The mandatory 3-year review is provided for by the Info Act (Act CXII of 2011), according to which - unless other legislation specifies a different period - the controller shall review, at least every three years from the start of processing, whether the processing of personal data is still necessary for the purposes of the data management - points out Dr. Roland Zsidi, senior lawyer at ICT LEGAL, Dr. Termel Law Office.
This is effectively a review obligation, under which the company revisits its data processing activities. There are many reasons why a particular processing activity may need to be revised: processing that has been newly introduced or discontinued, processing related to a business line or activity that has been wound up, new processing related to a new activity, the introduction of teleworking (home office), and so on.
What needs to be done?
The review obligation mainly covers data processing, so the minimum that needs to be done is for the company to take stock of the processing activities already carried out and examine them one by one to see whether each is (still) necessary. Keeping a record of processing activities is one part of the GDPR policy, and reviewing that record is a basic requirement. However, in the course of the review it is advisable to go through the entire policy and, if necessary, amend it and incorporate the practice of the past years into the policy.
How many years should companies keep documentation of the review?
Documentation of the review is mandatory, and the law requires companies to keep it for 10 years and to make it available to the National Authority for Data Protection and Freedom of Information (NAIH) upon request.
Who has to review it?
There is no legal obligation to do so, however, as companies typically use external experts for the development of the GDPR policy, it is recommended to carry out the review with the involvement of an external expert and to assess together with him the achievement of the purpose of data management - suggests Dr. Roland Zsidi, senior lawyer at ICT LEGAL, Dr. Termel Law Office.
Fines may come if the company does not carry out the mandatory review!
The review becomes relevant when, at the Authority's request, the company is unable to produce the review documentation. The absence of a review increases the likelihood of an audit finding that the processing does not comply with the law and is being carried out without a proper purpose and without a legal basis. In the case of an infringement, the Authority is likely to treat the failure to review as an aggravating circumstance, which it will take into account when setting the level of the fine.
In such a case, the Authority is likely to issue a decision requiring the undertaking to review its data processing (to carry out the missed mandatory review) and to bring its data processing operations into compliance with the law, which may be accompanied by a fine. If the review has not been carried out since the entry into force of the GDPR, i.e. 25 May 2018, it is recommended to do it as soon as possible, which will not only allow the company to identify changes in its data management practices, but also to detect possible unlawful data processing - points out Dr. Roland Zsidi, senior lawyer at ICT LEGAL, Dr. Termel Law Office.