The Hungarian Data Protection Authority (NAIH) published its "black list" on processing activities that shall be subject to data protection impact assessment, in line with Section 35 (4) of the GDPR. The European Data Protection Board provided its opinion on the draft list at the end of September and the Hungarian Data Protection Authority finalised its list on the basis of EDPB's opinion.
The list contains items like:
- processing of biometric data aiming at systematic monitoring
- processing of biometric data concerning vulnerable data subjects
- processing of genetic data in connection with sensitive data or data of a highly personal nature
- processing of genetic data for evaluating or scoring a natural person
- credit rating
- solvency rating
- further use of data collected from third persons
- the use of the personal data of pupils and students for assessment
- smart meters
- automated decision making producing legal effects or similarly significant effects
- systematic surveillance
- location data
- monitoring employee work
- processing of considerable amounts of special categories of personal data
the processing of considerable amounts of personal data for law enforcement purposes
- processing of large amounts of data related to vulnerable data subjects for purposes different from the original purpose, in the case of
- the processing of the personal data of children for profiling, automated decision making, marketing purposes or providing them information society related services directly.
- the use of new technologies for data processing
- the processing of health data.
- when the data controller is planning to set up an application, tool, or platform for use by an entire sector to process also special categories of personal data.
- the purpose of data processing is to combine data from various sources for matching and comparison purposes.
No "white list" has been published in Hungary yet.