On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force in all EU Member States. By this date, all data controllers handling the personal data of European Union citizens were required to review their data controlling activities and to adjust their processes, internal rules and safeguards to the requirements of the GDPR. In our experience, however, companies are still not aware of the amount of data they control and/or process, nor of the regulations that apply to them.
One of the crucial points of data privacy relates to employee data. Usually, the largest volume of data accumulates in the HR department through recruiting, onboarding and payroll processes. Companies should always keep a close watch over their data flows and should regularly educate their employees to do the same.
The other issue commonly overlooked in commercial relations is controlling the data of all the business partners/clients (e.g. email addresses, names, phone numbers, signatures) while carrying out the core activity of the company. Adequate and thorough notifications are required in most cases.
There is a special focus on the data privacy aspects of CCTV surveillance (whether carried out in storage or factory facilities or in office settings) and of electronic entry systems. General practice suggests that separate policies and notices are needed to draw attention to the use of these devices.
Further, the guidelines published by the Hungarian Data Protection Authority (“HDPA”) during the outbreak of the COVID-19 pandemic put an emphasis on good practices for controlling sensitive (e.g. health) data during the management of a health crisis.
In order to fully comply with the GDPR, comprehensive privacy policies need to be prepared that regulate any and all data controlling activities of a company. Further, statutory notices and, where applicable, written consents need to be prepared, covering, among others, the full scope of data controlling activities, the data security measures, the special grounds for controlling sensitive data, and the balancing of the opposing interests of the data subject and of the company as controller.
Alternatively, Binding Corporate Rules (“BCR”) may be created and applied to the data controlling and data transfers within a company group. Data transfers between entities bound by the same BCR are allowed if adequate GDPR safeguards are in place, even if certain members are non-EU entities.
On a further note, under the GDPR a written agreement should be concluded between the data controller and the data processor, the latter being the party that processes personal data on the instructions of the data controller. The GDPR also defines the minimum content of such a written data processing agreement.
The HDPA may impose a fine for any breach of the GDPR or of national regulations in an amount of up to 4% of the worldwide turnover realized by the company and its company group in the last closed financial year or EUR 20,000,000, whichever is higher.
Considering the detailed regulation and the spill-over effect of data privacy on the full scope of a company’s activities, an all-encompassing data privacy audit reviewing the related documents and the company’s data controlling processes could help identify the data streams within the company and the gaps in compliance, and could facilitate the preparation of a complete package of fully compliant GDPR documents tailored to the individual needs of each company.