CLVPartners

GDPR

The European Data Protection Board’s New Guidelines on Pseudonymisation

In the first quarter of 2025, the European Data Protection Board (“EDPB“) adopted a new guideline under reference number 1/2025 (the “Guideline“), focusing on the principles and benefits of pseudonymisation under Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). In this newsletter, we summarise the main findings of the Guidance that are relevant to practice.

What is the significance?

The rules on data processing apply in a wide range of roles, often as an employer, supplying partner or contractor. Choosing the right legal basis for data processing and complying with the principles is of paramount importance, as are the technical and organisational measures in place to ensure the security of the data processed. The GDPR considers pseudonymisation as a risk mitigation tool, whereby personal data are processed in such a way that it is not possible to identify the natural person to whom they relate without further information, i.e. identity can only be established by additional information.

It is a condition that this information – i.e. the pseudonym and the additional attribute – is stored separately and that it is ensured that the data cannot be linked to the natural person concerned unless the conditions are met. Where pseudonymisation is used, the specific risks that the method is intended to reduce must be identified and the procedure must be designed to be effective in achieving the stated aim. This may be particularly relevant in cases where the nature of the data processed would make it easy to identify the natural person. However, it is essential that pseudonymisation does not replace other data protection measures but complements them.

Supporting compliance with data protection principles

Pseudonymisation, as a good practice identified by the EU Commission, can, if properly applied, help data controllers to comply with the principles of the Regulation. According to the GDPR, data may only be collected for specified purposes and processed in a manner compatible with those purposes. Pseudonymisation reduces the risk that personal data may be further processed in a way that is incompatible with the purpose for which the data were originally collected.

For example, assigning widely different pseudonyms (e.g. employee identifiers) to data of persons with very similar identifiers (e.g. employees named Steven Smith) may not only enhance confidentiality, but also contribute to the requirement of accuracy and timeliness of personal data by reducing the possibility that data (e.g. payroll) are wrongly attributed to the wrong person.

Justification of the legal basis for processing

To demonstrate the lawfulness of processing, it is essential to indicate the appropriate legal basis. Since pseudonymisation reduces the risk to the rights and freedoms of data subjects, it can facilitate the use of legitimate interest as a legal basis (Article 6 (1) (f) GDPR). Pseudonymisation minimises the chances that the data will lead to unauthorised identification.

Likewise, pseudonymisation can help to ensure compatibility with the original purpose (Article 6 (4) GDPR). Pseudonymisation can also be a good safeguard when considering compatible purposes for further processing, as it can limit the possible consequences of the envisaged further processing for the data subjects, thus reducing the risk of further processing purposes.

How to apply?

The organisation acting as data controller must ensure that pseudonymised data cannot be linked to an individual as long as the additional information is processed separately. To achieve this, the data controller must modify the data and store additional keys and information separately so that only authorised persons can link the data.

For the sake of the efficiency of the method, pseudonymised data should not contain direct identifiers (e.g. known identification numbers such as tax identification number, ID number), because these direct identifiers can be used to easily associate data with data subjects. Instead, identifiers, unique codes that can only be assigned to data subjects using additional information may be used; this is the pseudonym. All this needs to be ensured by appropriate technical and organisational measures, such as:

– encryption,

– use of interpretation keys and separate storage,

– ensuring access only to authorised persons.

Data processed in the course of a pseudonymisation as personal data

It is important to note that pseudonymised data is still considered personal data, i.e. it is subject to the GDPR, and therefore the rights of the data subject must be ensured. For example, if the person can provide the pseudonym under which his or her data is stored and can prove that this pseudonym relates to him or her, the data controller must be able to identify the data subject, and the claims made in the exercise of the data subject’s rights must be met if any additional conditions are met.

The pseudonymisation of data reduces the risks for the data subjects, since in case of a possible unauthorised access or disclosure, with a proper pseudonymisation, the direct identification data relating to the natural person will not be disclosed (e.g. a cafeteria declaration is sent to the wrong place but only the pseudonym is indicated).

