Friday, February 1, 2013

Audit Services of the Hungarian DPA

As of 1 January 2012, the Hungarian DPA offers audit services. The audit service is regulated by the Privacy Act; however, data controllers and experts still have a lot of concerns regarding the service. No other authority in Hungary has the same entitlement.
According to chapter 39 of the Privacy Act, the data protection audit "is a service provided by the authority designed to evaluate and assess data processing operations in progress or proposed along technical merits, intended to effectively implement a high level of data protection and data security system". The unclear wording of the Act raises concerns and suggests that it is possible to request that the authority analyze the technical system and the safety of the technical equipment used by the data controllers. Proposed data processing operations may be audited if deemed justified based on the elaboration of the data processing concept.
The audit service can be conducted by the Authority solely at the data controller's request. Where there is more than one controller, it is not clear whether any one of them can request it or whether the controllers must request it jointly. For the data protection audit, an administrative service fee shall be charged in the amount decreed by the relevant minister. This fee has not yet been made public; however, based on official communications, it will be determined on a case-by-case basis.
The Authority records the results of the data protection audit in a so-called audit report; however, there are no guidelines for the minimum content of such a report. The audit report may also contain recommendations for the data controller. The audit report shall be considered public, unless the controller requests otherwise.
It is important to note that the audit service does not qualify as negative clearance: the authority may open any procedure during the audit. However, if the data controller complies with the recommendations of the authority, no fines can be applied for the same conduct.

