
NAIH Audit Checklist 2025: Complete Preparation Guide

Comprehensive NAIH audit preparation checklist based on Hungarian DPA enforcement patterns. Covers documentation, DSAR handling, security measures, and common findings.

Tags: NAIH, Audit, Hungary, GDPR, Compliance Checklist

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) conducts both complaint-driven and proactive audits. This checklist is based on published enforcement decisions and audit patterns to help Hungarian organizations prepare effectively.

Download our comprehensive NAIH Audit Checklist PDF for a printable version you can use during your compliance review.

Documentation Requirements

1. Record of Processing Activities (Adatkezelési Nyilvántartás)

  • Complete ROPA covering all processing activities
  • Separate controller and processor registers if applicable
  • Hungarian language documentation (or certified translations)
  • Regular review dates documented
  • Clear retention periods with legal justification

2. Privacy Notices (Adatkezelési Tájékoztatók)

  • Employee privacy notice
  • Customer/website privacy policy
  • Cookie notice with granular consent options
  • Vendor/supplier privacy notice
  • Job applicant privacy notice
  • All notices in Hungarian (mandatory for Hungarian operations)

3. Legal Basis Documentation

  • Consent records with timestamps and specific purposes
  • Legitimate Interest Assessments (balancing tests)
  • Contract necessity analysis for customer data
  • Legal obligation references (specific Hungarian laws)

Operational Compliance

4. Data Subject Rights (Érintetti Jogok)

  • Documented DSAR handling procedure
  • Response templates for each right type
  • Identity verification process
  • Evidence of 30-day response compliance
  • Escalation procedures for complex requests
  • Fee policy documentation (if applicable)

NAIH pays particular attention to DSAR response times. Late or inadequate responses are among the most common findings in Hungarian audits.

5. Data Breach Management

  • Breach detection and reporting procedure
  • Internal breach register (all breaches, not just reportable ones)
  • Evidence of 72-hour notification assessment
  • Templates for NAIH notification
  • Data subject notification templates
  • Post-breach review documentation

6. Third-Party Management

  • Data Processing Agreements with all processors
  • Due diligence records for processor selection
  • Sub-processor authorization and notification evidence
  • International transfer safeguards (SCCs, adequacy decisions)
  • Transfer Impact Assessments for third-country transfers

Technical and Security Measures

7. Access Controls

  • Role-based access control documentation
  • Access review logs
  • Privileged access management
  • Joiners/movers/leavers process
  • Multi-factor authentication where appropriate

8. Data Security

  • Encryption at rest and in transit
  • Backup and recovery procedures
  • Secure disposal/deletion procedures
  • Physical security measures
  • Security incident logging

Governance

9. DPO Requirements

  • DPO appointment documentation (if required)
  • DPO contact details published
  • Evidence of DPO independence
  • DPO activity records
  • NAIH DPO registration confirmation

10. Training and Awareness

  • Staff training records
  • Role-specific training for high-risk processing
  • Training completion documentation
  • Regular refresher training evidence

11. DPIA Requirements

  • DPIA screening process
  • Completed DPIAs for high-risk processing
  • DPO consultation evidence
  • Risk mitigation tracking
  • DPIA review schedule

Common NAIH Audit Findings

Based on published NAIH decisions, these are the most frequent compliance gaps:

  • Inadequate or missing privacy notices
  • Consent mechanisms without clear affirmative action
  • DSAR responses exceeding the 30-day deadline
  • Missing or incomplete ROPA
  • Insufficient legal basis documentation
  • Inadequate international transfer safeguards
  • Lack of data retention enforcement
  • Missing breach notification procedures

Preparing for the Audit

Conduct an internal audit using this checklist before NAIH contact. Identify gaps and create a remediation plan with realistic timelines.

  • Gather all documentation in a centralized, organized location
  • Prepare a data processing overview presentation
  • Brief relevant staff on audit procedures
  • Identify the primary audit contact person
  • Review recent NAIH enforcement decisions in your sector

Streamline Your NAIH Audit Preparation

Manual compliance tracking across spreadsheets and documents makes audit preparation stressful and error-prone. A centralized compliance platform ensures all documentation is current, accessible, and audit-ready.

MultiComply provides Hungarian-language templates, NAIH-aligned documentation formats, and integrated ROPA, DPIA, and DSAR management. Built by a Hungarian DPO for Hungarian compliance requirements. Start your free trial today.
