Lakatos, Köves & Partners
The following law(s) specifically govern personal data / information:
Act CXII of 2011 - on the Right of Informational Self-Determination and on Freedom of Information
The key data protection principles in this jurisdiction are:
- purpose limitation principle right of access;
- necessity principle; and
- data minimization principle.
The supervisory authority / regulator in charge of data protection is:
National Authority for Data Protection and Freedom of Information (in Hungarian: “Nemzeti Adatvédelmi és Információszabadság Hatóság”).
Is there a requirement to register with a supervisory authority / regulator?
Is it possible to register with / notify the supervisory authority / regulator online?
Is there a requirement to notify the supervisory authority / regulator?
In the case of a data breach (according to the GDPR).
The key data subject rights under the data protection laws of this jurisdiction are:
- right to prior information;
- right of access;
- right to rectification;
- right to restriction of data processing; and
- right to erasure.
Is there a requirement to appoint a data protection officer (or equivalent)?
Data controllers and data processors shall designate a data protection officer:
- if the data controller and/or the data processor is vested with public responsibilities, or other public functions provided for by other legislation, excluding courts; or
- if required by an act or binding legislation of the European Union.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
According to the list published by Hungarian Data Protection Authority, data controllers shall carry out a data protection impact assessment in the following cases of data processing:
- Where the processing of biometric data for the purpose of uniquely identifying a natural person refers to systematic monitoring;
- Where the processing of biometric data for the purpose of uniquely identifying a natural person concerns vulnerable data subjects, in particular, children, employees, and mentally vulnerable people;
- Where the processing of genetic data is carried out in connection with sensitive data or data of a highly personal nature;
- The purpose of the processing of genetic data is to evaluate or score a natural person;
- Scoring, where the purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or provision of the service provided and to be provided to the data subject;
- Credit rating, where the purpose of data processing is to assess the creditability of the data subject by way of evaluating personal data in large scale or systematically;
- Solvency rating, where the purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data in large scale or systematically;
- Further use of data collected from third persons (in order to make decisions to refuse or cancel a service provided to the data subject);
- The use of personal data of pupils and students for assessment;
- Profiling, where the purpose of data processing is profiling by way of evaluating personal data in large scale or systematically;
- Anti-fraud activity;
- Smart meters;
- Automated decision making producing legal effects or similarly significant effects;
- Systematic surveillance (Wi-Fi tracking, Bluetooth tracking or body cameras);
- Location data;
- Monitoring employee work;
- Processing of considerable amounts of special category personal data;
- Processing of considerable amounts of personal data for law enforcement purposes;
- Processing of large amounts of data related to vulnerable data subjects for purposes different from the original purpose, in the case of, e.g., the elderly, children, and mentally vulnerable people;
- Processing of the personal data of children for profiling, automated decision making, marketing purposes or providing them information society related services directly;
- The use of new technologies for data processing;
- Processing of health data;
- When the data controller is planning to set up an application, tool, or platform for use by an entire sector that processes special category personal data; and
- The purpose of data processing is to combine data from various sources for matching and comparison purposes.
Does this jurisdiction have any specific data breach notification requirements?
The controller is obliged to report a personal data breach to the relevant data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s).
Furthermore, the controller is obliged to communicate the breach to the data subject if the breach is likely to result in a high risk to the rights and freedoms of the natural persons. If the controller is in default with such obligation, the competent authority may require the controller to inform the data subject.
The controller may be exempt from notifying the data subject if the risk of harm is remote (e.g. because the affected data is encrypted), the controller has taken measures to minimise the risk of harm (e.g. suspending affected accounts) or the notification requires a disproportionate effort (e.g. a public notice of the breach).
If the controller is obliged to report a personal data breach to the competent authority or/and the data subject, it shall contact them in both cases without undue delay (and in case of the notification to the authority within 72 hours of first becoming aware of the breach).
A processor must notify any data breach to the controller without undue delay. The notification must include a description of the nature of the personal data breach including the categories and number of data subjects concerned, the name and contact details of the data protection officer or relevant point of contact, the likely consequences of the breach and the measures taken to address the breach, including attempts to mitigate possible adverse effects.
The EDPB (European Data Protection Board) has issued guidelines on the data breach notification, detailing requirements for data breach notifications (Guidelines 01/2021 on Examples regarding Data Breach Notification).
The following restrictions apply to the international transfer of personal data / information:
- Where a data controller or data processor receives personal data under an act, international agreement or binding legislation of the European Union, and the transferring data controller or data processor indicates to the recipient at the time of transfer of the personal data, the processing conditions (a-e) are as follows:
- the purposes for which it can use the data;
- the time limits for processing the data;
- the potential recipients of the data;
- the restrictions of the data subject’s rights afforded under this Act; or
- specific other conditions for processing.
