The Hungarian Data Protection Authority (DPA) recently published a Recommendation, on the obligation, to provide information to data subjects before the initiation of data processing. The DPA recommends that all data controllers review their privacy policies (and notifications) to make certain that they are compliant with this Recommendation.

The DPA warns that a well drafted privacy policy or notification in itself will not render the data processing lawful. The information to be provided to the data subjects before the data processing is only a part of a complex process, which should be the outcome of the careful planning of the whole data processing activity by the data controllers. In accordance with this Recommendation it is also expected from larger data controllers (organizations with more complex data processing) to have a detailed privacy policy, which should explain the rights and obligations of the employees processing personal data within the organization in the form of a handbook. In the case of any changes in the data processing, the DPA recommends modifying both the information provided (the notification) and privacy policies.

In accordance with the Hungarian Data Protection Act (Info Act) before data processing takes place the data subjects shall be clearly, and elaborately, informed of all aspects concerning the processing of their personal data. According to the DPA the simplest form of providing such information is the preparation of a ‘data processing notification’ and the data controllers must make it sure that the data subjects get acquainted with this notification before the data processing takes place.

In the Recommendation the DPA elaborates on this obligation and sets out the following detailed requirements towards data controllers:

General requirements regarding the quality and accessibility of the information to be provided:

  1. The notification must be understandable

It is not acceptable if the legal requirements are quoted word by word. The notification must determine the data processing activity with succinct words which are regularly used in everyday life. It is suggested to use examples to illustrate the data processing.

  1. The notification must be readable and well structured

It is strongly recommended to prepare the notification in a table format where there is more complex data processing activity (e.g. indication of data processing activity, purpose, legal basis, type of data, term of processing etc.). Q&A format is also a good practice.

  1. The notification must adapt to the data subjects

E.g., if the data subjects are foreigners, it is recommended to have the notification in English.

  1. The notification is not a legal statement

The DPA emphasizes that the notification and the consent for data processing are different legal instruments. Informed consent is based on appropriate information to be provided to the data subjects on the data processing.

  1. The notification must contain information on the specific data processing activity of the data controller

In the case of more complex data controller organizations, personal data can be accessed by more persons. Data subjects should know how such organizations operate in order to make an informed decision on the processing of their personal data.

  1. The notification must be accessible

It is recommended that the notification is published on the web page of the data controller.

The Recommendation also details the specific requirements under the Info Act, according to which the data subject must be informed – among others – of the (1) data controller, (2) purpose of the data processing, (3) legal basis of the data processing, (4) type of data processed, (5) term of the data processing, (6) use of data processor, (7) persons entitled to access to the personal data, (8) means of data security applied by the controller (10) rights and remedies of the data subjects.

The Recommendation is important for all data controllers to whom Hungarian laws apply, as the Hungarian DPA is entitled to impose fines for the breach of data protection laws up to the maximum amount of HUF 20 million (app. EUR 65,000). On an equally important note, according to a very recent judgement of the Court of Justice of the European Union (in a case where the Hungarian DPA imposed fine on a foreign company), data protection legislation of a Member State may be applied even to a foreign company which exercises in that State, through stable arrangements, a real and effective activity.