ARTICLE
18 August 2025

Legislation And Regulations

Szecskay



What national laws regulate the processing of personal data in your jurisdiction?

Various pieces of legislation contain rules on the processing of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), the Act no. CXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information ("Info Act") and a number of sector specific laws (including but not limited to the Labour Code, the Act on the processing of health data, the Act implementing the EU's whistleblowing directive, the Act on telecommunication services, the Act on insurance activity, the Act on advertisement, the Accounting Act, the Taxation Act, etc.).

The GDPR contains the basic general rules when it comes to the processing of personal data, including the principles of data protection law, the rights of the data subjects and the obligations of controllers and processors. In addition, it also contains rules on the enforcement of the provisions of data protection laws, including the powers of the supervisory authorities and sanctions.

The Info Act, amongst others, supplements the GDPR where permitted. For example, it names the supervisory authority in charge of enforcement and sets forth procedural rules.

Furthermore, the European Data Protection Board ("EDPB") plays an essential role in making sure that the provisions of the GDPR are applied consistently throughout the EU by issuing guidelines, opinions, decisions and recommendations.

To whom do the laws apply?

The GDPR contains rules on its material and territorial scope. Namely, it applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, where personal data means any information relating to an identified or identifiable natural person. (The GDPR does not apply in certain scenarios, e.g. processing by a natural person in the course of a purely personal or household activity.) The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union. Also, it applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

The Info Act contains similar rules with respect to Hungary as regards material and territorial scope. It is worth mentioning that the Info Act provides that the rules of the GDPR also apply to the processing of personal data which do not form part of a filing system and that it also contains rules on the processing of the personal data of a deceased person.

Scope of protection

What type of data is covered by the law?

Personal data means any information relating to an identified or identifiable natural person. There are two main types of personal data: "ordinary" and "special category" personal data. The latter category means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Processing special category personal data is, in general, prohibited, and it is only allowed if both a proper legal basis (Article 6, GDPR) and a condition (Article 9, GDPR) are fulfilled.

Anonymous data fall outside the scope of the GDPR. Anonymous data are data from which no natural person can be identified (by anyone).

What are the main exemptions (if any)?

The GDPR does not apply to the processing of personal data:

  1. in the course of an activity which falls outside the scope of Union law (for example, where personal data are processed for the purposes of national defence and/or national security);
  2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
  3. by a natural person in the course of a purely personal or household activity;
  4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The GDPR does not apply to the processing of the data of deceased persons. However, it permits Member States to adopt legal regulations on that topic. The Info Act contains such rules.

Also, the GDPR does not apply to the processing of anonymous data.

What rights do the laws grant to the data owners?

Data subjects have different rights under the GDPR. Namely, (i) the right to information; (ii) the right to request access; (iii) the right to rectification; (iv) the right to erasure ("right to be forgotten"); (v) the right to restriction of processing; (vi) the right to data portability; (vii) the right to object to the data processing; (viii) the right not to be subject to automated decision-making; and (ix) the right to withdraw consent at any time.

Data subjects can exercise their rights at any time. The controller is required to handle data subject requests properly and in a timely manner.

Under the GDPR, Member States may restrict data subjects' rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard (a) national security, (b) national defence, (c) public security, (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security; (f) the protection of judicial independence and judicial proceedings; (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g); (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims.

If a data subject feels that their data privacy rights may have been violated, they can turn to the Hungarian data protection authority (Nemzeti Adatvédelmi és Információszabadság Hatóság) (NAIH) or to court and seek damages and/or a so-called "harm fee".

Processing requirement and main obligations

What are the lawful grounds for processing personal data or sensitive personal data (if different)?

For the processing of "ordinary" personal data, a valid legal basis out of those listed below is necessary:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In addition to having a proper legal basis as mentioned above, the processing of "special category" personal data also requires a specific condition from those listed in Article 9 (2), GDPR. As per Article 9 (2), GDPR, the following conditions may be used:

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. processing relates to personal data which are manifestly made public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  9. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

What are the main obligations imposed by the law?

