Lakatos, Köves and Partners Law Firm
What law(s) specifically govern personal data / information?
The principal data protection legislation in Hungary (and the EU) is the GDPR, which replaced Directive 95/46/EC.
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Data Protection Act”) contains (mostly procedural) provisions supplementing the GDPR and also regulates data processing activities not covered by the scope of the GDPR.
Several sectoral laws also contain data protection-related provisions, e.g. Act I of 2012 on the Labour Code and Act C of 2003 on Electronic Communications.
What are the key data protection principles in this jurisdiction?
Lawful basis for processing
The GDPR provides an exhaustive list of legal bases on which personal data may be processed:
- consent of the data subject for one or more specific purposes;
- contractual necessity;
- compliance with a legal obligation of the controller to perform the relevant processing;
- protection of the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).
The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:
- explicit consent of the affected data subject;
- the processing is necessary in the context of employment or social security law; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Transparency
Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
Data minimisation
The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date.
Storage limitation
Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were initially collected.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The controller is responsible for processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR.
What is the supervisory authority / regulator in charge of data protection?
National Authority for Data Protection and Freedom of Information (in Hungarian: “Nemzeti Adatvédelmi és Információszabadság Hatóság” or “NAIH” in short).
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
Yes.
The names and contact details of Data Protection Officers (DPO) must be notified to the NAIH online. This requirement applies irrespective of whether the appointment of the DPO is mandatory or voluntary.
In addition, the NAIH shall also be notified about personal data breaches.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes.
Information about the online DPO notification: https://naih.hu/adatvedelmi-tisztviselo-bejelento-rendszer
Information about the online data breach notification: https://naih.hu/adatvedelmi-incidensbejelento-rendszer
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
Right of access
A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.
Additionally, the data subject may request a copy of the personal data being processed.
Right to rectification of errors
Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.
Right to erasure/right to be forgotten
Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.
Right to restriction of processing
Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.
Right to data portability
Data subjects have the right to receive a copy of their personal data in a commonly used, machine-readable format, and to transfer their personal data from one controller to another or to have the data transmitted directly between controllers (Article 20 GDPR).
Right to object to processing
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or the legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject, or it requires the data in order to establish, exercise or defend legal claims.
Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
Right to withdraw consent
A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
Right to complain to the relevant data protection authority(ies)
Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.
Right not to be subject to automated individual decision-making
Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).
This is a summary only and there are some qualifications and limitations to these rights which may be relevant.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes.
Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:
- are a public authority or body (except for courts acting in their judicial capacity);
- have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- have core activities that consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily (which is encouraged by the Hungarian supervisory authority). In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes.
Pursuant to Article 35(1) GDPR, the controller is obliged, prior to the processing, to carry out a data protection impact assessment (“DPIA”) where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
According to Article 35(3) of the GDPR, a DPIA shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
- a systematic monitoring of a publicly accessible area on a large scale.
In addition to the mandatory cases provided for in Article 35(1) and (3) of the GDPR, taking into account the exceptions provided for in Article 35(10) of the GDPR, the controller is required to carry out a DPIA for the following processing operations:
- Where the processing of biometric data for the purpose of uniquely identifying a natural person refers to systematic monitoring;
- Where the processing of biometric data for the purpose of uniquely identifying a natural person concerns vulnerable data subjects, in particular, children, employees, and mentally vulnerable people;
- Where the processing of genetic data is carried out in connection with sensitive data or data of a highly personal nature;
- The purpose of the processing of genetic data is to evaluate or score a natural person;
- Scoring, where the purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or provision of the service provided and to be provided to the data subject;
- Credit rating, where the purpose of data processing is to assess the creditability of the data subject by way of evaluating personal data in large scale or systematically;
- Solvency rating, where the purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data in large scale or systematically;
- Further use of data collected from third persons (in order to make decisions to refuse or cancel a service provided to the data subject);
- The use of personal data of pupils and students for assessment;
- Profiling, where the purpose of data processing is profiling by way of evaluating personal data in large scale or systematically;
- Anti-fraud activity;
- Smart meters;
- Automated decision making producing legal effects or similarly significant effects;
- Systematic surveillance (Wi-Fi tracking, Bluetooth tracking or body cameras);
- Location data;
- Monitoring employee work;
- Processing of considerable amounts of special category personal data;
- Processing of considerable amounts of personal data for law enforcement purposes;
- Processing of large amounts of data related to vulnerable data subjects for purposes different from the original purpose, in the case of, e.g., the elderly, children, and mentally vulnerable people;
- Processing of the personal data of children for profiling, automated decision making, marketing purposes or providing them information society related services directly;
- The use of new technologies for data processing;
- Processing of health data on a large scale;
- When the data controller is planning to set up an application, tool, or platform for use by an entire sector that processes special category personal data; and
- The purpose of data processing is to combine data from various sources for matching and comparison purposes.
