data protection

Amendments with regard to the GDPR has been published

Company groups, Data protection, Employment, labour law, Medium-sized companies, News, Start-ups / 2019.04.11. / data protection, employment law, GDPR, labour law, monitoring of the workplace, workplace data management

The amendments with regards to the GDPR, which was adopted by the Hungarian Parliament on the 1st of April, was officially published today.

In order to harmonize with the GDPR, the amendments modifies over 80 sectorial law, including provisions of the Labour Code.

The majority of the amendments will come into effect at the end of April, but the modifications regarding the national accreditation and the protection of inventions by patents will come into force in May.

Amendments with regard to the GDPR has been published Read More »

Legislative changes on the bill related to GDPR

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2019.03.20. / amendement, data protection, GDPR

It became necessary with the entry into force and application of the GDPR, amend the domestic sectoral laws, which proposals are expected to be adopted by the Parliament this week. The draft also affects the provisions of the Labour Code.

Provisions related to workplace data management are defined under a new title Data Process after the section of protection of privacy rights. According to this, in addition to the employer, the works council and the trade union may also request employees to make a statement or to disclose any information for exercising their rights or fulfilling their obligations as defined in the Labour Code. In regard to the provisions above, they may also request to present them a document, thus, storing and copying them cannot be necessary for the above reasons, it is sufficient to present them and record the necessary data.

Based on the draft, the processing of biometric identifiers has been further regulated, that the employee’s biometric data can be processed for the purpose of identifying the data subject if it is necessary to prevent unauthorized access to a thing or data which would endanger the life, bodily integrity or health of the employee or others, or the serious or massive irreversible harm of a significant interest protected by law.

Regarding monitoring of the workplace, it has been recorded in the draft, surprising many people that the employee may only use the computing device provided by the employer for the purpose of performing the employment relationship. The parties may differ from this rule by mutual agreement, however, by default, these devices cannot be used by the employee for private purposes at all. Although the draft provides that the employer may only monitor employment-related data when monitoring, it also qualifies, for the purposes of the above entitlement, the data necessary to verify compliance with the private use restriction.

The provisions of the above draft have not yet been adopted, so we will inform you about its subsequent adoption or possible modifications later on.

Legislative changes on the bill related to GDPR Read More »

NAIH imposed a fine of one million forints

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2019.02.15. / camera recording, data protection, fine, GDPR, HDPA, NAIH

The Hungarian Data Protection Authority (NAIH) imposed a fine of one million forints on a company with a turnover of 15 million forints, which the Authority considered to be a symbolic amount of money, for not restricting and issuing copies of camera recordings, despite a request from the data subject.

The data subject wanted to use the recordings as evidence in legal proceedings, as he/she also stated in the request. The company justified its decision of not restricting and giving out a copy of the recordings because the data subject did not indicate how deleting of the camera recording would infringe his/her legitimate interest, and in connection with what legal proceedings he/she requests the restriction of processing data of the camera recordings, although it is required to do so according to the Act CXXXIII of 2005 on the private security services and the activity of private detectives (Szvmt).

According to NAIH, the company violated the data subject’s right to restrict data processing. According to Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that the restriction of the processing is necessary for the submission and enforcement of his legal claims. In this regard, Szvmt. is expected to be amended soon.

According to the opinion of NAIH, the company should have complied with the request of the data subject without consideration, since the reason stated by the data subject shall be sufficient to fulfill the request.

In imposing the fine, the Authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant’s rights, furthermore, the refusal of the request has led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the provision referred from the Szvmt. is still in force, which could have misled the company in its decision to deny the data subject’s request.

NAIH imposed a fine of one million forints Read More »

Google fined €50 million for infringing the GDPR

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2019.02.12. / CNIL, data protection, fine, GDPR, google, HDPA, NAIH

On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for infringement of the GDPR. Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.
The Authority based the investigation on two complaints that arrived immediately after the entry into force of GDPR on May 25, 2018.

The CNIL has examined the complained data processing operations and found two types of infringement.

• Violation of the obligation to have a legal basis for advert personalization processing:

The CNIL observed that the information on the data processing activities provided to users was neither easily accessible nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalization was spread across various documents.

• Violation of the obligation to have a legal basis for advert personalization processing:

Google relied on data subjects’ consent to process data for ad personalization purposes. However, the Authority found that this agreement did not constitute specific, informed and unambiguous consent for the data subjects, because they had to ‘agree’ to Google’s entire privacy policy and terms and conditions in order to access the its products. The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed due to the use of multiple documents and the unclear depiction of the services and websites that would be involved in the ad personalization section.

Further, the CNIL noted that before creating a Google account, each user was asked to agree to the company’s terms of service and privacy policy, which he or she could only amend at a later time by going into ‘more options’ and de-selecting ad personalization.

This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018. In imposing the fine, the Authority took into account the serious breach of the main principles of the GDPR, according to which the maximum amount to be imposed could be EUR 20 million or 4 % of the company’s global annual turnover. The factors taken into consideration in the Authority’s decision whether to impose a fine or its amount, were the fact that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR, and that their data process cover a wide range of data subjects. Lastly, the CNIL pointed out that as the company’s business model was partly based on ad personalization, Google had all the more reason to ensure that it complied with its GDPR obligations.

The fines serve as a lesson for employers that they need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.

