New resolutions of the Hungarian Data Protection Authority on GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, "GDPR") will be directly applicable as of 25 May 2018 to all organisations controlling personal data. The Hungarian National Authority for Data Protection and Freedom of Information ("NAIH" / "Hungarian Authority") receives thousands of questions on the applicability of the GDPR. For this reason, the NAIH has published answers to some of these questions.
The Hungarian Authority's resolutions deal with several aspects of the GDPR, including the Data Protection Officer (DPO), the applicability of the GDPR to a municipality, and the question of whether the Hungarian branch of a foreign company must apply Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
Even though the questions touch on different points of the GDPR, most of them relate to DPOs. The DPO is not an unknown notion in Hungarian data protection law, since the so-called "internal data protection officer" had similar tasks, although under a different name and different rules. Given that the applicable law will be different, the NAIH has clarified the GDPR's provisions on data protection officers.
The data protection officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. According to the NAIH's interpretation, the GDPR does not specify which certifications are approved. Instead, organisations must assess and identify their data processing operations and appoint a DPO whose qualifications match those operations (a risk-based approach). The Hungarian Authority underlines that a DPO may be a staff member of the data controller or processor, or may fulfil the tasks on the basis of a service contract. In the latter case, if the appointed DPO is a legal entity (e.g. a company), the data controller/processor must designate a natural person whose contact details will be published and registered with the NAIH. As a best practice, the NAIH advises state-owned companies to appoint a DPO even though this would not be mandatory for them under the GDPR.
After a two-year period of adjustment, the GDPR will be applicable from 25 May 2018. By then all organisations must comply with it, and organisations that infringe the rules of the GDPR may expect administrative fines of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.