The GDPR and Hungarian law contain many obligations that controllers and processors are required to fulfil. Such obligations include:

  1. properly designing data processing operations in advance,
  2. giving due information to the data subjects concerned in a timely manner (preparing privacy policies, by-laws),
  3. preparing legitimate interest assessments, as required, prior to processing,
  4. preparing data protection impact assessments, as required (and consulting with NAIH if the assessment indicates that the processing would result in a high risk), prior to processing,
  5. preparing a registry of processing activities,
  6. appointing a data protection officer, if necessary,
  7. appointing a representative, if necessary,
  8. taking adequate technical and organisational measures (data security measures) with a view to ensuring a level of security appropriate to the risks of processing,
  9. having proper internal policies in place, as justified,
  10. complying with the rules applicable to transfer of personal data to a third country,
  11. properly handling data subjects' requests,
  12. building data protection awareness within the controller's/processor's organisation (internal education),
  13. properly handling data breaches and security breaches.

Do the laws establish a data retention period to be observed?

The GDPR does not contain any specific retention time. Instead, it only contains the principle of storage limitation, which requires that personal data is to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Certain Hungarian laws contain different retention times. For example, the Accounting Act contains an 8-year retention time for accounting documents, and the Taxation Act contains a 5-year retention time. Where the specific Act ordering a certain kind of data processing does not contain any rule on retention time, the controller is required to properly determine the retention time and to carry out a documented review every three years of whether the processing is still in line with the law (and is required to keep such review documentation for at least 10 years). Also, if a given data processing is not mandatory and there is no statutory retention time, the controller is responsible for duly setting the retention time.

Must the data processing activities be recorded under the law?

Yes. The GDPR requires both controllers and processors to have a registry of processing activities.

In case of controllers, the registry must contain the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures.

In case of processors, the registry must contain the following information:

  1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
  2. the categories of processing carried out on behalf of each controller;
  3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  4. where possible, a general description of the technical and organisational security measures.

National authority and DPO

Is there a Data Protection National Authority? If so, what is the National Authority main role?

Yes. NAIH is the supervisory authority overseeing, amongst others, data protection matters. The main roles and powers of the authority are named in the GDPR.

Under the Info Act, NAIH conducts authority checks, inspections and authority procedures.

NAIH takes part in the operation of the EDPB, cooperates with other supervisory authorities, organises and provides annual training for data protection officers, gives opinions on bills and draft laws containing rules on the processing of personal data, issues information sheets and guidelines on data protection issues, publishes some of its resolutions, etc.

Does the law impose the obligation of designating a data protection officer (DPO)? If so, what is the role of the DPO under the law?

Hungarian law does not impose such an obligation. However, the GDPR does.

Under the GDPR (Article 37 (1)), the controller and the processor must designate a data protection officer where:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Even if it is not required by law, an entity may still decide to appoint a DPO.

When appointed, the contact details of the DPO must be notified to NAIH.

The DPO has at least the following tasks:

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
  2. to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

Cross-border transfers

What rules regulate the transfer of data outside your jurisdiction?

Transferring personal data within the EU/EEA qualifies as domestic transfer.

If personal data were to be transferred to a non-EEA country (or any personal data processed in the EU were to be accessed by an entity outside the EEA), in addition to the "general" rules of the GDPR, additional special rules apply as per Chapter V of the GDPR requiring the application of additional guarantees/safeguards.

In other words, on top of the GDPR rules that apply in any case, certain special rules apply if an entity wishes to transfer personal data to a non-EEA country (or wishes to make the data accessible to an entity from a non-EEA country).

For example, if the target country is not approved as a safe country in an adequacy resolution of the EU (if it were, no special additional rules would apply to the transfer), the data transferor (data exporter) and the data recipient (data importer) need to conclude, e.g., so-called standard contractual clauses (SCC) as approved by the European Commission prior to the transfer. There are four main types of such SCC, namely, controller to controller SCC, controller to processor SCC, processor to controller SCC and processor to processor SCC. Depending on the data protection status of the transferor and the recipient, the respective SCC would need to be used.

Furthermore, taking into account the so-called Schrems II decision of the Court of Justice of the European Union, it is not enough to have and sign SCC, but certain additional measures are also required. Namely, prior to the transfer, a number of steps and measures must be taken. For example, the transferor and the transferee must assess the law of the recipient's country (it must be inspected how the given law handles fundamental rights and essential data processing guarantees) and must adopt adequate supplementary measures, as necessary and include them in the standard contractual clauses and effectively apply them. Also, adequate procedural steps must be taken and the level of protection must be re-evaluated at regular intervals.

