as both assess the same systems, data flows, and risk factors from different perspectives. Equally important is designing internal policies that simultaneously comply with mandatory cybersecurity measures and GDPR provisions.

Both NIS2 and GDPR require that organizations properly train all personnel who have access to information systems or process personal data. Therefore, it is advisable to align the strategic planning and content of training programs, considering risk assessment results, previous incidents, regulatory changes, and the professional opinions of the organization’s security experts. True alignment between the two regulatory areas is important not only for legal compliance but also for operational security, risk reduction, and maintaining internal and external trust.

Conclusion

GDPR and the NIS2 Directive serve different purposes but converge on many points regarding information security requirements. Dual compliance therefore requires careful alignment: interpreting the regulations consistently and integrating related procedures can ensure that an organization meets the expectations of both frameworks simultaneously. Coherent revision of professional documentation and operational processes, coordination of internal responsibilities, and alignment of regular training and audits facilitate achieving both GDPR data protection and NIS2 cybersecurity goals. Compliance with these requirements strengthens the organization’s information security and data protection resilience, meeting the relevant EU and national legal obligations.

Photo source: pexels.com, Kevin Ku


Online presence in the shadow of GDPR – rules for consent-based data processing

Reading time: 5 minutes

In order to remain competitive, it is no longer merely an advantage for companies to have an online presence, but a fundamental requirement. Websites and newsletters facilitate communication with customers, while providing an opportunity for addressees to learn about the latest services and offers firsthand. At the same time, it is important to note that this may also involve the processing of personal data, which is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; „GDPR”). Accordingly, data processing for marketing purposes is only possible with the express consent of the data subjects, in strict compliance with the requirements set out in the GDPR. In this article, we summarize the most important rules relating to consent-based data processing.

When to apply GDPR?

As outlined by the National Authority for Data Protection and Freedom of Information (“NAIH”) in its material on website privacy settings and cookies, processing the personal data of natural persons acting on behalf of companies (e.g., employees) or of private individual clients falls under the scope of the GDPR. For instance, collecting, recording, storing, and using a customer’s name, phone number, address, email address, or bank account number constitutes data processing. It follows that if a company processes data relating exclusively to legal persons, its activities do not fall within the scope of the General Data Protection Regulation, and therefore compliance with its provisions is not mandatory for it. However, in many cases, the contact details of the legal person’s representatives (e.g., name, personal email address, position) are essential for communication, which involves data processing.

Similarly, newsletter subscriptions, targeted requests (such as asking for a callback), and tools that support the effective functioning of websites, such as cookies or visitor measurement, require the company to process natural persons’ data, which is why this type of data processing also falls under the scope of the GDPR.

Consent as a possible legal basis for processing personal data

The fundamental rule of data processing is that, in the absence of a valid legal basis, processing personal data is not considered to be lawful. One of the legal bases for data processing – most commonly required for data processing for marketing purposes – is the consent of the data subject.

Conditions for consent

According to the GDPR, consent is valid if it is freely given, specific, based on adequate information, and unambiguous, indicating that the data subject agrees to the processing of his/her personal data.

Freely given

Consent can be freely given if individuals can refuse and withdraw their consent without risk of external pressure or negative consequences. Therefore, it cannot be considered voluntary if the data subject has no real choice, feels pressured to consent, or faces negative consequences from the data controller if they refuse to consent. This was confirmed by the recent opinion of the European Data Protection Board (“EDPB”), which stated that so-called “pay or consent” models do not meet the requirement of freely given consent. This is due to the fact that such models are based on offering data subjects a choice: either they consent to the processing of their personal data, or they pay a fee to prevent their data from being processed.

The voluntary nature of consent also implies that the data subject has the right to withdraw the consent at any time.

Specific and appropriate information

In order for consent to be valid, the purpose of data processing must also be specific. This condition is closely linked to the condition of informed consent. Therefore, individuals must be informed of the specific purposes in simple and easily understandable language so that they have a clear understanding of the purpose for which their data is being processed. This also means that if the purposes of the data processing operation change or further data processing operations are being added, consent must be obtained from individuals again. Likewise, if a data processing operation has multiple purposes, separate consent must be obtained for each purpose for the processing to be lawful. When providing information, the data subject must also be made aware that they may withdraw their consent at any time.

Unambiguous consent

According to the GDPR, a statement by the data subject or a clear affirmative action is required for the consent to be unambiguous. This in fact means that consent can only be given through an active action or statement. The EDPB considers that the blanket acceptance of general terms and conditions does not constitute an unambiguous act of confirmation. The GDPR also expressly prohibits data controllers from using pre-ticked boxes or mechanisms that require the data subject to take action to prevent consent from being given (so-called opt-out systems).

Duration and demonstration of consent

The General Data Protection Regulation does not provide for any limitation on the duration of consent. However, this does not mean that personal data can be processed indefinitely with the consent of the data subject. The duration of consent depends in each case on the context of the data processing in question. In order to determine the duration correctly, it is therefore necessary to assess the circumstances of the data processing.

Furthermore, the GDPR stipulates that during data processing, the data controller must always be able to adequately demonstrate the existence of the consent.

Without claiming to be exhaustive, we merely refer to the fact that the General Data Protection Regulation lays down additional conditions in relation to the consent of children and special categories of data.
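The four conditions above (freely given, specific, informed, unambiguous) together with the demonstrability requirement translate into concrete design constraints on whatever system captures consent. The following is an added example, not code from the article or from CLVPartners: a minimal append-only consent ledger that rejects pre-ticked or default consent, keeps one record per purpose so that purposes can be consented to and withdrawn separately, ties each consent to the version of the privacy notice the person saw so that a change of purpose invalidates it, and keeps the full trail as evidence. The names (ConsentLedger, record_consent, withdraw, is_valid, demo_results) and all sample data are constructed for the example; timestamps are plain ISO 8601 strings supplied by the caller.

```python
"""Consent ledger illustrating the GDPR consent conditions (added example, not the article's code).

Constructed for illustration: names and sample data are hypothetical, timestamps
are ISO 8601 strings, and the ledger is kept in memory.
"""
from dataclasses import dataclass
from typing import List, Optional


class InvalidConsent(ValueError):
    """Raised when a consent capture would not satisfy the GDPR conditions."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose per record (specificity)
    notice_version: str   # version of the privacy notice shown when consent was given
    action: str           # "given" or "withdrawn"
    at: str               # ISO 8601 timestamp supplied by the caller
    evidence: str         # how the consent was captured (form id, UI control)


class ConsentLedger:
    """Append-only log, so the controller can demonstrate consent at any later time."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id: str, purposes: List[str], notice_version: str,
                       at: str, evidence: str, *, affirmative_action: bool,
                       pre_ticked: bool = False) -> List[ConsentEvent]:
        # Unambiguous: only an active statement or clear affirmative action counts;
        # a pre-ticked box or an opt-out default is rejected before anything is stored.
        if pre_ticked or not affirmative_action:
            raise InvalidConsent("consent must come from an affirmative action, not a default")
        # Specific: consent is bound to named purposes, one record per purpose.
        if not purposes or any(not p.strip() for p in purposes):
            raise InvalidConsent("each consent must name a specific purpose")
        events = [ConsentEvent(subject_id, p, notice_version, "given", at, evidence) for p in purposes]
        self._events.extend(events)
        return events

    def withdraw(self, subject_id: str, purpose: str, at: str, evidence: str) -> ConsentEvent:
        # Freely given implies withdrawal at any time; the withdrawal is logged, never deleted.
        ev = ConsentEvent(subject_id, purpose, "-", "withdrawn", at, evidence)
        self._events.append(ev)
        return ev

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def is_valid(self, subject_id: str, purpose: str, current_notice_version: str) -> bool:
        ev = self.latest(subject_id, purpose)
        if ev is None or ev.action != "given":
            return False
        # Informed and specific: consent given under an earlier notice (different purposes
        # or scope) does not cover processing described in a newer notice; re-consent is needed.
        return ev.notice_version == current_notice_version

    def evidence_trail(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Everything the controller can show to demonstrate consent for one purpose."""
        return [ev for ev in self._events if ev.subject_id == subject_id and ev.purpose == purpose]


def demo_results() -> dict:
    """Walk through the conditions with constructed sample data; returns each check's outcome."""
    ledger = ConsentLedger()
    ledger.record_consent("user-42", ["newsletter", "profiling"], "v1", "2026-01-10T09:00:00Z",
                          "signup-form/unticked-checkbox", affirmative_action=True)
    results = {}
    try:  # a pre-ticked box is refused outright
        ledger.record_consent("user-43", ["newsletter"], "v1", "2026-01-10T09:05:00Z",
                              "signup-form/preticked-checkbox", affirmative_action=True, pre_ticked=True)
        results["pre_ticked_rejected"] = False
    except InvalidConsent:
        results["pre_ticked_rejected"] = True
    results["newsletter_valid_v1"] = ledger.is_valid("user-42", "newsletter", "v1")
    ledger.withdraw("user-42", "profiling", "2026-02-01T12:00:00Z", "account-settings/toggle")
    results["profiling_after_withdrawal"] = ledger.is_valid("user-42", "profiling", "v1")
    results["newsletter_unaffected_by_withdrawal"] = ledger.is_valid("user-42", "newsletter", "v1")
    results["newsletter_after_notice_change"] = ledger.is_valid("user-42", "newsletter", "v2")
    results["profiling_trail_length"] = len(ledger.evidence_trail("user-42", "profiling"))
    return results


if __name__ == "__main__":
    for check, outcome in demo_results().items():
        print(f"{check}: {outcome}")
```

The design choice worth noting is that withdrawal never erases the original consent record: the trail of "given" followed by "withdrawn" is exactly what the controller needs to demonstrate that processing before the withdrawal was lawful and that it stopped afterwards.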

Summary

The online presence of companies—for example, through websites and newsletters—is essential to maintaining competitiveness, but it can also involve the processing of personal data, which falls under the scope of the GDPR. Personal data may only be processed on an appropriate legal basis, the existence of which is essential in all cases. When developing and enhancing their marketing strategies, it is crucial for companies to simultaneously establish and review their data processing frameworks to ensure that their data processing activities comply with the GDPR.

Photo source: pexels.com, Tara Winstead


Data Subject Rights and the Importance of Consent in Online Content Creation

Reading time: 4 minutes

With the development of digital platforms, anyone can become a content creator today: a smartphone, a good idea, and a few clicks are enough for our messages, videos, or pictures to reach thousands of people. However, online presence carries not only creative opportunities but also legal responsibilities and risks. When sharing various types of content – such as posts or videos – especially if identifiable persons appear in them, processing of personal data occurs.

General applicability of the GDPR

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, serves a dual purpose: it ensures the protection of individuals’ personal data while also providing a framework for the free flow of such data within the European Union. The GDPR sets out in detail the rights of data subjects and the obligations of data controllers.

At the same time, the GDPR is not applicable in certain exceptional cases; one such exception applies when a natural person processes personal data exclusively for personal purposes. Examples include private correspondence, whether on paper or electronically, storage of addresses or contact details, personal notes or diaries, family photographs, communication on social networks, and other online activities. These exceptions must be interpreted narrowly, and data processing only falls outside the scope of the GDPR if it serves a purely private purpose – that is, it has no community, professional, or economic aspect. Thus, if data can be accessed by an indefinite number of persons or is made public, the activity no longer qualifies as private data processing. In the case of data processing carried out by business entities, personal or household use cannot be invoked. Therefore, the publication of any online content containing personal data (such as photographs, audio recordings, or other information) – whether it concerns employees or any other natural person – requires appropriate legal diligence in all cases.

Data processing related to online content creation

Digital platforms widely enable users to create and share photos, videos, or audio recordings – even of other people. The question may arise whether data protection rules apply in such cases. Since uploaded recordings – including images, voices, or other identifiable information – constitute personal data and are made accessible to the public, their processing falls under the GDPR.

One of the fundamental principles of data protection is that any processing of personal data must be based on a valid legal basis. When a data controller undertakes any activity involving the processing of personal data, it must carefully assess which legal basis best suits the intended purpose. In the context of content creation, data processing most commonly relies on the data subject’s consent.

Obtaining consent is crucial, as recording or publishing someone else’s image or voice is only lawful if the data subject has given explicit, informed, and prior consent. Simply tolerating the presence of a camera or answering a question does not constitute valid consent. This demonstrates how strictly the GDPR defines the requirement of a lawful basis: unlike the Hungarian Civil Code (“Civil Code”), which allows certain exceptions for public figures or mass recordings, the GDPR does not provide such derogations. This highlights the coexistence of parallel legal frameworks – compliance with the Civil Code does not necessarily mean compliance with data protection law, thus each legal regime has distinct requirements for lawful conduct.

Consequences of Non-Compliance

Publishing content online without a valid legal basis – such as consent – constitutes a violation of data protection rules. Unlawful data processing can have serious consequences, including regulatory procedures and administrative fines. If a recording is made or published without permission and results in significant harm to an individual’s interests, the act may not only be unlawful under data protection law but could also amount to a criminal offence or establish a claim for non-pecuniary damages under the Civil Code, depending on the circumstances. Liability always lies with the person who created or published the recording.

Particularly high-risk situations include cases involving children, healthcare settings, political opinions, or other sensitive personal data. If such content is shared without the data subject’s knowledge or consent, it does not qualify as private activity and is considered full-fledged data processing under the GDPR. In such cases, data subjects have the right to request information, withdraw consent, demand deletion of recordings, and pursue legal remedies.

Summary

Presence in the online space – particularly in the context of corporate communications, marketing, or HR content creation – requires careful data protection practices. What may not entail legal consequences under the Civil Code can still constitute a data protection violation.

Consent is therefore not a mere formality, but one of the fundamental prerequisites for lawful data processing. Organizations – whether content creators or employers – are advised to establish internal procedures, training programs, or policies to manage the data protection risks associated with online content creation.

Respecting data subject rights, properly documenting consents, and complying with GDPR requirements are not only matters of legal compliance, but also essential for maintaining corporate reputation and trust.

Photo source: pexels.com, Plann

