The data processing operations specified by the GDPR as data processing based on legal obligation and in the public interest are defined by the Info Act as ‘mandatory data processing operations’ that can only be based on laws and municipality decrees.
Such laws and municipality decrees shall determine the details of the data processing, such as the type of data, the purpose, term and conditions of the data processing, the access rights to the data, the identity of the data controller and the revision of the necessity of the data processing.
In the case of ‘mandatory data processing operations’, data controllers shall periodically assess whether a particular data processing is necessary for achieving its purpose. The data controller shall revise the purpose at least every three (3) years, calculated from the commencement of the processing. The data controller shall keep the documentation about the revision for ten (10) years and present it to the Hungarian National Authority for Data Protection and Freedom of Information (‘NAIH’) at its request. Data controllers must revise pre-GDPR data processing operations by 25 May 2021 at the latest.