Hungary: New EU data protection rules apply as of May 2018
The new General Data Protection Regulation (GDPR) introduces uniform Europe-wide data protection standards. The regulation focuses on better protection of personal data together with its free movement. The GDPR brings both relief and new challenges for companies: the abolition of general notification obligations will reduce bureaucracy, but organizations will face new duties regarding transparency and information.
Companies must in particular:
• carry out impact assessments in order to check that their data processing complies with the new regulation;
• create directories of processing activities;
• comply with enhanced notification requirements in the case of data breaches;
• implement “privacy by default” settings for devices;
• check whether the appointment of a data protection officer (DPO) is necessary. A DPO is required if the company handles sensitive personal data, such as health data or data revealing political opinions.
The GDPR also introduces the principle of accountability, i.e. companies must be able to demonstrate that data processing is performed in line with the GDPR.
Companies will face increased fines for infringements. The maximum penalty can reach 20 million EUR (6.2 billion HUF) or up to 4 % of annual worldwide turnover of the preceding financial year, whichever is higher.
The GDPR facilitates the transmission of personal data within a company group. According to the GDPR, a legitimate interest may exist in transferring personal data within a group of companies for internal administrative purposes. Restrictions on data transfers to third countries will still apply. Introducing Binding Corporate Rules (BCR) can offer a solution for intra-group transfers.
Checklist for your company:
• Carry out compliance audits. In particular:
  • Analyze current data flows (in particular intra-group transfers and transfers to third countries).
  • Identify the existing legal basis and measures for providing an adequate level of data protection.
  • Consider appropriate technical and organizational measures to ensure compliance with the new regulation.
  • Review contracts with current processors.
  • Check whether affected persons were informed sufficiently and in clear language that is easy to understand.
• Consider introducing a Code of Conduct for employees.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)