On July 6, 2015, the Hungarian Parliament adopted certain amendments (“Amendment”) to Act CXII of 2011 on the Right of Informational Self-determination and on Freedom of Information (“Data Protection Act”). Its purpose is to further develop the data protection rules and the right of access to public information in light of the practical experience gained since the Data Protection Act entered into force on 1 January 2012. The data protection provisions of the Amendment focus on the recognition of Binding Corporate Rules (BCRs), the introduction of administrative obligations relating to data security breaches, and the granting of increased powers to the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH). The Amendment will come into effect on the first day of the third month after its publication in the official gazette for laws (Magyar Közlöny). Presumably this will be on October 1, 2015.
The most important implications of the Amendment are that:
- all companies should start keeping internal security breach registers;
- companies already using BCRs can extend the scope of the BCRs to Hungary too;
- companies with Hungarian headquarters should consider introducing BCRs within their corporate group, in order to make their intra-group data transfers outside the EEA easier.
Binding Corporate Rules (BCRs)
In response to demands from industry and data privacy professionals, the Amendment recognises Binding Corporate Rules (kötelező szervezeti szabályozás), which makes intra-group data transfers outside the EEA easier for Hungarian companies.
The request for the approval of BCRs shall contain:
- the purpose, term, location and legal basis of the data processing;
- the source and the scope of the data;
- the scope of the people affected;
- the description of the data transfers (data type, transferee, legal basis);
- the name and address of the data controller(s) and the data processor(s);
- the description of the activities of the data processor(s);
- the description of the data processing technology;
- the contact details of the internal data protection officer (if any);
- the draft of the BCRs;
- data certifying the binding nature of the BCRs;
- data showing if the BCRs were already approved in another EEA Member State.
The Amendment provides NAIH with 60 days to decide on a request for the approval of BCRs. The fee payable for the approval shall be determined by the competent Ministry. Once approved, NAIH will disclose the name of the data controller using BCRs on its website.
Internal Data Security Breach Register
In line with the amended Directive 2002/58/EC, electronic communications service providers in Hungary already have mandatory data security breach notification obligations. There were no mandatory data security breach notification obligations in other sectors. The Amendment does not introduce a notification obligation for other sectors, but it does require them to keep an internal register of data security breaches. Such an Internal Data Security Breach Register shall contain the data affected, the scope and number of the people affected, the date, the circumstances and the effects of the breach, the measures taken to remedy the breach, and any other data whose processing is required by data protection law. Electronic communications service providers can fulfil this obligation by keeping the specific internal register required by electronic communications laws. The Amendment emphasises that the Internal Data Security Breach Register shall also cover breaches by data processors.
Fines which can be imposed by the NAIH
The Amendment increases the maximum amount of the fine which can be imposed by NAIH from 10,000,000 HUF (approx. 33,300 EUR) to double that sum, 20,000,000 HUF (approx. 66,600 EUR).
Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information (“Data Protection Act”)
The final draft of the amendment is available here (latest draft, only in Hungarian).