Does this jurisdiction have any specific data breach notification requirements?
Yes, the controller is obliged to report a personal data breach to the relevant data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s).
Furthermore, the controller is obliged to communicate the breach to the data subject if the breach is likely to result in a high risk to the rights and freedoms of natural persons. If the controller fails to comply with this obligation, the competent authority may require the controller to inform the data subject.
The controller may be exempt from notifying the data subject if the risk of harm is remote (e.g. because the affected data is encrypted), the controller has taken measures to minimise the risk of harm (e.g. suspending affected accounts) or the notification requires a disproportionate effort (e.g. a public notice of the breach).
If the controller is obliged to report a personal data breach to the competent authority and/or the data subject, it must contact them in both cases without undue delay (and, in the case of notification to the authority, within 72 hours of first becoming aware of the breach).
A processor must notify any data breach to the controller without undue delay. The notification must include a description of the nature of the personal data breach including the categories and number of data subjects concerned, the name and contact details of the data protection officer or relevant point of contact, the likely consequences of the breach and the measures taken to address the breach, including attempts to mitigate possible adverse effects.
The EDPB (European Data Protection Board) has issued guidelines on the data breach notification, detailing requirements for data breach notifications (Guidelines 01/2021 on Examples regarding Data Breach Notification).
What restrictions apply to the international transfer of personal data / information?
International data transfers (i.e. transfers to jurisdictions outside the European Economic Area (“EEA”)) can only take place if the transfer is covered by an “Adequacy Decision” or the recipient has implemented certain safeguards required by the GDPR.
The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada (commercial organisations); Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; the United Kingdom; the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay.
For a data transfer to all other countries, the controller is obliged to ensure compliance for international data transfers, as follows:
- The transfer may be based on Standard Contractual Clauses (“SCCs”). The SCCs, drafted by the EU Commission, may be adopted by controllers and processors. SCCs are available for transfers between controllers, and for transfers between a controller (as exporter) and a processor (as importer). Notwithstanding the use of the SCCs, before transferring data the controller must verify that an adequate level of data protection can indeed be ensured in the third country and, if necessary, take appropriate supplementary measures.
- The transfer may be based on contracts agreed between the data exporter and the data importer, provided that they meet the protection standards set out in the GDPR. In this case, prior approval by the relevant data protection authority is required.
- The transfer may be based on Binding Corporate Rules (“BCRs”), in particular within a group of entities. For BCRs prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding and enforced by every member in the group of entities.
- The transfer is covered by one of the permitted derogations set out in Article 49 of the GDPR (in the absence of an adequacy regulation or appropriate safeguard), such as the explicit consent of the data subject, the transfer is necessary for the performance of a contract between the data subject and data controller at the data subject's request or in the interest of the data subject, or the transfer is necessary for the establishment, exercise or defence of legal claims.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
With regard to its geographic scope, the GDPR combines the principles of establishment, market place and territoriality.
Pursuant to the principle of establishment, the GDPR is applicable for processing activities carried out in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.
Pursuant to the principle of the market place, the GDPR is applicable for the processing of personal data of data subjects situated in the EU by a controller or processor who is not situated in the EU, where the processing activities are related to (i) the offering of goods or services to such data subjects situated in the EU, irrespective of whether a payment of the data subject is required; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU (principle of the territoriality).
What rules specifically deal with marketing?
In Hungary, Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising Activity (“Advertising Act”) deals with marketing:
- The Advertising Act prohibits sending marketing messages without the prior and express consent of the data subject (i.e. the recipient of such messages) (except in the case described in point 4 below). Therefore, marketing messages cannot be sent on the basis of legitimate interest.
- The statement of consent may be made in any way or form, on condition that it contains the name of the person providing it and, if the advertisement to which the consent pertains may be disseminated only to persons of a specific age, his or her place and date of birth, as well as any other personal data authorised for processing by the person providing the statement, including an indication that it was given freely and in possession of the necessary legal information.
- Consent may be withdrawn at any time, without restriction, without giving reasons and free of charge. In this case, the name and all other personal data of the person making the statement must be immediately deleted from the relevant register, and no further advertising may be communicated to him/her.
Do different rules apply to business-to-business and business-to-consumer marketing?
The business recipient is not subject to the Advertising Act, unless it is clear that the recipient of the marketing message is receiving the message in a personal capacity rather than as a representative or employee of a legal entity.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
See answer above to question “What rules specifically deal with marketing?”.
What rules specifically deal with cookies?
Pursuant to Article 5 of the EU ePrivacy Directive, the storage of cookies (or other data) on an end user’s device requires prior consent.
