I. International affairs – GDPR

Please note that you can find detailed information in English about the NAIH’s activities in our annual reports.

  1. The Application of the General Data Protection Regulation since 26 May, 2018

The GDPR becoming applicable naturally brought about significant changes in the operation of the NAIH. The Hungarian data protection authority was also required to review and re-examine its activities, and thus modified them in terms of both substantive-law and procedural issues. In order to ensure the concord of the procedures of the Authority with the rules of the GDPR, the Privacy Act had to be amended. The Amendment Act came into effect as of 26 July 2018. To ensure concord with the GDPR, the Amendment Act introduced the authority procedure for data protection on the application of the data subject. This is based on the right of the data subject to lodge a complaint with a supervisory authority provided for by Article 77 of the GDPR, according to which every data subject shall have the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data relating to him or her infringes the Regulation. From 26 July 2018, therefore, authority procedures for data protection on the application of data subjects are initiated in accordance with the rules set forth by the GDPR, the amended Privacy Act, and the Code of General Administrative Procedure.

If the data subject wishes to have his or her application examined in the framework of an authority procedure, his or her submission has to meet formal and substantive requirements (https://naih.hu/data-protection/investigation-by-the-authority).

Applications by e-mail primarily result in inquiry procedures.

Where it considers this warranted, the Authority may commence an authority procedure for data protection ex officio. Commencing an authority procedure is obligatory where

  • it is preceded by an inquiry, and the infringement found was not remedied or its imminent threat was not eliminated in the course of the inquiry procedure, or
  • the Authority finds on the basis of its inquiry that an infringement related to the processing of personal data has occurred or there is an imminent threat of such an infringement, and a fine may be imposed according to the provisions of the GDPR.

The time provided for completing an authority procedure for data protection is 120 days. If the Authority does not terminate the procedure, or does not come to a decision on the merits of the case, within 90 days of the submission of the application, it shall notify the data subject of the actions in the procedure it has taken.

By way of notification, anyone can still initiate an inquiry procedure for data protection if he or she considers that the processing of personal data infringes rights or that there is an imminent threat thereto. An inquiry procedure does not constitute an administrative authority procedure, and is conducted under the provisions of the Privacy Act together with the derogations defined by the GDPR.

  2. Cooperation in cross-border cases

The NAIH regularly cooperates with data protection authorities in other Member States of the European Union under the GDPR. To allow the supervisory authorities of the different member states to share information with each other effectively, the European Commission has developed a dedicated system for cooperation, the Internal Market Information system (IMI): https://ec.europa.eu/internal_market/imi-net/index_en.htm

Identifying a lead supervisory authority is relevant or necessary when the controller or processor in question is carrying out international or cross-border processing of personal data. Data processing is deemed cross-border if an organization has establishments in two or more EU member states and the processing takes place in the context of their activities, or if the organization’s data processing activities substantially affect data subjects in more than one EU member state. The NAIH has been lead authority in only a few cases so far (the list of the decisions is available in Hungarian: https://naih.hu/europai-adatvedelmi-testulet-edpb).

  3. How to communicate the contact details of the DPO? – guide of the NAIH

According to Article 37 (7) of the GDPR: “The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.”

Based on the above, controllers and processors are obliged to designate a data protection officer and to communicate their contact details to the supervisory authority under the GDPR itself, and not under national (in this case Hungarian) legislation. Although the quoted provision does not clearly define to which supervisory authority the contact details of the DPO must be communicated, according to the Authority this can be deduced from other provisions of the GDPR as follows:

In line with Article 56 (6) of the GDPR: The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

The point of view of the Authority is that, in principle, the obligations of data controllers set forth by the GDPR must be fulfilled towards the lead supervisory authority. Therefore, it is sufficient to communicate the contact details of the designated DPO to the lead supervisory authority, i.e. the supervisory authority of the main establishment or of the single establishment of the controller or processor. Based on the above, the Authority is of the opinion that it is necessary to identify which supervisory authority is the lead supervisory authority for the processing activities of the company or group of companies concerned.

Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority (hereinafter referred to as: Guidelines)[1], adopted by the European Data Protection Board, can help to identify the lead supervisory authority. The Authority notes that section 2.1 of the Guidelines contains information on the identification of the ‘main establishment’ for controllers: section 2.1.1 provides the criteria for identifying a controller’s main establishment in cases where it is not the place of central administration in the EEA, section 2.1.2 contains information regarding groups of undertakings, section 2.2 refers to ‘borderline cases’, and finally, section 2.3 provides clarification regarding data processors.

