DAC Beachcroft in collaboration with Bogsch & Partners – Budapest, Hungary
What does this cover?
The Hungarian DPA’s recommendation elaborates on the requirements for notices that shall be provided to data subjects before the processing of their personal data starts.
It is a constitutional requirement that everyone shall be given the opportunity to follow up and check any data processing that concerns them, in order that data subjects can be aware of who processes their personal data, when, where and for what purposes. In the preamble of the recommendation, the DPA stated that the requirements for the content of notices set out in the relevant Act are not exhaustive.
In the recommendation, the DPA determined two sets of requirements:
1. General principles laid down by the DPA in the recommendation
The notice provided by the data controller shall:
- Be clear: repeating the words of the relevant Act is not adequate – the use of everyday wording is suggested.
- Be readable and understandable: the notice shall be structured and easy to understand.
- Align with the set of concerned data subjects: if in the course of the data processing the set of data subjects can easily be determined, then the notice shall align with the specific requirements of such data subjects.
- Not be considered as a disclaimer: the notice itself is not a disclaimer; however, the information therein may have great impact on the data subjects’ consent (which is indeed a disclaimer). Should the notice be considered as a disclaimer, its clarity and transparency would be weakened by the details required by law.
- Describe unique data processing: the document fulfils its role as a notice if it contains the unique data processing regulations concerning the specific data controller.
- Be available and accessible: the notice shall always be accessible for the data subject at the time when his/her personal data is being collected.
2. Detailed explanations of the requirements set by law (Section 20(2) Hungarian Data Protection Act)
The data controller shall notify the data subject of the following data:
- Data controller: name and contact details of the data controller (including email and postal address), as well as a website where the data processing information is accessible.
- Purpose of data processing: the purposes shall be formulated so that the data subject can easily determine the activity to which the processing of his/her personal data is related. The purposes shall be sufficiently specific and clear.
- Legal basis of the processing: beyond simply indicating the word 'consent', the notice shall contain the particular provision on which the processing is based.
- Processed data: all pieces of data intended to be processed shall be listed; using generic terms is not adequate.
- Data processing period: data subjects shall be notified about the data processing period in connection with the indicated purpose(s).
- Data processor: if the data controller relies on a data processor, the same data shall be indicated for the data processor as is included for the data controller.
- Third parties with access to the data: all third parties that have access to the personal data of the data subject have to be listed, as well as details regarding what they do with the data and for what purpose.
- Data security measures: the data controller shall indicate what security measures are used for ensuring the adequate safety of the processed personal data.
- Rights and enforcement opportunities: the data controller shall notify the data subject of where they can file data processing related complaints and within what timeframe. Explaining specific data subject rights is also suggested.
What action could be taken to manage risks that may arise from this development?
Under the statutory data processing requirements, it is sufficient that the data controller simply notifies the data subjects of the respective legal provision.
However, the DPA states that data controllers can be reasonably expected to provide data subjects with extensive notices. The DPA recommends data controllers review and update their data processing notices accordingly. Companies should carry out such reviews and make any amendments that are necessary in light of these recommendations.
In our opinion, the publication of the recommendation signals that the DPA plans to examine data processing notices in more detail in the future.
Submitted by Dr. Tamás Gödölle, Attorney at Law at Bogsch & Partners – Budapest, Hungary