Data protection

What is data protection?

Data protection includes the protection of privacy and private sphere providing guarantees based on fundamental rights with regard to the personal data of natural persons (data subjects) and imposes obligations on the data controller. Data controllers are persons or organizations who or which determine the purposes and means of a data processing operation, either individually or jointly with others (joint data processing). Data processing means any operation which is performed on personal data, including collection, recording, storage and consultation.

Data protection Hungary or GDPR Hungary

Data protection law is a specific and rapidly evolving area of law; the former directive-framework was replaced by a regulation in the European Union as of 25 May 2018, whereby the General Data Protection Regulation (GDPR) became directly applicable, so that the same standards shall apply to data processing activities in all Member States, excluding domestic data processing or in the course of a personal activity and other exceptions determined by law. In addition, in the Hungarian legal environment, the existing Hungary data protection law and several other relevant data processing-related law (e.g., Labour Code, Personal and Property Protection Act) were amended in April 2019 to take into account the European Data Protection Regulation as the primary source of law. Under the EU Data Protection Regulation, the National Authority for Data Protection and Freedom of Information (Hungary data protection authority), which replaced the Data Protection Commissioner in 2012, is responsible for monitoring compliance with data protection legislation in Hungary.

Why is data protection important?

Nowadays, thanks to digitalization, the importance of personal data has increased. By collecting and analyzing information more efficiently, operators can better reach their customers, improve the quality of their services and optimize their internal work processes. The rational use of personal data also facilitates providing public services or exercising public authority. However, the high volume of data processing also entails high risks; a data breach or unlawful processing can cause significantly more damage to a data controller or a data subject than before, and therefore the protection of personal data and compliance with the principles of data processing have become a priority and an inevitable duty for all data controllers.

The added value of data protection services and the data protection advisor for an organization is not only in the compliance function of our GDPR services. In case we can work effectively with the data controller in the course of carrying out our GDPR consultancy services, this progress can reduce redundant processes and build confidence towards its employees, customers, business partners and other organizations that it is acting prudently and in accordance with the law in all aspects.

You can see our data privacy services detailed below.

GDPR audit

Based on information collected in advance through a specific questionnaire, we conduct personal interviews with employees of our clients to map their actual data processing processes and the legal data protection requirements that apply to them, as a GDPR assessment. Among other issues, we check whether the legal basis for the processing (e.g., consent to the processing of personal data given by the data subject) and the purposes of the processing are adequately specified with regard to the data processing activities and the identified categories of personal data processed by our client’s organization. The information relevant to the data protection audit (circumstances of data processing, internal processes, observations, characterization of internal documentation) will be recorded in an audit report or GDPR gap assessment, which will be provided to our client upon finalization. As a result of the data protection audits, the management will have a comprehensive overview of the current level of adequacy of data protection in their organization.

Data Privacy Assessment

For one or more interlinked data processing processes, we record the risks identified (for example, the consequences of a personal data breach) and recommend measures to mitigate or eliminate them. We would like to underline that for certain data processing operations, data protection assessments are mandatory, for example, recording a telephone conversation against legal authorization for quality assurance, or when camera surveillance takes place at the workplace. In these cases, the relevant data processing operation will be analyzed based on a more detailed set of criteria and all results of the data privacy risk assessment will be documented. In addition to the legal requirements, our work takes into account the relevant international standards and regulatory guidelines.

Preparation of the relevant GDPR-documentation

We will prepare the legal documents required by the relevant law to demonstrate compliance with the General Data Protection Regulation (GDPR), tailored to our clients’ specific needs and processes. This documentation may include, but is not limited to:

  • privacy statement and data protection declaration or general data protection declaration
  • Hungary GDPR fact sheet of the current legislation
  • privacy policy or privacy notice
  • Data management and privacy policy, data protection risk management policy
  • privacy notice for websites or webshops
  • GDPR readiness assessment
  • employee privacy notice required in the context of workplace data management
  • documentation of data protection guidelines and principles
  • consent form or information notice in relation to consent to data processing
  • workplace camera surveillance policy
  • DPO outsourcing best practices fact sheet
  • information notice on camera surveillance system
  • protocol to be used in case of review of camera footage
  • camera surveillance policy for condominiums
  • data processing agreement
  • cloud computing GDPR requirements
  • procedures for the notification, recording and handling of personal data breach
  • data processing registers or record of data processing activities
  • data privacy risk management handbook
  • data processing review protocol for mandatory data processing activities

The actual content and titles of the documents will be determined in consultation with our clients, taking into account the specific circumstances of the data processing activities to be regulated.


