Data processor information, privacy rights and intra-group transfers

Recently, NAIH (Hungary’s Authority for Data Protection and Freedom of Information) imposed HUF 1 m fine (EUR 3,200) against a company that offered a prize draw competition for customers without providing adequate privacy information. The company shall amend its privacy notice in accordance with NAIH’s findings and make it available on its website. The underlying resolution provides further guidance to companies to ensure that their data processing operations are in compliance with local requirements. NAIH's approach is strict in comparison to most EU DPAs. This strict approach is likely to continue after the GDPR becomes mandatory.

NAIH’s main findings include:

Privacy notices shall contain a detailed list of the data processors involved, including their specific activity and for how long they can access a participant’s data.
Privacy notices shall provide detailed information on the participants’ data protection rights and remedies (e.g. the deadlines for the company to fulfil the individuals’ requests, and the competent court for the matter.)
Companies shall obtain a separate consent for the transfer of personal data to another company in its group (that will send marketing messages to the customers), and conclude a data transfer agreement for this purpose.
The contents of the company’s mandatory registration in the Data Protection Registry shall always match the information provided in the privacy notice, such as the scope of data, the purpose for processing it, and the data retention period.

As part of GDPR compliance, companies should revise their privacy notices, the information they provide on data processors, their consent forms to verify if they are compliant with the above resolution. As of 25 May 2018, there will be no registration obligation in the Data Protection Registry but it cannot be excluded that NAIH will check the former registrations in case of an inspection. Therefore, it is also advisable for companies to check whether their privacy notices mirror the information they provided in the registration.

Register now for your free, tailored, daily legal newsfeed service.

Data processor information, privacy rights and intra-group transfers

Filed under

Laws

Popular articles from this firm

Hungary fines two companies for GDPR infringement *

Free parking of electric vehicles in Budapest - Hungarian government supports e-Mobility *

Hungary: Data Protection Aspects of Blockchain *

Hungary launches new registry and registration procedures for companies as of 1 July 2023 *

Hungary introduces new Whistleblower Protection Act *

Related practical resources PRO

Related research hubs