The Authority may impose a fine if we do not review the GDPR documentation every three years!

06/30/2022 11:00 PM

The mandatory three-yearly review is prescribed by the Infotv. (Act CXII of 2011), under which, unless other legislation establishes a different period, the data controller shall review at least every three years from the start of data management whether the processing of personal data is necessary to achieve the purpose of data management, as pointed out by Dr. Zsidi Roland, Senior Advocate at ICT LEGAL, Dr. Termel Law Office.

This is practically an audit obligation, during which a company reviews its data management activities. There may be several reasons why a particular data management activity should be modified, such as managing new data or discontinuing the management of existing data. This can have many causes: managing data related to a business branch or field of activity that has been terminated in the meantime, managing new data related to a new field of activity, the introduction of remote work (home office), etc.

What do I do?

The audit obligation primarily covers data management, so the essential task is for the company to take stock of the data management it carries out and examine each activity one by one to see whether it is (still) really necessary. The record of data management activities is one part of the GDPR documentation, and reviewing it is also a requirement. However, during the review it is advisable to go through the company's entire set of regulations and, if appropriate, amend them so that the practice of past years is incorporated.

How many years do companies have to keep audit related documents?

The audit must be documented, and the legislation requires the documentation to be retained for 10 years; the company must make it available at the request of the National Authority for Data Protection and Freedom of Information (NAIH).

Who should review?

Legislation does not impose an obligation in this respect. However, just as companies typically use an outside expert to develop their GDPR regulations, it is recommended that the review also be conducted with the participation of an outside expert, jointly assessing the purposes of data management, according to Dr. Zsidi Roland, Senior Advocate at ICT LEGAL, Dr. Termel Law Office.

A fine may be imposed if the company does not perform the mandatory audit!

The audit becomes important when the company cannot provide the audit documents at the request of the authority. In the absence of an audit, the chance increases that, during a potential inspection, data management turns out not to comply with legal requirements and is being performed without an appropriate purpose and legal basis. In the event of a violation, the Authority is likely to assess the missing review as an aggravating circumstance, which will be taken into account when setting the amount of the fine.

In such a case, the authority would likely oblige the company in its decision to review its data management (the missed mandatory review procedure) and bring the data management operations into line with legislation, for which the authority may impose a fine. If the review has not been carried out since the entry into force of the General Data Protection Regulation, that is, May 25, 2018, it is recommended to make up for it as soon as possible, which not only makes it possible to identify changes in data management practice, but also increases the likelihood of filtering out possible illegal data management, as Dr. Zsidi Roland, Senior Advocate at ICT LEGAL, Dr. Termel Law Office, points out.
