The position of the National Authority for Data Protection and Freedom of Information in Hungary (hereinafter referred to as: NAIH) on the data protection reform, its (former) recommendations as well as resolutions passed in individual cases may serve as a guide for legal compliance with the General Data Protection Regulation (GDPR) of the European Union and the development of proper data processing practice.
The NAIH already had a well-established practice regarding the form and content requirements of a privacy statement, which served as the basis for data subjects’ consent even prior to the application of the GDPR, but this topic was addressed by the opinions of several Hungarian authorities after 25 May 2018 too. In this article we summarise the most important findings of the NAIH.
Starting point: without a privacy statement, a data subject’s consent does not comply with the GDPR
According to Article 4 (11) of the GDPR, ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. This means the data subject’s consent will only comply with the GDPR if the data subject gave it based on preliminary information. It is important to emphasise that in light of the principle of accountability, the controller has to be able to prove that preliminary information was given. One of the best tools for this is if the consent follows the privacy statement, where the page numbers are continuous and the sheets are stapled together.
Most important privacy statement requirements in terms of form
The Hungarian NAIH expects the privacy statement to be easy to read (appropriate font size), transparent and appropriately structured. Using a table format is good practice according to the NAIH. If the controller adopts a Q&A format, this can help the data subject understand the privacy statement. It is important that the privacy statement should be accessible for the data subject as well (e.g. in a footer on a website).
Most important privacy statement requirements in terms of content, in addition to mandatory GDPR elements
According to the NAIH’s position, in line with the preamble of the GDPR (point 58) and Article 12 (1), among other things the statement is acceptable if it considers the group of data subjects (group-specific aspects) and uses clear and plain language. One typical error in practice is that the privacy statement uses language that is too general or too complicated, does not include examples or ignores the age (as a group-specific aspect) of the data subjects.
The requirement of clean and plain language means that the privacy statement is accessible for the data subject in terms of the words used. According to the NAIH’s previous position, “if the controller wants the data processing to cover the personal data of foreign citizens (e.g. the guest book of a hostel, a tender for foreigners), the controller has to ensure that the privacy statement is available at least in English.” Based on guideline WP260 rev.01 on transparency, facilitating the application and interpretation of the GDPR and issued by the Data Protection Working Party established based on Article 29 of Directive 95/46/EC, the NAIH stated that “if it can be established that an application has data subjects living/residing in a given country such as Hungary for example, because the website is also available in this language, the privacy statement can be expected to be available in Hungarian, and in this case, the lack thereof implies a violation of the requirement for clear and plain language. In this case, due to the lack of appropriate information, the data processing would violate Article 13 of the GDPR.”
When formulating and applying the privacy statement it is recommended to take these NAIH findings into consideration and incorporate them into data processing procedures, since during a potential audit the NAIH, in line with the GDPR, will require the controller to process data in accordance with the above.
If you are interested in checking whether your company’s data processing practices in Hungary comply with GDPR requirements, please contact us and we will review them in a data protection due diligence.