Hungary’s Data Protection Authority (NAIH) has just released nine brief opinions on GDPR interpretation*.

These opinions are based on a previously released one-page guideline for NAIH GDPR preparation*, which outlined the 12 key tasks for GDPR compliance: data protection awareness, data mapping, information obligations, data protection rights, data access, the legal basis for data processing operations, a revision of consents, protecting children's rights, data breach management, data protection by design and default/data protection impact assessments, data protection officers, and the competence of the data protection authorities.

In the opinions just released by the NAIH on GDPR interpretation, the most important points include:

  1. A NAIH analysis on GDPR aspects for the operation of municipalities (who is the data controller, when is it mandatory to prepare an internal privacy policy, and what is the personal liability of public servants?)
  2. The branch office of an insurance service provider must comply with local data protection laws, notwithstanding the rules of its parent companies and so-called "General Good" rules.
  3. The branch office of an insurance service provider may not appoint a DPO, provided that its group DPO is easily accessible and branch office staff possesses the language skills to communicate with the DPO.
  4. The proposed Hungarian legislation (to harmonise local data protection law with the GDPR) may require companies to notify NAIH of their DPO's contact details.
  5. The DPO is under no obligation to attend mandatory trainings.
  6. Managing directors and heads of IT and HR cannot be DPOs.
  7. The DPO cannot be "faceless," and even though one entity can appoint multiple DPOs, it must clearly name the person who bears privacy responsibility.

NAIH also received requests to analyse the scope of mandatory DPO appointment in more detail, and provide better data protection guidelines for accountants and payroll service providers. The NAIH's answers to these requests, however, merely repeat the provisions of the GDPR and the guidelines of the Article 29 Working Party.

NAIH also emphasised that it has no legal obligation to answer data protection consultation requests, but may do so subject to its capacity (e.g. if consultations do not hinder complaint investigations). NAIH will also try to answer requests if queried by data controllers who are having difficulties obtaining legal assistance.

* In Hungarian