Home / People / Márton Domokos
Portrait of Márton Domokos

Márton Domokos

Co-ordinator of the CEE Data Protection Practice, CMNO

CMS Cameron McKenna Nabarro Olswang LLP Magyarországi Fióktelepe
YBL Palace
Károlyi utca 12
1053 Budapest
Hungary
Languages Hungarian, English
Data Protection & Freedom of Information

Márton is a senior counsel within the commercial team at CMS Budapest, focusing on data protection, intellectual property, commercial transactions and the TMT sector. He is also the Co-ordinator of the CEE Data Protection Practice (CMNO).

Márton has spent time working in-house at CMS’ clients. He completed a six month secondment at a global management consulting, technology services and outsourcing company, providing day-to-day legal advice in all projects of the company, working closely with local businesses and the company headquarter’s legal department. He also spent another six month secondment period at the CEE headquarters of a multinational American technology and services conglomerate. He also completed a seven month secondment in the London headquarters of a global infrastructure, media and financial services company for the financial business unit as the member of the global data privacy team in 2014. Here, he advised on the privacy implications of new products and services, to implement privacy and bank secrecy risk control measures, to analyse global regulatory proposals, and to assist in the development of the data protection compliance programme, including the review of policies and tools.

As part of his regulatory practice, Márton continuously monitors the regulatory developments in data privacy. He regularly gives presentations (Internet Hungary, Jogi Fórum, Infotér) and publishes articles (The Privacy Advisor, Napi Gazdaság, Origo) on privacy issues. He is a regular contributor of DataGuidance, the global privacy compliance service, and a founding member of the Data Protection Board of the Direct and Interactive Marketing Association (FEDMA member).

Márton is recommended by Legal 500 in the TMC category.

more less

"He manages matters absolutely smoothly and is very helpful and always available."

Chambers, 2021

"This is one of the very few law firms with specific TMT regulatory expertise. Also, the fact that the lawyers understand our business and needs very well is a great benefit."

Chambers, 2016

Relevant experience

  • Microsoft on a full range of legal matters. Significant works include: (i) liaising with the data protection authority re the practical side of Safe Harbor adherence and call centre operation; (iii) advising the client on various regulatory matters, such as the profiling requirements under the draft EU Data Protection Regulation, permitted use of social media videos, and government surveillance rights; (iii) advising the client in a software use audit; (iv) assessing the feasibility of cloud services in the healthcare sector and in the public sector, (v) preparing various template agreements, data privacy / cloud / used software information materials; (vi) localising a CEE public procurement training deck and a client facing marketing guidance; and (vii) advising the client re the interpretation of the ECJ's "right to be forgotten" judgment.
  • Magyar Telekom on the establishment of a major e-health system (patient-doctor-pharmaceutical company communications platform), including detailed analysis on the data privacy aspects, preparing the contractual background and the data privacy consents, negotiations with the infrastructure service provider and liaising with the Data Protection Supervisory Authority.
  • British Telecom on the local data privacy requirements and VAT / archiving law aspects of the transfer of personal data from CEE into an integrated database. The tasks included preparing the required data privacy consents, employee and third party communications and making the necessary submissions for various tax and data privacy authorities. Countries involved: Czech Republic, Slovakia, Poland, Hungary, Russia and Ukraine, and also reviewing the various governmental access rights.
  • Canon on the review of its business, HR and employees guides on data privacy, adapting these guides in accordance with data transfer requirements under the local laws of the following countries: Bulgaria, Czech Republic, Hungary, Poland, Slovakia and Slovenia.
  • GE on the data privacy aspects of access to / transfer of the employee emails and the files stored by the employee in case of integrity/compliance offences and business continuity cases. Countries involved: United Kingdom, Germany, France, Italy, Poland, and Turkey.
  • Johnson & Johnson on a data privacy audit regarding the operations of the Consumer and the MD&D business lines. Advised on its day-to-day data protection and privacy questions.
  • A major Hungarian bank on the contracting and regulatory aspects of obtaining Microsoft’s cloud computing services, (with specific focus on the practice and guidance of the Hungarian Financial Supervisory Authority, the Hungarian National Authority for Data Protection and Freedom of Information and the Article 29 Working Party, the Independent European data protection consulting firm, in cooperation with the European Commission).
  • Samsung Electronics on its day-to-day data protection and privacy questions.
  • A Hungarian low cost airline in 34 jurisdictions - following an ICO investigation - on the data protection requirements re its ticket agents, such as registrations, privacy policy amendments, data processing agreements and data retention requirements. Coordinating the registration procedures.
more less

Memberships & Roles

  • Founding member of the Data Protection Board of the Direct and Interactive Marketing Association
  • Member, Budapest Bar Association
more less

