GDPR-Data processing tasks in connection with the General Data Protection Regulation

The law applies to everyone, who controls data, processes data and does not use data for private purpose.

Please, involve an appropriate data protection specialist (lawyer, IT specialist) in order to comply with your obligations laid down in the Act, because ignoring the law or improper use may result serious fine in the case of an incidental authority check or a complaint of a private person.

The task in connection with the regulation is to control how and what kind of data are handled by the company. During this the followings should be identified and registered in a record:

Lawfulness, purpose and duration of the processing
Description of categories of personal data
Information and contribution of data subjects
Appropriate complementation of contracts
Method of processing
Access to data, description of recipients
Method of storage
Method of destruction

It’s important to emphasize that the handling of personal data need to have an actual purpose which can be the following:

Lawfulness of processing:

Given consent to the processing of personal data for one or more specific purposes
Processing is necessary for the performance of a contract
Processing is necessary for compliance with a legal obligation
Processing is necessary for the purposes of the legitimate interests
Processing is necessary in order to protect the vital interests
Exercising of official authority

Definitions

Personal data

means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Data concerning health

means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status

Processing

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Controller

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

Processor

means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

If your company considered as an SME and does not handle data of a special category (such as such as health, ethnic, religious, racial or union membership) you do not need to designate a DPO.

If your company employs less then 250 people and doesn’t handle data of a special category, then you do not need to make a data protection record, but you have to fully complied with the provisions of the regulation.

Due to the general nature of our informing letter, the advice does not constitute a base for a decision.

We would like to inform you also, that all subjects above are not tasks of the accountant. If required, please contact a data protection specialist with the above specialties.

Budapest, 25th of May, 2018

Dr. Anikó Emese Boros tax advisor

Krisztina Gubicza cert. tax expert