In an earlier blog, I wrote that the UK and Irish regulators are being more lenient about the amount of time it may take for organizations to respond to individual rights requests. On May 4, 2020, the Hungarian government issued a governmental decree suspending the rights of individuals under Articles 15 through 22 of the General Data Protection Regulation (GDPR) – the rights of access and the rights to rectification, erasure, restriction of processing, data portability, object, and be subject to automated individual decision-making, including profiling. The suspension was until the end of the state of emergency that was declared due to the coronavirus pandemic.
Last week, on June 2, 2020, the European Data Protection Board (EDPB) issued a statement criticizing the action of the Hungarian government. It stated in part:
- Legislative measures which seek to restrict the scope of individual rights must be foreseeable to the persons subject to them, including with regard to their duration in time, and because the restrictions were imposed for a duration not precisely limited in time, they did not meet the foreseeability criterion.
- Restrictions must be a necessary and proportionate measure to safeguard an important objective of general public interest such as public health. Individual rights can be restricted but not denied, and in the EDPB’s view, restrictions suspending or postponing the application of individual rights, without any clear time limitation, equates to a de facto suspension of those rights and amounts to a complete obstacle against the exercise of the rights themselves.
The EDPB’s statement in response to the Hungarian government’s action is a reminder that, during the pandemic, even though a state of emergency exists, the individual rights set forth in the GDPR are still in effect. Organizations, as needed, may take addition time to respond to requests from individuals, but they still must respond to those requests. GDPRsimple, www.keepgdprsimple.com, an automated web and mobile tool, can help businesses respond to individual rights requests under the GDPR and keep track of the requests and their responses to them.