Interestingly, if the security of the pseudonymised data is compromised, leading to an unauthorised reversal of the pseudonymisation, this may constitute a data breach and appropriate action may need to be taken depending on the circumstances of the specific case.

Conclusion

The Guideline provides a useful framework for the use of pseudonymisation as a data processing safeguard. It is not only a technical tool, but a set of data protection procedures that contribute to the compliance with the GDPR rules, while at the same time helping to ensure data processing and related rights. The introduction of pseudonymisation is appropriate based on a review of the data processing strategy in place, but it also requires technical and organisational measures and the appropriate completion of the data processing documentation.

Image source: Markus Winkler, Pexels.com

Review of the right to erasure in 2025

In October 2020, the European Data Protection Board (“EDPB“) adopted a document on a coordinated enforcement framework under Regulation (EU) 2016/679 of the European Parliament and of the Council on the General Data Protection Regulation, the GDPR, under which each year a specific data protection issue is examined by Member State authorities on the basis of a framework and methodology defined by the EDPB. These harmonised actions aim, among other things, to facilitate compliance and raise awareness.

This year, the EDPB intends to examine the way in which the right of erasure is exercised and its provision by data controllers. In this article, we summarise the most important facts in this regard.

The importance of the review

In 2025, the EDPB intends to examine the right to erasure, as this is one of the most frequently exercised data subject rights since the entry into force of the GDPR, but there are a large number of complaints to supervisory authorities about its enforcement. To this end, the EDPB, with the help of Member States’ authorities, will this year examine practices in relation to the exercise of the right to erasure and assess how data controllers handle requests for erasure received by them and how they apply the conditions and exceptions to the exercise of this right set out in the GDPR.

What is the right to erasure?

The GDPR sets out the basic rights that the data controller – whether an employer, supply partner or contractor – must inform the data subject of in advance and provide them to the data subject during data processing. Among other things, the data subject has the right to request the erasure of personal data relating to him or her, which the data controller must do without undue delay.

However, the right to erasure is subject to conditions, which may be exercised in one of the following cases:

  • if the personal data are no longer necessary for the purposes for which they were processed;
  • if the data processing was based on the data subject’s consent and the data subject has withdrawn it;
  • if the data subject objects to the processing, where the legal basis for the processing is the protection of the legitimate interests of the controller or of a third party;
  • if the data have been unlawfully processed; or if there is a legal obligation to delete the data.

Ensuring the right of the data subject

The data controller must at all times ensure that the rights of data subjects with regard to the data processing of personal data of natural persons are adequately protected. One of the most important steps is to guarantee the availability of the data controller and to enable contact, which should be achieved through mechanisms that facilitate the exercise of the data subject’s rights.

In the event of any request by a data subject concerning the processing of personal data, the controller shall ensure the exercise of the data subject’s right to be informed as soon as possible after receipt of the request, but not later than 1 month or, if it needs further information, to contact the data subject without delay to deal with the request, preferably through the communication channel used by the data subject. If the data controller does not comply with the data subject’s request, it shall also provide a statement of reasons.

In order for the data controller to be able to assess and comply with the data subject’s request, it is important that the data controller has appropriate organisational and technical measures in place. Ensuring the exercise of the right is of paramount importance, because in case of inappropriate data processing, the data subject can file a complaint with the competent authority – in Hungary the National Authority for Data Protection and Freedom of Information – or even with the courts.

Tasks related to data processing

Since the entry into force of the GDPR in 2018, organisations have developed a wide range of data management practices and there have been significant changes in the legislation in the areas affected by data processing.

At the same time, we see that companies that treat GDPR compliance as a one-off project do not review their processes, documents and background legislation (every few years), and therefore the data privacy policy does not reflect reality after years, for which they can be held liable.