Publications

  • Navigating Out of Safe Harbors - CEE Legal Matters
  • Recent EU judgments in privacy cause far reaching implications on online operations - Financier Worldwide
  • Hungary develops its national public eHealth system - eHealth Law & Policy
  • Examining the impact of Weltimmo on e-commerce activities - Data Protection Law & Policy
  • The mandatory content of data processing information and regulations – detailed recommendations by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) to companies to facilitate compliance with the Information Act (article in Hungarian) - Jogifórum
  • The Act on data protection can be also applied to companies registered in a foreign country (article in Hungarian) - Origo
  • Hungarian DPA Reinvents Privacy Notices and Policies - The Privacy Advisor
  • Latest Hungarian reforms to protect state-owned operator - World Online Gambling Law Report
  • Data Protection Act Amendments Include Rules on BCRs, Data Breaches - World Data Protection Report
  • Data subject access to CCTV recordings (article in Hungarian) – Origo
  • Hungary - DPA Requesting a Flyby - Europe Data Protection Digest / The Privacy Advisor
  • BCRs, security breaches and increased fines on the horizon - a proposed bill to modify the Hungarian Data Protection Act - Data Protection Law & Policy
  • EU Data Protection Regulation – Let’s Start Preparing (article in Hungarian) – Kreativ Online
  • Hungary Steps Up its Child Protection Measures Online - Data Protection Law & Policy
  • Hungarian DPA Cracks Down on Fortune Telling Company's Direct Marketing, Here's What You Need To Know – The Privacy Advisor
  • CMS: Data Controllers to Revise their Practices 1-2 (article in Hungarian) – Origo
  • Updated Data Processing Practices – Recent findings from the DPA on Direct Marketing (article in Hungarian) – Jogifórum
  • 2014: Key Year in Data Protection (article in Hungarian) – Napi Gazdaság
  • Hungarian DPA Suggests Refinements in IT Policies – The Privacy Adivsor
  • CMS: 2014 – New Target Date of the EU’s Data Protection Reform (article in Hungarian) – Origo
  • DPA Sets Out New Guidelines for Data Processing Agreements - World Data Protection Report
  • "We've got a guy who wants to talk, but he's constrained." – Whistleblowing Rules in the Private Sector (article in Hungarian) – Jogifórum
  • CMS: The Employee may Report Unlawful Practices in a More Secure Way (article in Hungarian) – Origo
  • New Whistle-Blowing Law Introduces New Personal Data Protection Rules - World Data Protection Report
  • New Whistleblowing Law Generates New Data Privacy Issues in Hungary – The Privacy Advisor
  • Highlights from the New DPA’s “Year One” – The Privacy Advisor
  • EU Data Protection Law – Important Changes for Companies and Authorities (1-2) (article in Hungarian) – Origo
  • "Keep bangin' on the wall of Fortress Europe" The Draft EU Data Protection Regulation (article in Hungarian) – Jogifórum
  • Cloud computing – Challenges for the Financial Players (article in Hungarian) – Tanácsadó Magazin
  • FATCA – Financial and Insurance Law Challenges from the USA (article in Hungarian) – Napi Gazdaság
  • Cookie Monster is here! Cookies and the Law – Jogifórum
  • Cloud Computing and the Law (article in Hungarian) – Napi Gazdaság
  • Data Security UK style – Cases at the ICO (article in Hungarian) – Jogifórum
  • Financial Supervisory Authority issues Circular for Hungarian Financial Institutions on the Use of Cloud Computing Technologies – The Privacy Advisor
  • Hungary – European Commission Investigates the Independence of New Data Protection Authority – The Privacy Advisor
more less

Lectures list

  • April 2016 - Bring Your Own Device – Own Devices, Shared Protection - Microsoft “Cloud Seminar – Standards, Own Devices and Legal Compliance”
  • March 2016 - The New EU Data Protection Regulation and how it affects the tasks and liabilities of companies - Management Training Centre 5th Data Protection Conference
  • January 2016 - IoT / e-commerce sector in CEE – the current state of play, trends, challenges and opportunities - Mega Mission 2016: Explore business opportunities in IoT/e-commerce in CEE
  • May 2015 - Hybrid Cloud Computing Services – Practical Tips for Contract Drafting - Microsoft – „How to Provide Top-notch Monthly IT Services?”
  • 2014-2016 - Several presentation on data protection, including cloud computing, big data, etc. - Direct Interactive Marketing Federation
  • 2014-2015 - New Data Privacy Rules for SMEs in the EU - Direct- and personal marketing, SME case studies – Fejér, Baranya, Csongrád County Chambers of Commerce
  • November 2014 - E-health – Regulatory Trends in Europe - Infotér Conference 
  • October 2014 - Big Data and Data Driven Economy in the EU - HVG Conference & Seminar – Big data in the Marketing
  • November 2013 - Smart Metering and Smart Laws - Infotér Conference
  • June 2013 - Big Data – Legal Issues in the Public Sector - Parliament of the Information Society
  • November 2012 - Regulating the Cloud - Internet Hungary
  • October 2012 - Cloud Computing in the Public Sector - Infotér Conference
  • June 2012 - Cloud Computing: Expectations and Concerns - Challenges in the cloud – Cloud Computing and Data Privacy, Legal Forum conference
  • May 2011 - Hot Topics in the Hungarian Data Protection Law and Practice – 2011 - DataGuidance – International Association of Privacy Professionals - 5th Annual European Data Protection Intensive
more less

Education

  • 2012 - LL.M. in U.S. and Global Business Law, Suffolk University, Law School, Hungary
  • 2007 - Postgraduate degree in Infocommunications Law and Technology, University of Pécs, Hungary
  • 2003 - Post-graduate degree in International Trade Law, University of European Studies, Italy
  • 2004 - Degree in Law, Eötvös Loránd University, Hungary
  • 2004 - Degree in Media Studies, University of Szeged, Hungary
more less
Intellectual Property

Márton is a senior counsel within the commercial team at CMS Budapest, focusing on data protection, intellectual property, commercial transactions and the TMT sector. He is also the Co-ordinator of the CEE Data Protection Practice (CMNO).

Márton has monitors the regulatory developments of intellectual property and other practice areas relevant to the TMC sector. He has experience in dealing with a wide range of IP issues (including trademarks, copyrights, patents and utility models) and IP dispute resolution/litigation matters, representing clients before the Hungarian Intellectual Property Office, the WIPO, the OHIM, the ordinary courts and other dispute resolution forums and advising in relation to the optimisation and safeguard of IP portfolios.

Márton has spent time working in-house at CMS’ clients. He completed a six month secondment at a global management consulting, technology services and outsourcing company, providing day-to-day legal advice in all projects of the company, working closely with local businesses and the company headquarter’s legal department. He also spent another six month secondment period at the CEE headquarters of a multinational American technology and services conglomerate.. He also completed a seven month secondment in the London headquarters of a global infrastructure, media and financial services company for the financial business unit as the member of the global data privacy team in 2014. Here, he advised on the privacy implications of new products and services, to implement privacy and bank secrecy risk control measures, to analyse global regulatory proposals, and to assist in the development of the data protection compliance programme, including the review of policies and tools.

more less

"He manages matters absolutely smoothly and is very helpful and always available."

