On 4 May, 2020, the Hungarian Government issued a decree (Government Decree No. 179/2020) (the Regulation) regarding the restriction of data subjects’ access rights and access to public information.
The Regulation provides that during the current state of emergency, data subjects’ rights (Chapter III GDPR) related to data processing activities carried out with the purpose of prevention, study, detection etc. of the Coronavirus disease (COVID 19) shall be restricted. All measures to be taken in case of a data subject requests (such as a request for access or deletion) must be suspended until the end of the state of emergency. The deadlines applicable to such requests will commence on the day after the current emergency situation ends (which date is currently unpredictable). Furthermore, the data subjects should be informed on the aforementioned restriction without undue delay after the state of emergency ends, but no later than 90 days after the receipt of the request.
The Regulation also relaxes the notification obligations: the requirements set out in Art. 13-14 GDPR concerning data processing performed with the above purposes must be considered fulfilled in case a general privacy notice containing information on the purpose, legal basis as well as the extent of the processing is made available online.
The potential reason behind this restriction is to relax the administrative burden on the health care providers, which are currently being extremely overwhelmed with work. However, as the Regulation does not define the controllers falling under its scope, any business/employer carrying out data processing activities with the above purposes (such as the processing of travel data of the employees, their body temperature to contain the spread of Coronavirus at the workplace, etc.) must also comply with the above restrictions. This entails that businesses should consider adjusting their respective internal policies and procedures accordingly.