DAC Beachcroft in collaboration with Bogsch & Partners – Budapest, Hungary
What does this cover?
Amendments to the Hungarian General Data Protection Act now allow businesses operating in Hungary to use Binding Corporate Rules (BCRs) as an instrument for guaranteeing an adequate level of protection in the context of international transfers of personal data. This is of particular significance following the CJEU's Safe Harbor decision.
Under the new rules a local authorisation procedure applies to the approval of BCRs in Hungary and/or to their respective extension to Hungary.
The Hungarian DPA issued guidance that confirms that it may either act as the lead authority, or act as the DPA not involved in the mutual recognition process as a lead (or co-lead). In the latter case once the EU cooperation procedure and mutual recognition procedure are closed, the applicant must contact the Hungarian DPA by submitting the necessary paperwork and accompanying fee in order for its existing BCRs to apply in Hungary. The Hungarian DPA then has 60 days from the day of filing to decide whether or not to approve the BCRs.
Any company whose BCRs have previously been approved in another EU member state are required to file a request asking the Hungarian DPA to recognize the use of its BCRs in Hungary.
What action could be taken to manage risks that may arise from this development?
None – for interest only.
Submitted by Dr. Tamás Gödölle, Attorney at Law at Bogsch & Partners – Budapest, Hungary