CLVPartners

CLV-02
Menu

GDPR

Data and Information Security: The Relationship Between GDPR and NIS2

Data protection, News / / , , , , ,

Reading time: 6 minutes

With the rise of digitalization and data-driven decision-making, the volume of sensitive information has increased, along with the associated cyber risk. It has become necessary to establish a regulatory framework that provides guidance on managing expectations, responsibilities, and approaches shaped by the technological environment. Its two main pillars are the European Parliament and Council Directive (EU) 2022/2555 (14 December 2022) (general EU cybersecurity directive, hereinafter: “NIS2 Directive”), implemented in Hungary through Act LXIX of 2024 on Cybersecurity (“Cybersecurity Act”), and the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (“GDPR”), which ensures data protection compliance.

The NIS2 Directive, the resulting national cybersecurity regulations, and GDPR apply different perspectives; however, the affected areas often overlap in practice, particularly in electronic information systems that process personal data. Therefore, aligning the requirements of these two regulatory frameworks is essential for the lawful and secure operation of the affected organizations. This article outlines the relationship between the NIS2 Directive and national regulations with GDPR, their overlaps, conflicts, and practical resolutions.

Scope of NIS2 and GDPR: Dual obligations

The GDPR applies to all organizations that qualify as data controllers, meaning they determine the purposes and means of processing personal data either independently or jointly with others. The scope of NIS2 is determined based on a complex set of criteria, which may include various enterprises depending on their activities, size, and revenue. Consequently, if an entity falls under both NIS2 and GDPR, it must comply with the rules of both frameworks simultaneously. For example, a medium- or large-sized company in the manufacturing sector may be subject to cybersecurity regulations based on its activities and size, and in the course of its activities, it typically processes at least employee and supplier data as a data controller, thus requiring the application of both the GDPR and NIS2 provisions.

In practice, electronic information systems often process personal data, such as HR systems or customer databases. In the event of an incident, both GDPR and NIS2 impose obligations on the organization. A data protection incident involves a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, whereas a cybersecurity incident refers to an event that threatens the availability, integrity, or confidentiality of data stored, transmitted, or processed in electronic information systems, or the services provided or accessible through such systems. Therefore, if a cybersecurity incident involves personal data—for example, data loss or leakage due to a phishing email or a ransomware attack—it simultaneously constitutes a data protection incident. Consequently, incident handling must comply with both regulations, and notifications to the competent authorities must be made when conditions are met. For this purpose, it is advisable to establish an internal procedure that accounts for the obligations required by both frameworks.

Proper classification of incidents is particularly important, as different types of incidents have distinct notification obligations, content requirements, and deadlines. In a data protection incident, the organization must first assess whether the event poses a risk to the rights and freedoms of natural persons. If such a risk is likely, the incident must be reported to the National Authority for Data Protection and Freedom of Information within 72 hours, and, in case of high risk, the affected individuals must also be notified. Cybersecurity incidents, on the other hand, follow a different procedure: the organization must report the incident within 24 hours based on the available information, submit a detailed report within 72 hours, and, after completing the investigation, submit a final report to the national cybersecurity incident handling center no later than 30 days. Since GDPR and cybersecurity rules define incidents and related obligations differently, situations may arise where an event qualifies as a cybersecurity incident but does not require a data protection incident report.

The practical significance of dual compliance is illustrated by a medium- or large-sized company engaged in “other machinery manufacturing,” which falls under the scope of the NIS2 Directive. If the company suffers an incident as a result of which the attacker gains unauthorized access to a server containing employees’ personal data, the event must be assessed not only from a data protection perspective but also under the Cybersecurity Act. According to the law, any threat, near-incident, or actual incident—including operational cybersecurity incidents—that causes severe disruption or financial loss to the organization or significant material or immaterial harm to others must be reported without undue delay, but no later than 24 hours, to the competent cybersecurity incident handling center. This example highlights that organizations must comply with both legal frameworks simultaneously and design incident handling accordingly.

Aligning processes at the documentation and operational levels

If an organization falls under both GDPR and cybersecurity regulations, the documentation and operational processes required by both frameworks must be aligned for dual compliance. GDPR requires that the organization maintain a data protection policy, provide a privacy notice to data subjects, and, in some cases, conduct a data protection impact assessment. Similarly, cybersecurity rules require the establishment of an information security policy. In addition, both frameworks require regulation of incident management processes and training to raise awareness among relevant staff.

The organization’s leadership is responsible for complying with NIS2 and GDPR requirements, while the data protection officer and the professional responsible for the security of electronic information systems play a key role in ensuring compliance. To avoid parallel, isolated processes, it is essential for information security and data protection officers to collaborate actively on a daily basis. Aligning the requirements of both frameworks is not merely an administrative task: its significance lies in the fact that both areas rely on the same information systems, data flows, and risks, even if they examine them from different perspectives. When an organization designs its processes in a unified, coherent manner, overlaps can be avoided, error risks reduced, and both cybersecurity and data protection requirements can be ensured. Incident management processes should be designed to ensure that any potential event is handled in a way that fulfills the obligations of both frameworks. This approach is not only resource-efficient but also strengthens legal compliance, system security, and the trust of clients, partners, and employees.

