1. Ide kerülhet az előadás címe A New Experience: The Dilemmas and Specialties of the Data Protection Audit in Hungary

2. 2 An independent evaluation of how certain assets are managed in relation to a particular set of standards A standard assessment tool deployed by regulatory authorities when monitoring external organizations Traditionally associated with the accounting and finance sector, but have since broadened out in scope Audit in general 1.

3. 3 Operates as a control mechanism regardless of whether an organization self-assesses or is appraised by an independent third party Checks are conducted in order to detect any irregularities or system weaknesses regarding how the organization handles the personal data The identification of measures required to ensure compliant data processing Audit in general 2.

4. 4 A systematic and independent examination of a system, a process, an operation, a dataset, etc. through a preliminary set criteria. The auditor checks how the system, process, operation, dataset, etc. is in compliance with the audit criteria and on this basis formulates a judgment which is communicated through an audit report. (Data protection) audit in general 3. Audit criteria = regulations of the Hungarian data protection act (legal and practical judgment) 1. Compliance check 2. Risk assessment

5. 5 The data protection audit is a service provided by the Authority designed to evaluate and assess data processing operations in progress or proposed along technical merits, intended to effectively implement a high level of data protection and data security system. Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information Section 69 (1) The Scope of the data protection audit according to the Hungarian DP Act

6. 6 Defining the scope and purpose of the Hungarian Data Protection Audit The Dilemma To prepare a standard assessment tool some criteria must be set -Proposed data protection must have a well documented process and flow chart -Proper documentation needed -The scope of the data protection audit should be set carefully -FOI strategies won’t be audited The Specialty The Act defines a wide range of data processing which can be audited, almost any data processing could be audited.

7. 7 Proposed data protection must have a well documented process and flow chart -Proposed data processing operations may be audited if deemed justified based on the maturity of the data processing strategy -The Authority won’t write privacy policies, only gives guidance -The strategies should have all the basic information about the data processing Proper documentation needed -The Authority has a check list about the required documentation -Some documentation could be accepted during the process Defining the scope and purpose of the Hungarian Data Protection Audit

8. 8 The scope of the data protection audit should be set carefully -If too broad the audit could become permanent data protection compliance check -If too narrow the audit could be useless to the data processor -Conflicting interests FOI strategies won’t be audited -There are still a large number of requests about auditing FOI strategies Defining the scope and purpose of the Hungarian Data Protection Audit

9. 9 According to the Hungarian Data Protection Act „Data protection audits are conducted by the Authority at the data controller’s request.” Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information Section 69 (2) Mandatory or optional?

10. 10 Investigation procedure DPA Data Controller Data subject (Anybody) Administrative proceedings Data Protection Audit Mandatory or optional? regarding to other procedures

11. 11 Mandatory or optional? The Dilemma Optional Mandatory Audit Advisory visit Certificate Standard Supervision Preliminary investigation Compliance check

12. 12 „Data protection audits are conducted by the Authority at the data controller’s request.” Advisory visit Certificate Prelinimary investigation Compliance check Mandatory or optional? The Specialty

13. 13 According to the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information Section 69 (2) Preliminary procedure Prior to the data protection audit the Authority shall communicate to the data controller the fee payable for the data protection audit and the estimated time when the data protection audit will be conducted The data controller shall provide a statement declaring his intention to go forward with the data protection audit in the light of the conditions indicated

14. 14 Preliminary procedure - contact person - data about the data controller - information about the data processing Application Form -detailed information about the scope of the data processing -detailed information about the requested documentation Personal Consultation Data Protection Audit Agreement

15. 15 Preliminary procedure Estimated amount of consideration Time schedule Timesheet List of requested documentation The Data Protection Audit Agreement

16. 16 Preliminary procedure Selecting auditor personnel Gathering resources and information Lawyers Data Protection experts IT experts Proper IT background Information about former proceedings and investigation Article 29 Working Party Opinions Information about former court judgments Preparation for Data Protection Audit

17. 17 Preliminary procedure Practical issues Time Timeframe 6-8 weeks per audits Timeframe 8-12 audits per year Proper timesheet for invoicing Experts IT experts Data protection experts Lawyers Administrative issues Major administrative input needed Accounting support needed

18. 18 Preliminary procedure Practical issues Head of Audit Unit Lead Auditor Data protection experts Lawyers Lead IT expert IT staff Audit group 4-6 person

