Data protection rules such as the EU's new General Data Protection Regulation (GDPR) apply to personal data. But what does personal data mean? According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable…

In connection with the operation of a group of companies, there is a very frequent need to transfer personal data within the company group, even when some of the group companies operate outside the EU. In cases where certain members of a group of companies operate in third countries for which there…

Each year, on January 28, the Data Protection Day is celebrated. Why on January 28? The reason is that the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for ratification on that day in 1981. In 2018, data protection…

When designing data processing activities, there is often a need to transfer the personal data to a third country (e.g. in order to carry out processing activities there). What should we do to transfer personal data to third countries lawfully? The GDPR contains relatively detailed rules on the…

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (GDPR) were published at the end of October by the Article 29 Working Party (WP 29). In my previous post, I have outlined the principles set out in the Guidelines. In this post, I give a…

The high amount of the administrative fine, which can reach a maximum amount of EUR 20 million or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, makes it extremely important for data controllers and data processors to be prepared for…

Last updated: 19.06.2018! On May 25, 2018, the GDPR becomes applicable. Many data controllers and data processors are already in the process of preparing for the GDPR. Although there is no need to transpose the GDPR into Member States' respective legislation, since it is directly applicable in all…

The concept of personal data breaches was not introduced by the GDPR, but the GDPR contains a number of provisions relating to personal data breaches that data controllers (and processors) must also be aware of. What is a personal data breach? The concept of personal data breaches is closely…

The first draft of the amendment of the Hungarian regulation related to the EU's general data protection regulation has finally been released. The proposal for the amendment of Act CXII of 2011 on the right to information self-determination and freedom of information (the “Hungarian Data Protection…

Many data controllers consider consent as the primary or preferred legal basis for data processing. Although in many cases it would be justified to use another legal basis instead of the consent, data controllers often obtain consents from the data subjects. Not only data controllers have this…