THE COUNTDOWN TO EU DATA PROTECTION REGULATION HAS BEGUN
27 March 2017
I can imagine that when you hear the words "data protection", you are not exactly excited. Worse, you may skip this article altogether. You probably think that, when running your business, you have much bigger problems than data protection compliance. Still, I encourage you to give it 5 minutes and read through this short summary of the 5 most important impacts of the General Data Protection Regulation (GDPR) on your business. The GDPR will only enter into force in May 2018, so this is the perfect time to familiarize yourself with the new rules.
Don’t let the term “EU Regulation” fool you: the GDPR also catches organisations outside the European Union if they offer goods or services to EU citizens or residents. This means that if you have a company in China and you are targeting consumers in Hungary, your company will be subject to the GDPR.
To raise the stakes, not only the territorial reach but also the personal scope of the GDPR has been expanded. Currently, data protection is the sole responsibility of the data controller (the one who owns the data). The GDPR changes this and provides that the processor, who carries out the data processing on behalf of the controller, will also be held responsible for data protection.
At the end of the day, however, the main responsibility remains with the controller, as the controller is expected to choose a processor who provides sufficient guarantees that the processing will be in line with the GDPR.
The scariest innovation of the GDPR, and the one most likely to attract the attention of executives and shareholders, is the level of the fines that can be imposed for data protection infringements.
The current data protection law in Hungary allows the Data Protection Authority to impose a fine of at most 20 million Hungarian forints. Additionally, the authority cannot impose fines on small and medium enterprises for their first data protection infringement.
Luckily, the GDPR does not change everything: the maximum amount of 20 million remains. The only difference is that the currency will be euros, not forints. Or, if it is higher, the maximum fine is 4 % of your annual worldwide turnover. So be careful of being a profitable business with crappy data protection. At this point in time, it is not certain whether the SMEs’ exemption from fines for a first infringement will remain in force or not.
When imposing fines, the authority shall consider, among other things, the nature, gravity and duration of the infringement. In addition, the GDPR leaves it to the Member States to lay down further sanctions.
K.I.S.S. – Keep it simple, stupid
As a controller, you must inform consumers of their data protection rights and remind them of those rights.
Good news for companies that like to keep it simple, and bad news for lawyers who are obsessed with legal jargon: the GDPR explicitly requires that the information provided be in clear and plain language. The information must also be transparent and easily accessible.
Furthermore, data controllers are expected to help consumers exercise their data protection rights. This includes that a consumer's request to exercise those rights may only be refused if the controller proves that it cannot identify the consumer.
Data protection officer
The role of the data protection officer is not entirely unfamiliar to Hungarian companies. Currently, employing a data protection officer is obligatory only in certain sectors, for example for financial institutions or electronic communication service providers. Small and medium enterprises are exempt from employing a data protection officer regardless of their activity.
The GDPR again brings changes concerning data protection officers. Both data controllers and data processors shall designate a data protection officer if their activity requires regular and systematic monitoring of data subjects or if they process special categories of data (e.g. data concerning health). SMEs remain exempt from this obligation unless they process sensitive data.
The data protection officer will need sufficient expert knowledge and may either be employed by the company or work under a service contract.
Recording & impact assessment
As a new obligation, data controllers need to maintain a record of data processing activities. The record shall include the categories of recipients to whom personal data will be disclosed. For example, if you send the personal data of your employees to your lawyer for contract drafting or to your accountant who does the payroll, this needs to be included in your record.
Again, SMEs are not obliged to keep records, unless the processing is not occasional or sensitive data is concerned.
Another important innovation is the so-called data protection impact assessment. If the data processing is likely to result in a high risk to the rights of natural persons, the data controller shall, prior to the processing, carry out an assessment of the impact of the processing operations on the protection of personal data.
As you can see, a lot of big changes are coming, so it is worth starting to re-examine your procedures and processes to ensure compliance with the GDPR. In our next article we will give you useful tips on how to be prepared when the GDPR enters into force next year.