Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

There must be a specific ground on which the controller may hold PII. As a general rule, six legal grounds exist:

  • the data subject’s consent;
  • necessity for the performance of a contract (to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract);
  • necessity for compliance with a legal obligation to which the controller is subject (Data Protection Act adds that such legal obligation must be set out in an act of parliament or a municipal decree);
  • necessity to protect the vital interests of the data subject or of another natural person;
  • necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • necessity for the purposes of the legitimate interests pursued by the controller or by a third party.

The Authority argues that, in the case of holding PII, apart from having one of the six above legal grounds, the controller must also check whether one of the conditions of article 9 of the GDPR applies (eg, the data subject needs to give explicit consent or the processing needs to be necessary to exercise or defend legal claims).

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Apart from the general rules for holding sensitive PII (see question 11), Hungarian law restricts the processing of certain sensitive PII. The most relevant restrictions are the following:

  • Health data may be processed only based on consent of the data subject or if the controller is authorised to process the data based on the authorisation of Act XLVII of 1997 on processing of health data and for the purposes defined in the act.
  • Employees’ biometric data may be processed for identification purposes under limited conditions (eg, unauthorised access would lead to threat to life or health).
  • Employees’ or job applicants’ criminal data may be processed for vetting purposes only if the applicable Hungarian legislation authorises it or if it is necessary to protect the employer’s significant financial interests, or to protect secret information (set by law), or to protect some other specific legitimate interests of the employer (such as storage of firearms or chemical materials).

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The GDPR applies directly. Controllers must notify data subjects whose PII they hold. The notice must contain the elements of article 13 of the GDPR (if PII is obtained from data subjects) or article 14 of the GDPR (if PII is not obtained from data subjects).

The Authority takes a granular approach: it requires detailed notice about the elements of article 13 or 14 of the GDPR at the level of each purpose. This means that the controller must first specify each purpose as precisely as possible (see question 18) and then provide all the relevant information for each data processing purpose.

As a general rule, the notice must be provided at the time the PII is collected from the data subject or (if the PII is not directly collected from the data subject) within a maximum of one month after obtaining the PII.

Exemption from notification

When is notice not required?

It is not necessary to notify the data subject about the processing of PII if:

  • the data subject already has the information (however, in this case, according to the Authority, the controller must be able to prove that the information has already been provided, that all necessary aspects of the data processing have been shared with the data subject and that there have been no changes in the processing);
  • the provision of such information proves impossible or would involve a disproportionate effort;
  • obtaining or disclosure is expressly laid down by EU or member state law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  • the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or member state law, including a statutory obligation of secrecy.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The GDPR applies directly. On this basis, individuals may exercise control over their information by requesting access to, rectification or erasure of, or restriction of the processing of their PII, or the portability of their PII.

The Authority argues that controllers must design their data processing so that individuals have easy control over their PII during the entire life cycle of the processing.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

PII must be accurate and, where necessary, kept up to date. Inaccurate PII must be erased or rectified without undue delay. Healthcare is an exception: the original inaccurate data must be kept in the medical records.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The controller may not collect PII that is unnecessary or irrelevant for the purpose (data minimisation) and may hold PII only for as long as it is necessary for the purpose (storage limitation).

If the scope of PII is set by specific national law, only that PII may be processed. Otherwise, the controller decides on its own about the amount of PII, in line with the data minimisation principle.

If specific national law sets the retention periods, those retention periods apply. If such law determines the circumstances of processing (such as the scope of PII and the authorised persons) but not the duration of processing, the necessity of the processing should be reviewed every three years. In other cases, the controller decides on its own about the duration of processing, in line with the storage limitation principle.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

PII may only be processed for a specified, explicit and legitimate purpose. The Authority adds that the purpose needs to be as specific as possible (eg, ‘marketing’ is incorrect, as it allows different interpretations; ‘sending newsletters’ is correct, as it allows only one interpretation). If the data was collected for one purpose, it should in principle not be used for another; however, certain exceptions apply (see question 19).

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Exceptions from the finality principle apply in the following cases:

  • if the new processing is for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • if the data subject gave consent to the processing for the different purpose; or
  • if the processing for the new purpose is based on EU or member state law that aims to achieve certain purposes (eg, home security or public safety) and the processing is necessary and proportionate to that purpose.

If none of the above applies, the controller may carry out a compatibility check according to the GDPR rules to assess whether the new purpose is compatible with the original one.