We recommend that companies that meet any of the following criteria should review their data processing documentation and, if necessary, align it with their actual processes:

  1. Introduction of new software
  2. Reorganisation of a business unit or certain processes
  3. Choosing new suppliers
  4. Modifying cooperation with customers
  5. Outsourcing of processes – either to a third country or within the EU
  6. Introduction of certificates (ISO, Tisax, etc.)
  7. Compliance with new legislation (e.g. Complaints Act, GPSR, Pay Transparency Directive)
  8. Changes in the group (e.g. new investor owner)
  9. Change of communication platform (e.g. intranet, chatbot)
  10. Create or merge databases

Image source: Freepik.com

Data Protection Officers are under the spotlight in the European Data Protection Board’s latest coordinated enforcement action

Since 25 May 2018, there is hardly a company that has not had to deal with a Data Protection Officer, or DPO. It has been 5 years since the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; hereinafter: “GDPR“) came into force, but this does not and cannot mean that “the machine is running, the creator rests.” In view of the continuous development of case law, a review of the regulations may be necessary from time to time.

In 2023, the European Data Protection Board (“EDPB“) decided to conduct a coordinated enforcement action focusing specifically on the designation and operation of DPOs. The coordinated action involves 26 European data protection authorities.

The Data Protection Officer is responsible for protecting the rights and freedoms of data subjects and ensuring compliance with data protection rules. Impartiality and independence are among the requirements for DPOs that most often come to the attention of the authorities. Impartiality and objectivity ensure that the officer is able to closely monitor data management processes, effectively manage data breaches and advise the organisation on compliance with the GDPR and other relevant data protection rules. Impartiality guarantees that the DPO represents data protection issues of all interested parties, be it the employees, contractors, or the management of the organisation. The DPO shall be an expert who has no interest in the organisation or its data processing activities. Conflict of interest also means that the appointed data protection professional must not be in a position or engage in an activity that could jeopardise objective and independent decision-making.

A number of decisions on DPOs have been taken by national authorities in previous years, with the following conclusions:

  • The DPO must not only be registered with the competent authority of the mother company, but the organisation must also notify other relevant authorities if the organisation has other branches and the DPO can operate there too.
  • It is not possible to hire an external company as an outsourced DPO and at the same time also appoint a third party as DPO.
  • If the DPO is in charge of compliance, audit and risk management, the independence or impartiality of the role may be compromised.
  • The DPOs are not allowed to engage in a role as the controller’s representative before the data protection authority, as this could jeopardize the impartiality or independence of the DPO.
  • The DPO can be withdrawn if the DPO no longer has the appropriate professional skills or fails to comply with data protection regulations.
  • The DPO cannot be ordered, and therefore it is a breach of the GDRP if the DPO cannot act on his or her own, but only on the instructions of the head of the company (or any other person with the right to make decisions in the company).

A control plan may formalise the DPO’s procedure, but a direct instruction does not comply with the GDPR.

  • It is also a breach of the GDPR to have several hierarchical levels between the DPO and the senior management of the organisation because this way the DPO is no longer directly accountable to the management.
  • It is not an appropriate solution if the DPO is appointed, but the DPO also performs compliance functions in the company, thus compromising independence and impartiality. The authority in the case confirmed that the DPO cannot perform a role that allows him or her to determine the purposes and means of processing personal data.
  • Similarly, it has been held to be contrary to the prohibition of conflicts of interest, if the DPO is also a managing director of two subsidiaries which are responsible for processing data for the main company. In this case there is a conflict of interest because the DPO supervises the adequacy of the data processing tasks, while having a legitimate interest in the profits and operations of the data processing companies.

As the EDPB will focus on DPOs in its coordinated enforcement actions in 2023, we can expect to see a growing number of decisions in which the determining data protection authority makes decisions in principle on the functioning and impartiality of the DPOs. Further guidelines or statements may be issued by national or EU authorities.

Practical problems with cookie data management

Introduction

In today’s digital world, methods and technologies for collecting and processing personal data (e.g. cookies) are extremely widespread because they allow data controllers to learn essential information about us. For example, after a single search for a shoe on the Internet, we are almost inevitably confronted with advertisements for the same or similar shoes on other platforms.

The relationship between data controllers and individuals is fundamentally unequal, as average users are typically unaware of the many ways in which their personal data are handled. To balance this, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive“) and Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“) were adopted to ensure privacy and the protection of personal data. These EU laws set out minimum requirements for data controllers to compensate for asymmetric relationships.