In order to raise awareness and advice on data protection, we provide personal or online training to our clients’ employees, and we will prepare questionnaires, check-tests and additional training materials upon request. The training will be documented by a record, which may be used as evidence of the education in any subsequent proceedings before the data protection authority (DPA). The training will also provide an opportunity to discuss practical data protection issues with our clients in order to develop good data processing practices.

Follow-up GDPR compliance audit

We will check whether our client is actually using the appropriate documentation which was prepared during the GDPR compliance risk assessment in its practical operation and whether any data protection risks previously identified by us or others have been mitigated. We do this using the same methodology as in the data privacy audits, except that we focus on our recommendations and risks that were previously recorded, as well as on new or changed data processing activities that have occurred since the first assessment. A record of the audit findings will be kept for traceability.

GDPR consultant service

By answering specific data protection-related legal questions, providing consultations and drafting legal opinions, we help our clients to make confident decisions supported by legal expertise. The assistance of a data protection lawyer in dealing with and interpreting both internal and external data protection legal issues is of prominent importance, as it allows us to deal with legal issues more quickly and with a higher level of assertion of our client’s interests, whether it is a partner’s consultation on data protection-related matters or a data protection-related legal dispute with an employee, where the other party is also likely to be supported by a GDPR specialist or data protection law firms. In addition, by using data privacy lawyer, it is possible to avoid situations where our clients may be damaged, such as compensation for the unlawful use of camera surveillance system or a data protection fine.

Handling of data breaches

’Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the event of a data breach, we will assist our clients in identifying the circumstances of the incident, formulating a recommended course of action, as well as in reporting the incident and informing the data subjects. Examples of data breach: e-mail attachment containing personal data sent to the wrong address, unlawful access to a database containing personal data, loss of a storage medium (laptop, thumb drive) containing personal data, ransomware attack on an IT-system that encrypts all data.

Legal representation

We represent our clients as privacy attorney in data protection related proceedings (primarily in Hungary), in responding to data subjects’ requests and in litigation and out-of-court data protection-related legal disputes. In cases involving data protection issues, the advantage of the use of privacy lawyer is that our clients do not have to use the capacities of their own data privacy consultant or in-house counsel to pursue their claims, risking a breach of the relevant conflict of interest rules, but can instead use the services of an external data privacy specialist and can therefore manage the case more efficiently.

DPO services

The DPO, who replaces the internal data protection commissioner, is independent from the data controller’s organization, an expert in data protection as well as practices it. It is mandatory to appoint a DPO in certain cases, but any data controller who is not subject to this obligation may optionally appoint a DPO. In the performance of his or her duties, the DPO, as a GDPR expert, has an advisory and supervisory role within the organization and his or her involvement in data protection matters is essential. Who may become a DPO? Under the provisions of the GDPR, anyone who meets the above professional requirements and is able to perform the duties of the position independently and without breaching the relevant conflict of interest rules of the organization of the data controller. The renumeration of the DPO is subject to the individual agreement of the parties and the DPO may be appointed by an employment contract or a service agreement, as an outsourced data protection officer. We fill the position for our clients as external DPO and we also assist the appointed DPO of our clients as data protection consultant. Our DPO expert service includes the ongoing performance of all the data protection-related tasks described on our website, given that it is the responsibility of the client’s external data protection officer to carry out these tasks.

This website is maintained by Dr. Miklós Péter Ákos, attorney at law registered in the Budapest Bar Association (registered office: 1028 Budapest, Piszke utca 14., tax number: 42982117-2-41, BAR ID number: 36079442) in accordance with the laws and internal regulations applicable to lawyers, which, together with information on client rights, is accessible at The blog posts and articles on the website do not constitute specific legal advice, an offer or a solicitation. It is intended to inform the website visitors about the areas of expertise of Dr. Miklós Péter Ákos attorney at law. The website has been prepared in accordance with the Hungarian Bar Association (MÜK) Presidium's Resolution No. 2/2001 (IX.3.) on the "Content of the website of the Hungarian Bar Association" and with the provisions of Chapter 10 of the MÜK's Rules of Procedure No. 6/2018 (26.III.). Legal notice​

Web: ZK DESIGN - Ügyvédhonlap