DLA Piper Intelligence
Data Protection Laws of the World

Hungary

Law

The EU Data Protection Directive 95/46/EC is currently implemented in Hungary by Act No. CXII of 2011 on Informational Self Determination and Freedom of Information which came into force on 1 January 2012 (‘Act’). Enforcement is through the National Authority for Data Protection and Freedom of Information (‘Authority’).

Last modified 25 Jan 2017
Definitions

Definition of personal data

Personal data shall mean any data relating to the data subject – in particular a name, an identification number, or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity – and any inference that can be drawn from such data about the data subject. Data remains personal data for as long as the link between the data and the data subject can be restored. The link is considered restorable if the data controller has the technical means necessary to restore it; conversely, data that the controller cannot, with its own technical capabilities, trace back to the data subject is not considered ‘personal data’.

Definition of sensitive personal data

Sensitive personal data shall mean:

  • personal data revealing racial, national or ethnic origin, political opinions and any affiliation with political parties, religious or philosophical beliefs, trade union membership or sex life, and
  • personal data concerning health, addictions, or criminal personal data.
Authority

National Authority for Data Protection and Freedom of Information
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.

T +36 1 391 1400
F +36 1 391 1410

http://www.naih.hu
ügyfélszolgálat@naih.hu

Registration

A data controller that intends to process personal data must first file a request for registration with the Authority; the processing must be entered in the Authority's register before it can begin. The Authority charges a registration fee. The amount has not yet been fixed, but it is expected to fall within the range of EUR 20–30.

Should the Authority fail to respond to a request for registration within 8 days of the filing of such a request, data processing may be commenced.

Processing of personal data relating to a data subject's employment, membership or customer relationship with the data controller is exempt from registration: no register is kept for it and no request can be filed. Financial institutions, community service providers and electronic communications service providers do not benefit from this exemption, ie they must register even where they process only the above categories of data.

The notification should include the following information:

  • the purpose of processing
     
  • the types of data and the grounds for processing
     
  • the categories of data subjects
     
  • the source
     
  • the categories of data transferred, the recipients and the grounds for transfer
     
  • the name and registered office of the data controller and the data processor, the place where records are stored and/or where processing is carried out, and the data processor’s activities in connection with data processing operations
     
  • the name and contact information for the internal data protection officer (if any), and
     
  • the applied technology for data processing.
Data Protection Officers

The following data controllers and data processors shall appoint or commission an internal data protection officer ('DPO') (holding a law degree, a degree in economics or computer sciences or an equivalent degree in higher education) who is to report directly to the head of the organisation:

  • Authorities that control or process personal data in respect of nationwide registers, or authorities that control or process employment or criminal records
     
  • Financial institutions, and
     
  • Telecommunications service providers and public utility companies

Although the Act does not require it, appointing a Hungarian resident as DPO is strongly recommended, because the DPO's tasks require continuous presence at, and availability to, the organisations listed above.

If a DPO is required, but the data controller or processor fails to appoint one, the Authority may take enforcement actions as detailed below. 

As a new institution effective from 1 January 2012, the head of the Authority will convene a conference of the DPOs at least once a year to discuss data protection related matters.

Collection & Processing

Personal data may be collected and processed if:

  • the data subject has given his or her consent, or
     
  • this is required by an Act or by a decree of the local municipality based on the authorisation conferred by an Act concerning the specific data as defined therein.

Personal data can also be processed if it is impossible to obtain the consent of the data subject or it would cause disproportionate costs and the processing is necessary:

  • for compliance with a legal obligation to which the controller is subject, or
     
  • for the purposes of the legitimate interests of a third party, or the controller itself, where the assertion of such interests is proportionate with the interference in data protection rights.

Sensitive data may be processed if:

  • the data subject has given his or her explicit consent in writing
     
  • it is necessary to enforce an obligation prescribed by an international treaty, or for the enforcement of a constitutional right set forth in the Fundamental Law of Hungary, or prescribed by an Act for national security or law enforcement purposes regarding personal data revealing racial, national or ethnic origin, political opinions and any affiliation with political parties, religious or philosophical beliefs, trade union membership or sex life, or
     
  • the data is required by an Act for the purpose of public order in the case of personal data concerning health, addictions, or criminal personal data.

Personal data may be processed only for specified and explicit purposes, where it is necessary for exercising certain rights or fulfilling certain obligations. This purpose must be satisfied in all stages of operations of data processing.

The personal data processed must be essential for the purpose for which it was collected, it must be suitable to achieve that purpose, and it may be processed to the extent and the duration necessary to achieve that purpose.

Transfer

Transferring personal data of data subjects within the EEA shall be considered as data transfer within Hungary. Transferring personal data to data processors within the EEA is possible without the consent of the data subjects. Under the Act a data processor is the person that is engaged in the processing of personal data on behalf of the controller, and the data processor is carrying out ‘the technical operations in connection with the data management.’ In practice an entity will be a data processor for the purposes of the Act where it acts on the basis of the instructions (on behalf) of the data controller and follows the predetermined rules and methodology set by the data controller.