NIS2 and GDPR serve different purposes and approach the same events differently. GDPR’s primary objective is to protect the rights and freedoms of natural persons, whereas NIS2 focuses on strengthening information system security, safeguarding service continuity, and increasing resilience against cyber threats. Accordingly, the two frameworks impose different expectations on organizations: GDPR emphasizes data minimization and purpose limitation, while NIS2 specifically requires detailed logging, continuous monitoring, and retention of log files. This often results in NIS2 compliance requiring the storage of large volumes of technically processed personal data, which must be handled carefully from a data protection perspective.

Apparent conflicts between the two regulations can be resolved in practice through a coordinated approach. One key step is integrating information security risk assessments with GDPR data protection impact assessments, as both assess the same systems, data flows, and risk factors from different perspectives. Equally important is designing internal policies that simultaneously comply with mandatory cybersecurity measures and GDPR provisions.

Both NIS2 and GDPR require that organizations properly train all personnel who have access to information systems or process personal data. Therefore, it is advisable to align the strategic planning and content of training programs, considering risk assessment results, previous incidents, regulatory changes, and the professional opinions of the organization’s security experts. True alignment between the two regulatory areas is important not only for legal compliance but also for operational security, risk reduction, and maintaining internal and external trust.

Conclusion

GDPR and the NIS2 Directive serve different purposes but converge on many points regarding information security requirements. Dual compliance therefore requires careful alignment: interpreting the regulations consistently and integrating related procedures can ensure that an organization meets the expectations of both frameworks simultaneously. Coherent revision of professional documentation and operational processes, coordination of internal responsibilities, and alignment of regular training and audits facilitate achieving both GDPR data protection and NIS2 cybersecurity goals. Compliance with these requirements strengthens the organization’s information security and data protection resilience, meeting the relevant EU and national legal obligations.

Photo source: pexels.com, Kevin Ku

Data and Information Security: The Relationship Between GDPR and NIS2 Read More »

Online presence in the shadow of GDPR – rules for consent-based data processing

Data protection, News / / , , , ,

Reading time: 5 minutes

In order to remain competitive, it is no longer merely an advantage for companies to have an online presence, but a fundamental requirement. Websites and newsletters facilitate communication with customers, while providing an opportunity for addressees to learn about the latest services and offers firsthand. At the same time, it is important to note that this may also involve the processing of personal data, which is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; „GDPR”). Accordingly, data processing for marketing purposes is only possible with the express consent of the data subjects, in strict compliance with the requirements set out in the GDPR. In this article, we summarize the most important rules relating to consent-based data processing.

When to apply GDPR?

As outlined by the National Authority for Data Protection and Freedom of Information (“NAIH“) in its material on website privacy settings and cookies, processing the personal data of natural persons acting on behalf of the companies (e.g., employees, private person client) falls under the scope of the GDPR. For instance, collecting, recording, storing, and using a customer’s name, phone number, address, email address, or bank account number constitutes data processing. It implies that if a company processes data relating exclusively to legal persons, its activities do not fall within the scope of the General Data Protection Regulation, and therefore compliance with its provisions is not mandatory for it. However, in many cases, the contact details of the legal person (e.g., name, personal email address, position) are essential for communication, which involves data processing.

Similarly, subscribing to a newsletter, targeted requests (also known as asking for a callback), or tools that support the effective functioning of websites—such as the use of cookies or visitor measurement – it is essential for the company to process natural persons’ data, which is why this type of data processing will also fall under the scope of the GDPR.

Consent as a possible legal basis for processing personal data

The fundamental rule of data processing is that, in the absence of a valid legal basis, processing personal data is not considered to be lawful. One of the legal bases for data processing – most commonly required for data processing for marketing purposes – is the consent of the data subject.

Conditions for consent

According to the GDPR, consent is valid if it is freely given, specific, based on adequate information, and unambiguous, indicating that the data subject agrees to the processing of his/her personal data.

Freely given

Consent can be freely given if individuals can refuse and withdraw their consent without risk of external pressure or negative consequences. Therefore, it cannot be considered voluntary if the data subject has no real choice, feels pressured to consent, or faces negative consequences from the data controller if they refuse to consent. This was confirmed by the recent opinion of the European Data Protection Board (“EDPB”), which stated that so-called “pay or consent” models do not meet the requirement of freely given consent. This is due to the fact that such models are based on offering data subjects a choice: either they consent to the processing of their personal data, or they pay a fee to prevent their data from being processed.

The voluntary nature of consent also implies that the data subject has the right to withdraw the consent at any time.

Specific and appropriate information

In order for consent to be valid, the purpose of data processing must also be specific. This condition is closely linked to the condition of informed consent. Therefore, individuals must be informed of the specific purposes in simple and easily understandable language so that they have a clear understanding of the purpose for which their data is being processed. This also means that if the purposes of the data processing operation change or further data processing operations are being added, consent must be obtained from individuals again. Likewise, if a data processing operation has multiple purposes, separate consent must be obtained for each purpose for the processing to be lawful. When providing information, the data subject must also be made aware that they may withdraw their consent at any time.

