On 11 July 2011, the Hungarian Parliament accepted Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”). The new Privacy Act repeals Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest.
The most important changes introduced by the Privacy Act are as follows:
New rules for data processors
- No consent. Personal data may be processed without the consent of the individual, provided that: (i) obtaining the consent proves impossible or involves a disproportionate effort and (ii) the processing is necessary for compliance with a legal obligation; or (iii) the processing is necessary for the purpose of legitimate interests and such necessity is proportionate to the restriction of privacy.
- Consent from minors. Parents’ or legal guardians’ approval is not required for the validity of the data privacy consent of a person over the age of 16.
- Data security. Additional data security obligations are introduced.
- Automated processing. The possibility of automated processing of data and the relevant information obligations are refined.
- Data transfer registry. Data controllers shall keep a data transfer registry, which shall contain the date, legal basis and addressee of the data transfer, together with the scope of the data transferred.
- Information obligations. If informing the relevant persons personally about the data processing would be impossible or would involve unreasonable costs, the information may be provided through general publication.
- Blocking of personal data. Instead of deletion, the data processor can also block the personal data if so requested or if it can be assumed that deletion would be prejudicial to the legitimate interests of the relevant person.
- Continued data processing. Even if the person concerned revokes his/her data privacy consent, the data processing may be continued if: (i) it is necessary for compliance with a legal obligation; or (ii) it is necessary for the purpose of legitimate interests and such necessity is proportionate to the restriction of privacy.
New Data Protection Supervisory Authority (DPA)
- Increased scope of authority. The new DPA - which is an administrative body that replaced the previous independent ombudsman - shall have an increased scope of authority, including the right to impose fines between HUF 100,000 (approx. EUR 370) and HUF 10,000,000 (approx. EUR 37,037).
- Meeting of data privacy officers. The DPA will organise a meeting for internal data privacy officers at least once a year. The purpose of the meeting is to provide professional liaison between the data privacy officers and the DPA and to ensure the unified application of the law. Data privacy officers of organisations which are not obliged to appoint such officers can also attend, subject to prior registration with the DPA.
New registration rules
- Pre-condition of the data processing. The commencement of any data processing will be subject to its registration in the Data Protection Registry. (Previously, data processing could be commenced after the filing of the registration form; the registration itself was not a precondition.)
- Fee for registration. Registration for the Data Protection Registry will no longer be free of charge. The fee will be determined by another law to be passed in the future.
- Registration of the technology used. The Data Protection Registry kept by the DPA shall also contain the data processing technology applied by the data processor.
- Registration of client data processing. Financial institutions, public utility companies and electronic communications service providers shall register their data processing activities in the Data Protection Registry in relation to their clients’ data. (Formerly, this kind of data processing was exempt from the notification obligation.)
Data controllers and data processors shall review their current data processing practices to confirm whether they comply with the new rules, and introduce the necessary changes. Most sections of the Privacy Act shall come into force on 1 January 2012, so data processors will have several months to ensure compliance with the new provisions. The existing notifications shall be amended and the newly required notifications shall be completed by 30 June 2012.