Data Protection

The document discusses the challenges posed by the digital revolution on data protection, highlighting issues such as data theft and the extensive processing of personal data by companies. It outlines the legal framework governing data protection in the EU, including the GDPR, and the rights of data subjects, as well as the responsibilities of data controllers. Additionally, it addresses the implications of data breaches and the role of supervisory authorities in ensuring compliance with data protection laws.

European Economic Law

Data Protection
Tamás Puskás
Digital revolution
• the emergence of the information society has brought new challenges (e.g. data theft, hacking,
phishing, etc.)
• widespread accessibility of the internet
• unrestricted data processing: public and private data controllers process personal data without
limits (physical, financial, legal), and data subjects' control over data processing is reduced
• people are generating personal data about themselves on an unprecedented scale
• big data: increasingly accurate profiles of individuals can be created based on the amount of
data they share about themselves online (including text mining in comments, likes, shares, etc.)
• new services and products have appeared on the market (e.g. cloud services, social media)
• technological advances: sending email instead of letters, uploading photos to Instagram instead
of a photo, storing data in the cloud instead of a filing cabinet, etc.
• data dominant business: (e.g. Meta) companies that make a profit from the management and
marketing of personal data and other data as part of their economic activity per se.
• Cambridge Analytica scandal: through Facebook, C.A., a political data analytics company, mined users' data to profile and place paid ads to influence users' political views. 87 million users were involved, of which 2.7 million were EU citizens.
• FB, YouTube etc.


The Data

• personal data: means any information relating to an identified or identifiable natural person (‘data subject’)
• an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• special categories of personal data:
• racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
• personal data relating to criminal convictions and offences
Applicable law

EU:
• Charter of Fundamental Rights of the EU
• Regulation 2016/679/EU (GDPR)

Hungarian:
• Fundamental Law
• Act V of 2013 on the Civil Code, 2:42-2:43. §
• Act C of 2012 on the Criminal Code, 219-220. §
• Act CXII of 2011 on the Right of Informational Self-Determination and on the Freedom of Information
• Other sectoral legislation (e.g. Advertising Act, Electronic Communications Act, Credit Institutions Act, Health Data Management Act, Personal and Property Protection Act, etc.)
Data protection in the legal system

• Charter of Fundamental Rights of the European Union
• Article 8 – Protection of personal data
• Everyone has the right to the protection of personal data concerning him or her.
• Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
• Compliance with these rules shall be
Data protection in the legal system
Act V of 2013 on the Civil Code
Section 2:43 [Specific personality rights]
Violation of personality rights means in particular
a) harm to life, physical integrity and health;
b) violation of personal liberty and privacy, and trespass;
c) discrimination against a person;
d) defamation or violation of good reputation;
e) violation of the right to keep personal secrets and the right to the protection of
personal data;
f) violation of the right to a name;
g) violation of the right to the protection of one’s image and recorded voice

Sanctions, for instance (2:51): ceasing the violation, grievance award


Data protection in the legal system
Act C of 2012 on the Criminal Code

Misuse of personal data


Section 219 (1) A person who, by violating a provision laid down in an Act or a binding legal act of the
European Union on the protection or processing of personal data and for gain or causing significant harm to
interests,
a) processes personal data in an unauthorised manner or in deviation from the purpose of processing, or
b) fails to take measures to safeguard such data is guilty of a misdemeanour and shall be punished by
imprisonment for up to one year.
Misuse of data of public interest
Section 220 (1) A person who, by violating the provisions concerning the publicity of data of public interest as
laid down in an Act,
c) conceals a data of public interest from a requesting party or fails to perform his obligation to disclose data
of public interest after being obliged to do so by a court in a final and binding decision,
d) falsifies or renders data of public interest inaccessible,
e) publishes or renders false or falsified data of public interest accessible is guilty of a misdemeanour and
shall be punished by imprisonment for up to two years.
• the Regulation is directly applicable, as opposed to the previous EU Directive, which required implementation and transposition into national law
• Stronger rights for data subjects
• „Privacy by design”
• Enhanced rules for data breach management
• Higher applicable fines
• significantly increases transparency and accountability, e.g. the data subject must be informed in simple, plain language

• Extraterritorial scope
• 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
• 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
https://docs.google.com/forms/d/e/1FAIpQLScX1RfucVxAW8zaWb
RJA-P16UbIV8BtZbM30JX2rXq0lfQh-g/viewform?usp=preview
Principles
1. Personal data shall be
• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and
transparency’)
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those
purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
(‘purpose limitation’)
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data
minimisation’)
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the
personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in
accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by
this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational
measures (‘integrity and confidentiality’)
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)
Fundamentals of legal data processing

• Data processing must always have a purpose (inventory processing is prohibited)
• Data must always have a legal basis/lawful grounds
• Information + exercise of other data subjects' rights must always be ensured
Purpose of data processing

• What is the purpose of the processing? There must always be a purpose, otherwise it is an inventory processing (= something that will be useful later), which is illegal
• Example: the purpose may be to send a newsletter, to monitor the health of a patient when providing a health service, to record school results, to provide an electronic communication service, to confirm hotel room reservations, to contact contracting partners, etc.

Legal basis

• Data subject's consent, e.g. to subscribe to a newsletter
• Performance of a contract, e.g. providing contact details before booking a hotel room
• Legal obligation, e.g. to keep invoices for 8 years under the Accounting Act
• Protection of vital interest, e.g. sharing of missing hikers' cell data with rescue teams
• Exercise of official authority vested in the controller or in the public interest, e.g. municipal cameras
• Legitimate interest of the controller or third party, e.g. fraud prevention list, credit check
Rights of the data subject

• Right to information – Article 13-14
• Right of access by the data subject – Article 15
• Right to rectification – Article 16
• Right to erasure (‘right to be forgotten’) – Article 17
• Right to restriction of processing – Article 18
• Right to data portability – Article 19
• Right to object – Article 21

Right to information: obtained from data subject – Art. 13; not from data subject – Art. 14.
• the identity and the contact details of the controller; the controller's representative;
• the contact details of the data protection officer
• the purposes and legal basis of the processing; (the legitimate interests pursued)
• transfer of personal data to a third country or international organisation
• the period for which the personal data will be stored, or the criteria used to determine that period;
• rights of the data subject
• the right to withdraw consent at any time
• the right to lodge a complaint with a supervisory authority;
Restrictions – Art. 23

• when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
• national security
• defence
• public security
• the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
• the protection of judicial independence and judicial proceedings
• a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) an
• the protection of the data subject or the rights and freedoms of others
• the enforcement of civil law claims.
Data Security Guidance
https://www.dataprotection.ie/en/organisations/know-your-obligations/data-security-guidance

• Data collection and retention policies
• Access control
• Automatic screen savers
• Encryption
• Anti-virus software
• Firewalls
• Software patching
• Remote access
• Wireless network
• Portable device
• Logs and audit trails
• Back-up systems
• Incident response plans
• Disposal of equipment
• The human factor
• Certification
Data breach

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Data breach – Supervisor

The controller shall notify the supervisory authority without undue delay and, where feasible, not later than 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

The notification shall at least:
(a) describe the nature of the breach: the categories and approximate number of data subjects; the categories and approximate number of personal data records concerned
(b) give the name and contact details of the DPO or other contact point
(c) describe the likely consequences of the personal data breach
(d) describe the measures taken or proposed to be taken, including measures to mitigate its possible adverse effects.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance.
Data breach – Data subject

When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication shall describe in clear and plain language the nature of the breach and contain at least the information and measures that must be sent to the authority.

Communication shall not be required if
(a) the controller has implemented appropriate technical and organisational protection measures, in particular those that render the personal data unintelligible to unauthorised persons, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise;
(c) it would involve disproportionate effort (in which case a public communication is used instead).

If the controller has not communicated the breach to the data subject, the supervisory authority may require it to do so, or may decide that one of the conditions under which communication is not required is met.
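As an added illustration (not part of the lecture slides), the breach-handling rules summarised above can be turned into a small incident-response checklist in Python: it computes the 72-hour deadline for notifying the supervisory authority, checks that the required notification elements (a)-(d) are filled in before the notification goes out, insists on reasons for a late notification, and decides whether data subjects must be informed individually, publicly, or not at all under the exemptions. The GDPR article numbers in the comments (Art. 33 for the authority, Art. 34 for data subjects) are supplied by the editor, not the slides; the breach scenario, contact address and every other value are constructed sample data.

```python
"""Breach-notification decision helper (added example, not the lecture's material).

Encodes the rules summarised in the slides: the 72-hour deadline to the supervisory
authority (GDPR Art. 33), the required notification content, and the rules for
communicating a breach to data subjects (Art. 34). All sample values are constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

AUTHORITY_DEADLINE = timedelta(hours=72)   # "where feasible, not later than 72 hours"


class Risk(Enum):
    UNLIKELY = "unlikely"   # unlikely to result in a risk -> no authority notification
    RISK = "risk"           # some risk -> notify the supervisory authority
    HIGH = "high"           # high risk -> also communicate to the data subjects


@dataclass
class BreachRecord:
    """Facts the controller must document for every breach (the Art. 33(5) record)."""
    nature: str
    aware_at: datetime                 # when the controller became aware of the breach
    subject_categories: list[str]
    subject_count: int
    record_categories: list[str]
    record_count: int
    dpo_contact: str
    likely_consequences: str
    measures: str
    risk: Risk
    # Conditions under which individual communication to data subjects is not required
    data_unintelligible: bool = False      # e.g. strong encryption, key not compromised
    high_risk_removed: bool = False        # subsequent measures removed the high risk
    disproportionate_effort: bool = False  # -> public communication instead


def authority_deadline(rec: BreachRecord) -> datetime:
    """Latest point at which the supervisory authority should have been notified."""
    return rec.aware_at + AUTHORITY_DEADLINE


def must_notify_authority(rec: BreachRecord) -> bool:
    return rec.risk is not Risk.UNLIKELY


def subject_communication(rec: BreachRecord) -> Optional[str]:
    """Return 'individual', 'public' or None for the data-subject communication."""
    if rec.risk is not Risk.HIGH:
        return None
    if rec.data_unintelligible or rec.high_risk_removed:
        return None                      # exemptions (a) and (b)
    if rec.disproportionate_effort:
        return "public"                  # exemption (c): public communication instead
    return "individual"


def missing_notification_fields(rec: BreachRecord) -> list[str]:
    """Notification elements (a)-(d) that are still empty in the record."""
    required = {
        "(a) nature of the breach": rec.nature,
        "(a) categories/number of data subjects": rec.subject_categories and rec.subject_count,
        "(a) categories/number of records": rec.record_categories and rec.record_count,
        "(b) DPO / contact point": rec.dpo_contact,
        "(c) likely consequences": rec.likely_consequences,
        "(d) measures taken or proposed": rec.measures,
    }
    return [name for name, value in required.items() if not value]


def build_authority_notification(rec: BreachRecord, sent_at: datetime,
                                 delay_reason: str = "") -> dict:
    """Assemble the notification; a notification after 72 hours must state the reasons."""
    late = sent_at > authority_deadline(rec)
    if late and not delay_reason:
        raise ValueError("notification after 72 hours must be accompanied by reasons for the delay")
    return {
        "nature": rec.nature,
        "data_subjects": {"categories": rec.subject_categories, "approx_number": rec.subject_count},
        "records": {"categories": rec.record_categories, "approx_number": rec.record_count},
        "contact": rec.dpo_contact,
        "likely_consequences": rec.likely_consequences,
        "measures": rec.measures,
        "late": late,
        "delay_reason": delay_reason if late else None,
    }


# Constructed sample scenario: a laptop holding an unencrypted customer export is stolen
SAMPLE = BreachRecord(
    nature="Theft of a laptop holding an unencrypted customer export",
    aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    subject_categories=["customers"], subject_count=1200,
    record_categories=["names", "email addresses", "postal addresses"], record_count=1200,
    dpo_contact="dpo@example.invalid",          # placeholder contact, not a real address
    likely_consequences="Identity misuse, unsolicited contact",
    measures="Remote wipe issued, password reset forced, future exports encrypted",
    risk=Risk.HIGH,
)

if __name__ == "__main__":
    print("notify authority by:", authority_deadline(SAMPLE).isoformat())
    print("data-subject communication:", subject_communication(SAMPLE))
    print("missing notification fields:", missing_notification_fields(SAMPLE))
```

The risk rating itself is a judgement the controller has to make and record; the helper only makes the consequences of that rating explicit and stops a late notification from leaving without the reasons the slides say it must carry.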
National Authority for Data Protection and Freedom of Information (NAIH)

• The lawful processing of personal data is supervised by a supervisory authority, the National Authority for Data Protection and Freedom of Information (NAIH), an autonomous public administration body, whose president is appointed by the President of the Republic for a 9-year term on the proposal of the Prime Minister.
• Procedures of the authority:
Investigation – on request
Data Protection Authority procedure – by investigation or ex officio
Case law

• The plaintiff, Mihai Bărbulescu, a private individual who worked for a company in Romania, brought a lawsuit over the data processing of his workplace correspondence after his employer monitored his communications via a workplace chat service and used his personal messages to justify his dismissal.
• In his complaint, Bărbulescu alleged that his employer had violated his right to privacy by monitoring his work messages and using them as evidence. The applicant was not properly informed about the extent and nature of the monitoring and whether the employer had access to the actual content of the messages.
• However, the employer argued that the employees were aware of the monitoring of workplace communications and that the monitoring was necessary to protect the interests of the workplace. The internal rules clearly prohibited private use of the internet.

The Court ruled for Bărbulescu: although he was violating company protocols, he was not informed appropriately about the extent of the surveillance, thus his rights were infringed.