Unambiguous consent

According to the GDPR, a statement by the data subject or a clear affirmative action is required for the consent to be unambiguous. This in fact means that consent can only be given through active action or statement. The EDPB considers that the comprehensive acceptance of general terms and conditions does not constitute an act of confirmation that is unambiguously expressed. The GDPR also expressly prohibits data controllers from offering pre-ticked boxes or opt-out mechanisms that require the data subject to take action to prevent consent from being given (so called opt out systems).

Duration and demonstration of the contribution

The General Data Protection Regulation does not provide for any limitation on the duration of consent. However, this does not mean that personal data can be processed indefinitely with the consent of the data subject. The duration of consent depends in each case on the context of the data processing in question. In order to determine the duration correctly, it is therefore necessary to assess the circumstances of the data processing.

Furthermore, the GDPR stipulates that during data processing, the data controller must always be able to adequately demonstrate the existence of the consent.

Without claiming to be exhaustive, we merely refer to the fact that the General Data Protection Regulation lays down additional conditions in relation to the consent of children and special categories of data.

Summary

The online presence of companies—for example, through websites and newsletters—is essential to maintaining competitiveness, but it can also involve the processing of personal data, which falls under the scope of the GDPR. Personal data may only be processed on an appropriate legal basis, the existence of which is essential in all cases. When developing and enhancing their marketing strategies, it is crucial for companies to simultaneously establish and review their data processing frameworks to ensure that their data processing activities comply with the GDPR.

Photo source: pexels.com, Tara Winstead

Online presence in the shadow of GDPR – rules for consent-based data processing Read More »

The European Data Protection Board’s strategy and the proposal to ease the GDPR to reduce the administrative burden on businesses

Data protection, News / / , ,

The European Data Protection Board’s strategy and the proposal to ease the GDPR to reduce the administrative burden on businesses

Reading time: 4 minutes

The European Data Protection Board has published its report for 2024 (“Report“) again this year, setting out the fundamental goals of its strategy for the period up to 2027, one of them is to promote compliance with data protection rules. In May this year, the European Commission (“Commission“) submitted a proposal (“Simplification Proposal“) aimed at simplifying the GDPR in order to reduce the administrative burden on businesses, which was also welcomed by the European Data Protection Board. In this article, we summarize the main conclusions of the Report and future strategy of the Board, and address the Simplification Proposal.

The role of European Data Protection Board in the field of data protection

The European Data Protection Board’ has a multifaceted mission and legal mandate:

  • ensures the consistent application of EU data protection rules,
  • promotes effective cooperation between data protection authorities in the European Economic Area (EEA),
  • supports the harmonised enforcement of the GDPR,
  • examines issues relating to the application of the regulation,
  • issues guidelines, recommendations, and best practices to promote the consistent application of the GDPR and review their application where necessary.

Key findings of the Report

The European Data Protection Board may examine and issue an opinion on any matter of general application or having implications in more than one Member State, at the request of any supervisory authority, the Chair of the European Data Protection Board, or the European Commission. The European Data Protection Board continues its activities this year, adopting new guidelines on pseudonymization, which we discussed in this article. The European Data Protection Board announces coordinated enforcement actions every year. In 2024, it focused on the right of access, while in 2025, it plans to review the enforcement of the right to erasure, as reported in this article.

The European Data Protection Board also continued its active dialogue with data subjects and organizations involved in data processing, which resulted in the publication of articulate factsheets. For example, in a such factsheet, the Board presented the most significant positive and negative effects of artificial intelligence on cybersecurity. (The factsheet in English can be opened in this link).

Strategy for the period between 2024-2027

In its strategy for the period 2024–2027, the European Data Protection Board has set out four main pillars of objectives.

  • promoting consistent application of data protection rules and compliance,
  • strengthening international cooperation between data protection authorities,
  • ensuring data protection in an emerging digital environment covering multiple regulatory areas (e.g., artificial intelligence),
  • support for global dialogue on privacy and data protection issues.

The Board also confirmed that it intends to continue to play an active role in shaping the regulatory environment for small and medium-sized enterprises („SME”). In addition, it has set as a priority to help SMEs comply with the law through specific tools and to contribute to raising public awareness of the importance of data protection rights.

Simplification Proposal

The Commission pointed out that the complexity of EU legislation hinders market entry and limits growth potential. In order to achieve the objective, set out in the report, in May 2025 it published its fourth so called omnibus package, in which the Commission proposed amendments to various EU rules, including those relating to GDPR rules on record keeping obligation.

According to the GDPR the record of processing activities currently is a fundamental tool for data controllers and processors to identify and document their data processing activities. For illustrative purposes only, we mention that such elements the purpose of data processing, the categories of data subjects and recipients, the retention period, and, where applicable, the transfer of data to third countries.

According to the applicable regulation, data controllers and data processors are only exempt from the obligation to maintain their record of processing activities if they employ fewer than 250 persons. However, companies with fewer than 250 employees are also required to keep records if

  • the processing is likely to result in a risk to the rights and freedoms of data subjects;
  • the processing is not occasional;
  • the processing concerns special categories of data or personal data relating to criminal convictions and offenses.

Due to the subjective nature of the list, we recommend that companies striving for compliance keep records in all cases in order to minimize risks.

