On the review obligation of undertakings and organisations that process personal data

As of 25 May 2018, the GDPR Regulation is mandatory to apply in all EU member states, pursuant to which the data controllers of undertakings and organisations subject to the Regulation must review every three years (in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information) whether the ongoing processing of personal data is still necessary for the purposes for which the data was originally processed.

The review must be carried out by all companies in the EU member states that were already processing personal data when the GDPR Regulation entered into force on 25 May 2018. Companies that started data processing activities after this date, and therefore do not have this three-year history, or that do not carry out data processing activities at all, are not subject to this review obligation.

Companies may carry out the review themselves in the form of a self-audit, or they can hire a law firm with expertise in data protection law to do it for them.

Also, in relation to the current data processing activities, it is important to point out that several circumstances have recently changed (e.g. a significant increase in home office work), which would justify examining whether the current data processing activities and the relevant policies need to be amended.

The law requires that the review be documented, and the documentation must be retained for 10 years, even if everything was found to be in order during the review and it was determined that no changes to the existing procedures are necessary.

The law does not set a deadline for carrying out the review, but failing to do so could increase the risk that, in the course of a potential official audit, the authorities will find the company's data processing activities inadequate, which could lead to a significant penalty.