Report: All personal data breaches will have to be recorded

The new legislation takes effect on October 1 and will bring stricter rules and transparent regulations with regards to working with personal data, the law firm said.

According to Baker & McKenzie, all data controllers will be required to keep an internal register of data breaches under the amendment (Act No. CXXIX of 2015) to the Information Act. The regulation is intended to define how data controllers must treat data breach incidents, the report said, adding that the new data breach registry requirements will apply only to controllers.

“This required register will have to include not only the scope of personal data and number of data subjects affected, but the date, the circumstances, the effects of the incident, as well as the measures taken to eliminate it,” Ádám Liber, attorney at law at Kajtár Takács Hegymegi-Barakonyi Baker & McKenzie said. “The amendment specifies the definition of data breach incidents: any unauthorized processing of data, including the unauthorized access, alteration, unauthorized transfer, disclosure, deletion, accidental loss or breach of personal data,” he added.

The regulation does not require data controllers to appoint a Data Protection Officer (DPO), nor does it specify which internal rule within the data controller’s organization must or may be tasked with keeping that internal register, according to the report. Of course, if a data controller has a DPO, then this person must keep the internal register, the report added.

As of October, data controllers will have to disclose the circumstances and the effects of any data breach incident, and also the measures taken by the controller to remedy the situation – if a data subject requires information concerning the data breach, the report noted.

According to Liber, existing data processing agreements must be amended, because data processors will be required to register data breaches on behalf of the controller. The attorney added that these processing agreements under Hungarian law – including existing agreements – should introduce detailed provisions regulating how the processor should comply with obligations relating to the recording of data breach incidents.

The report noted that as of October, Binding Corporate Rules will also have to go through an authorization procedure. To date, these rules have been completely omitted from the list of recognized “adequacy” instruments under Hungarian data protection laws.

If someone breaches the data protection laws the amendment will order a fine up to HUF 20 mln (approximately €70,000) as it authorizes the Hungary DPA to double the current maximum of the fine to this amount, the report added.