This was also recognized by the Commission, namely that even with a threshold of 250 employees, there were very few cases in which companies were exempt from the record keeping requirement. Therefore, according to the Simplification Proposal, in the future, companies that employ fewer than 750 employees and whose turnover does not exceed EUR 150 million or whose total assets do not exceed EUR 129 million will not be required to keep records. Data processing activities that are expected to impose a high risk on data subjects, such as employees or customers, would continue to be subject to the company’s record keeping obligation.

The Commission estimates that this measure would exempt around 38,000 businesses in the EU from the registration requirement and reduce the administrative burden on businesses by around EUR 400 million per year.

The European Data Protection Board expressed its endorsement of the Simplification Proposal. At the same time, it also made data controllers aware of the fact that keeping records of data processing activities not only makes it possible to comply with the regulations but also serves as a useful tool for meeting other GDPR requirements.

In summary, it is clear that companies are still expected to:

  • have up-to-date information regarding their data processing (whether with or without a record);
  • ensure transparency in data processing and to take data processing considerations into account when designing their processes.
  • consciously consider what documentation obligations they have;
  • to enforce the stricter regulations in key areas.

Image soruce: pexels.com, Marco

The European Data Protection Board’s strategy and the proposal to ease the GDPR to reduce the administrative burden on businesses Read More »

Personal data breaches and tasks related to their management

Data protection, News / / , , ,

Alongside technological development, numerous tools and methods have emerged with the aim of gaining unauthorized access to personal data. Although the tools used for cyber-attacks are becoming increasingly sophisticated, personal data continues to be most at risk from human error and carelessness. Regulation (EU) 2016/679 of the European Parliament and of the Council (the “General Data Protection Regulation,” “GDPR“) sets out detailed requirements for businesses and organizations regarding the collection, storage, and processing of personal data, compliance with which is essential for the protection of personal data and the proper enforcement of data security. The GDPR also contains provisions on how data controllers should act in the event of a personal data breach. In this article, we summarize the most important facts about personal data breaches.

Definition of the personal data breach

During the course of processing personal data, data controllers must take the measures specified in the GDPR to ensure the security of data processing. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

For an incident to be considered a personal data breach, the violation of data security must be of such a nature that it poses a substantial risk to the protection of personal data. Data controllers need to be aware that it is not only the loss of personal data that constitutes a personal data breach. Personal data breach include:

  • Breaches of confidentiality, which may occur through the unauthorized disclosure of personal data (e.g., an email sent to the wrong recipient, or if documents containing personal data are saved in the wrong place, they may be shared with persons who are not otherwise authorized to access them, including other employees of the company). However, confidentiality breaches may also result from intentional conduct (e.g., unauthorized access through phishing attacks).
  • Breaches of integrity, which occur when personal data that has been processed is altered (e.g., when a person with access to accounting records – whether authorized or unauthorized – rewrites payments or breaks into the database in such a way that personal data gets deleted).
  • Breaches of availability, which refer to the destruction of processed data (whether accidental deletion or temporary server failure) or loss of access to data (e.g., loss or theft of a laptop or data storage device containing a copy of the customer database).

In summary, a personal data breach occurs when personal data is accessed without authorization, transferred without permission, or becomes inaccessible due to, for example, encryption by ransomware, accidental loss, or destruction.

Consequences of a personal data breach

Personal data breaches, if not handled properly and in a timely manner, can cause serious physical, financial, or non-financial damage to the people involved. Such consequences may include financial loss, identity theft, damage to reputation, or disclosure of confidential information. Furthermore, data protection incidents may lead to a loss of trust in the company as a data controller, and their improper handling may result in sanctions by the authorities.

Procedure to follow in the event of personal data breaches

Given that personal data breaches can have serious consequences, the data controller is obliged to handle the situation in accordance with the GDPR upon becoming aware of the breach. However, this requires that anyone who notices such a breach immediately report it to the designated data protection officer. It is advisable to set out the procedure for this in internal regulations.

Record of the personal data breaches

Under the GDPR, the data controller must keep a record of personal data breaches, including the facts relating to the breach, its effects and the remedial action taken.

Reporting personal data breaches

Personal data breaches shall be reported to the National Authority for Data Protection and Freedom of Information (“NAIH“) without undue delay and, where feasible, no later than 72 hours after the personal data breach has come to the knowledge of the controller. If the notification is not made within 72 hours, the reasons for the delay must be attached to the notification.

For the notification, the NAIH also provides a form available on its website, which can be submitted electronically (e.g., via official storage space or e-Paper service) by data controllers who are required to conduct electronic administration or who voluntarily undertake to do so.

The report must include:

  • the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • and the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • Last but not least, the report must include a copy of the relevant section of the report of the personal data breaches relating to the incident in question.

The report may be omitted only in the case of so-called ‘bagatelle’ incidents. Such incidents are those which are unlikely to pose a risk to the rights and freedoms of natural persons, but even in such cases, the incident must be recorded in the register.

Communication with the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The purpose of this measure is to enable the persons concerned to take the necessary precautions (e.g. reporting the theft of identity documents, blocking bank cards).

Risks should be assessed individually for each incident. During the process, aspects such as the type of personal data (e.g., special data) and the amount of data, the number of data subjects, and the possibility of identifying data subjects must be taken into account.