Chambers, 2021

Relevant experience

  • Multinational American technology and services conglomerate on day-to-day legal matters on region wide commercial, employment, consumer protection, data protection, competition, public procurement and miscellaneous technology-related issues. Drafting supply, service level, maintenance, standard and specific software development, project and other IT contracts.
  • Samsung Electronics on negotiations and disputes regarding copyright levies with the Hungarian Bureau for the Protection of Authors’ Rights and the Reprographic Society, domain dispute procedures before various out-of-court organisations, day-to-day IP advice in relation to web shops, drafting license agreements. Advised the client in relation to enforcing its rights to trademarks and copyrights both online and offline; drafting proper IP agreements to be used with their commercial partners or the amendments of IP law affecting the client’s business.
  • Magyar Telekom on day-to-day IP matters and advice on the acquisition of a wide range of copyright and neighbouring right protected contents (television channels for distribution, television programs for broadcast on the client's television channel, mobile content for sale to the customers, content for offering via on demand services, production of television programs, articles and other content to be published on the client’s websites).
  • A leading technology company on the manufacturing, advertisement and distribution of electronic goods in relation to providing intellectual property, general commercial and regulatory advice.
  • A Hungarian low cost airline on the registration of trademarks, handling international trademark portfolio, domain dispute procedures before various out-of-court organisations, representing the client in the course of IP infringements in digital environment.
more less

Memberships & Roles

  • Founding member of the Data Protection Board of the Direct and Interactive Marketing Association
  • Member, Budapest Bar Association
more less

Education

  • 2012 - LL.M. in U.S. and Global Business Law, Suffolk University, Law School, Hungary
  • 2007 - Postgraduate degree in Infocommunications Law and Technology, University of Pécs, Hungary
  • 2003 - Post-graduate degree in International Trade Law, University of European Studies, Italy
  • 2004 - Degree in Law, Eötvös Loránd University, Hungary
  • 2004 - Degree in Media Studies, University of Szeged, Hungary
more less
Commercial

Márton is a senior counsel within the commercial team at CMS Budapest, focusing on data protection, intellectual property, commercial transactions and the TMT sector. He is also the Co-ordinator of the CEE Data Protection Practice (CMNO).

He has substantial experience in drafting and negotiating general commercial and IT contracts, advertising, sponsorship and marketing, outsourcing, distribution and franchise agreements, commercial regulatory matters as well as data protection, privacy law and internet law issues.

Márton has spent time working in-house at CMS’ clients. He completed a six month secondment at a global management consulting, technology services and outsourcing company, providing day-to-day legal advice in all projects of the company, working closely with local businesses and the company headquarter’s legal department. He also spent another six month secondment period at the CEE headquarters of a multinational American technology and services conglomerate.. He also completed a seven month secondment in the London headquarters of a global infrastructure, media and financial services company for the financial business unit as the member of the global data privacy team in 2014. Here, he advised on the privacy implications of new products and services, to implement privacy and bank secrecy risk control measures, to analyse global regulatory proposals, and to assist in the development of the data protection compliance programme, including the review of policies and tools.

more less

"He manages matters absolutely smoothly and is very helpful and always available."

Chambers, 2021

Relevant experience

  • A multinational computer, technology and IT consulting corporation on day-to-day legal matters on region wide commercial, consumer protection, data protection and miscellaneous technology-related issues. Drafting supply, service level, maintenance, standard and specific software development, project and other IT contracts. Supporting IT contract controlling and IT infrastructure library. 6 month secondment at the client’s CEE headquarters in Vienna, supporting the regional legal department.
  • Microsoft on all commercial issues, including general commercial and data protection matters.
  • A leading multinational consumer electronics company on general commercial matters, IP, advertisement, competition, employment, data protection and regulatory issues. Significant works include: the introduction of an on-line music downloading service, the establishment and use of a customer / concerned customer database, drafting general terms and conditions and contractual templates, after-sales consumer service regulations, rules on the acceptance of fully functional or faulty goods, prevention of unfair or anti-competitive market practices, domain name disputes, introduction of anti-bribery procedures, and the establishment of a video hub.
  • A leading technology company on the manufacturing, advertisement and distribution of electronic goods in relation to providing general commercial and regulatory advice. General advice on competition, IP, environmental and product compliance, accomplishment of a product recall in the CEE, compliance with rules on digital switchover, the use of e-signatures and day-to-day e-commerce, compliance with the R&TTE Directive and other special technical regulations, and drafting and negotiating contracts with distributors. Other significant works include: product labelling, product safety, packaging, product charges, energy efficiency, pricing, noise protection, hygienic tests, waste management, warranty obligations, and product liability.
  • Samsung Electronics on all commercial issues, including general commercial matters and regulatory s, as well as establishment of numerous companies, providing day to day legal advice regarding its operations in Hungary.
  • Electronic Arts on general commercial matters and various regulatory issues on a regular basis.
more less

Education

  • 2012 - LL.M. in U.S. and Global Business Law, Suffolk University, Law School, Hungary
  • 2007 - Postgraduate degree in Infocommunications Law and Technology, University of Pécs, Hungary
  • 2003 - Post-graduate degree in International Trade Law, University of European Studies, Italy
  • 2004 - Degree in Law, Eötvös Loránd University, Hungary
  • 2004 - Degree in Media Studies, University of Szeged, Hungary
more less
Get in contact with

