The Hungarian Parliament has passed a new Act No. CXII of 2011 on data protection, which will enter into force in January 2012. The new Act retains the basic elements of the present Act, while providing extended rights for data subjects and new sanctions against infringers. It also introduces a new authority competent to replace the Office of the Commissioner for Data Protection.
The processing and controlling of personal data will continue to be permitted only if prescribed by law or with the consent of the data subject. The latter must be based on appropriate information provided to the data subject regarding the data processing. The new Act also introduces two new legal bases for the processing of personal data by implementing Article 7(e)-(f) of the Data Protection Directive (95/46/EC). This means that even if it is impossible for the controller to obtain the data subject’s consent or if obtaining this consent entails disproportionate costs, data controlling will become permitted also in Hungary if:
- the data processing is necessary for compliance with a legal obligation on the part of the data controller; or
- the data processing is necessary for the legitimate interests of the data controller or a third party, and these interests are proportionate with the interference with the rights for data privacy.
These new legal bases for data processing are contained in the European Data Protection Directive, but were missing from the current Act. This gap will now be healed by the newly adopted Act.
Included in the new Act is a new provision according to which the data controller may manage personal data to which consent has been given even after the consent has been withdrawn, provided that the data controlling is necessary for compliance with a legal obligation or for the enforcement of rights on the part of the data controller.
The new Act preserves the sharp distinction between data controlling and data processing (and also between data controller and data processor), whereas the latter is merely a technical task in order to accomplish the goal of the data controlling.
Unfortunately, the outdated prohibition of sub-contracting data processing to a further data processor has been kept in the new Act. It will continue to cause inconvenience while setting up future contractual chains of data processing.
As of 1 January 2012, the Office of the Commissioner for Data Protection will be replaced by the National Authority for Data Protection and Freedom of Information. Whereas the Commissioner's Office was only a sort of a "quasi authority", the investigative powers of the new Authority will be much broader and will have the right to impose fines of up to HUF 10 million (approx. EUR 37,000).
Data controlling/processing will still need to be notified to the Authority and the respective provisions will remain basically unchanged. The same exemptions from the notification will continue to apply in the future. The Authority will, however, charge a fee for data protection registrations, which will be determined later in a decree of the Minister of Justice.
The new Act allows data controllers to request the Authority itself to conduct a data protection audit. The findings of the audit will be published by the Authority, unless the applicant requests otherwise.
To sum up, the amendments introduced by the new Act remain somewhat twofold. Although the newly introduced legal bases for data controlling/processing and the establishment of a new Authority are welcome, the outdated restriction on subcontracting data processing is an unnecessary burden. The strict distinction between data processor and data controller does not conform to the European approach either. It is also questionable to what extent a EUR 37,000 fine will threaten or keep undertakings from infringing the provisions of data protection.