At its extraordinary session on 17 July 2018, the Hungarian Parliament adopted the national law supplementing the General Data Protection Regulation (GDPR). The amendment of Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the Amendment) implements certain important substantive and procedural rules for the application of the GDPR and sanctions for non-compliance. The new legislation will enter into force after its publication in the Official Gazette, currently expected in early August.

The adoption of the Amendment is one of several GDPR-related developments occurring after the establishment of the new Parliament, following Hungary's April 2018 general elections. The new Government also implemented legislation (Act XIII of 2018) designating the Hungarian Data Protection and Freedom of Information Agency (Hungarian DPA) as Hungary's GDPR supervisory authority, which entered into force on 30 June 2018.

Because Hungary did not introduce needed legislative changes before the GDPR became effective on 25 May 2018, significant legal uncertainty regarding the application and enforcement of the GDPR's provisions exists in Hungary. Although the Amendment addresses some important data processing issues, others remain unresolved. The Amendment is a next step in the process  

Some of the Amendment's main provisions are summarized below:

  • Territorial application: The Amendment says that the Hungarian data protection law is applicable if

a) the controller's main establishment is located in Hungary, or the controller's only place of business within the European Union is in Hungary; OR

b) the controller's main establishment is not located in Hungary or the controller's only place of business within the European Union is not in Hungary, but the data processing operation(s) of the controller or its processor(s) (i) relate to the offering of goods or services to data subjects located in Hungary, irrespective of whether a payment of the data subject is required; OR (ii) relate to the monitoring of data subjects' behavior which occurs in Hungary.

  • Substantive scope: The Amendment extends the GDPR's application to manual data processing, even if the personal data are not contained or intended to be contained in a filing system.
  • Deceased persons: The GDPR applies to living individuals. The Amendment grants the relatives of a deceased person the ability to exercise the right of erasure and to obtain a restriction on processing upon request made within five years following the death.
  • Data processing by judicial authorities: The Amendment says that data processing activities by courts will be supervised by the courts and not by the Hungarian DPA.
  • Child's consent: The age applicable to a child's consent in relation to information society services remains 16 years under the Amendment.
  • Mandatory data processing: Data processing activities based on Articles 6(1)(c) and (e) of the GDPR must be required by an act of Parliament or by a municipality decree. This means in practice that the requirements of Government Decrees, Ministerial Decrees, and Decrees of the National Bank of Hungary or of the Hungarian Media and Info-communication Authority may not be invoked as mandatory legal basis for data processing under Hungarian laws.
  • Statutory review of data processing activities: The Amendment requires the data controller to review data processing activities based on GDPR Articles 6(1)(c) and (e) at least every three years, if applicable law does not establish a specific time limit for retaining the data or for conducting the review of data processing. This review must be documented. The related documentation must be retained for 10 years and be presented to the Hungarian DPA upon its request. If the data processing started before 25 May 2018, the controller must perform the first review by 25 May 2021 at the latest.
  • Processing of criminal records data: Personal data relating to criminal convictions and offences may be processed - unless the law provides otherwise - on the legal basis applicable to special categories of personal data. Practically, this means that personal data regarding criminal records (such as the criminal record certificate) may be processed with the data subject's explicit consent or if the data processing is necessary for the establishment, exercise or defense of a legal claim.
  • Processing of health data: The Amendment maintains the currently applicable rules regarding the processing of health data, including the obligation to obtain written (practically, wet signature or at least a Qualified Electronic Signature) consent for such processing.
  • DPO: The Amendment established the confidentiality obligations applicable to the Data Protection Officer.

It does not vary the threshold for appointing a data protection officer (which would have been possible under the opening clause of GDPR Article 37(4)).

The Amendment creates the Conference of Data Protection Officers, whose purpose is to keep contact with DPOs and to establish a uniform privacy-related legal practice.

  • Private right of action: The Amendment authorizes individuals to bring private actions against data controllers and processors for GDPR violations. The individual may claim both damages and exemplary damages. Data controllers and processors have the burden of proving their compliance with the legal provisions.
  • Penalty provisions and sanctions:

The Hungarian DPA may publish its decision regarding the issuance of a data protection fine and may identify the controller or the processor in the publication if (i) the decision concerns (A) a wide range of persons, (B) the activity of a state budget authority or (ii) the gravity of the infringement justifies publication of the decision.

The data protection fine that may be imposed on a state budget authority is capped at a maximum of HUF 20 million (ca. EUR 60,000).

  • DPA registration obligations: The Amendment's ministerial reasoning confirms that no local registration of data processed under the GDPR is required. However, it says that the Hungarian data protection register shall be archived and that the Hungarian DPA may use the previous filing's details in connection with investigations concerning data processing started before 25 May 2018.
  • Certifications: The Amendment defines the framework for supplementing regulations implementing the certification mechanisms under GDPR Article 42. The Hungarian DPA may perform the certification on the basis of an agreement with the data controller or processor applying for the certification.

However, the Amendment does not address sectoral data protection laws at all. As a result, comprehensive data protection legislative reform in Hungary is expected to be adopted during the Parliament's fall session. It will need to thoroughly harmonize sector-specific legislation, including the special provisions applicable to: data processing in the context of employment; the processing of health data; and data processing for whistleblowing and for direct marketing purposes.

Besides needing to harmonize sectoral data protection rules, Parliament is also considering the bill on the Right to Privacy, a draft intended to provide civil law protections to data subjects, supplementing the Hungarian Civil Code's protection of general personal rights.

Given that the relevant sectoral laws have not yet been harmonized and amended and that other legislation relevant to data privacy rights is pending, businesses in Hungary will continue to encounter inconsistency issues across the range of Hungarian laws that regulate data protection.