BDO Legal · GDPR 5th Anniversary - lessons learned and pred…

5TH ANNIVERSARY OF THE GDPR

GERMANY.

MATTHIAS NIEBUHR, BDO Legal | Germany
matthias.niebuhr@bdolegal.de

LESSONS LEARNED:

The GDPR was meant as the single unified European regime for data protection law, promising more clarity than the multitude of member state provisions and, in the case of Germany, even sub-federal state provisions on data protection. This promise has only partly been kept. Neither does the GDPR cover all sectors of EU data protection law, as we are still waiting for the harmonisation of important areas such as online data protection (ePrivacy Regulation), nor has the German legislator used the opportunity to trim German legislation. The new German data protection act (BDSG) even added 22 new provisions compared to its pre-GDPR predecessor. Moreover, application of the GDPR and BDSG in Germany is complicated by 17 data protection authorities at state and federal level, whose interpretations of the law do not necessarily converge.

PREDICTIONS FOR THE FUTURE:

Currently, the EU is rolling out a plethora of legislative instruments in the digital field, ranging from the Digital Services Act, Data Act and Data Governance Act to sector-specific legislation like the Regulation on the EU Health Data Space. All of this new legislation states that it “shall not affect the applicability of” or is “without prejudice to” the GDPR. However, the new legislation aims not at protecting data but at making data available, creating markets and added value. This will mean a huge paradigm shift for EU and German data protection law.

HUNGARY.

JÓKAY ISTVÁN, BDO Legal | Hungary
istvan.jokay@bdolegal.hu

LESSONS LEARNED:

Since the introduction of the GDPR in Hungary, the Hungarian Data Protection Authority (NAIH) has been particularly active in data protection infringement proceedings, with nearly 70 cases of data protection fines imposed since 2019. While the number of proceedings is high, NAIH clearly follows the principle of gradualism in its assessment of fines: in the early years of the GDPR’s implementation the authority mainly used warnings and low-level fines to encourage data controllers to behave lawfully; however, over the last two years an increase in the amount of fines has been observed. At the same time, data protection awareness in Hungary is increasing: thanks to the NAIH’s procedures and the awareness programmes that are part of its regulatory functions, data controllers’ data protection compliance is becoming more complete and adequate. This kind of awareness can also be observed among data subjects in the enforcement and protection of their rights.

PREDICTIONS FOR THE FUTURE:

Significant efforts to strengthen data protection adequacy and awareness are expected to continue in Hungary. While continuous progress can be observed in this direction, the challenge of providing data subjects and businesses with adequate education and information on data protection remains important. The emergence of new technologies and the associated data protection issues and problems is also a major challenge. NAIH is expected in the near future to assist businesses and stakeholders by providing information on the new challenges and opportunities brought about by digital technology.

ITALY.

GABRIELE FERRANTE, BDO Legal | Italy
gabriele.ferrante@bdo.it

LESSONS LEARNED:

In Italy, Legislative Decree No. 101 of 10 August 2018 was introduced to align the national legislation with the GDPR. However, the regulatory framework for data protection in Italy is still incomplete and lacks comprehensive coverage. The decree refers to various deontological rules, codes of conduct, guarantee measures, general authorisations, and other provisions issued by the Italian Data Protection Authority (known as the “Garante per la protezione dei dati personali”), which are not consolidated in a single regulatory source. Moreover, certain aspects remain unclear, such as the internal structuring of the Data Protection Officer (DPO), which continues to raise concerns among Italian companies. Additionally, the management of data breaches in Italy has been hindered by a lack of detailed guidelines from the Garante, resulting in a comparatively low number of reported data breach notifications.

PREDICTIONS FOR THE FUTURE:

As the conversation around data protection continues to evolve, the GDPR has emerged as a crucial factor. With data becoming increasingly valuable and central to the new European strategy for data, and in general to the new digital legislation from the EU, the GDPR’s importance is expected to grow even further in the future. Our expectation is to witness a smoother implementation of the GDPR across small and medium-sized enterprises in Italy, as well as in other EU countries. Among the objectives is to enhance the user experience of consent management systems, moving towards preference management systems that prioritise user choice and control. This includes the introduction of Personal Information Management Systems, which will empower consumers with greater control over their personal data. In addition, cybersecurity and data breach prevention are likely to become even more prominent in the coming years, shifting the focus beyond just consent management.