The data subjects do not need to be informed of a high-risk data protection incident if:

  • personal data is encrypted in such a way that it cannot be interpreted;
  • the data controller has since implemented appropriate protective measures;
  • or would require disproportionate effort on its part. (In such cases, the persons concerned shall be informed by means of public communication or similar measure whereby the data subjects are informed in an equally effective manner.)

 Summary

Personal data breaches represent a very broad definition of data security breaches. Such breaches can cause serious financial or non-financial damage to those involved, and if they are not handled properly, they can result in fines of up to several million forints. Data controllers are obliged to ensure the protection of personal data already during the processing of data. Therefore, prevention should be the primary focus. Properly implemented security measures (e.g., establishing authorization systems, adequate protection of passwords and devices) may be suitable for preventing breaches from occurring. In order to determine and comply with these, it is advisable to prepare internal procedures and action plans in advance and review them at regular intervals, as well as to provide data protection training to persons involved in data processing (e.g. employees) at appropriate intervals. In the event of a concrete personal data breach, it is also recommended to involve an expert, given the special rules of formalized official procedures and the need for individual assessment.

Image source: pixabay, pexels.com

Personal data breaches and tasks related to their management Read More »

The European Data Protection Board’s New Guidelines on Pseudonymisation

News, Data protection / / , ,

In the first quarter of 2025, the European Data Protection Board (“EDPB“) adopted a new guideline under reference number 1/2025 (the “Guideline“), focusing on the principles and benefits of pseudonymisation under Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). In this newsletter, we summarise the main findings of the Guidance that are relevant to practice.

What is the significance?

The rules on data processing apply in a wide range of roles, often as an employer, supplying partner or contractor. Choosing the right legal basis for data processing and complying with the principles is of paramount importance, as are the technical and organisational measures in place to ensure the security of the data processed. The GDPR considers pseudonymisation as a risk mitigation tool, whereby personal data are processed in such a way that it is not possible to identify the natural person to whom they relate without further information, i.e. identity can only be established by additional information.

It is a condition that this information – i.e. the pseudonym and the additional attribute – is stored separately and that it is ensured that the data cannot be linked to the natural person concerned unless the conditions are met. Where pseudonymisation is used, the specific risks that the method is intended to reduce must be identified and the procedure must be designed to be effective in achieving the stated aim. This may be particularly relevant in cases where the nature of the data processed would make it easy to identify the natural person. However, it is essential that pseudonymisation does not replace other data protection measures but complements them.

Supporting compliance with data protection principles

Pseudonymisation, as a good practice identified by the EU Commission, can, if properly applied, help data controllers to comply with the principles of the Regulation. According to the GDPR, data may only be collected for specified purposes and processed in a manner compatible with those purposes. Pseudonymisation reduces the risk that personal data may be further processed in a way that is incompatible with the purpose for which the data were originally collected.

For example, assigning widely different pseudonyms (e.g. employee identifiers) to data of persons with very similar identifiers (e.g. employees named Steven Smith) may not only enhance confidentiality, but also contribute to the requirement of accuracy and timeliness of personal data by reducing the possibility that data (e.g. payroll) are wrongly attributed to the wrong person.

Justification of the legal basis for processing

To demonstrate the lawfulness of processing, it is essential to indicate the appropriate legal basis. Since pseudonymisation reduces the risk to the rights and freedoms of data subjects, it can facilitate the use of legitimate interest as a legal basis (Article 6 (1) (f) GDPR). Pseudonymisation minimises the chances that the data will lead to unauthorised identification.

Likewise, pseudonymisation can help to ensure compatibility with the original purpose (Article 6 (4) GDPR). Pseudonymisation can also be a good safeguard when considering compatible purposes for further processing, as it can limit the possible consequences of the envisaged further processing for the data subjects, thus reducing the risk of further processing purposes.

How to apply?

The organisation acting as data controller must ensure that pseudonymised data cannot be linked to an individual as long as the additional information is processed separately. To achieve this, the data controller must modify the data and store additional keys and information separately so that only authorised persons can link the data.

For the sake of the efficiency of the method, pseudonymised data should not contain direct identifiers (e.g. known identification numbers such as tax identification number, ID number), because these direct identifiers can be used to easily associate data with data subjects. Instead, identifiers, unique codes that can only be assigned to data subjects using additional information may be used; this is the pseudonym. All this needs to be ensured by appropriate technical and organisational measures, such as:

– encryption,

– use of interpretation keys and separate storage,

– ensuring access only to authorised persons.

Data processed in the course of a pseudonymisation as personal data

It is important to note that pseudonymised data is still considered personal data, i.e. it is subject to the GDPR, and therefore the rights of the data subject must be ensured. For example, if the person can provide the pseudonym under which his or her data is stored and can prove that this pseudonym relates to him or her, the data controller must be able to identify the data subject, and the claims made in the exercise of the data subject’s rights must be met if any additional conditions are met.

The pseudonymisation of data reduces the risks for the data subjects, since in case of a possible unauthorised access or disclosure, with a proper pseudonymisation, the direct identification data relating to the natural person will not be disclosed (e.g. a cafeteria declaration is sent to the wrong place but only the pseudonym is indicated).

