Blog
Blog » DO NOT PLAY THE PAPERS! – 5 MUST-HAVE DOCUMENTS TO BE GDPR COMPLIANT
DO NOT PLAY THE PAPERS! – 5 MUST-HAVE DOCUMENTS TO BE GDPR COMPLIANT
09 March 2018
Last week during a GDPR related meeting with one of our clients, he told us: honestly, I have the feeling that this GDPR project is all about paperwork. Although it is not entirely true, we totally agree with our client that a huge part of the compliance project is drafting and adopting several documents. In this article we summarized the 5 basic types of documents that you must have in order to achieve GDPR-compliance.
1. Records of data processing activities
It is clear from the GDPR that both data controllers and data processors shall maintain a record of processing activities which contains certain information (eg. categories of processed data, data transfers to third countries etc.)
The content of the controllers’ and processors’ records is different: for example, while the records of a controller contain the data detention periods, it is obviously not an element of the processors’ records as he is not the one who establishes these periods.
If during the review of your processing activities you were identified both as a controller and a processor, we have great news for you: you need to maintain two records. For example, the haulier is a controller in relation with his own employees (record 1) but is a processor in relation with the data of his client’s customers (record 2).
2. Internal data protection and data processing policy
The GDPR sets forth that controllers shall implement appropriate technical and organizational measures to ensure the GDPR compliance which include the adoption of data protection policies.
Thus, it is kind of obligatory to adopt an internal data protection policy which describes all data processing activities, the liabilities and tasks in relation with the data protection in the organization, the measurements made in relation with data security, the rights of the data subjects and how to handle their requests.
3. Information „packages”
One of the most important goal of the GDPR was to ensure that data subjects are well informed, they understand what happens with their personal data and they have effective rights in relation with the processing of their data.
You as a controller are expected to provide all the necessary information to the data subject and help them to enforce their rights. Hence, you shall implement different information “packages” (as known as privacy policies) among others to your employees and to your private person customers. Further, if you receive personal data through your webpage, you will need to have and publish a webpage privacy policy, too.
4. Data breach incident records
Considering all the information security measures you implemented in order to be GDPR-compliant, you should not experience any data breach incidents at all. However, unfortunately even the best practices cannot exclude the possibility of an incident.
Thus, on a “hope for the best but prepare for the worst” basis you will need to have a data breach incident records. This documents the data breaches, their effects and the actions you have taken to mitigate the risks.
5. Data processing contracts
Regardless that you are a controller or a processor (or both if different contexts) you will need to conclude a (data processing) contract with the other party (processor or controller)
This contract among others clearly sets forth the responsibilities of both parties in relation with the certain processing activities. It is important to mention that the contact shall be in writing (including electronic form).
If you are a processor it is your interest to act in accordance with the data processing contract as otherwise you may be considered as a controller which clearly increases your liabilities.
To sum up the above: GDPR is not only about paperwork but it is clearly a very important and big part of your compliance project. Indeed, if the supervisory authority knocks on your door that he wants to investigate your processing activities, first thing he will tell you is: show me your data protection related documents.
-
CJEU DECISION IN A GDPR-RELATED CASE: DOES THE VIOLATION OF THE GDPR AUTOMATICALLY CONSTITUTE NON-MATERIAL DAMAGE?
Does the infringement of the data subjects’ rights by the controller give automatically rise to compensation? Can the controller be exempted from liability solely on the basis that the damage was the result of the fact that its employee did not comply with its instructions? What are decisive criteria to determine the amount of damages? In this article we analyse the fresh decision of the CJEU which addressed the previous questions.
Read more » -
HUNGARY – PERSONAL SCOPE EXTENSION OF JURISDICTION CLAUSE TO NON-SIGNATORY UNDER BRUSSELS IBIS
Does the principle of independence of the choice-of-court agreement require that parties shall expressly transfer the dispute resolution clause in case of transfer of the main contract? When can the personal scope of a jurisdiction agreement be extended to a non-signatory? A Hungarian appellate court decided upon these questions under the Brussels Ibis Regulation in a recent judgment
Read more » -
SETTING ASIDE ARBITRAL AWARDS IN HUNGARY
Given that there is no right of appeal in arbitration proceedings, it is important to be aware of what other legal remedies are available to you against an arbitral award. According to the Hungarian Arbitration Act, the parties may request the competent state court to set aside the award, which is a “mandatory” remedy, which cannot be waived by the parties in advance.
Read more »