In this article, we provide a brief overview of the most important new rules of Hungarian data protection law that apply from 1 October 2015.
BCRs accepted after 1 October 2015
Binding corporate rules (BCR) have so far not been recognized by Hungarian law and, thus, could not be used whenever personal data were transferred to a non-EEA country. As per the amendments to Hungarian data protection laws, under certain conditions it will be permitted to use BCR when transferring personal data to a country other than an EEA member state.
Under the definition in the Information Act, a BCR is an internal data protection code adopted by a data controller or group of data controllers active in more than one country, including at least one EEA country, and approved by the Hungarian Data Protection and Freedom of Information Authority ("DPA"). The code is binding on the data controller or group of data controllers and ensures the protection of personal data when they are transferred to a third country (i.e. a non-EEA country) by way of a unilateral undertaking by the data controller or group of data controllers.
The data controller may apply to the DPA for approval of the BCR. The application has certain mandatory elements and must therefore contain:
(i) the purpose of the data processing, its legal basis, the data subjects involved, a description of the data pertaining to the data subjects, the source of the data, the duration of the data processing, the categories of data transferred, the recipients and the legal basis for the transfer (including transfers to third countries), the name and address of the data controller and the data processor, the place where the data are actually managed and processed, the data processor's activities in connection with the data management operations, the nature of the data processing technique used and the name and contact details of the internal data protection officer, if any, with regard to the data to be managed by the data controller or group of data controllers, or the data protection registration number;
(ii) the draft of the BCR;
(iii) the data certifying the binding nature of the BCR; and
(iv) if the BCR has already been approved by the data protection authority of an EEA country, the data certifying that approval.
The DPA will have 60 days to decide on the approval of the BCR. The DPA may decide to approve, suggest amendments to or reject the BCR. The DPA will publish on its website the names of data controllers applying BCRs.
Under the amendments, a fee, to be set by a decree of the Minister of Justice, will be payable for the approval procedure. That decree has not yet been published.
A data protection incident
According to the new rules, a data protection incident is the unlawful management or processing of personal data, in particular unauthorized access to, or the alteration, transfer, publication, deletion or destruction of, personal data, as well as the accidental termination of, or damage to, such data.
So that the measures taken in connection with data protection incidents can be verified and the persons concerned can be informed, the data controller will be required to keep a register of all data protection incidents. The register must record the personal data concerned, the group and number of persons affected by the incident, the time, circumstances and effects of the incident, the measures taken to remedy it, and any other data describing the data management operations that the law requires.
Maximum fine raised to HUF 20 million
Until now, the DPA has had the power to impose a maximum fine of HUF 10 million for data protection non-compliance. From 1 October 2015, the DPA may impose a maximum fine of HUF 20 million (approx. USD 72,000).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.