Interestingly, if the security of the pseudonymised data is compromised, leading to an unauthorised reversal of the pseudonymisation, this may constitute a data breach and appropriate action may need to be taken depending on the circumstances of the specific case.

Conclusion

The Guideline provides a useful framework for the use of pseudonymisation as a data processing safeguard. It is not only a technical tool, but a set of data protection procedures that contribute to the compliance with the GDPR rules, while at the same time helping to ensure data processing and related rights. The introduction of pseudonymisation is appropriate based on a review of the data processing strategy in place, but it also requires technical and organisational measures and the appropriate completion of the data processing documentation.

Image source: Markus Winkler, Pexels.com

The European Data Protection Board’s New Guidelines on Pseudonymisation Read More »

Review of the right to erasure in 2025

News, Data protection / / , , ,

In October 2020, the European Data Protection Board (“EDPB“) adopted a document on a coordinated enforcement framework under Regulation (EU) 2016/679 of the European Parliament and of the Council on the General Data Protection Regulation, the GDPR, under which each year a specific data protection issue is examined by Member State authorities on the basis of a framework and methodology defined by the EDPB. These harmonised actions aim, among other things, to facilitate compliance and raise awareness.

This year, the EDPB intends to examine the way in which the right of erasure is exercised and its provision by data controllers. In this article, we summarise the most important facts in this regard.

The importance of the review

In 2025, the EDPB intends to examine the right to erasure, as this is one of the most frequently exercised data subject rights since the entry into force of the GDPR, but there are a large number of complaints to supervisory authorities about its enforcement. To this end, the EDPB, with the help of Member States’ authorities, will this year examine practices in relation to the exercise of the right to erasure and assess how data controllers handle requests for erasure received by them and how they apply the conditions and exceptions to the exercise of this right set out in the GDPR.

What is the right to erasure?

The GDPR sets out the basic rights that the data controller – whether an employer, supply partner or contractor – must inform the data subject of in advance and provide them to the data subject during data processing. Among other things, the data subject has the right to request the erasure of personal data relating to him or her, which the data controller must do without undue delay.

However, the right to erasure is subject to conditions, which may be exercised in one of the following cases:

  • if the personal data are no longer necessary for the purposes for which they were processed;
  • if the data processing was based on the data subject’s consent and the data subject has withdrawn it;
  • if the data subject objects to the processing, where the legal basis for the processing is the protection of the legitimate interests of the controller or of a third party;
  • if the data have been unlawfully processed; or if there is a legal obligation to delete the data.

Ensuring the right of the data subject

The data controller must at all times ensure that the rights of data subjects with regard to the data processing of personal data of natural persons are adequately protected. One of the most important steps is to guarantee the availability of the data controller and to enable contact, which should be achieved through mechanisms that facilitate the exercise of the data subject’s rights.

In the event of any request by a data subject concerning the processing of personal data, the controller shall ensure the exercise of the data subject’s right to be informed as soon as possible after receipt of the request, but not later than 1 month or, if it needs further information, to contact the data subject without delay to deal with the request, preferably through the communication channel used by the data subject. If the data controller does not comply with the data subject’s request, it shall also provide a statement of reasons.

In order for the data controller to be able to assess and comply with the data subject’s request, it is important that the data controller has appropriate organisational and technical measures in place. Ensuring the exercise of the right is of paramount importance, because in case of inappropriate data processing, the data subject can file a complaint with the competent authority – in Hungary the National Authority for Data Protection and Freedom of Information – or even with the courts.

Tasks related to data processing

Since the entry into force of the GDPR in 2018, organisations have developed a wide range of data management practices and there have been significant changes in the legislation in the areas affected by data processing.

At the same time, we see that companies that treat GDPR compliance as a one-off project do not review their processes, documents and background legislation (every few years), and therefore the data privacy policy does not reflect reality after years, for which they can be held liable.

We recommend that companies that meet any of the following criteria should review their data processing documentation and, if necessary, align it with their actual processes:

  1. Introduction of new software
  2. Reorganisation of a business unit or certain processes
  3. Choosing new suppliers
  4. Modifying cooperation with customers
  5. Outsourcing of processes – either to a third country or within the EU
  6. Introduction of certificates (ISO, Tisax, etc.)
  7. Compliance with new legislation (e.g. Complaints Act, GPSR, Pay Transparency Directive)
  8. Changes in the group (e.g. new investor owner)
  9. Change of communication platform (e.g. intranet, chatbot)
  10. Create or merge databases

Image source: Freepik.com

Review of the right to erasure in 2025 Read More »

Data Protection Officers are under the spotlight in the European Data Protection Board’s latest coordinated enforcement action

News, Data protection / / , , , ,

Since 25 May 2018, there is hardly a company that has not had to deal with a Data Protection Officer, or DPO. It has been 5 years since the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; hereinafter: “GDPR“) came into force, but this does not and cannot mean that “the machine is running, the creator rests.” In view of the continuous development of case law, a review of the regulations may be necessary from time to time.

In 2023, the European Data Protection Board (“EDPB“) decided to conduct a coordinated enforcement action focusing specifically on the designation and operation of DPOs. The coordinated action involves 26 European data protection authorities.