Article 5 of the EU ePrivacy Directive has been implemented in Hungary in Section 155 of Act C of 2003 on Electronic Communications. According to Section 155(4) of this Act, “[o]n the electronic communication terminal equipment of a subscriber or user, information may be stored, or accessed, only upon the user’s or subscriber’s prior consent granted in possession of clear and comprehensive information about implications.”
What are the consequences of non-compliance with data protection laws (including marketing laws)?
In case of non-compliance with the data protection laws, the Hungarian supervisory authority (“NAIH”) may take various measures, such as issuing warnings, ordering the data processing operations to be brought into compliance with the GDPR and imposing a temporary or definitive limitation on processing, and may, instead of or in addition to these, impose an administrative fine. The administrative fine may be up to EUR 10,000,000 / 20,000,000 or, in the case of an undertaking, up to 2% / 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In Hungarian practice, however, the fines imposed are much lower. In fact, the NAIH does not immediately impose fines; it normally applies other measures first, based on an examination of several factors, e.g. the nature and severity of the breach. The highest fine imposed by the NAIH was HUF 250,000,000 (approx. EUR 630,000). In that case, the breach was committed by a bank against hundreds of thousands of its banking customers by analysing their voices without a proper legal basis and without informing the customers.
In case of non-compliance with the marketing laws, the National Media and Infocommunications Authority (NMHH) is competent, and it may take various measures, e.g. order the termination of the infringing situation, prohibit the continuation of the infringing conduct, and impose an administrative fine. The administrative fine may be between HUF 50,000 (approx. EUR 126) and HUF 500,000 (approx. EUR 1,260).
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?
Controllers and processors who are not established in the EEA are generally required under Article 27 of the GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3 of the GDPR, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.
There are no significant additional factors.
What upcoming data protection developments should multinational organisations be aware of?
ePrivacy Regulation: it was planned to replace the ePrivacy Directive currently in force, but its adoption was delayed for years. On 11 February 2025, the European Commission published its 2025 work programme, in which it announced the withdrawal of its proposal for the ePrivacy Regulation due to a lack of consensus on its adoption. The withdrawal means that the current ePrivacy Directive and its national transposition will remain in force. In Hungary, the National Media and Infocommunications Authority (NMHH) currently carries out the public authority tasks under the existing ePrivacy Directive.
EU Data Act (effective from 11 January 2024, most provisions directly applicable from 12 September 2025): as a “counterpart” to the Digital Governance Act, it regulates the inclusion of private sector data in the public sector and the sharing of data between private sector actors, in particular in the case of jointly generated data, and also explicitly enables users of data-generating network-connected devices to access their data and share it with third parties (right to data portability).
EU AI Act (effective from 1 August 2024, directly applicable in stages from 1 February 2025): it provides a uniform definition of AI systems at EU level, following the previous OECD definition, and sets different levels of obligations for producers, importers and users of AI through risk-based regulation. In addition to prohibited AI systems, it regulates high-risk and limited-risk AI systems. It does not impose additional obligations on low risk AI systems that do not fall into either category (e.g. spam filters). The AI Act establishes liability for the development and use of typically multi-stakeholder AI in a similar way to product liability rules, and fleshes out the information, transparency and accountability requirements already established in data protection law. To support innovation, it allows testing of AI in a regulatory sandbox and in real-life conditions, subject to certain safeguards (e.g. involvement of data protection authorities). The AI Act also establishes an extensive institutional set-up to address AI issues. It is still to be decided by Member States whether the AI monitoring authority will be separate and how it will fit in with other similar authorities.
Proposal for the simplification of the GDPR: On 21 May 2025, the European Commission introduced its fourth simplification Omnibus package (“Omnibus IV”). The package features a proposal to amend the GDPR by introducing a new category of companies, “small mid-cap enterprises” (“SMCs”), defined as those with fewer than 750 employees and either up to EUR 150 million in turnover or up to EUR 129 million in total assets. By comparison, small enterprises have fewer than 50 employees and an annual turnover of up to EUR 10 million, while medium enterprises are those with fewer than 250 employees and an annual turnover of up to EUR 50 million (together: “SMEs”). The goal of introducing this category, and the goal of Omnibus IV more broadly, is to ease the transition of companies from the SME to the SMC stage by reducing administrative burdens. For example, the proposal broadens the existing derogation under Article 30(5) GDPR, exempting companies (including SMCs) with fewer than 750 employees from maintaining records of processing activities, except where such processing poses a high risk to individuals' rights and freedoms. Furthermore, it expands the scope of Articles 40 and 42 GDPR (which relate to codes of conduct and certification) to explicitly include the needs of both SMEs and SMCs. Given that the draft regulation amending the GDPR described above is still at the proposal stage, it may not be formally adopted until the end of 2026 at the earliest.