The Act permits the transfer of personal data to third countries (ie countries outside the EEA) if the conditions (legal bases) for the data processing are satisfied (see above) and an adequate level of protection is afforded in the third country.

An adequate level of protection is afforded if: a) this is established by binding legislation of the European Union, b) an international agreement between the third country and Hungary so provides, or c) binding corporate rules are used within a group of companies. On this basis the EU model clauses may also afford adequate protection. Note, however, that following the Schrems decision of the Court of Justice of the European Union (C-362/14) the US-EU Safe Harbor regime is no longer regarded as a valid basis for transferring personal data to the US.

Security

Data controllers, and within their sphere of activity, data processors must ensure personal data protection and must implement technical and organisational measures, as well as adequate procedural rules to enforce the provisions of the Act and other regulations concerning confidentiality and security of data processing.

Personal data must be protected against unauthorised access, alteration, transfer, disclosure, deletion or destruction, against accidental deletion or damage, and against becoming inaccessible as a result of changes in the technology used.

Where several data processing solutions are available, the one providing the higher level of security for personal data must be chosen, unless this would impose a disproportionate burden on the data controller.

Breach Notification

There is no mandatory requirement in the Act to report data security breaches or losses to the Authority or to data subjects.

As an exception, however, electronic communications service providers must immediately report data security breaches to the National Media and Infocommunications Authority under Act 100 of 2003 on Electronic Communications.

Enforcement

Enforcement is through the National Authority for Data Protection and Freedom of Information. The Authority is led by its President, who is nominated by the Prime Minister and appointed by the President of the Republic for a term of 9 years.

The Authority has several instruments to enforce compliance, the most important being:

  • ordering the rectification of inaccurate personal data
  • ordering the blocking, deletion or destruction of unlawfully processed personal data
  • prohibiting the unlawful controlling or processing of personal data
  • prohibiting the transfer of personal data to foreign countries
  • ordering the notification of the data subject where the data controller unlawfully refused to do so, and
  • imposing a fine ranging from HUF 100,000 (approx. EUR 350) to HUF 10,000,000 (approx. EUR 35,000)
Electronic Marketing

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg an email address is likely to be ‘personal data’ for the purposes of the Act).

In addition, pursuant to Act 48 of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, unless specific other legislation provides otherwise, advertisements may be conveyed to natural persons by direct contact (‘direct marketing’), such as electronic mail or equivalent individual communications, only with the express prior consent of the person to whom the advertisement is addressed. The request for consent may not itself contain any advertisement other than the name and description of the company.

The statement of consent may be given in any way or form, provided that it contains the name of the person giving it and, where the advertisement to which the consent relates may be sent only to persons of a specific age, his or her place and date of birth. It may also contain any other personal data that the person giving the statement authorises for processing, and must indicate that it was given freely and with the necessary legal information.

The statement of consent may be withdrawn freely any time, free of charge and without any explanation. In this case all personal data of the person who has provided the statement must be promptly erased from the records and all advertisements must be stopped.

Pursuant to Act 100 of 2003 on Electronic Communications (‘EC Act’), the use of automated calling systems without human intervention, or of any other automated device, to initiate communication with a subscriber for the purposes of direct marketing, providing information, public opinion polling or market research is subject to the subscriber's prior consent.

Online Privacy

The EC Act deals with the collection of location and traffic data by public electronic communications services providers ('CSPs') and use of cookies (and similar technologies).

Traffic Data

Subject to certain specific exceptions set out in the EC Act (eg invoicing, collecting subscriber fees, law enforcement, national security and defence), traffic data relating to subscribers and users that CSPs process and store while providing such services must be erased or anonymised when it is no longer needed.

CSPs may use certain traffic data as referred to in the EC Act for the provision of value added services or for marketing purposes subject to the subscriber’s or user’s prior consent, to the extent necessary for the provision of such services or for marketing purposes. CSPs shall provide the possibility for users or subscribers to withdraw their consent at any time.

Location Data

CSPs shall be authorised to process location data only upon the prior consent of the subscribers or users to whom the data are related, and only to the extent and for the duration as it is necessary for the provision of value added services.

Users and subscribers shall have the right to withdraw their consent at any time.

CSPs shall be required to comply with any request for location information in connection with specific subscribers or users, if made by the investigating authority, the public prosecutor, the court or the national security service pursuant to the authorisation conferred in specific other legislation, to the extent required to discharge their respective duties.

Cookie Compliance

Pursuant to the EC Act, information may be stored on, or accessed from, the terminal equipment of a subscriber or user only with the user's or subscriber's prior consent, given on the basis of clear and comprehensive information that includes, among other things, the purpose of the processing.

The competent Hungarian Authorities have not issued any guidance on the interpretation of ‘consent’ or on how it should be obtained in practice. General practice is that consent can be obtained via browser settings; however, this has not yet been confirmed by any opinion or guidance of the Authorities.

Contacts
Zoltán Kozma
Senior Associate
T +36 1 510 1100