The Authority considers that it is necessary first to determine whether the company or group of companies has an establishment in the European Union. In this regard, recital (22) of the GDPR contains the following information: “Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

Furthermore, based on section 2.2 of the Guidelines, in case a company or a group of companies does not have an establishment in the EU: “[…] In these circumstances, the company should designate the establishment that has the authority to implement decisions about the processing activity and to take liability for the processing, including having sufficient assets, as its main establishment. If the company does not designate a main establishment in this way, it will not be possible to designate a lead authority. Supervisory authorities will always be able to investigate further where this is appropriate.”

Further, if the provisions set forth in Article 3 (2) of the GDPR apply to the data controller, then pursuant to Article 27 it is obliged to designate a representative in a member state. The authority competent according to the seat / place of residence of the appointed representative (as well as the place of activity of the given company) will be considered the lead supervisory authority, and therefore the name and contact details of the DPO shall be communicated to it.

In this context, the Authority notes that where Article 3 (2) applies but the controller or the processor has not fulfilled its duty to designate a representative in the Union, and the lead supervisory authority is therefore not determined, the data controller or processor has to communicate the contact details of the designated DPO to all national supervisory authorities where data processing activities may take place.

The obligation set forth in Article 27 of the GDPR is independent of the Member State in which the data subjects whose personal data are processed by the data controller reside.

Accordingly, if the designated representative has its registered office/residence in Hungary, the company will have its main establishment in Hungary within the EU, regardless of the fact that it does not specifically carry out its data processing operations with regard to Hungarian persons. In such a case, therefore, the Authority is of the opinion that the name and contact details of the DPO should be notified to the Authority.

In cases where a group of companies with headquarters outside Hungary appoints a DPO for the entire group, the question may arise whether it is sufficient for the Hungarian Authority to receive the contact details of the DPO once, on behalf of the parent company, or whether the Hungarian Authority requires separate notification from each company in the group individually. In connection with this question the Authority draws attention to the obligations set forth in Article 37 of the GDPR. Based on these, the controller is obliged, under certain conditions, to designate a DPO, publish the name and contact details of the DPO and communicate them to the supervisory authority.

Based on the above, the Authority is of the opinion that, as a first step, the group of companies should examine how many entities within the group are considered as independent data controllers, which are obliged to designate a data protection officer under the provisions of the GDPR.

If there are several such independent controllers operating within the group, each of them is subject to the obligation set out in Article 37 (7) of the GDPR separately; therefore these companies, as independent controllers, will be obliged to communicate the name and contact details of the DPO appointed by them, even if the designated data protection officer and the contact details are the same as those of several other companies within the group.

Where the lead supervisory authority of the company is the Hungarian Authority, the company has to communicate the contact details of the designated DPO to the Hungarian Authority as follows:

Please send the notification via the online DPO notification system of the Authority, as the Authority is not able to create an account on your – or on your company’s – behalf in the online DPO notification system. The online DPO notification system on the Authority’s website is available via the following link: https://dpo-online.naih.hu. An instructional guide for DPO notification is available at the following link: https://naih.hu/adatvedelmi-tisztviselo-bejelento-rendszer.

The communication to the DPO notification system (hereinafter referred to as DPO notification system) is considered to have been made only if the DPO confirms the registered data within 15 days of receiving the notification sent to them by the Authority to the e-mail address provided during the notification.

If the DPO fails to approve/confirm the registration within the aforementioned deadline, the notification of the designated DPO is considered to have failed, and therefore the Authority shall not publish the data of the DPO.

Finally, the Authority would like to draw your attention to the fact that one of the tasks of the DPO is ‘to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation’[2].

According to Section 2.3 of the Guidelines on Data Protection Officers (DPOs)[3], adopted by the Data Protection Working Party set up under Article 29 of Directive 95/46/EC, the data protection officer, with the help of a team if necessary, must be in a position to communicate efficiently with data subjects[4] and to cooperate[5] with the supervisory authorities concerned. This also means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.


II. International affairs – Participation in the joint supervisory activity of data protection, law enforcement


[1] Available in English via the following link: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-82022-identifying-controller-or-processors-lead_en

[2] GDPR Article 39(1)(a)

[3] https://ec.europa.eu/newsroom/article29/items/612048

[4] GDPR Article 12(1): ‘The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.’

[5] GDPR Article 39(1)(d): ‘to cooperate with the supervisory authority’