The data recipient shall process the personal data to the extent and by way of the means stipulated in the processing conditions and shall ensure the data subject’s rights in accordance with the processing conditions.
- The data recipient shall be allowed to process personal data irrespective of the processing conditions and may enforce the data subject’s rights subject to the transferring data controller’s prior consent. The data recipient may process personal data and ensure the rights of the data subject, regardless of the data processing conditions, if the data controller transferred data has given its prior consent;
- Prior to the data transfer, the data controller and/or the data processor acting on the controller’s behalf or following the controller’s instructions, shall assess the degree of accuracy, completeness and up-to-date nature of personal data to be transferred;
- The above three conditions apply to all transfers of data, not just where the data is transferred outside the jurisdiction; and
- The data controller shall give prior consent to the data transfer if it does not conflict with the legal provisions applicable to legal entities falling under Hungarian jurisdiction. The data controller shall consider the circumstances of the data transfer, including the need and purpose of the transfer, in particular, if there is an adequate level of protection provided to the recipient of the data transfer (including indirect data transfers).
International Data transfers (i.e. jurisdictions outside the European Economic Area (“EEA”)) can only take place if the transfer is subject to an “Adequacy Decision” or the recipient has implemented certain safeguards required by the GDPR.
The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; the United Kingdom; and Uruguay.
For a data transfer to all other countries the controller is obliged to ensure compliance for international data transfers, as follows:
- The transfer may be based on the consent of the relevant data subject
- The transfer may be based on Standard Contractual Clauses (“SCCs”). The SCCs, drafted by the EU Commission, may be adopted by controllers and processers. SCCs are available for transfers among controllers, and for transfers between a controller (as exporter) and a processor (as importer). Notwithstanding the application of the SCC, before transferring data, the controller must verify that an adequate level of data protection can indeed be ensured in the third country, and if necessary, take appropriate measures.
- The transfer may be based on contracts agreed between the data exporter and data importer provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is key.
- The transfer may be based on Binding Corporate Rules (“BCRs”), in particular within a group of entities. For BCRs prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding and enforced by every member in the group of entities.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)
Where personal data is processed within the meaning of the General Data Protection Regulation, the provisions of the Hungarian Data Protection Act and other regulations provided for by Hungarian Law (laying down conditions for the protection of personal data and for the processing of personal data) shall apply. This does not include where an act or binding legislation of the European Union provides otherwise, if:
- the main establishment of the data controller, or the single establishment of the data controller in the European Union is located in Hungary; or
- the single or main establishment of the data controller in the European Union is not located in Hungary, however, the processing operations carried out by the controller or processor acting on the controller’s behalf or following the controller’s instructions, are related to:
- the offering of goods or services, irrespective of whether a payment to data subjects located in Hungary is required; or
- the monitoring of the data subjects’ behaviour takes place in Hungary, then the laws will have extra-territorial effect.
Does your jurisdiction have any rules specifically dealing with marketing:
Yes, Hungarian law prohibits sending marketing messages without prior consent of the data subject (i.e. the recipient of such messages). Therefore, Hungarian law does not allow marketing messages to be sent using legitimate interest as a legal basis.
Do different rules apply to business-to-business and business-to-consumer marketing?
The business recipient is not subject to the Hungarian Data Protection Act and Advertising Act, unless it is clear that the recipient of the marketing message is receiving the message in a personal capacity rather than as a representative or employee of a legal entity.
Does your jurisdiction have any rules specially dealing with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Yes, the following is prohibited:
- Sending marketing messages without the prior consent of the Data Subject;
- Requesting consent via e-mail, as this is considered as a marketing message itself; and
- Rendering the provision of information society services by making it contingent upon the recipient of the service providing consent for processing their personal data for purposes other than what is necessary for provision of the information society services in question, if this service is not available from any other service provider.
The following rules specifically deal with cookies:
GDPR rules, and European Data Protection Board guidance applies.
The consequences of non compliance with data protections laws (including marketing laws) are:
The practice of fines is still in its infancy, however, the highest fine was recently imposed on a large telecommunications company and amounted to HUF 10 million (approximately EUR 27,777).
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
It should be considered that the rules on marketing messages currently conflict with the general requirements of the GDPR and E-Privacy Directive.
Multinational organisations should be aware of the following upcoming data protection developments:
According to available information, no relevant changes in the law are expected in the near future.