The Hungarian Justice Ministry has published a draft bill on its website which contains important amendments to the Hungarian General Data Protection Act (Act 112 of 2011 on Informational Self-determination and Freedom of Information, the "Info Act"). The bill needs to be approved by the government and then passed by the parliament in order to enter into force.

The most important planned amendments are as follows:

  • Binding Corporate Rules (BCRs):

    • Hungarian data protection legislation has lacked provisions on BCRs for decades, so it was unclear whether BCRs could be used in Hungary to ensure an adequate level of protection in cross-border data transfers. The prevailing approach, also confirmed by the Hungarian data protection regulator (the NAIH), was that, in the absence of legal provisions, BCRs cannot be accepted in Hungary. The bill would introduce the missing provisions into the Info Act, enabling businesses to rely on BCRs in Hungary. The NAIH would have the power to approve BCRs, subject to a fee whose amount is currently unknown, as it would be published in a separate ministerial decree. The NAIH would have 60 days to make a decision in relation to BCRs and would also publish the names of businesses relying on BCRs on its website. The bill is silent on mutual recognition, but it provides that if the BCRs filed with the NAIH for approval in Hungary have already been approved by another data protection authority of an EEA member state, the controller should also provide the NAIH with the relevant information so that this can be verified. The current text of the bill does not state that the NAIH will automatically approve the BCRs in this case, so it would be premature to say that Hungary will be part of the mutual recognition mechanism developed by the Article 29 Working Party to ease the BCR approval process at the member state level.

  • General obligation to keep a register of data breaches:

    • The government would like to impose a general obligation on all data controllers to keep a register of all data breaches (data protection incidents). Currently, only electronic communications providers are subject to data breach obligations, which include not only the obligation to keep a register but also the obligations to report data breaches to the Hungarian Media and Communications Authority and, in certain circumstances, to send a notice directly to data subjects. The bill addresses only the obligation to keep the register and is silent on reporting to the NAIH or another authority and on notifying data subjects directly. While the bill would not impose additional obligations on telcos, the general obligation to maintain a data breach register would be new for a wide range of businesses. It would also trigger the need to review existing agreements with third-party controllers and processors and to implement new provisions requiring those third parties to report the data breaches they detect.

  • Stronger enforcement tools for the NAIH:

    • The regulator would be able to establish an infringement even if the controller restored compliance before the end of the investigation. It would also be clearer in which cases the NAIH has to start an investigation and in which cases it has the discretion to do so. The NAIH would also have more options for publishing its enforcement decisions.

  • Increasing fines:

    • According to the bill, the maximum amount of the regulatory fine of HUF 10 million (approx. EUR 33,300) would be doubled, i.e. the new maximum amount would be HUF 20 million (approx. EUR 66,600).

  • Freedom of public information provisions:

    • The bill contains amendments on freedom of information provisions.

Under the bill, the government would like the amendments to enter into force on 1 September 2015.

However, as the parliament still has to pass the bill, this cannot be considered a final date. Finally, it is also worth mentioning that the text of the bill could be subject to further amendments.