Feed

03 May 2021
Hun­gary: HUF 10 m fine levied for data breach re­lated to COV­ID-19 rap­id...
The Hun­gari­an Na­tion­al Au­thor­ity for Data Pro­tec­tion and Free­dom of In­form­a­tion (NAIH) has im­posed a HUF 10 mil­lion fine on the 11th Dis­trict Pub­lic Health De­part­ment of the Gov­ern­ment Of­fice of the Cap­it­al...
13 May 2021
Vac­cin­a­tion cer­ti­fic­ate, test­ing, mon­it­or­ing
CMS is de­lighted to in­vite you to an on­line meet­ing where CMS’s col­leagues will dis­cuss key con­sid­er­a­tions and les­sons learnt dur­ing pan­dem­ic with leg­al, pri­vacy and HR lead­ers from ma­jor com­pan­ies.Top­ics...
26 April 2021
European Com­mis­sion pro­poses first leg­al frame­work on AI
Over the last two years, the EU has paved the way for a uni­form leg­al frame­work for the de­vel­op­ment, mar­ket­ing and use of AI that con­forms with Uni­on val­ues. As a res­ult, on 21 April 2021 the European...
14 April 2021
Di­git­al Ser­vices Act (DSA): A new leg­al frame­work for the plat­form eco­nomy
The European Com­mis­sion has is­sued the draft pro­pos­al for the Reg­u­la­tion on a Single Mar­ket for Di­git­al Ser­vices (Di­git­al Ser­vices Act, the “DSA”), which cre­ates a new leg­al frame­work for di­git­al ser­vices, amends the e-Com­merce Dir­ect­ive, and pre­pares the EU law for new and in­nov­at­ive in­form­a­tion so­ci­ety di­git­al ser­vices.The DSA sets out uni­form, har­mon­ised rules for in­ter­me­di­ary ser­vice pro­viders (the “ISPs”) to foster in­nov­a­tion, growth and com­pet­it­ive­ness, to bet­ter pro­tect con­sumers and their fun­da­ment­al rights on­line, to en­sure a safe, pre­dict­able and trus­ted on­line en­vir­on­ment, to of­fer more choices for users and less ex­pos­ure to il­leg­al con­tent, to provide ac­cess to busi­ness users to EU-wide mar­kets through plat­forms, and to fa­cil­it­ate the scal­ing up of smal­ler plat­forms, SMEs and start-ups. The new draft rules es­tab­lish:a frame­work for the con­di­tion­al ex­emp­tion from li­ab­il­ity of ISPs;rules on spe­cif­ic due di­li­gence and oth­er ob­lig­a­tions tailored to dif­fer­ent cat­egor­ies of ISPs;law en­force­ment rules and a new re­gime for co­oper­a­tion of and co­ordin­a­tion between the com­pet­ent au­thor­it­ies. 1. Which di­git­al ser­vice pro­viders are covered? The DSA cov­ers those ISPs, wheth­er es­tab­lished in or out­side the EU, that provide in­ter­me­di­ary ser­vices such as con­duit ser­vices, cach­ing ser­vices, host­ing ser­vices to re­cip­i­ents (users, busi­ness users, con­sumers, in­di­vidu­als and leg­al en­tit­ies us­ing the in­ter­me­di­ary ser­vices) hav­ing an es­tab­lish­ment or res­id­ence in the EU.The defin­i­tions of con­duit, cach­ing and host­ing ser­vice pro­viders re­mained the same as in the e-Com­merce Dir­ect­ive; the DSA only re­peats those e-Com­merce Dir­ect­ive defin­i­tions word-for-word.The draft reg­u­la­tion con­tains spe­cial ob­lig­a­tions for on­line plat­form host­ing pro­viders and very large plat­forms as a spe­cial cat­egory of on­line plat­forms, and defines those host­ing ser­vices as fol­lows:On­line plat­forms are pro­viders of host­ing ser­vices which store and make avail­able in­form­a­tion to the pub­lic at the re­quest of a re­cip­i­ent of the ser­vice, e.g. on­line mar­ket­places, app stores, col­lab­or­at­ive eco­nomy plat­forms and so­cial me­dia plat­forms. However, if stor­ing or mak­ing in­form­a­tion avail­able to the pub­lic is a minor and an­cil­lary fea­ture of an­oth­er ser­vice, and can­not be used without that oth­er ser­vice for ob­ject­ive and tech­nic­al reas­ons, the ser­vice does not qual­i­fy as an on­line plat­form. This is the situ­ation with the com­ment sec­tion in an on­line news­pa­per or email and private mes­saging ser­vices.Very large on­line plat­forms are on­line plat­forms which provide their ser­vices to a num­ber of av­er­age monthly act­ive re­cip­i­ents of the ser­vice in the EU equal to or high­er than 45 mil­lion. The list of very large on­line plat­forms is pub­lished in the Of­fi­cial Journ­al of the EU. 2. No change in the li­ab­il­ity of ISPs for in­form­a­tion stored or trans­mit­ted in their ser­vices The DSA does not change the li­ab­il­ity re­gime of ISPs for il­leg­al con­tent. It only re­peats the li­ab­il­ity pro­vi­sions of the e-Com­merce Dir­ect­ive word-for-word and also main­tains the e-com­merce rule that ISPs do not have a gen­er­al ob­lig­a­tion to mon­it­or the in­form­a­tion they trans­mit or store, or to act­ively seek facts or cir­cum­stances in­dic­at­ing il­leg­al activ­ity.As an ad­di­tion, the draft reg­u­la­tion stip­u­lates that ISPs can still refer to the ex­emp­tion of li­ab­il­ity even if they con­duct vol­un­tary self-ini­ti­ated in­vest­ig­a­tions or oth­er activ­it­ies aimed at de­tect­ing, identi­fy­ing and re­mov­ing, or dis­abling ac­cess to, il­leg­al con­tent, or take the ne­ces­sary meas­ures to com­ply with the re­quire­ments of EU law. 3. What are the new ob­lig­a­tions? The DSA stip­u­lates new ob­lig­a­tions on ISPs at dif­fer­ent levels. Com­mon ob­lig­a­tions ap­ply to all kind of ISPs, in­clud­ing on­line plat­forms and very large on­line plat­forms. Host­ing pro­viders have ad­di­tion­al ob­lig­a­tions, and the DSA con­tains spe­cial ob­lig­a­tions for on­line plat­forms com­pared to oth­er host­ing ser­vices. In ad­di­tion, very large on­line plat­forms have fur­ther ob­lig­a­tions to man­age sys­tem­ic risks. 