Posts

Showing posts with the label Court of Justice

A Hungarian case about processing data based on law - what are the requirements?

This question can be interesting in respect of the latest change in Hungarian health data processing: doctors performing workplace health tests are obliged to upload the entire files to the common health space, where access is not as limited as it should be. The concrete case adjudicated by the European Court of Justice concerns the processing of COVID vaccination data, also based on national law. For processing based on a legal obligation to which the controller is subject, Member States may maintain and introduce specific provisions determining more specific requirements and can also describe features of the processing, including measures to ensure fair and lawful processing. Processing of special categories of data (including health data) for reasons of substantial public interest (in any area) or of public interest in the area of public health requires that the law should provide for suitable and specific measures to safeguard the fundamental rights and interests of the data ...

Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR, even the recitals do not mention transmission of personal data to other European organisations. Of course, the use of processors is regulated in both acts, but not the transmission to another controller. It can be concluded that the transmission to entities under the same legislation is not covered, while transmission from EU institutions to entities under a regulation which has a wider scope is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable for EU institutions, is restricted to cases where the sam...

Doubts around data transfer - use of derogations

A lot has happened since Schrems-II: among other things, the European Data Protection Board published a FAQ document and a guidance on essential guarantees for surveillance measures, and submitted another guidance on measures that supplement transfer tools. Transfer tools are either safeguards, which ensure that data subjects enjoy adequate protection of their privacy at the place and in the organisation to which their data are transferred, or derogations, which enable transfer essentially without adequate protection. I used the term adequate protection, and previously the view was that the protection ensured need not be identical with that in the EU. The Schrems II judgment, however, speaks about equivalent protection, and this is stronger. In case the derogations (according to Article 49 GDPR) are used, the EDPB is of the view that the last sentence of Article 44 GDPR (All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural...

What says the CoJ Schrems-II judgment?

The Privacy Shield is dead, long live the Standard Contractual Clauses? - not so simple. Slowly the dust settles on the decision of the European Court of Justice invalidating the Privacy Shield, the most used basis of transfer of personal data to the U.S. The Court found no reason to invalidate the other frequent basis, the Standard Contractual Clauses, but attached stringent conditions to their use. Some see the apocalypse coming, some say we cannot dispose of U.S. companies and try to find other solutions. Staying in the middle, we try to shed light on what the 129-page judgment means. I asked Andrea Jelinek, chair of the EDPB, on behalf of portfolio.hu - the answers were published in Hungarian, I am waiting for the English version. See below for a very interesting aspect of her answers. Indeed, the SCC can be used as a legal basis to transfer personal data to a third country, but only if its clauses can be complied with. It was often said that the new data protection legal fram...

Transfer of Personal Data to Third Countries and International Organisations

Legal requirements: The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have somewhat changed the rules concerning transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On the one hand the conditions are clearer; on the other hand, new types of safeguards have been introduced. It has to be noted that there are two possible situations: transfer from a European Institution as controller to another controller and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences. One safeguard which is common between the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure) and the EDPS can also adopt contractual clauses but these also have to be approved by the Commission under the same procedure...

How can our messaging be surveyed by the state? The European Court of Justice will decide

We hear most often about surveillance by the security services of the U.S., but European states also need to get information about what criminal organisations and terrorists plan and who participates in them. On the other hand, the total surveillance state raises justified suspicions, in particular in post-communist countries. Moreover, information does not always come from direct surveillance by the state; government agencies would also like to have access to as much as possible of the data collected and stored by private actors for their own purposes. Although processing of data for preventing and fighting crime falls neither under the General Data Protection Regulation (GDPR) nor under the e-privacy directive, the collection of data by private organisations does. On Wednesday the 15th January the opinion of the advocate general of the European Court of Justice (ECoJ) was published in three such cases (joint cases C-511/18 and C-512/18, C-623/17 and C-520/18). A French, a British an...