When foreign lawyers or clients seek advice regarding the Hungarian regulatory environment of data protection, and would like to assess whether Hungarian data protection law poses any specific issues they need to observe when doing business in Hungary, the evident advice is that there is nothing to be afraid of, as Hungarian data protection laws are, as a result of the accession of Hungary to the EU, fully harmonized with the relevant EU laws, which are more or less familiar to most of the clients.
Although the above is true in general, it is time to stop for a moment and think it over again. Is it true that Hungarian data protection law (Act LXIII of 1992 on protection of personal data and transparency of public data, the "DPA") fully transposes the relevant EU directive, i.e., the 95/46/EC Directive (the "Directive")? Are there legal institutions which are missing from the Hungarian legal system? Are there specific Hungarian "inventions" in our legal system which are not compatible with community law?
First I propose to go back to the basics and explore the definitions. Under community law, the distinction between "data controller" and "data processor" is evident. The decisive element is that data "controlling" involves a decision on the use of the personal data, while "processing" describes all the activities that are physically or technically possible with the data. Although the definitions in the DPA seem to be in line with the Directive, in Hungarian practice processing is often confused with a computerized technical process.
Another area of concern is the exemptions from the general rules. Under Article 3 of the DPA, the legal title required for lawful controlling of personal data is either the consent of the data subject or a specific authorization of law. (Such authorizations are provided by the acts on electronic communications, police, etc.) On the other hand, Article 7 of the Directive provides other titles (see paragraphs (a) to (f) of Article 7 for details). Apparently, Article 3 of the DPA is a misinterpretation of the corresponding rules of the Directive. In practical life, the inability to base data controlling on the additional titles (exemptions) causes significant practical problems for companies which would like to act prudently and legally, but whose room to maneuver is very much restricted by the rigidity of the DPA.
The third, and (at least in our practice) the most frequent, problem is the issue of consent and the provision of information for purposes of obtaining the consent. A general principle of data protection law is that all data controlling requires (if not authorized by law) the consent of the data subject. Before asking for the consent, the data subject should be put in a position so that he/she is able to assess the consequences of his/her consent, i.e., assess whether the proposed controlling poses any risks to his/her privacy or otherwise. To this end, the data subject should be provided sufficient information on the nature and circumstances of the data controlling, such as the purpose and duration of the data controlling. The DPA precisely sets forth the scope of information to be provided in its Article 6(2). In the event the data is transferred to a third party, similar information on the third party should be provided before asking for the consent.
In Hungary, no real best practice has been developed as to the depth and level of information to be provided. Companies can (and should) rely on the above general rules and also the relevant notices and recommendations of the data protection commissioner. However, the general rule implies, and this is further supported by the data protection commissioner, that the information to be provided should be most specific, and should include all the details of the data controlling, and in the event of a data transfer, the exact identity of the recipient (including full (company) name, address, etc.).
On the other hand, the Directive seems to provide a more relaxed regime for information provision: Article 10(c) suggests that it is also sufficient when the information provided relates to the "categories" of recipients of personal data.
This ambiguity causes significant practical problems for companies wishing to act legally. Let's assume that a company which regularly collects personal data from its customers, clients, etc. outsources the processing of such data to a third party data processing entity. Let's also assume that the company, in order to be fully compliant with Hungarian law, precisely notified the data subjects about the exact identity of the data processing entity. What is the right practice when the data controlling company is not satisfied with the data processor and wishes to replace it with another entity? Although this is totally reasonable from a business perspective, the company may not be able to do this without enormous efforts, as it needs to notify all its clients, consumers, contacts, etc. about the identity of the new data processor and ask for a new consent for the processing by this new entity. If the company has links to thousands (or even millions) of data subjects, the above practice is more than unreasonable.
In practice, companies need to find the right balance between flexibility (provision of a reasonable amount of information) and being conservative, i.e., the provision of maximum information on the data controlling and processing. The position of the data protection commissioner suggests that a conservative view should be taken. It is very likely that a court would take the position of the data protection commissioner very seriously in a court procedure, even though the courts are not bound by such position. Thus, companies are advised to take a rather conservative view. Unfortunately, the right depth of information to be provided has never been tested in court litigation, and a concept of "reasonable amount" of information (let alone a sophisticated test to assess whether the information provided by a company has been sufficient) has not been developed by the courts.
Without elaborating in detail on the definition of personal data and private or trade secrets, it is generally true that personal data is every data through which a private individual can be identified, while there is also information which is not personal data in the strict sense but which still belongs to the private sphere of a private individual (personal secrets or private information) or a company (trade secrets). The two types of information fall under somewhat different (although not at all independent) legal protection regimes (i.e., specific data protection laws and protection of personal rights including privacy under the civil law).
In practical life, it is very common that a single piece of information constitutes both personal data and private information, or at least some portions of the information (incorporated e.g. in a company memorandum or an email) are personal data (names, addresses, telephone numbers) while other parts are rather private information only (contents of the conversation).