Data protection

Based on information collected in advance through a specific questionnaire, we conduct personal interviews with employees of our clients to map their actual data processing processes and the legal data protection requirements that apply to them, as a GDPR assessment. Among other issues, we check whether the legal basis for the processing (e.g., consent to the processing of personal data given by the data subject) and the purposes of the processing are adequately specified with regard to the data processing activities and the identified categories of personal data processed by our client’s organization. The information relevant to the data protection audit (circumstances of data processing, internal processes, observations, characterization of internal documentation) will be recorded in an audit report or GDPR gap assessment, which will be provided to our client upon finalization. As a result of the data protection audits, the management will have a comprehensive overview of the current level of adequacy of data protection in their organization.

For one or more interlinked data processing processes, we record the risks identified (for example, the consequences of a personal data breach) and recommend measures to mitigate or eliminate them. We would like to underline that for certain data processing operations, data protection assessments are mandatory, for example, recording a telephone conversation against legal authorization for quality assurance, or when camera surveillance takes place at the workplace. In these cases, the relevant data processing operation will be analyzed based on a more detailed set of criteria and all results of the data privacy risk assessment will be documented. In addition to the legal requirements, our work takes into account the relevant international standards and regulatory guidelines.

We will prepare the legal documents required by the relevant law to demonstrate compliance with the General Data Protection Regulation (GDPR), tailored to our clients’ specific needs and processes. This documentation may include, but is not limited to:

• privacy statement and data protection declaration or general data protection declaration
• Hungary GDPR fact sheet of the current legislation
• privacy policy or privacy notice
• Data management and privacy policy, data protection risk management policy
• privacy notice for websites or webshops
• GDPR readiness assessment
• employee privacy notice required in the context of workplace data management
• documentation of data protection guidelines and principles
• consent form or information notice in relation to consent to data processing
• workplace camera surveillance policy
• DPO outsourcing best practices fact sheet
• information notice on camera surveillance system
• protocol to be used in case of review of camera footage
• camera surveillance policy for condominiums
• data processing agreement
• cloud computing GDPR requirements
• procedures for the notification, recording and handling of personal data breach
• data processing registers or record of data processing activities
• data privacy risk management handbook
• data processing review protocol for mandatory data processing activities

The actual content and titles of the documents will be determined in consultation with our clients, taking into account the specific circumstances of the data processing activities to be regulated.

In order to raise awareness and advice on data protection, we provide personal or online training to our clients’ employees, and we will prepare questionnaires, check-tests and additional training materials upon request. The training will be documented by a record, which may be used as evidence of the education in any subsequent proceedings before the data protection authority (DPA). The training will also provide an opportunity to discuss practical data protection issues with our clients in order to develop good data processing practices.

We will check whether our client is actually using the appropriate documentation which was prepared during the GDPR compliance risk assessment in its practical operation and whether any data protection risks previously identified by us or others have been mitigated. We do this using the same methodology as in the data privacy audits, except that we focus on our recommendations and risks that were previously recorded, as well as on new or changed data processing activities that have occurred since the first assessment. A record of the audit findings will be kept for traceability.

By answering specific data protection-related legal questions, providing consultations and drafting legal opinions, we help our clients to make confident decisions supported by legal expertise. The assistance of a data protection lawyer in dealing with and interpreting both internal and external data protection legal issues is of prominent importance, as it allows us to deal with legal issues more quickly and with a higher level of assertion of our client’s interests, whether it is a partner’s consultation on data protection-related matters or a data protection-related legal dispute with an employee, where the other party is also likely to be supported by a GDPR specialist or data protection law firms. In addition, by using data privacy lawyer, it is possible to avoid situations where our clients may be damaged, such as compensation for the unlawful use of camera surveillance system or a data protection fine.

’Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the event of a data breach, we will assist our clients in identifying the circumstances of the incident, formulating a recommended course of action, as well as in reporting the incident and informing the data subjects. Examples of data breach: e-mail attachment containing personal data sent to the wrong address, unlawful access to a database containing personal data, loss of a storage medium (laptop, thumb drive) containing personal data, ransomware attack on an IT-system that encrypts all data.

We represent our clients as privacy attorney in data protection related proceedings (primarily in Hungary), in responding to data subjects’ requests and in litigation and out-of-court data protection-related legal disputes. In cases involving data protection issues, the advantage of the use of privacy lawyer is that our clients do not have to use the capacities of their own data privacy consultant or in-house counsel to pursue their claims, risking a breach of the relevant conflict of interest rules, but can instead use the services of an external data privacy specialist and can therefore manage the case more efficiently.

The DPO, who replaces the internal data protection commissioner, is independent from the data controller’s organization, an expert in data protection as well as practices it. It is mandatory to appoint a DPO in certain cases, but any data controller who is not subject to this obligation may optionally appoint a DPO. In the performance of his or her duties, the DPO, as a GDPR expert, has an advisory and supervisory role within the organization and his or her involvement in data protection matters is essential. Who may become a DPO? Under the provisions of the GDPR, anyone who meets the above professional requirements and is able to perform the duties of the position independently and without breaching the relevant conflict of interest rules of the organization of the data controller. The renumeration of the DPO is subject to the individual agreement of the parties and the DPO may be appointed by an employment contract or a service agreement, as an outsourced data protection officer. We fill the position for our clients as external DPO and we also assist the appointed DPO of our clients as data protection consultant. Our DPO expert service includes the ongoing performance of all the data protection-related tasks described on our website, given that it is the responsibility of the client’s external data protection officer to carry out these tasks.