3.1 Com­mon ob­lig­a­tions ap­plic­able to all ISPs Provid­ing in­form­a­tion to au­thor­it­ies based on or­ders: if an ISP re­ceives an or­der from an au­thor­ity to act against il­leg­al con­tent, the ISP must in­form the au­thor­ity without un­due delay about the ac­tions it takes and the time of those ac­tions. Fur­ther­more, if the ISP re­ceives an or­der to provide in­form­a­tion about a spe­cif­ic in­di­vidu­al re­cip­i­ent of a ser­vice, the ISP must con­firm the re­ceipt of the or­der to the au­thor­ity without un­due delay and must provide the re­ques­ted in­form­a­tion with cer­tain lim­it­a­tions.Des­ig­nat­ing points of con­tact and leg­al rep­res­ent­at­ives: ISPs must es­tab­lish a single point of con­tact for dir­ect elec­tron­ic com­mu­nic­a­tion with the au­thor­it­ies and pub­lish it. Fur­ther­more, ISPs not es­tab­lished in the EU but of­fer­ing ser­vices in the EU must des­ig­nate in writ­ing a leg­al rep­res­ent­at­ive (to­geth­er with its name and con­tact de­tails) in one of the EU coun­tries where the ISP of­fers ser­vices for re­ceipt, ex­e­cu­tion and en­force­ment of au­thor­ity de­cisions and for co­oper­a­tion with the au­thor­it­ies. This des­ig­nated leg­al rep­res­ent­at­ive can be held li­able for non-com­pli­ance with ob­lig­a­tions un­der the DSA.In­dic­at­ing re­stric­tions in terms: all re­stric­tions (in­clud­ing con­tent mod­er­a­tion, al­gorithmic de­cision-mak­ing, and hu­man re­view rules) re­lated to the use of ISPs’ ser­vices re­gard­ing in­form­a­tion provided by the re­cip­i­ents must be in­cluded in the terms and con­di­tions of the ser­vices.Pub­lish­ing an­nu­al trans­par­ency re­ports: ISPs must pub­lish de­tailed an­nu­al re­ports of any con­tent mod­er­a­tion they en­gaged in dur­ing the rel­ev­ant peri­od. These re­ports must in­clude, among oth­ers, cer­tain in­form­a­tion on the or­ders from au­thor­it­ies, no­tices on il­leg­al con­tent and com­plaints re­ceived by the ISP, as well as on con­tent mod­er­a­tion by the ISP. 3.2 Ad­di­tion­al ob­lig­a­tions on all host­ing pro­viders Man­aging no­tices on il­leg­al con­tents: the host­ing pro­vider must in­tro­duce eas­ily ac­cess­ible, user-friendly elec­tron­ic pro­cesses for man­aging no­tices on il­leg­al con­tents. The DSA lists the man­dat­ory ele­ments of such a no­tice. The host­ing pro­vider must con­firm the re­ceipt of such no­tice in a re­spond­ing email and no­ti­fy the claimant of its de­cision without un­due delay.Provid­ing reas­on­ing for de­cisions: if the host­ing pro­vider de­cides to re­move or make un­avail­able any il­leg­al con­tent provided by the re­cip­i­ent, it must in­form the re­cip­i­ent of the de­cision and give clear reas­on­ing for that de­cision. This reas­on­ing must con­tain all man­dat­ory ele­ments lis­ted in the DSA. The de­cision must be pub­lished in an an­onymised way in the Com­mis­sion’s pub­lic data­base. 3.4 Spe­cial ob­lig­a­tions of on­line plat­forms The pro­vi­sions ap­plic­able to on­line plat­forms can­not be ap­plied to SME on­line plat­forms. The fol­low­ing ad­di­tion­al ob­lig­a­tions ap­ply to on­line plat­forms, in­clud­ing very large on­line plat­forms:Com­plaint man­age­ment sys­tem: on­line plat­forms must main­tain an in­tern­al, user-friendly, eas­ily ac­cess­ible elec­tron­ic com­plaint man­age­ment sys­tem and must grant ac­cess to it to the re­cip­i­ents. The re­cip­i­ents can sub­mit com­plaints elec­tron­ic­ally here against the on­line plat­form’s de­cisions on their il­leg­al con­tent.Out of court dis­pute set­tle­ment: re­cip­i­ents af­fected by an on­line plat­form’s de­cision on il­leg­al con­tent are en­titled to turn to an out-of-court body cer­ti­fied by the di­git­al ser­vice co­ordin­at­or. The on­line plat­forms are bound by the de­cision of this body. The DSA con­tains the de­tailed rules for the pro­ceed­ings and the de­cisions of this cer­ti­fied body.Pri­or­ity for trus­ted flag­gers: on­line plat­forms must pro­cess the no­tices on il­leg­al con­tent sub­mit­ted by trus­ted flag­gers with pri­or­ity. The di­git­al ser­vice co­ordin­at­ors are en­titled to qual­i­fy an en­tity as a trus­ted flag­ger if all con­di­tions lis­ted in the DSA are met. The list of trus­ted flag­gers is pub­lished in the Com­mis­sion’s pub­licly avail­able data­base.Meas­ures against ab­us­ive no­tices and counter-no­tices: on­line plat­forms must sus­pend their ser­vices to re­cip­i­ents that fre­quently provide mani­festly il­leg­al con­tent. Fur­ther­more, on­line plat­forms must also sus­pend the pro­cessing of no­tices and com­plaints sub­mit­ted by per­sons that fre­quently sub­mit no­tices or com­plaints that are mani­festly un­foun­ded. The DSA con­tains de­tailed rules for the cir­cum­stances to be as­sessed in the case of such sus­pen­sion.Re­port­ing sus­pi­cions of crim­in­al of­fences: on­line plat­forms must promptly in­form the mem­ber states’ com­pet­ent law en­force­ment au­thor­it­ies, or in cer­tain cases Euro­pol, if they be­come aware of any sus­pi­cion of a crim­in­al of­fence in­volving a threat to the life or safety of per­sons has taken place, is tak­ing place or is likely to take place.Know Your Busi­ness Cus­tom­er: on­line plat­forms must identi­fy their traders pro­mot­ing mes­sages or of­fer­ing products or ser­vices to EU con­sumers, and must ob­tain in­form­a­tion about them lis­ted in the DSA, among oth­ers the name, con­tact de­tails, re­gis­tra­tion num­ber, copy of the ID card of the trader. More de­tailed trans­par­ency re­ports: on­line plat­forms must in­clude ad­di­tion­al in­form­a­tion in their an­nu­al trans­par­ency re­port, such as in­form­a­tion about out-of-court dis­putes, sus­pen­sions, and auto­mated con­tent mod­er­a­tion. Fur­ther­more, on­line plat­forms must pub­lish in­form­a­tion at least once every six months on the av­er­age monthly act­ive re­cip­i­ents of the ser­vice in each EU coun­try.User-fa­cing trans­par­ency of on­line ad­vert­ising: on­line plat­forms must en­sure that ad­vert­ise­ments dis­played in their ser­vices con­tain in­form­a­tion that this is an ad­vert­ise­ment, who is the ad­vert­iser, and the tar­get audi­ence of the ad­vert­ise­ments. 