NGOs such as None of Your Business (“NOYB“) are helping to ensure that these rights are effectively enforced. As a result of NOYB’s work the European Data Protection Board’s Cookie Banner Taskforce has published its newest report. In this, the Taskforce has identified 7 main cookie management practices which it considers to be inadequate in the light of the relevant legislation. These are briefly summarized below in order to help website operators to adapt their practices and users to be more aware of them:

No reject button on the first layer: It does not meet the requirements for consent if the information window on cookies that require consent only offers the option “accept” or “more information”, but without containing a button to reject the cookies.

Pre-ticked boxes: Indeed inadequate to pre-tick the boxes from the available options that the data controller prefers when setting cookies.

Use of a link: The accept button for cookie-related data management typically pops up automatically on all pages, but some data controllers provide the rejection option only through a separate link, making it difficult for users to make a voluntary choice and putting pressure on them.

Deceptive button colours and contrast: For valid consent it is also an important factor how the possibilities are visually represented. Indeed, if the colour or contrast of the buttons displayed is misleading for the data subject (e.g. if, in addition to the clear display of the accept button, the contrast between the colours of the reject and additional options button is so minimal that the text is almost unreadable), the consent given will most likely be considered invalid. Of course, this should always be considered on a case-by-case basis.

Misrepresentation of the legal basis: It is not lawful for the site operator to base data processing first on the consent of the visitor or, in the absence of consent, on legitimate interest. In this respect, it is particularly unlawful where the user has no possibility to object to the consent, given that in the absence of consent, the controller will process the data on the basis of his legitimate interest, as this may give the impression that the data subject can only consent to the processing and has no other choice.

Inaccurately classified “essential” cookies: The Taskforce has highlighted in its report, that many data controllers classify cookies as essential or strictly necessary, that in fact shall not be considered as essential.

No withdraw icon: A further requirement for consent is that it should be revocable at any time, in the same simple way as it was given by the data subject. Thus, data controllers should also provide for this possibility in relation to cookies (e.g. by placing a floating revocation button or link).

Summary

As can be seen from the above, data controllers must act in such a way as to ensure that users have access to the right information and are thus put in a position to make decisions. Of course, it is the responsibility of the data subjects to actually inform themselves and thus act and make decisions as informed users with regard to their own data (e.g. by customizing their preferences, leaving the visited pages after use, reading the NAIH’s information notices, the controller’s privacy policy).

New guidelines of the EDPB on data controllers and data processors

The European Data Protection Board (“EDPB” or “Board”) has adopted the final version of guidelines no. 07/2020 on the concepts of controller and processor in the GDPR on its meeting of 7 July 2021, which renews and replaces the previous guidance no. 1/2010 of the Article 29 Data Protection Working Party on the same subject.

The definition of roles of data controller and data processor has been and continues to be the most controversial issue of data protection law, both during and prior to the entry into effect of the GDPR, as the assumed role determines the obligations and thus the corresponding responsibility. For this reason, the new EDPB guidelines are essential for all actors involved in data processing activities.

  1. Identifying the data controller

According to the GDPR, the person determining the purposes and means of the processing of personal data shall be considered the data controller. Among the elements of the concept, the new guideline explained the means of data processing in most detail, implementing a sharper distinction compared to the previous guidance.

In the opinion of the Board, when identifying the data controller, the means of data processing shall be understood only as the essential means, which are the following:

  • type of personal data which are processed
  • duration of the processing
  • the categories of recipients with access to the data (including transfers of data)
  • the categories of data subjects

The EDPB also emphasizes that actual access to personal data is not a requirement to be considered the data controller.

  1. Identifying the data processor

According to the GDPR, the data processor is the person who performs the processing operations on behalf of the data controller. The EDPB identified two explicit and one implied condition for the identification of the data processor. The two explicit conditions are as follows:

  • The data processor is a separate entity from the data controller;
  • The processing operations are performed solely on behalf of the data controller and the data are not processed for any purpose or interest other than those of the data controller.

In addition to the above, the third implied condition is that the discretion of the data processor includes the choice of non-essential means of data processing, such as the location of data storage, the software and methodology used for data processing operations.

