DAC Beachcroft in collaboration with Bogsch & Partners –  Budapest, Hungary

What does this cover?

Significant amendments to the Hungarian General Data Protection Act came into effect on 1 October 2015, most notably the following:

  1. The upper limit on data protection fines has doubled to HUF 20,000,000 (c. EUR 65,000); and  
  2. The definition of a data protection breach event and the obligation to register such a breach has been introduced to local legislation.  

The second of these changes creates a new obligation for data controllers to monitor their data processing partners more thoroughly and to amend data processing contracts so that data processors have strict obligations to inform data controllers about the date of the breach, the circumstances surrounding breach, the personal data involved in the breach, the number of individuals affected by the breach and plans to be put in place to avoid such breaches occurring in the future.

There is still no express obligation to inform the affected data subjects of such a breach, however, all reported information as listed above must be given to an affected data subject if he/she requests it. Despite the lack of an explicit obligation to inform, under in certain circumstances a legal duty to inform may conceivably arise under general civil law provisions on acceptable conduct and under the duty to diminish any harm caused.

What action could be taken to manage risks that may arise from this development?

Companies should consider the changes to Hungarian Data Protection law and ensure that policies are amended to reflect the new obligations, in particular the new security breach reporting requirements.

Submitted by Dr. Tamás Gödölle, Attorney at Law at Bogsch & Partners –  Budapest, Hungary