THE TOP 5 GDPR MYTHS DEBUNKED
07 May 2018
Some GDPR myths make you see a problem where you should not or, what is even worse, prevent you from detecting a problem when you should. To run a successful GDPR compliance project, you should avoid both of these faults. To help you, we debunk the 5 GDPR myths that we have faced most often during our compliance projects.
1. The consent myth 1 – I don’t have it
Companies often think that if they do not have the consent of the data subjects they cannot process their personal data.
This can be true if consent is the only possible legal basis for processing. However, in many cases you can rely on one of the other grounds that the GDPR provides for the processing and then you do not need the consent of the data subject.
In many cases the law itself provides the legal basis for processing: for example, you have to collect your employees’ identification data in order to complete the obligatory registration with the tax authority.
Sometimes the data processing is necessary for the performance of a contract that you concluded with your client, e.g. if he ordered from your e-shop, you need to collect his home address so that you can deliver your product to him.
2. The consent myth 2 – I have it
The opposite approach is that many think that if they have the consent of the data subject, the problem is solved and the data processing is lawful.
This attitude can be quite dangerous. While in many cases consent may be an appropriate legal basis, there are legal relationships and situations where it cannot be used.
For example, in employment relationships consent generally cannot be considered freely given. So even if your employee signs that he gives his consent to the processing, it will be invalid and your processing activity will be unlawful.
Employee consent can only be a lawful basis if the employee solely gets benefits, for example if you give your employee a book voucher as a Christmas present and therefore request his consent to disclose his name to the bookstore.
3. I do not possess the data – I am not responsible
Clients often do not consider themselves responsible for the processing since they have not collected the data and it is not stored in their systems.
Nevertheless, you must not forget that if you determined the purpose of the processing, even if you do not carry out the processing activity yourself, you will be the controller and, at the end of the day, responsible for the processing.
For example, if you entrust a marketing company to collect the e-mail addresses of persons who might be interested in your services and send them direct marketing messages, you will be a data controller regardless of the fact that it was not you who collected the data and sent the messages to the data subjects.
4. I do not process the data, I only store it
I often hear from clients the following sentence: we just store the data in our systems, but we don’t process it.
Bad news for them: storing the data is actually a processing activity. The whole point of the GDPR is to protect personal data against misuse and damage during processing. It is self-explanatory that data can be accessed or destroyed unlawfully during storage, so it makes sense to consider storage as processing and to place responsibility on the person who does it.
For example, if you store a client e-mail address list on your server, even if you don’t ‘use’ it (e.g. don’t send e-mails to them), this is processing of the data and you will be liable for it.
5. I cannot transfer data outside the EU
Clients sometimes ask me: I have read on the Internet that after the GDPR enters into force, we cannot send personal data outside the EU, so what will we do with our contacts from the US / China etc.?
It is true that transferring personal data outside the European Union is only possible with certain safety guarantees, which likely makes the data flow harder, but it is not forbidden.
For example, if the US company to whom you send personal data is registered under the Privacy Shield, the data transfer will be considered safe. Or, if this option is not available, you can enter into a data transfer model contract with the recipient, which could be an appropriate safeguard for the data transfer.
To sum up, several ‘half-truths’ regarding the GDPR are spreading nowadays. You should be very careful with them since they either bind your hands unnecessarily or, what is even worse, create a false sense of security which can cost you an arm and a leg.