There must be a written contract between the data controller and the data processor regarding the data processing, the absence of a contract constitutes an infringement of the GDPR on part of both actors.

The EDPB emphasized that the GDPR also imposes stricter obligations on data processors compared to the previous regulation. In addition, in the data processing agreement, the data controller may indirectly hold the data processor responsible for the performance of the data controller’s obligations under the GDPR, therefore, in order to limit the data controller’s liability, the most important thing is to select a responsible data processor, and conclude a processing agreement which duly takes into account all responsibilities.

  1. A person under the direct control of the data controller or data processor

Compared to the concepts of data controller and data processor, the role under the direct control of the data controller or data processor set out by Article 29 of the GDPR is less frequently discussed, but in practice the majority of natural persons perform data processing operations in this capacity.

This category includes a person who is not separate from the data controller or data processor. For example, neither the managing director nor a department of the company can be considered a separate entity from the company.

This category also includes a person who, although carrying out processing operations on behalf of the controller, has no independent decision-making power over these operations at all. Directly under the direct control are mainly workers and employees, but it is important to note that from the point of view of data protection law, not only workers employed under the Labour Code should be considered as employees, but also, where appropriate, staff employed under a service or agency contract.

When identifying direct control, in addition to the type of legal relationship, it is therefore necessary to examine the decision-making rights of the individual, his or her integration into the organization of the data controller or data processor, and the control exercised by the data controller or data processor.

For persons under direct control, the GDPR contains a single requirement that personal data may not be processed contrary to the instructions of the data controller. It is also possible and recommended in case of the persons under direct control to impose the obligations of the GDPR, as well as to sanction any conduct that infringes data protection law, in a contract or internal regulations.

Should you have any questions regarding the above, feel free to contact us.

CLVPartners news

 

President of HDPA tempers position on thermometers!

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position.

Unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

The Head of the Hungarian Data Protection Authority in his interview made an announcement contrary to the Authority’s previous official position, that unlike in Spring, in the current epidemiological situation in Hungary it is no longer disproportionate to implement body temperature measurement as a general measure, however, recording the results is still considered unjustifiable, because as health related data it would be considered a special category of personal data which should be especially protected.

As a reminder, the Authority’s guidelines issued on 11 March 2020 and its confirmatory official position issued on 28 April 2020 considered disproportionate the requirement of screening tests with any diagnostic device (in particular, but not exclusively, with a thermometer), as the epidemiological situation in Spring did not warrant such measures.

The HDPA president’s statement did not affect the rest of the previously issued guidelines and official position, therefore all data processing in connection with the novel coronavirus epidemic such as body temperature measurement may only be introduced in the legitimate interest of the employer, substantiated by a proportionality test and the measurement shall be conducted by healthcare professionals or under their professional supervision under Article 9 (3) of the GDPR.

The Authority invariably requires employers to prefer measures which do not require the processing of personal data (basic hygiene, provision of disinfectants, adequate cleaning, provision of protective equipment, distance between workers).

Should you have any questions regarding the above, feel free to contact us.

GPDR after Brexit – Data transfers outside the EU

After years of negotiations the United Kingdom has officially left the European Union, therefore the UK has become a “third country”. We would like to take this opportunity to point out the special rules concerning the UK and data transfers outside the EU in general.
Data transfer to the UK

As we have noted in our latest article on Brexit, some changes need time to enter into force. According to the withdrawal agreement concluded between the UK and the EU, there will be a transition period until 31 December 2020. In this transition period, the GDPR is still applicable in the UK, so the UK would not be considered as a third country until the end of this year.

What happens after the transition period?

It is very important to note that any data processed before the end of the transition period shall continue to be processed in accordance with the GDPR. Thus, personal data transferred to the UK during the transition period shall be guaranteed the same level of safety as currently provided by the GDPR and data subjects have no cause to worry about their right to privacy.

After the transition period, the UK and the EU still need to iron out the specifics of data protection. Certainly, for most data controllers that would be most convenient if the UK continued to apply the GDPR.

However, in the event of a “no-deal” Brexit or if the “deal” excludes data protection, the rules of transferring data outside the EU would have to be applied to the UK.

