It is a legal obligation of the Hungarian Data Protection Authority (NAIH) to organise the annual conference of data protection officers (DPOs). Because of the GDPR's obligations regarding the appointment of DPOs, the number of DPOs registered by the Hungarian DPA has increased significantly. Therefore, in 2019, the DPA organised the annual DPO conference by publishing on its website video presentations by DPA employees (including the President and the Vice-president) on some of the most important topics, together with information in the form of Q&As based on the questions that DPOs had sent to the DPA in a survey conducted by the DPA in November 2019. (The materials are available here in Hungarian: https://naih.hu/dpo-konferencia-2019.html.)
The main topics of the conference were the following:
- setting of administrative fines,
- conducting balancing tests,
- requirements regarding the appointment of DPOs,
- obligations in connection with data breaches,
- lawfulness of data processing (main issues in connection with the different legal bases of processing),
- experiences in connection with exercising the data subject rights,
- rules of the main procedures of the Hungarian DPA, etc.
In the available written Q&A materials, there are some important findings that should be considered in connection with data processing activities:
1. "What is the appropriate way of personal identification in case of exercising rights via electronic means (e-mail)?" (Question no. 3)
This question can be very important, especially in light of the administrative fine imposed on 1&1 GmbH in Germany. According to the Hungarian DPA, a request for further information cannot be automatic: the controller shall examine whether, based on the request and the available additional information, it has any doubt regarding the identity of the data subject. "For example, there is no reasonable doubt if the request is received from an email address that has already been processed by the controller and there is no reason that may verify reasonable doubts of the controller about the identity of the sender of the email."
Even if there is a reasonable doubt regarding the identity of the person submitting the request, only such personal data may be requested from the data subject that is already processed by the data controller, i.e. the controller shall be able to compare the requested data with the data it already processes. In the course of identification, controllers shall take into account the principle of data minimisation. For example, it is possible to use a combination of data selected from the four natural personal identification data, the address and the case number.
2. "In case of companies processing larger databases and customer records, daily / weekly backups are prepared. Such backups are stored on separate data storage devices for a certain period of time. In the event that the personal data of a data subject shall be erased, is it also necessary to erase his/her personal data from the separately stored backups or is it enough to refer to the fact that such data are not used, there is no access to them and such will be erased after the expiry of the general limitation period?" (Question no. 5)
The DPA, referring to Articles 17 and 25, concludes that "... data controllers should design their systems in a way that, if it is necessary, they can erase the personal data also from the backups."
3. "Compliance with the data erasure obligation: how can the controller prove that the data has been deleted from the database? What would the Authority investigate in this respect in a potential procedure?" (Question no. 9)
If the data controller applies a system that, for example, logs such operations, then the relevant log entry shall be submitted; otherwise, other objective evidence is required depending on the given data processing activity. In addition, a written statement from the representative of the controller has probative value, in which he/she states, in the knowledge of his/her criminal liability, that the erasure has been performed, and in which the time of the erasure is also stated.
4. "How are the personal rights regarding voice and image regulated in Act V of 2013 on the Civil Code related to the GDPR, and to the rules regarding the lawfulness of processing set out in the GDPR?" (Question no. 15)
According to the DPA, the rights of data subjects may be restricted in line with Article 23 of the GDPR, if the restrictions are proportionate and necessary in a democratic society. For example, the provisions of the Civil Code regarding pictures showing a group of people (picture of mass or crowd; in Hungarian: tömegfelvétel) shall be regarded as such restrictions. (According to the Civil Code, no consent is necessary for such pictures.) However, such rules of the Civil Code may only be applicable under certain conditions and cannot be interpreted extensively. Where the GDPR does not allow derogations, the provisions of the GDPR shall be applied instead of the Civil Code.
5. "Can the electronic access control system be linked to the register of working time, and what legal basis can be applied in this case?" (Question no. 16)
According to the DPA, it is possible, but the two databases used for two different purposes of data processing shall be kept separate.
6. Questions regarding the processing of copies of IDs in the context of an employment relationship (Question no. 25)
The Hungarian DPA confirms its former position: while presenting the document is in line with the applicable laws, making copies of the documents does not comply with the principles of purpose limitation and data minimisation, because the documents also contain personal data that is not necessary for the employment relationship. In addition, the copy of the ID has no probative value.
The Authority would accept that copies are made if the employer, as data controller, develops a practice where only those data are copied from the document that the employer may process anyway. In this case, there is no new data processing activity; rather, it is a way that can help ensure data accuracy.
+1: Question no. 6 regarding online direct marketing is very interesting, because in its answer the Authority refers to the possibility of processing personal data for direct marketing purposes based on the legitimate interest of the controller in line with the GDPR; however, there is no reference to the advertisement laws based on the e-Privacy Directive (Directive 2002/58/EC, as amended), which require consent for such data processing. The answer of the Authority does not contain any hint as to how controllers can resolve this contradiction.