3.5 Very large on­line plat­forms’ spe­cial ob­lig­a­tions for man­aging sys­tem­ic risks The draft reg­u­la­tion con­tains the fol­low­ing spe­cial ob­lig­a­tions for very large on­line plat­forms for man­aging sys­tem­ic risks:Risk man­age­ment ob­lig­a­tions: very large on­line plat­forms must con­duct an­nu­al risk as­sess­ments on the sig­ni­fic­ant sys­tem­ic risks stem­ming from the func­tion­ing and use of their ser­vices in the EU. Fur­ther­more, based on these risk as­sess­ments, they must put in place reas­on­able, pro­por­tion­ate and ef­fect­ive risk mit­ig­a­tion meas­ures for the sys­tem­ic risks they identi­fy. The DSA con­tains a de­tailed list of those risk-mit­ig­a­tion meas­ures.Ex­tern­al risk audit­ing and pub­lic ac­count­ab­il­ity: very large on­line plat­forms must con­duct an­nu­al audits on com­pli­ance with the DSA and the code of con­duct via an in­de­pend­ent, ex­tern­al pro­fes­sion­al aud­it­or. The aud­it­or must is­sue a writ­ten audit re­port in­clud­ing the man­dat­ory ele­ments lis­ted in the DSA in writ­ing.Trans­par­ency of re­com­mend­er sys­tems: if a very large on­line plat­form uses a re­com­mend­er sys­tem, it must in­clude the main para­met­ers of and cer­tain in­form­a­tion about this sys­tem in its terms and con­di­tions, and must en­sure op­tions for users not in­volving pro­fil­ing.More trans­par­ency in on­line ad­vert­ising: very large on­line plat­forms must make pub­licly avail­able, through APIs, an an­onymised re­pos­it­ory about the on­line ad­vert­ise­ments dis­played on the plat­form. The re­pos­it­ory must con­tain the con­tent of the ad­vert­ise­ments, each ad­vert­iser’s name, the peri­od when each ad­vert­ise­ment was dis­played, and cer­tain in­form­a­tion about the tar­get audi­ence of each ad­vert­ise­ment.Data shar­ing with au­thor­it­ies and re­search­ers: very large on­line plat­forms must provide ac­cess to the data to the di­git­al ser­vice co­ordin­at­or or the Com­mis­sion for mon­it­or­ing and as­sess­ing com­pli­ance with the DSA, and must grant ac­cess to the data to vet­ted aca­dem­ic, in­de­pend­ent re­search­ers for con­duct­ing re­search that con­trib­utes to the iden­ti­fic­a­tion and un­der­stand­ing of sys­tem­ic risks. Data ac­cess must be en­sured via APIs or on­line data­bases.Com­pli­ance of­ficer: very large on­line plat­forms must ap­point at least one pro­fes­sion­al com­pli­ance of­ficer to mon­it­or com­pli­ance with the DSA. The com­pli­ance of­ficer’s name and con­tact de­tails must be provided to the di­git­al ser­vice co­ordin­at­or and the Com­mis­sion.Ad­di­tion­al trans­par­ency re­port­ing du­ties: very large on­line plat­forms must pub­lish trans­par­ency re­ports every six months and must pub­lish and sub­mit ad­di­tion­al re­ports lis­ted in the DSA to the di­git­al ser­vice co­ordin­at­or and the Com­mis­sion. 4. Com­pet­ent au­thor­it­ies, for­um shop­ping All EU mem­ber states must des­ig­nate a com­pet­ent na­tion­al en­force­ment au­thor­ity for the DSA and the same or an­oth­er au­thor­ity as the di­git­al ser­vice co­ordin­at­or. Each di­git­al ser­vice co­ordin­at­or has the power of in­vest­ig­a­tion and is en­titled to de­mand in­form­a­tion from the ISPs and any oth­er per­son on sus­pec­ted in­fringe­ments of the DSA, to carry out on-site in­spec­tions, to ask staff of the ISPs to give ex­plan­a­tions, to or­der the ces­sa­tion of an in­fringe­ment, to im­pose fines, and to ad­opt in­ter­im meas­ures.The EU mem­ber state in which the main es­tab­lish­ment of the ISP is loc­ated will have jur­is­dic­tion over the ISP. If an ISP does not have an es­tab­lish­ment in the EU but of­fers ser­vices in the EU, it will be deemed to be un­der the jur­is­dic­tion of the EU mem­ber state where its leg­al rep­res­ent­at­ive resides or is es­tab­lished, which en­ables for­eign ISPs to choose the EU jur­is­dic­tion by des­ig­nat­ing its leg­al rep­res­ent­at­ive. If the ISP fails to ap­point a leg­al rep­res­ent­at­ive, all EU mem­ber states will have jur­is­dic­tion over that ISP.The DSA es­tab­lishes the European Board for Di­git­al Ser­vices, an in­de­pend­ent ad­vis­ory group of di­git­al ser­vice co­ordin­at­ors on the su­per­vi­sion of ISPs with ad­vis­ory tasks for di­git­al ser­vice co­ordin­at­ors and the Com­mis­sion.The DSA in­tro­duces en­hanced su­per­vi­sion for very large plat­forms. In this case, the di­git­al ser­vices co­ordin­at­or will con­sider all opin­ions and re­com­mend­a­tions of the European Board for Di­git­al Ser­vices and the Com­mis­sion. The Com­mis­sion and the Board is en­titled to re­com­mend that the di­git­al ser­vice co­ordin­at­or in­vest­ig­ates the in­fringing activ­ity. The Com­mis­sion is en­titled to ini­ti­ate its own pro­ceed­ings against a very large on­line plat­form in cases defined in the DSA. The DSA con­tains spe­cial rules for pro­ceed­ings ini­ti­ated by the Com­mis­sion against a very large plat­form, with spe­cial pro­ced­ur­al rights and ob­lig­a­tions. 