Data transfers outside the EU

One of the most emphasized general rule of the GDPR is that transferring data outside the EU is not allowed only with a very few exceptions. There are three categories of these exceptions, “adequacy decisions” in Article 45, “appropriate safeguards” in Article 46 and “derogations for specific situations” in Article 49.

Adequacy decisions

With regards to Brexit, the second best scenario would be an EU Commission adequacy decision. Data may be transferred without any special rules or authorizations to third countries deemed to provide an adequate level of data protection. While the decision falls to the discretion of the Commission, we expect this to be a very likely outcome, as the UK has high standards of data protection in their national legislation.

Appropriate safeguards

Should the UK not be found adequate, the next option is for the data controller or processor to provide appropriate safeguards. These safeguards are subject to the approval/ adoption of the Commission and/or the supervisory authority. The most relevant of these safeguards are as follows:

• binding corporate rules (BCR) of a corporate group (approved by the supervisory authority);
• standard data protection clauses (adopted by the Commission);
• standard data protection clauses (adopted by a supervisory authority and approved by the Commission);
• an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;
• an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

The abovementioned options require either significant effort from the data controller (i.e. drafting BCRs or codes of conduct) or a proactive supervisory authority (i.e. drafting and adopting standard clauses). Since the GDPR’s entry into force, no standard clauses have been adopted yet. Consequently, most data controllers might find appropriate safeguards a barrier too high to entry.

Derogations for specific situations

The last option is derogations for specific situations, to be applied for exceptional cases and will not serve as legal basis for systematic or regular transferring of personal data. The most relevant of these situations are as follows:

• explicit consent of a data subject informed of the risks of transfer to the third country;
• transfer is necessary for the performance of a contract between the data subject and the data controller or a contract concluded in the interest of the data subject;
• transfer is necessary for the establishment, exercise or defence of legal claims;
• transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

In any event, if the data controller uses these derogations as basis for data transfer outside the EU, the transfer may only take place if it is not repetitive and concerns only a limited number of data subjects, in addition the controller must demonstrate a compelling legitimate interest and inform the supervisory authority as well as the data subject. This is considered the least favourable option for data controllers because of their obligations to inform.

GDPR – One Year On

As 25 May 2018 approached, many organisations faced these new European privacy rules with increasing concern. One of the main reasons for this was undoubtedly the extremely high fines that can be imposed for breaches of the GDPR: the majority of infringements can be punished by a fine of up to EUR 20 million or 4% of total worldwide annual turnover for the previous financial year (the higher of the two).
The level of fine imposed will depend on an assessment by the national data protection authority (DPA) of mitigating or aggravating circumstances listed in the GDPR including the nature, seriousness and duration of the infringement, whether the data involved was sensitive and any previous breaches.
A year on, with the first wave of decisions and fines now issued by a number of DPAs and investigations ongoing in others, it is interesting to examine the initial effects of the GDPR in the EU. Has it managed to enhance protection for people’s privacy? Did the concern expressed at its potential impact turn out to be justified? Are different trends emerging in different EU countries? These and other questions are discussed below.

Several companies involved in Hungarian Data Protection Authority (NAIH) procedures have been fined. The usual amount of the fine is between HUF 500,000 and HUF 1 million, (approximately EUR 1500 and EUR 3000).
In one of its most relevant recent decisions, the NAIH imposed a fine of HUF 1 million on a company with a turnover of HUF 15 million, which it considered a symbolic amount, for not restricting and issuing copies of camera recordings, despite a request from a data subject. The data subject wanted to use the recordings as evidence in legal proceedings, as stated in the request. The company justified its decision on several grounds, including the fact that the data subject did not indicate how deleting the recording would infringe his or her legitimate interest, and in connection with what legal proceedings he or she made the request (although required to do so under Hungarian law).
According to NAIH, the company violated the data subject’s right to restrict data processing. Under Article 18 (1) (c) of the GDPR, it is sufficient for the data subject to argue that restricting processing is necessary for the submission and enforcement of legal claims. There is no need to justify the right and the legitimate interest further than that. The conflicting Hungarian legal provision has been amended by the GDPR implementation law mentioned below.