19. 19 according to Act CXII of 2011 on the Right of Informational Self-Determination and on FOI Section 69 (4) Audit report The Authority shall record the results of the data protection audit in an audit report The audit report may also contain recommendations for the data controller The audit report shall be made available in compliance with the regulations on business secrets, however, at the data controller’s request the Authority shall publish the report or the summary evaluations of the report on its website

20. 20 The guidance should focus on practical solutions An executive (decision maker) should be present from the audited organization Mutual cooperation required for useful guidance Audit report Guidance

21. 21 Audit report 1. Executive summary 2. Defining the scope 3. Introducing the Methodology 4. Summarizing the findings 5. Legal compliance assessment 6. Data protection risk assessment 7. Issuing guidance8. Follow up

22. 22 The Authority treats audit reports as confidential documents, they are therefore not published, though the organization concerned is free to do so The Authority reserves the right however to comment on any aspect of a particular named audit in the annual report All organizations audited within a given year will be listed in the annual report Audit report Confidentiality

23. 23 Audit report Recommendations Minor recommendation For higher level of data protection Major issueMinor issue Mandatory Major recommendation

24. 24 The data protection audit shall not exclude the exercise of the Authority’s other competencies defined in the data protection act. Mediation tool if too many infringements data protection administrative proceedings Capability only if it doesn’t hinder other proceedings only 8-12 audits per year Data protection audit Other issues Lobby aim to achieve agreement with the audited organization regarding the final report, but this is not always possible

25. 25 The fee (consideration) charged shall constitute revenue for the Authority. according to Act CXII of 2011 on the Right of Informational Self- Determination and on FOI Section 69 (3) The data controller shall pay a fee (consideration) for the data protection audit The amount of the fee (consideration) shall be determined by the Authority as commensurate for the activities to be performed, however, it may not exceed five million forints Data protection audit Other issues

26. 26 The amount of the fee (consideration) shall be determined by the Authority as commensurate for the activities to be performed, however, it may not exceed five million forints Main criteria for determining the amount of the fee (consideration): the complexity of the data processing the number of the data subjects involved in the data processing the excessiveness of the personal data controlled the annual revenue of the data controller Data protection audit Other issues

27. 27 Audit report TimesheetInvoice Audit closure Maximum amount of consideration is declared in the audit agreement, but in most cases the amount of the consideration calculated from the timesheet is less than the maximum amount Data protection audit Other issues

28. 28 The Data Protection Audit was based on European examples Irish Data Protection Commissioner Visited the office and participated in an audit The Authority reviewed some audit procedures during evolving our own audit resource [UK, France, Germany, Finland] Data protection audit Other issues

29. 29 Data protection audit procedure Request Defining the scope Gathering information Checking the legal compliance of the documentation Assessing data protection related risk Issuing the audit report Follow up Compliance certificate

30. 30 Data Protection Audit Methodology getting to know the data processing assessing the basic legal compliance Summarizing table getting detailed knowlage about the data processing deep analysis of the data processing Questionnaires list about the proper documentation detailed analysis of the legal compliance identifying data protection risk Assessment of the documentation clarifying uncertain details data protection risk assessment Audit meetings Personal consultation and interview with the employees consultation about the final draft report definying follow up time schedule Closing meeting

31. 31 General summary about the methodology Questionnaire based Personal consultation Documentation analysis On site visit, Advisory visit Risk Assessment Data Protection Audit Methodology

32. 32 Audits of the kind carried out by the Authority are compliance based A compliance audit typically examines an organization's procedures, policies, systems and records in order to assess whether the organization is generally in compliance with requirements under data protection legislation Data Protection Audit Methodology

33. 33 The main focus of the data protection audit Compliance with DP Legislation Compliance with DP Standards Defining Risks Recommendations Positive Findings Data Protection Audit Methodology

34. 34 The audit report specifies a time schedule when the audited organizations are contacted by staff from the Authority with a particular focus on establishing what actions have been taken to implement the recommendations as set out in the final audit report. Follow up procedures are usually conducted in writing The final report could only be amended with the compilance clause if the measures taken were deemed satisfactory Data Protection Audit Follow up procedure

35. 35 The first experiences - lack of prior planning - lack of proper documentation - no useful documentation for the data subject (mainly just formal compliance) - the role of the data processors are not clear enough - lack of data processing agreements - lack of control by the data controller over the data processor Data Protection Audit First experiences

36. 36 Relation to privacy seals In most of the cases the audited organization is inquiring about a European Data Protection Seal Data Protection Audit Relation to privacy seals

37. 37 Thank you for your attention!