5. Sanc­tions The DSA does not con­tain an ex­haust­ive list of sanc­tions for an in­fringe­ment of the reg­u­la­tion; the Mem­ber States will set out the rules on sanc­tions. The draft reg­u­la­tion defines the fol­low­ing max­im­um amount of pen­al­ties:6% of the an­nu­al in­come or turnover of the ISP for in­fringing the ob­lig­a­tions in the DSA;1% of the an­nu­al in­come or turnover of the ISP for sup­ply­ing in­cor­rect, in­com­plete or mis­lead­ing in­form­a­tion, fail­ing to reply or rec­ti­fy in­cor­rect, in­com­plete or mis­lead­ing in­form­a­tion, and fail­ing to sub­mit to an on-site in­spec­tion;5% of the av­er­age daily turnover in the pre­ced­ing fin­an­cial year per day, cal­cu­lated from the date ap­poin­ted by the de­cision in the case of daily, peri­od­ic pen­alty pay­ments. 6. Next steps The European Par­lia­ment and Mem­ber States will dis­cuss the Com­mis­sion’s pro­pos­al ac­cord­ing to the or­din­ary le­gis­lat­ive pro­ced­ure, which will take at least 18 months. Once ad­op­ted, the DSA will dir­ectly ap­ply across the EU and ISPs will have three months to pre­pare for the new leg­al re­gime.We will con­tinu­ously mon­it­or the status of the le­gis­lat­ive pro­cess and keep you up­dated on any changes to the draft text of the DSA.
12 April 2021
EU Di­git­al Ser­vices Act gives new leg­al frame­work for plat­form eco­nomy
The European Com­mis­sion has is­sued the draft pro­pos­al for the Reg­u­la­tion on a Single Mar­ket for Di­git­al Ser­vices (Di­git­al Ser­vices Act or DSA), which cre­ates a new leg­al frame­work for di­git­al ser­vices...
06 April 2021
Hun­gary de­clares it law­ful to col­lect in­form­a­tion that a work­er is pro­tec­ted...
The NAIH, Hun­gary’s data pro­tec­tion au­thor­ity, has is­sued a guid­ance on how em­ploy­ers can law­fully de­term­ine wheth­er an em­ploy­ee is pro­tec­ted against COV­ID-19. Em­ploy­ers must ad­apt their in­tern­al policies...
06 April 2021
EU is­sues draft of Di­git­al Mar­kets Act aimed at cre­at­ing a new and fair...
The European Com­mis­sion has pub­lished a draft pro­pos­al for a new com­pet­i­tion law frame­work for large on­line plat­forms, called the Di­git­al Mar­kets Act (DMA). The Com­mis­sion pro­posed the DMA due to the...
01 April 2021
Di­git­al Mar­kets Act: a new and fair busi­ness frame­work for large plat­forms
The European Com­mis­sion has pub­lished the draft pro­pos­al for a new com­pet­i­tion law frame­work for large on­line plat­forms, called the Di­git­al Mar­kets Act (the “DMA”). The reas­on the Com­mis­sion pro­posed the DMA is that a small num­ber of large on­line plat­forms cap­ture the biggest share of over­all value gen­er­ated in Europe’s di­git­al eco­nomy, and these plat­forms have emerged by be­ne­fit­ting from sec­tor char­ac­ter­ist­ics such as strong net­work ef­fects, of­ten em­bed­ded in their own plat­form eco­sys­tems. These plat­forms rep­res­ent the key struc­tur­ing ele­ments in today’s di­git­al eco­nomy, in­ter­me­di­at­ing the ma­jor­ity of trans­ac­tions between end users and busi­ness users. A few large plat­forms in­creas­ingly act as gate­ways or gate­keep­ers between busi­ness users and end users, and en­joy a long-term, en­trenched po­s­i­tion, of­ten as a res­ult of the cre­ation of con­glom­er­ate eco­sys­tems around their core plat­form ser­vices, which re­in­forces ex­ist­ing entry bar­ri­ers.The DMA deals with those large on­line plat­forms act­ing as gate­keep­ers in di­git­al mar­kets. The DMA aims to en­sure that:these plat­forms be­have fairly on­line;in­nov­at­ors and tech­no­logy start-ups will have new op­por­tun­it­ies to com­pete and in­nov­ate in the on­line plat­form en­vir­on­ment without hav­ing to com­ply with un­fair terms and con­di­tions that lim­it their de­vel­op­ment;con­sumers will have more and bet­ter ser­vices to choose from, more op­por­tun­it­ies to switch their pro­vider if they so wish, dir­ect ac­cess to ser­vices, and fairer prices. Who are the gate­keep­ers? Gate­keep­ers are core plat­form ser­vices which meet the qual­it­at­ive and quant­it­at­ive cri­ter­ia set out in the DMA. Core plat­form ser­vices in­clude on­line in­ter­me­di­ation ser­vices, search en­gines, so­cial net­work­ing ser­vices, video-shar­ing plat­form ser­vices, num­ber-in­de­pend­ent in­ter­per­son­al com­mu­nic­a­tion ser­vices, op­er­at­ing sys­tems, cloud com­put­ing ser­vices, ad­vert­ising ser­vices in­clud­ing any ad­vert­ising net­works, ad­vert­ising ex­changes and any oth­er ad­vert­ising in­ter­me­di­ation ser­vices, provided by a pro­vider of any of the core plat­form ser­vices lis­ted above.A core plat­form ser­vice qual­i­fies as a gate­keep­er, if:it has a sig­ni­fic­ant im­pact on the in­tern­al mar­ket, which is pre­sumed if it achieves an an­nu­al EEA turnover equal to or above EUR 6.5 bil­lion in the three pre­ced­ing fin­an­cial years, or where the av­er­age mar­ket cap­it­al­isa­tion or the equi­val­ent fair mar­ket value of the un­der­tak­ing to which it be­longs amoun­ted to at least EUR 65 bil­lion in the pre­ced­ing fin­an­cial year, and it provides a core plat­form ser­vice in at least three Mem­ber States;it op­er­ates a core plat­form ser­vice which serves as an im­port­ant gate­way for busi­ness users to reach end users, which is pre­sumed if it has more than 45 mil­lion monthly act­ive end users es­tab­lished or loc­ated in the Uni­on and more than 10,000 yearly act­ive busi­ness users es­tab­lished in the EU in the pre­ced­ing fin­an­cial year;it en­joys a long-term, en­trenched po­s­i­tion in its op­er­a­tions or it is fore­see­able that it will en­joy such po­s­i­tion in the near fu­ture, which is pre­sumed if the thresholds in point b) were met in each of the three pre­ced­ing fin­an­cial years.   