Guidance on the DPA Registration of Financial Service Providers

The Hungarian Information Act (effective from 1 January 2012) requires the notification and registration of customer related data processing activities of financial service providers (namely banks, insurance companies and investment service providers) located in Hungary, which is a prerequisite of commencing data processing operations. Yesterday, the Hungarian Data Protection Agency has released a comprehensive guidance on the DPA registration requirements of financial service providers located in Hungary, which document defines the exact scope of DPA notification requirements.

–        In its guidance, the DPA acknowledged that notification and registration requirements are very broadly formulated under the Information Act as these apply to every kind of customer related data records and processing activities by financial service providers. This includes, inter alia, surveillance (including security CCTV), marketing activities, money laundering records, records relating to the central credit information system, records relating to contracts, handling of customer complaints etc. which processing activities must be therefore duly notified to the Registry.

–        the DPA confirmed that lines of businesses shall be notified to the DPA for registration purposes and not the individual financial products; accordingly, several individual financial products of the same business line can be covered by the same notification of the financial service provider;

–        notably, independent intermediaries must separately register data processing activities with the DPA as these persons are considered as data controllers, whereas dependant intermediaries / agents must be registered on the part of the financial service provider as a data processor.

–        Finally, the DPA confirms that registration of data processing activities for marketing purposes is also a must, however, individual marketing campaigns can be covered by the same general registration, thus, there is no need to notify individual campaigns to the Registry.

The DPA registration must cover the following details: the purpose of processing; applicable legal basis, scope of data subjects; description of data types processed; source of the data; data retention periods; in case of transfer, the type of data transferred, transferees and the legal basis of the transfer, equally including data transfers to third countries; name and address of the controller, as well as the data processor, place of data processing, description of the activity of the processor; type of data processing technology applied; as well as the name and contact details of the DPO of the controller.

If the financial service provider does not register, data processing cannot be continued and the DPA may impose a fine up to ca. EUR 35.000, as well as prohibit data processing and data transfer.