Google fined €50 million for infringing the GDPR Read More »

Blacklist on Data Protection Impact Assessment (DPIA)

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2018.12.12. / black list, data protection, Data Protection Impact Assessment, DPIA, GDPR, HDP A, impact assesment, NAIH

Under Article 35 (4) of regulation (EU) 2016/679 of the European Parliament and of the Council („GDPR”), the National Authority for Data Protection and Freedom of Information
(„NAIH”) established a list of the kind of processing operations which
are subject to the requirement for a data protection impact assessment („black list”).
According to article 35 of the GDPR: Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The GDPR defines some circumstances when a DPIA is to be carried out:
• a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and upon which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
• a systematic monitoring of a publicly accessible area on a large scale.

The black list contains the following processing activities when a DPIA is to be carried out:
• processing of biometric or genetic data;
• scoring;
• credit or solvency rating;
• further use of data collected from third persons;
• the use of the personal data of pupils and students for assessment;
• profiling;
• anti-fraud activity;
• smart meters;
• automated decision making producing legal effects or similarly significant effects;
• systematic surveillance;
• location data;
• monitoring employee work;
• processing of considerable amounts of special categories of personal data;
• processing of considerable amounts of personal data for law enforcement purposes;
• the processing of the personal data of children for profiling;
• the use of new technologies for data processing;
• the processing of health data;
• an application, tool, or platform for use by an entire sector;
• combine data from various sources.

Blacklist on Data Protection Impact Assessment (DPIA) Read More »

Resolution on criteria for setting administrative fines

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2018.09.21. / administrative fine, data protection, GDPR, HDPA, NAIH

In its resolution published on 19 September 2018, the National Authority for Data Protection and Freedom of Information (NAIH) assessed the criteria to take into consideration during the process of setting a fine, especially the level of the fine that NAIH may impose in case of the first infringement of the data protection regulations.

The Authority is being guided by the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“Regulation”) and the Act CXII of 2011 on Informational Self-determination and Freedom of Information (“Info Act”) with regard to the determination of the fine.

Article 83 (1) of the Regulation states, that the administrative fines shall be effective, proportionate and dissuasive. Pursuant to Preamble (148) in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.

This provision was completed by Section 75/A of the Info Act according to which the Authority shall exercise its competence provided for in Article 83 (2)-(6) of the Regulation in due consideration of the principle of proportionality, in particular with the provision that in the event of any non-compliance with the Regulation for the first time, the Authority shall in principle issue warning to the data controller or data processor in order to arrange the remedy of the infringement.

The Authority shall take into account the Data Protection Working Party (WP29) guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, available at the following link: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237

Resolution on criteria for setting administrative fines Read More »

The National Authority for Data Protection and Freedom of Information regulates “cookies”

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2017.03.09. / cookie, data protection, GDPR, HDPA, webshop

The National Authority for Data Protection and Freedom of Information published a notice about the data protection requirements of “cookies” this February.
The National Authority for Data Protection and Freedom of Information in its February announcement summarised the experiences on the data protection requirements of the “cookies” used by webshops, with a clear intention to create a legitimate and coherent practice.

The Authority draws attention to the fact that the at the same time, on 25 May 2018, both the new regulations on the general data protection and the new electronic communication regulation will enter into force, and the latter will regulate and standardise the cookies in the European Union.

The publication pointed out that to the direct marketing newsletters (DM Letters) not only the Law on Advertising and the Electronic Commerce Act shall be applied, but the Data Protection Law as well.

The National Authority for Data Protection and Freedom of Information regulates “cookies” Read More »

The new EU General Data Protection Regulation has been approved

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2016.04.28. / data protection, GDPR, regulation

After long years of negotiations, on 14 April 2016 the EU Parliament approved the general data protection regulation (“Regulation”), which – compared to the current rules – means changes both for private persons and companies.

The Regulation shall replace the current EU Directive, being implemented by the member states in certain cases quite different ways, and a new, consolidated regime shall be directly implemented by the member states.

The Regulation will enter into force after two years from its approval, however, due to the significant changes included therein, it is advisable for companies to start reviewing their internal rules and prepare for their potential amendments. The infringement of the new rules may be subject to a fine of up to 20.000.000 EUR, or in case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year (whichever is higher).

Should you have any questions regarding the above, please feel free to contact us.

Dr. Marianna Csabai

H-1126 Budapest, Tartsay Vilmos u. 3.

Tel: + 36 1 488 7008

Fax: + 36 1 488 7009

E-mail:

CLVPartners news

The new EU General Data Protection Regulation has been approved Read More »

News on adendment of information act with the effect form 1 October, 2015

Company groups, Data protection, Medium-sized companies, News, Start-ups / 2015.11.04. / BCR, data protection, forwarding of data, GDPR, Information Act, personal data, safe harbour

The act CXII of 2011 on information self-determination and freedom of information („Information Act”) has been amended with the effect of 1 October, 2015.

The amendments provide new possibilities regarding the forwarding of personal data to third countries as it is possible for the datacontroller to provide adequate level of protection to forward the data to third countries with the preparation and application of binding corporate rules („BCR”). It is a significant change also in the light of the recent EU Court decision on the invalidity of the Safe Harbour agreement.

Moreover to the significant amendments above the provisions of Information Act regarding the rights of affected people are amended as well and the amount of fine give by NAIH is also amended as it can be twenty million forints at the highest (instead of the prior ten million forints).

Should you have any questions regarding the above, please feel free to contact us.

Dr. Marianna Csabai

H-1126 Budapest, Tartsay Vilmos u. 3.

Tel: + 36 1 488 7008

Fax: + 36 1 488 7009

E-mail:

CLVPartners news

News on adendment of information act with the effect form 1 October, 2015 Read More »

How to find us

Practice areas

Legal news & trends