Information on Regulation (EU) 2016/679 of the European Parliament and of the Council, more commonly known as GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as GDPR) has been in force for two years, however, it will also be applicable in all Member States from 25 May 2018.
Privacy has always been of particular importance for iData Kft., we have already kept it in view in our practices and processes so far. We also pay attention to ensuring the compliance of our services provided to you with the increasingly stringent privacy requirements.
During the preparations for GDPR, our Company has performed the following in the framework of a privacy audit:
- identifying its individual processes of data processing,
- examining concerning which of its service activities it is considered to be a controller, and in which cases it is considered to be a processor,
- preparing its Privacy and Data Security Policy, its internal Data Protection Register, and the required notices with which it is to ensure the right of the data subjects to transparent information,
- developing the process of managing requests and incidents related to personal data.
We have been employing a data protection officer for years in order to ensure that all our processes related to data protection are set up and operated appropriately.
In our work, we aim to provide all the necessary information to you, so that the transition to the new data protection regulation can be realized as easily as possible. In accordance with this, we would like to summarize the recommended steps of preparation for you.
First of all, it is worth reviewing the most important principles of data processing as per the legislation in force and entering into force:
- the principle of purpose limitation (data may only be collected and stored for pre-defined purposes)
- the principle of data minimisation (data may only be collected and stored to the extent strictly necessary for the fulfilment of the purpose)
- the principle of accuracy (the data processed should be accurate and complete)
- the principle of storage limitation (data may only be collected and stored until the fulfilment of the purpose)
- integrity and confidentiality (fair data processing)
- the principle of accountability (the controller is obligated to comply with the regulation and be able to prove compliance)
It is also worth clarifying a few basic concepts.
- Data subject: any specified natural person that is identified or – directly or indirectly – identifiable based on a piece of personal data;
- Controller: the natural or legal person, or an organization without legal personality which, alone or jointly with others, determines the purposes of the processing of data, makes the decisions concerning data processing (including the means used)and executes them, or has them executed by the processor;
- Processor: the natural or legal person, or an organization without legal personality which performs the processing of data based on a contract – including the contracts concluded based on a legislative provision;
- Personal data breach: the unlawful management or processing of personal data, in particular unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction or corruption;
- Personal data: data related to the data subject – in particular, the name, identification number, or one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, as well as the conclusion that can be drawn from the piece of data concerning the data subject
Based on the above and the interpretation of the European Commission, for example, the following are considered to be personal data:
- first name and last name;
- email addresses of the type firstName.lastName@company.com;
- location data (e.g. the positioning function of the mobile phone)*;
- IP address;
- cookie identifier; (separate legislation also applies to this)
- the advertising identifier of the phone;
- data stored by a hospital or physician that enable the unique identification of the person;
- license plate number.
For example, the following are not considered to be personal data:
- company registration number;
- email addresses of the type firstname.lastname@example.org;
- anonymised data.
In the course of preparation, the following steps are worth considering and performing:
- review of the data processing policy, or its creation if you did not have an existing one.
- review of your own data processing practices: you should consider what data you are processing, for what purposes, and for how long. GDPR allows the processing of personal data for pre-defined purposes, until their fulfilment. You should record your process of data processing in your data processing policy.
- considering the legal basis for processing: you should consider for all personal data you process whether you have a legal basis for their processing, whether this is active consent or a statutory obligation concerning their processing and storage. However, in cases in which the storage of personal data is a condition of the performance of the contract, you can do this without special authorisation as per the regulation.
- implementing the right to informational self-determinationin practice: you should be sure that you only process personal data for which the data subject has provided their active, preliminary consent. The consent can be considered lawful if it was voluntary, explicit, and informed. If this does not apply to your data, you must request the consent of the data subjects.
The controller must be able to prove the existence of consent towards both the authority and the data subject.
- consultation and deletion: the data subject may request the consultation of the data stored, or their deletion (them being forgotten). Consider how you can implement these.
- the handling of personal data breaches: consider what incidents may occur in your company. Examples include losing a data medium (a laptop, phone, flash drive, etc.) or any case in which personal data may fall into the wrong hands without the prior authorisation of their owner. Consider how you can prevent these. It is also worth considering how you can ensure that a personal data breach detected by any member of the organisation is reported to NAIH within 72 hours. A notification plan concerning this should be prepared.
- performing an impact assessment: if you are processing data with high expected risk from a data protection perspective, perform an impact assessment.
- employing a data protection officer: if you feel it necessary to employ a colleague who is expert in the field, or perhaps you have a statutory obligation to do so, employ a data protection officer.
In addition to the general steps of preparation, we have also gathered what is worth considering in relation to the services provided by our company to you.
- You should consider and compile the following:
- why you use a GPS tracking system,
- for how long do you need the data collected and stored,
- how justified is the creation and storage of reports,
- for how long can you retain your reports,
- how justified is the retention of reports concerning specific routes,
- The Labour Code allows the monitoring of employees during their performance of work (Labour Code, section 11). If data recording performed using GPS tracking is justified due to the job role, current legislation allows this following prior, written information. Check whether you comply with these provisions.
- Consider the installation of a private-company switch in your vehicles. The system of iData Kft. has been supporting this for over 10 years. Using this, you will dispose of less serious data, as the scope of data collected and stored is severely limited during private usage. Upon installation, you should inform the employees about how the switch should be used, and about the fact that some statistics – e.g. the number of kilometres travelled – are visible to you in all cases. If private vehicle use is allowed for the employees, this option may be important to you. If you require full information concerning this, contact our colleagues.
- Prepare a policy concerning how the data created regarding the employees are stored, and how they can view them.
- Check that the above exist in employment contracts, naturally, in addition to the presence of other general provisions of GDPR, if any change had to be introduced.
- You can track your vehicles and you can view your reports in the iTrack system. Check your access; can the privileges be justified along the current usernames, can everyone actually view what is necessary for their jobs? If you need to perform a change concerning this, request new usernames, and we will set them up according to your needs.
- Currently, we store your data in the system in accordance with the retention times agreed in your contract concluded with iData Kft., or requested by you in writing. If you have not made a statement regarding this, it shall be governed by the General Terms and Conditions. Think over whether you are satisfied with these settings, and if you wish to perform a change, you can do this by notifying our company in writing.
- If you are not sure whether you comply with the provisions of GDPR, or open issues remain concerning your processes, seek a GDPR expert. This will not be simple, as many are in a similar situation, but it is definitely worth discussing the finishing touches with an expert.
The National Authority for Data Protection and Freedom of Information, or in short, NAIH is responsible for the verification of compliance with the GDPR regulation. In Hungary, they provide help concerning the questions arising in relation to application.
If you wish to be informed of our latest news, subscribe to our newsletter!
You can find the full text of GDPR on the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
You can find further resolutions on the website of NAIH: https://naih.hu/az-adatvedelmi-reformmal-kapcsolatos-allasfoglalasok.html
The European Commission also helps in the interpretation of the regulation. Follow this link for plain language and infographics: https://ec.europa.eu/info/law/law-topic/data-protection/reform_en