Austria is considered to be one of the EU leaders regarding implementing the GDPR, introducing the National Data Protection Act 2018 (Datenschutzgesetz - DSG) well ahead of the 25 May 2018 deadline. However, the consequence of Austria's attempt to play a pioneering role is that the new DSG is extremely difficult to read (at least in some parts), and fails to take advantage of the majority of the permitted GDPR derogations.
In fact only a handful of the 69 clauses of the GDPR which allow for Member State derogation, have been further specified by the national legislator.
Article 85 GDPR, for instance, is implemented by Article 9 DSG, which deals with the journalistic exemption. It sets out that data processing for journalistic purposes, including the publication of personal media reports, should be carried out in accordance with Art 5 GDPR (the data protection principles) – not particularly helpful.
Article 88 GDPR, provides for derogation relating to employee data protection. Under Article 11 DSG, the Austrian legislator merely stated that the Austrian Labour Constitution Act (ArbVG) is a national rule within the meaning of Art 88 GDPR.
As a result, the existing labour laws remain unchanged, although the GDPR sets out additional labour rights directly derived from the data protection legislation.
The reason the DSG contains only a small number of derogations, is that the majority of these clauses do not concern general principles of data protection law and will, where required, be implemented by specific additional laws, as stated in the explanatory remarks to the government bill of the DSG.
At the time of writing, we have not seen any further legislation on permitted GDPR derogations, however, we expect a handful of changes to national legislation in the coming months due to significant pressure from some stakeholders, especially within the field of scientific research.
The most important piece of legislation governing data protection in Hungary is the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Information Act). Although a GDPR-related amendment to the Information Act has already been submitted by the government and is expected to be adopted by Parliament in the coming months, its consistency with the GDPR is highly questionable, creating unwelcome uncertainty among affected companies. The market eagerly awaits a more complex modification of the Information Act, one that ensures full harmony between the GDPR and Hungarian legislation.
At the moment, however, the proposed modifications are mainly cosmetic, introducing the GDPR's new terminology (in some occasions even failing at that), but leaving the core structure of the original statute unchanged. In some areas, in comparison to certain other European jurisdictions, Hungary is relatively advanced given aspects of the Information Act have already been more or less in line with the GDPR's approach.
Having said that, this half-hearted attempt to harmonise Hungarian legislation with mandatory EU rules has created some serious contradictions. This is best exemplified by the fact that legitimate interest has been omitted from the list of lawful bases of data processing. In addition, the obligation regarding maintaining records of processing activities will be introduced, while at the same time keeping the current, no longer required, data protection notification obligations in place.
The Hungarian Data Protection Authority does not seem to be perturbed by potential inconsistencies between EU and local law. Attila Péterfalvi, head of the Authority, recently reiterated that he does not see any reason for showing leniency after 25 May. Companies should implement the necessary changes within the deadline or be ready to face the consequences.