Enable use of BCRs, Require Data Breach Registry

The Hungarian Parliament adopted by 6 July 2015 an amendment ('the Amendment') to Act No CXII of 2011 on Informational Self-Determination and Freedom of Information ('the Information Act') that will provide for an authorization procedure before the Hungary DPA for the implementation of BCRs as an adequacy instrument for data transfers in the future. (Notably, BCRs were earlier completely omitted from the list of recognized "adequacy" instruments under Hungarian data protection laws.) Because the new legislation does not contain any transitory provisions regarding BCRs already approved by other DPAs, it is currently unclear how the DPA will treat such existing BCRs, and further guidance from the Hungary DPA will be needed. Accordingly, companies whose EU BCR cooperation procedure is already closed might, depending on the DPA's future guidance, be required to make a formal filing before the Hungary DPA in order to authorize the use of BCRs within the Hungarian jurisdiction. Notably, 'ad hoc' contractual clauses will continue to be excluded from the list of recognized adequacy instruments under Hungarian data protection laws.

The Amendment also contains provisions regarding the treatment of data breaches by data controllers under Hungarian data protection laws. Data breach notification will continue to apply only to telecom providers. However, the Amendment will impose an obligation on data controllers to keep a register of data breaches, including any measures introduced by the controller to remedy such breaches. This new provision applies only to controllers, but existing data processing agreements will need to be amended because data processors will also be required to register data breaches on behalf of the controller. Thus, the processing agreement should contain detailed provisions regulating how the processor should comply with its obligations relating to the recording of data breaches.

Finally, the Bill will introduce higher fines: the Hungary DPA will be able to impose a data protection fine of up to HUF 20 million (approximately USD 70,000), twice the current maximum fine of HUF 10 million.

The above-mentioned amendments to the Information Act will enter into force by 1 October 2015.