COVID-19 Leads to Hungarian Government Easing GDPR Regulations

Due to the COVID-19 Pandemic, the Hungarian government has eased the policing of the legislation enacted to work with the European Union’s General Data Protection legislation to protect the rights of data subjects.

The decision, Decree No. 179/2020 was released on May 4 and follows the Hungarian government issuing a state of emergency, for an indefinite period, on 31 March.  As there is a stat of emergency declared, the Hungarian government can effectively govern through the issuance of government decrees.

The decree suspends measures introduced by articles 15 to 22 of the GDPR – in relation to personal data processed for the purpose of preventing, recognizing and investigating the COVID-19 disease and stopping its spread – until the current state of emergency comes to an end.

Some of the ramifications of this includes:

  • The 30-day GDPR deadline for answering COVID-19 – related data subject requests will start only on the first day after the termination of the state of emergency. In other word any group that receives a request will not have to move to address it until the end of the COVID-19 state of emergency that is now in place for an indefinite period of time.
  • Any Data controller(s) involved in tackling the COVID-19 pandemic is free to interpret the new legal provisions widely and broaden its restrictions as it applies to personal data as much as they can.
  • Data controllers are not required to provide data subjects with personalized information as listed in articles 13 and 14 of the GDPR including the specific data processed, the aim and legal basis of the data processing, and identity of the data controller, notification of data transfers to third parties and to third countries, the guaranties of these data transfers, their retention periods, and all information about data protection rights for data subjects.
  • The DPA will only begin proceedings on the first day after the termination of the COVID-19 state of emergency even for complaints that have already been submitted.
  • Any request for public information cannot be submitted personally or orally to any organisation with public-service duties.
  • Any public-service providing organisation must adhere with an eligible request for public information within 45 days instead of 15 days, a deadline that can be prolonged for one time only by 45 days.

There is no indication, as of yet, how long the state of emergency will remain in place.  All provisions of the new government decree are applicable for current, as well as future requests.

HIPAA Violation Penalties

Most Common HIPAA Violations Causes