Am I affected? - GDPR

It seems especially appropriate to ask back: who is asking? Not because there are exceptions for whom the regulation does not apply, but because the answer to the second question, "how", depends on it. Both sides, the individual and the business, are affected whichever position they are in; what differs is how.

Judging by the questions above, the questioner presumably already knows, but it does no harm to clarify what the GDPR is.

The GDPR (General Data Protection Regulation) is the EU's general data protection regulation, adopted by the EU legislators in 2016. After a two-year transition period it becomes applicable on 25 May 2018, from which date its provisions are binding and must be applied directly in every member state.

The Hungarian legal system has a similar law, Infotv., which must be harmonised with the GDPR, but the amendment is currently stuck in the legislative process. Harmonisation of the two sets of rules, EU and Hungarian, can therefore be expected towards the end of the year at the earliest. This can itself be a problem, because of possible "contradictions" between them in the meantime.

In any case, those who have already met the rules of Infotv. are in a simpler position: it is easier for them to review the differences between the two sets of rules and to prepare for the GDPR. Like Infotv., the GDPR protects the personal data of natural persons, but it covers every person in the EU whose data is processed (not only citizens), makes transfers to third countries subject to conditions, and so on, and it contains provisions on the data controller and the data processor that collect and process such data. A certain change of attitude is needed, because the regulation puts the emphasis on prevention, and the data controller is even obliged to demonstrate that it has done everything necessary to comply with the rules (the accountability principle).

But what causes the problem? Unfortunately, in most cases people are not even aware whether, and which, personal data they process. That is why every business is advised to assess this first, since the rules that must be applied in order to meet the data protection goals depend on it. Do not forget employees' personal data, which every employer records under statutory authorisation. And if payroll is handled not by an employee but by an external contractor, the rules apply to that contractor as well, as a data processor.

Similar rules also apply to personal data stored on electronic media and in IT systems, and to its backup and storage: databases, e-mails, log files, log-in and log-out records, camera recordings and more. Some deserve special attention, such as the newsletter recipient database, website visitor data and, in the case of online shops, payment information, which appears as a separate category.
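The paragraph above lists log files and log-in records among the places where personal data accumulates, and the post's advice is to assess what you actually process. The following is an added example, not code from the original post: a small Python scanner that builds that inventory from constructed sample log lines (the IP addresses are from documentation ranges and the e-mail addresses are fictitious), counting online identifiers (IPv4 addresses) and e-mail addresses per source, and a `redact` helper that shows how the same log line can be kept for troubleshooting without storing the identifier itself. The categories and patterns are this example's own assumptions, not a definition from the regulation.

```python
"""Inventory personal data hiding in log files (added example, not from the post)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log lines, invented for this example. IP addresses are taken
# from the RFC 5737 documentation ranges; the e-mail addresses are fictitious.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "access.log": [
        '203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /shop/cart HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [10/May/2018:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ],
    "app.log": [
        "2018-05-10 13:56:01 INFO login ok user=anna.kovacs@example.hu ip=198.51.100.7",
        "2018-05-10 14:02:17 INFO newsletter signup email=peter@example.com",
        "2018-05-10 14:10:00 INFO worker heartbeat",
    ],
}

# Each category is one kind of personal data the GDPR covers: an IP address is an
# online identifier, an e-mail address identifies a person. The patterns are
# deliberately simple and are an assumption of this example, not an official list.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def scan_lines(lines: List[str]) -> Counter:
    """Count occurrences of each personal-data category across the given lines."""
    found: Counter = Counter()
    for line in lines:
        for category, pattern in PATTERNS.items():
            found[category] += len(pattern.findall(line))
    return found


def scan_logs(logs: Dict[str, List[str]]) -> Dict[str, Counter]:
    """Scan every named source and return per-source category counts."""
    return {name: scan_lines(lines) for name, lines in logs.items()}


def data_inventory(logs: Dict[str, List[str]]) -> List[Tuple[str, str, int]]:
    """Flatten the scan into sorted (source, category, count) rows, dropping
    categories with zero hits, so the result can go straight into a data map."""
    rows: List[Tuple[str, str, int]] = []
    for name, counts in scan_logs(logs).items():
        for category, count in counts.items():
            if count:
                rows.append((name, category, count))
    return sorted(rows)


def redact(line: str) -> str:
    """Replace each identifier with its category tag. The line stays useful for
    troubleshooting, but the personal data is no longer stored (data minimisation)."""
    for category, pattern in PATTERNS.items():
        line = pattern.sub(f"[{category}]", line)
    return line


if __name__ == "__main__":
    for source, category, count in data_inventory(SAMPLE_LOGS):
        print(f"{source:12} {category:6} {count}")
    print(redact(SAMPLE_LOGS["app.log"][0]))
```

Run against real log directories, the `data_inventory` rows are the starting point for the assessment the post recommends: they tell you which systems hold personal data and therefore which ones need a retention period, a legal basis and a deletion procedure. Redacting at the point of logging, as `redact` does, is usually simpler than proving later that every copy of a log was deleted.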

The newsletter customer database already causes many problems under Infotv.; this is a known issue. But it does not occur to many that their website collects personal data falling under the regulation even when visitors cannot log in and no data is requested from them. This happens through the widely used Google Analytics, via cookies set on the visitor's computer: the cookie identifier and the visitor's IP address are online identifiers, which the GDPR treats as personal data.

The situation is similar with online shopping and payment information, which is also personal data and is often forwarded to accountants and couriers, and banks too provide information on customer payments. Each such recipient and transfer must be covered by the legal basis for the processing.

Personal data may be collected and processed only on a legal basis, be it the data subject's consent or a statutory authorisation, and only for the period that basis permits or until consent is withdrawn; it must then be verifiably deleted. Importantly, it must not survive on electronic media as part of an earlier backup, so retention and deletion procedures have to cover backups as well.

Special attention must be paid to data protection incidents, whether data leaks or unauthorised access: under the GDPR these must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, and the affected individuals must be informed when the breach is likely to pose a high risk to them. This presupposes that incidents are detected and logged at all.

Unfortunately, the scope of the topic goes far beyond this post, so for now we can only try to raise awareness. Good advice for anyone who is even slightly uncertain is to find a competent consultant to guide and prepare them, because under the rules data protection measures must be tailored to the "company", and no two companies (organisations) are alike.

Maybe we can also give advice on the matter...