What are the gate­keep­ers’ main ob­lig­a­tions? Do’s and Don’ts     What kind of tools and powers do the Com­mis­sion and oth­er bod­ies have? The DMA grants powers and dif­fer­ent pro­ced­ur­al rights to the European Com­mis­sion and es­tab­lishes the Di­git­al Mar­kets Ad­vis­ory Com­mit­tee for is­su­ing opin­ions in is­sues re­lated to the DMA.The DMA gives the Com­mis­sion the fol­low­ing powers:to des­ig­nate core plat­form ser­vices that meet the DMA cri­ter­ia as gate­keep­ers;to re­view ad-hoc the status of gate­keep­ers on re­quest or on its own;to re­view at two-year in­ter­vals the status of gate­keep­ers;to spe­cify meas­ures to be taken by gate­keep­er to com­ply with the DMA;to sus­pend cer­tain gate­keep­er ob­lig­a­tions un­der the DMA at a gate­keep­er’s re­quest, if the gate­keep­er demon­strates that com­pli­ance with that spe­cif­ic ob­lig­a­tion would en­danger its eco­nom­ic vi­ab­il­ity;to ex­empt a gate­keep­er from cer­tain ob­lig­a­tions un­der the DMA on the grounds of pub­lic mor­al­ity, pub­lic health or pub­lic se­cur­ity;to ini­ti­ate mar­ket in­vest­ig­a­tions:lower-ro­manto ex­am­ine wheth­er a pro­vider of core plat­form ser­vices should be des­ig­nated as a gate­keep­er;in­to sys­tem­at­ic non-com­pli­ance by a gate­keep­er;to ex­am­ine wheth­er cer­tain ser­vices in the di­git­al sec­tor should be ad­ded to the list of core plat­form ser­vices and identi­fy prac­tices that might lim­it the con­test­abil­ity of core plat­form ser­vices or might be un­fair.The DMA grants in­vest­ig­at­ive, en­force­ment and mon­it­or­ing powers to the Com­mis­sion dur­ing its pro­ceed­ings, based on which the Com­mis­sion is en­titled to:re­quest in­form­a­tion from any un­der­tak­ings and from the gov­ern­ments and au­thor­it­ies of EU mem­ber states;ac­cess data bases and al­gorithms;in­ter­view any private per­son or leg­al en­tity to col­lect in­form­a­tion re­lat­ing to the sub­ject-mat­ter of an in­vest­ig­a­tion;con­duct on-site in­spec­tions at the premises of any un­der­tak­ings, in­clud­ing to­geth­er with aud­it­ors and ex­perts;or­der in­ter­im meas­ures against a gate­keep­er on the basis of a prima facie find­ing of an in­fringe­ment of ob­lig­a­tions un­der the DMA;mon­it­or the ef­fect­ive im­ple­ment­a­tion and com­pli­ance with the ob­lig­a­tions un­der the DMA.   What will the sanc­tions for non-com­pli­ance be? If the Com­mis­sion ad­opts a non-com­pli­ance de­cision in which it finds that a gate­keep­er does not com­ply with one or more ob­lig­a­tions un­der the DMA, the Com­mis­sion may fine a gate­keep­er.The max­im­um amount of a fine is 10% of the total world­wide an­nu­al turnover of the gate­keep­er in the case of a ma­ter­i­al breach of the ob­lig­a­tions un­der the DMA, and a max­im­um 1% in the case of a less ser­i­ous breach of ob­lig­a­tions un­der the DMA.The Com­mis­sion is also en­titled to or­der peri­od­ic pen­alty pay­ments of up to 5% of the av­er­age daily turnover in cer­tain cases defined in the DMA.In the case of sys­tem­at­ic breaches of the DMA ob­lig­a­tions by gate­keep­ers, ad­di­tion­al rem­ed­ies may be im­posed after a mar­ket in­vest­ig­a­tion. Such rem­ed­ies will need to be pro­por­tion­ate to the of­fence com­mit­ted. If ne­ces­sary and as a last re­sort, non-fin­an­cial rem­ed­ies can be im­posed. These can in­clude be­ha­vi­our­al and struc­tur­al rem­ed­ies, e.g. the di­vestit­ure of (parts of) a busi­ness.   What are the next steps? The European Par­lia­ment and Mem­ber States will dis­cuss the Com­mis­sion’s pro­pos­al ac­cord­ing to the or­din­ary le­gis­lat­ive pro­ced­ure, which will take at least 18 months. Once ad­op­ted, the Act will dir­ectly ap­ply across the EU and the core plat­form ser­vice pro­viders will have six months to pre­pare for the new leg­al re­gime.We will con­tinu­ously mon­it­or the status of the le­gis­lat­ive pro­cess and keep you up­dated on any changes to the draft text of the DMA.
29 March 2021
EDPS & EDPB re­lease joint opin­ion on the Data Gov­ernance Act
On 10 March 2021, the EDPB and the EDPS re­leased their joint opin­ion on the Data Gov­ernance Act (DGA), the European Com­mis­sion’s Pro­pos­al for a Reg­u­la­tion on European data gov­ernance. The DGA is an...
24 March 2021
EDPB Guidelines on Vir­tu­al Voice As­sist­ants
The European Data Pro­tec­tion Board (EDPB) pub­lished its draft Guidelines 02/2021 on Vir­tu­al Voice As­sist­ants (VVAs), which are soft­ware ser­vices that take voice as an in­put, identi­fy and ex­ecute a com­mand...
19 March 2021
EDPB is­sues guidelines on Con­nec­ted Cars
After a pub­lic con­sulta­tion pro­ced­ure, the European Data Pro­tec­tion Board (EDPB) ad­op­ted and pub­lished the fi­nal ver­sion of Guidelines 01/2020 on the pro­cessing of per­son­al data in the con­text of con­nec­ted...
23 February 2021
Coronavir­us Pro­tec­tion Cer­ti­fic­ate
The Hun­gari­an gov­ern­ment has just is­sued De­cree No. 60/2021 (II.12.) on the Cer­ti­fic­a­tion of Pro­tec­tion Against Coronavir­us, set­ting down de­tailed rules on how in­di­vidu­als can prove that they are pro­tec­ted...