The law applies to everyone who controls data, processes data and does not use the data for private purposes.
Please involve an appropriate data protection specialist (lawyer, IT specialist) in order to comply with your obligations laid down in the Act, because ignoring the law or improper use may result in a serious fine in the event of an incidental authority check or a complaint from a private person.
The task in connection with the regulation is to check how and what kind of data are handled by the company. During this, the following should be identified and registered in a record:
- Lawfulness, purpose and duration of the processing
- Description of categories of personal data
- Information and contribution of data subjects
- Appropriate complementation of contracts
- Method of processing
- Access to data, description of recipients
- Method of storage
- Method of destruction
It’s important to emphasize that the handling of personal data needs to have an actual purpose, which can be one of the following:
Lawfulness of processing:
- Given consent to the processing of personal data for one or more specific purposes
- Processing is necessary for the performance of a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary for the purposes of the legitimate interests
- Processing is necessary in order to protect the vital interests
- Exercising of official authority
means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data concerning health
means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
If your company is considered an SME and does not handle data of a special category (such as health, ethnic, religious, racial or union membership), you do not need to designate a DPO.
If your company employs fewer than 250 people and doesn’t handle data of a special category, then you do not need to keep a data protection record, but you have to fully comply with the provisions of the regulation.
Due to the general nature of our information letter, the advice does not constitute a basis for a decision.
We would also like to inform you that the subjects above are not tasks of the accountant. If required, please contact a data protection specialist with the above specialties.
Budapest, 25th of May, 2018
Dr. Anikó Emese Boros tax advisor
Krisztina Gubicza cert. tax expert