Also, the EDPB issued two recommendations after the Schrems II decision. Namely,

(i) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (available at https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf) and

(ii) Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, which is available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf

Based on Recommendations 1/2020, the following assessment must be made by the data exporter and data importer:

  1. "Know your transfer" (e.g. who can have access to the data, how the principle of proportionality is respected),
  2. Which transfer tool is used (e.g. SCC, binding corporate rules),
  3. Assessment of the law of the recipient's country (please see Recommendations 2/2020),
  4. Adopting supplementary measures (if necessary, based on the assessment as per no. 3 above),
  5. Taking any formal procedural steps that the adoption of the supplementary measures may require,
  6. Re-evaluation of the level of protection at regular intervals.

Recommendations 2/2020 explains how the assessment of the law of the recipient country is to be made. Based on the document, it is to be assessed how the given law handles fundamental rights and how the European essential guarantees can be assured in that country (i.e. processing should be based on clear, precise and accessible rules; necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated; an independent oversight mechanism for the data processing must be ensured; and effective remedies need to be available to the individuals whose data are processed).

There are only a few safe non-EEA countries in respect of which no additional guarantees/safeguards have to be used; please see the list here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Is it necessary to notify the National Authority prior to the international transfer?

In general, no. However, if the transfer is not based on an adequacy resolution (Article 45, GDPR) or another guarantee, such as e.g. an SCC (Article 46, GDPR) and none of the cases listed in Article 49, GDPR applies, there is a very narrow possibility to transfer data.

Namely, where a transfer could not be based on a provision in Article 45 or 46, GDPR, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of Article 49 is applicable, a transfer to a third country or an international organisation may take place only if the transfer (a) is not repetitive, (b) concerns only a limited number of data subjects, (c) is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and (d) the controller has assessed all the circumstances surrounding the data transfer and (e) has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller is required to inform the supervisory authority of such transfer.

Security standards, data breaches, and sanctions

Do the laws impose any information security standards and/or requirements?

The GDPR is a technology neutral piece of legislation. It only provides that controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Do the laws establish any kind of mandatory notification duty?

Yes. As per the GDPR, the DPO's contact details must be notified to the supervisory authority. (The very narrow data transfer mentioned above must also be notified to the supervisory authority.)

Furthermore, in the case of a personal data breach, the controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Processors are required to notify the respective controller(s) without undue delay after becoming aware of a personal data breach.

The notification to the supervisory authority must at least:

  1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information within 72 hours, the information has to be provided in phases without undue further delay.

Also, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to communicate the personal data breach to the data subject without undue delay. The communication to the data subject is not required if any of the following conditions is met:

  1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

What are the sanctions for noncompliance with data protection laws?

The sanctions are provided for in the GDPR. As regards fines, depending on the violation, the maximum amount can be EUR 10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the undertaking for the preceding financial year, whichever is higher, or EUR 20 million, or in the case of an undertaking up to 4% of the total worldwide annual turnover of the undertaking for the preceding financial year, whichever is higher.

In addition, NAIH may also impose other measures, such as ordering the deletion of data or prohibiting the processing (e.g. a transfer).

Other comments

Non-compliant companies may be subject to sanctions, including fines by NAIH, the deletion of data, etc. To date, the highest fine (in terms of amount) ever imposed by NAIH was HUF 250 million (approx. EUR 630,000), which was levied on a bank for unlawfully using artificial intelligence to assess (potential) customer calls. At the same time, percentage-wise, the highest fine ever imposed reached around 15% of the revenues of the given company (a beauty salon) for unlawfully collecting audio and video recordings of the customers using the salon's services. In general, one may say that fines vary between about HUF 5 million (approx. EUR 12,600) and HUF 100 million (approx. EUR 252,000), but we note that each case is different and the amount of the fine depends on various factors the authority takes into account when deciding on sanctions.

With the proliferation and use of newer and newer technologies, including also AI-based solutions, controllers and processors will need to be even more careful and vigilant when it comes to designing their data processing operations and must take into account not only data processing legislation but, as the case may be, also the content of the EU's AI Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