In addition, the company failed to inform the data subject about the reasons for its decision and the legal remedies available to the data subject.
In imposing the fine, the authority assessed the nature of the infringement as an aggravating circumstance, as it violated the applicant’s rights. The refusal of the request also led to the deletion of the recordings, which cannot be restored. It was a mitigating circumstance that the company committed the infringement for the first time, and also that the conflicting national legal provision. was still in force, which could have misled the company in its decision to deny the data subject’s request.

Hungary has implemented the GDPR with an implementation act came into force on 26 April 2019. The aim of the amendments is the harmonisation of sectoral laws in order to apply the GDPR. The GDPR implementation act amends 86 acts to comply with the GDPR, including the Labour Code. As a result, employees’ documents, the processing of the criminal records and the agreements relating to the use of work-related IT equipment must be reviewed.
Experience has shown that the NAIH is active; several proceedings have been initiated checking the data processing practices of operators and assessing compliance.

GDPR „OMNIBUS” Act overwrites the usual HR process

On 26 April 2019, Hungary’s new ‘Omnibus Act’ implementing provisions of the GDPR took effect. This article examines its significant impact on employers and the continuing uncertainty surrounding some of the changes it introduces.

Only a few months ago, employers were required to readjust their processes in preparation for GDPR implementation and now the new so-called ‘Omnibus’ act that amends the Labour Code, among other changes has entered into force (on 26 April 2019). The new regulation requires immediate and very significant work from HR departments, while there are several open issues to be jointly interpreted by labour lawyers together with HR and data protection professionals on how to ensure their daily practice is compliant with the new but ambiguous regulations.

The bottleneck is a result of the fact that Hungarian lawmakers were well behind schedule with implementation of GDPR, leaving employers only a few days to review the new processes, since all employers must comply with all requirements from day one. There is a strong hope that (as has happened in several previous cases) the Omnibus Act will very shortly be corrected by a new amendment.

The GDPR ‘Omnibus’ Act amends 86 acts including the Labour Code in order to comply with GDPR regulations.

This amendment requires the review of labour contracts, HR processes and significant HR policies such as recruitment, selection, new employees’ induction process, operations, the data management of access control systems and use of employer’s devices, just to mention the most common areas concerned.

Employers and all organisations should have complied with the new regulations within a couple of days of entry into force.

Although the new requirements contain more details than the published draft bill, there are still several open issues on how to implement them in practice. For example what is the meaning of, and what are the criteria for the necessity and proportionality test contained in the new regulations in relation to limitations on employees’ personal human rights (in connection with e-mail, internet, device or video surveillance, etc.)? The GDPR only includes the privacy impact assessment and the ‘balancing test’ for ‘legitimate interest’.

The usual process of recording a new employee’s data is basically overridden by the new rule that the employer may only request presentation of an ID card and other personal documents, but no copies can be made, even with the consent of the employee. This will mean that proper identification of the employee would be difficult. The provision of false data by the employee may result in annulment of employment, but with a lack of proper evidence and documentation, the employer may not be in a position to act.

Handling of criminal data records is more strictly regulated, and in the future the basic rule is that no criminal record clearance may be requested from employees. Exceptional and very strict criteria are set for cases when the employer may require an employee to present criminal record clearance, but the precise criteria can be decided by the employer if a serious business risk for the organisation would arise from an employee with undisclosed criminal record working for it.

Finally, the amendment relating to data managed by the biometric access control systems (digital fingerprint, iris/retina scanning, face identification systems), and also the use of the employers’ devices is based on new principles, meaning that a review of internal policies relating to these issues must be conducted.

Amendments with regard to the GDPR has been published

The amendments with regards to the GDPR, which was adopted by the Hungarian Parliament on the 1st of April, was officially published today.

In order to harmonize with the GDPR, the amendments modifies over 80 sectorial law, including provisions of the Labour Code.

The majority of the amendments will come into effect at the end of April, but the modifications regarding the national accreditation and the protection of inventions by patents will come into force in May.

CLVPartners
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.