The Data Protection Officer is responsible for protecting the rights and freedoms of data subjects and ensuring compliance with data protection rules. Impartiality and independence are among the requirements for DPOs that most often come to the attention of the authorities. Impartiality and objectivity ensure that the officer is able to closely monitor data management processes, effectively manage data breaches and advise the organisation on compliance with the GDPR and other relevant data protection rules. Impartiality guarantees that the DPO represents data protection issues of all interested parties, be it the employees, contractors, or the management of the organisation. The DPO shall be an expert who has no interest in the organisation or its data processing activities. Conflict of interest also means that the appointed data protection professional must not be in a position or engage in an activity that could jeopardise objective and independent decision-making.

A number of decisions on DPOs have been taken by national authorities in previous years, with the following conclusions:

  • The DPO must not only be registered with the competent authority of the mother company, but the organisation must also notify other relevant authorities if the organisation has other branches and the DPO can operate there too.
  • It is not possible to hire an external company as an outsourced DPO and at the same time also appoint a third party as DPO.
  • If the DPO is in charge of compliance, audit and risk management, the independence or impartiality of the role may be compromised.
  • The DPOs are not allowed to engage in a role as the controller’s representative before the data protection authority, as this could jeopardize the impartiality or independence of the DPO.
  • The DPO can be withdrawn if the DPO no longer has the appropriate professional skills or fails to comply with data protection regulations.
  • The DPO cannot be ordered, and therefore it is a breach of the GDRP if the DPO cannot act on his or her own, but only on the instructions of the head of the company (or any other person with the right to make decisions in the company).

A control plan may formalise the DPO’s procedure, but a direct instruction does not comply with the GDPR.

  • It is also a breach of the GDPR to have several hierarchical levels between the DPO and the senior management of the organisation because this way the DPO is no longer directly accountable to the management.
  • It is not an appropriate solution if the DPO is appointed, but the DPO also performs compliance functions in the company, thus compromising independence and impartiality. The authority in the case confirmed that the DPO cannot perform a role that allows him or her to determine the purposes and means of processing personal data.
  • Similarly, it has been held to be contrary to the prohibition of conflicts of interest, if the DPO is also a managing director of two subsidiaries which are responsible for processing data for the main company. In this case there is a conflict of interest because the DPO supervises the adequacy of the data processing tasks, while having a legitimate interest in the profits and operations of the data processing companies.

As the EDPB will focus on DPOs in its coordinated enforcement actions in 2023, we can expect to see a growing number of decisions in which the determining data protection authority makes decisions in principle on the functioning and impartiality of the DPOs. Further guidelines or statements may be issued by national or EU authorities.

Data Protection Officers are under the spotlight in the European Data Protection Board’s latest coordinated enforcement action Read More »

Practical problems with cookie data management

News / / , , , ,

Introduction

In today’s digital world, methods and technologies for collecting and processing personal data (e.g. cookies) are extremely widespread because they allow data controllers to learn essential information about us. For example, after a single search for a shoe on the Internet, we are almost inevitably confronted with advertisements for the same or similar shoes on other platforms.

The relationship between data controllers and individuals is fundamentally unequal, as average users are typically unaware of the many ways in which their personal data are handled. To balance this, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive“) and Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“) were adopted to ensure privacy and the protection of personal data. These EU laws set out minimum requirements for data controllers to compensate for asymmetric relationships.

NGOs such as None of Your Business (“NOYB“) are helping to ensure that these rights are effectively enforced. As a result of NOYB’s work the European Data Protection Board’s Cookie Banner Taskforce has published its newest report. In this, the Taskforce has identified 7 main cookie management practices which it considers to be inadequate in the light of the relevant legislation. These are briefly summarized below in order to help website operators to adapt their practices and users to be more aware of them:

No reject button on the first layer: It does not meet the requirements for consent if the information window on cookies that require consent only offers the option “accept” or “more information”, but without containing a button to reject the cookies.

Pre-ticked boxes: Indeed inadequate to pre-tick the boxes from the available options that the data controller prefers when setting cookies.

Use of a link: The accept button for cookie-related data management typically pops up automatically on all pages, but some data controllers provide the rejection option only through a separate link, making it difficult for users to make a voluntary choice and putting pressure on them.

Deceptive button colours and contrast: For valid consent it is also an important factor how the possibilities are visually represented. Indeed, if the colour or contrast of the buttons displayed is misleading for the data subject (e.g. if, in addition to the clear display of the accept button, the contrast between the colours of the reject and additional options button is so minimal that the text is almost unreadable), the consent given will most likely be considered invalid. Of course, this should always be considered on a case-by-case basis.

Misrepresentation of the legal basis: It is not lawful for the site operator to base data processing first on the consent of the visitor or, in the absence of consent, on legitimate interest. In this respect, it is particularly unlawful where the user has no possibility to object to the consent, given that in the absence of consent, the controller will process the data on the basis of his legitimate interest, as this may give the impression that the data subject can only consent to the processing and has no other choice.

Inaccurately classified “essential” cookies: The Taskforce has highlighted in its report, that many data controllers classify cookies as essential or strictly necessary, that in fact shall not be considered as essential.

No withdraw icon: A further requirement for consent is that it should be revocable at any time, in the same simple way as it was given by the data subject. Thus, data controllers should also provide for this possibility in relation to cookies (e.g. by placing a floating revocation button or link).

Summary

As can be seen from the above, data controllers must act in such a way as to ensure that users have access to the right information and are thus put in a position to make decisions. Of course, it is the responsibility of the data subjects to actually inform themselves and thus act and make decisions as informed users with regard to their own data (e.g. by customizing their preferences, leaving the visited pages after use, reading the NAIH’s information notices, the controller’s privacy policy).

Practical problems with cookie data management Read More »

New guidelines of the EDPB on data controllers and data processors

Company groups, Data protection, Medium-sized companies, News, Start-ups / / , , , , ,

The European Data Protection Board (“EDPB” or “Board”) has adopted the final version of guidelines no. 07/2020 on the concepts of controller and processor in the GDPR on its meeting of 7 July 2021, which renews and replaces the previous guidance no. 1/2010 of the Article 29 Data Protection Working Party on the same subject.

The definition of roles of data controller and data processor has been and continues to be the most controversial issue of data protection law, both during and prior to the entry into effect of the GDPR, as the assumed role determines the obligations and thus the corresponding responsibility. For this reason, the new EDPB guidelines are essential for all actors involved in data processing activities.

  1. Identifying the data controller

According to the GDPR, the person determining the purposes and means of the processing of personal data shall be considered the data controller. Among the elements of the concept, the new guideline explained the means of data processing in most detail, implementing a sharper distinction compared to the previous guidance.

In the opinion of the Board, when identifying the data controller, the means of data processing shall be understood only as the essential means, which are the following:

  • type of personal data which are processed
  • duration of the processing
  • the categories of recipients with access to the data (including transfers of data)
  • the categories of data subjects

The EDPB also emphasizes that actual access to personal data is not a requirement to be considered the data controller.

  1. Identifying the data processor

According to the GDPR, the data processor is the person who performs the processing operations on behalf of the data controller. The EDPB identified two explicit and one implied condition for the identification of the data processor. The two explicit conditions are as follows:

  • The data processor is a separate entity from the data controller;
  • The processing operations are performed solely on behalf of the data controller and the data are not processed for any purpose or interest other than those of the data controller.

In addition to the above, the third implied condition is that the discretion of the data processor includes the choice of non-essential means of data processing, such as the location of data storage, the software and methodology used for data processing operations.

There must be a written contract between the data controller and the data processor regarding the data processing, the absence of a contract constitutes an infringement of the GDPR on part of both actors.

The EDPB emphasized that the GDPR also imposes stricter obligations on data processors compared to the previous regulation. In addition, in the data processing agreement, the data controller may indirectly hold the data processor responsible for the performance of the data controller’s obligations under the GDPR, therefore, in order to limit the data controller’s liability, the most important thing is to select a responsible data processor, and conclude a processing agreement which duly takes into account all responsibilities.

  1. A person under the direct control of the data controller or data processor

Compared to the concepts of data controller and data processor, the role under the direct control of the data controller or data processor set out by Article 29 of the GDPR is less frequently discussed, but in practice the majority of natural persons perform data processing operations in this capacity.

This category includes a person who is not separate from the data controller or data processor. For example, neither the managing director nor a department of the company can be considered a separate entity from the company.

This category also includes a person who, although carrying out processing operations on behalf of the controller, has no independent decision-making power over these operations at all. Directly under the direct control are mainly workers and employees, but it is important to note that from the point of view of data protection law, not only workers employed under the Labour Code should be considered as employees, but also, where appropriate, staff employed under a service or agency contract.

When identifying direct control, in addition to the type of legal relationship, it is therefore necessary to examine the decision-making rights of the individual, his or her integration into the organization of the data controller or data processor, and the control exercised by the data controller or data processor.

For persons under direct control, the GDPR contains a single requirement that personal data may not be processed contrary to the instructions of the data controller. It is also possible and recommended in case of the persons under direct control to impose the obligations of the GDPR, as well as to sanction any conduct that infringes data protection law, in a contract or internal regulations.

Should you have any questions regarding the above, feel free to contact us.

CLVPartners news

 

New guidelines of the EDPB on data controllers and data processors Read More »

President of HDPA tempers position on thermometers!

Company groups, Data protection, Employment, labour law, Medium-sized companies, News, Start-ups / / , , , ,

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position.

Unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position, that unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

As a reminder, the Authority’s guidelines issued on 11 March 2020 and its confirmatory official position issued on 28 April 2020 considered disproportionate the requirement of screening tests with any diagnostic device (in particular, but not exclusively, with a thermometer), as the epidemiological situation in Spring did not warrant such measures.

The HDPA president’s statement did not affect the rest of the previously issued guidelines and official position, therefore all data processing in connection with the novel coronavirus epidemic such as body temperature measurement may only be introduced in the legitimate interest of the employer, substantiated by a proportionality test and the measurement shall be conducted by healthcare professionals or under their professional supervision under Article 9 (3) of the GDPR.

The Authority invariably requires employers to prefer measures which do not require the processing of personal data (basic hygiene, provision of disinfectants, adequate cleaning, provision of protective equipment, distance between workers).

Should you have any questions regarding the above, feel free to contact us.

President of HDPA tempers position on thermometers! Read More »

CLVPartners
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.