At its extraordinary session on 17 July 2018, the Hungarian Parliament adopted Act XXXVIII of 2018, the Hungarian national law supplementing the General Data Protection Regulation (GDPR) and amending Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the Amendment). The Amendment (in force from 26 July 2018) implements certain important substantive and procedural rules for the application of the GDPR and sanctions for non-compliance.

The adoption of the Amendment is one of several GDPR-related developments occurring after the establishment of the new Parliament, following Hungary's April 2018 general elections. The new Government also implemented legislation (Act XIII of 2018) designating the Hungarian Data Protection and Freedom of Information Agency (Hungarian DPA) as Hungary's GDPR supervisory authority, which entered into force on 30 June 2018.

Because Hungary did not introduce the required legislative changes before the GDPR became effective on 25 May 2018, significant legal uncertainty exists regarding the application and enforcement of the GDPR's provisions. Although the Amendment addresses some important data processing issues, others remain unresolved. The Amendment is therefore best viewed as a next step in the process.

Some of the Amendment's main provisions are summarized below:
- Territorial application: The Amendment says that the Hungarian data protection law is applicable if:
  - the controller's main establishment is located in Hungary; or the controller's only place of business within the European Union is in Hungary; or
  - the controller's main establishment is not located in Hungary or the controller's only place of business within the European Union is not in Hungary, but the controller's or its processor(s)'s data processing operation(s) relate to: (A) the offering of goods or services to data subjects located in Hungary, irrespective of whether a payment of the data subject is required; or (B) the monitoring of data subjects' behavior which occurs in Hungary.
- Substantive scope: The Amendment extends the GDPR's application to manual data processing, even if the personal data is not contained or intended to be contained in a filing system.
- Deceased persons: The GDPR applies to living individuals. The Amendment grants the relatives of a deceased person the ability to exercise the right of erasure and to obtain a restriction on processing upon request, made within five years following the death.
- Data processing by judicial authorities: The Amendment says that data processing activities by courts will be supervised by the courts and not by the Hungarian DPA.
- Child's consent: The age at which a child may give valid consent in relation to information society services remains 16 years under the Amendment.
- Mandatory data processing: Data processing activities based on Articles 6(1)(c) and (e) of the GDPR must be required by an act of Parliament or by a municipality decree. This means in practice that the requirements of Government Decrees, Ministerial Decrees, and Decrees of the National Bank of Hungary or of the Hungarian Media and Info-communication Authority may not be invoked as a mandatory legal basis for data processing under Hungarian laws.
- Statutory review of data processing activities: The Amendment requires the data controller to review data processing activities based on GDPR Articles 6(1)(c) and (e) at least every three years, if applicable law does not establish a specific time limit for retaining the data or for conducting the review of data processing. This review must be documented. The related documentation must be retained for 10 years and be presented to the Hungarian DPA upon its request. If the data processing started before 25 May 2018, the controller must perform the first review by 25 May 2021 at the latest.
- Processing of criminal records data: Personal data relating to criminal convictions and offences may be processed — unless the law provides otherwise — on the legal basis applicable to special categories of personal data. In practice, this means that personal data regarding criminal records (such as a criminal record certificate) may be processed with the data subject's explicit consent or if the data processing is necessary for the establishment, exercise or defense of a legal claim.
- Processing of health data: The Amendment maintains the currently applicable rules regarding the processing of health data, including the obligation to obtain written consent for such processing (in practice, a wet signature or at least a Qualified Electronic Signature).
- DPO: The Amendment establishes the confidentiality obligations applicable to Data Protection Officers. It does not vary the threshold for appointing a data protection officer (possible under the opening clause of GDPR Article 37(4)). The Amendment also creates the Conference of Data Protection Officers, whose purpose is to maintain contact with DPOs and to establish a uniform privacy-related legal practice.
- Private right of action: The Amendment authorizes individuals to bring private actions against data controllers and processors for GDPR violations. The individual may claim both damages and exemplary damages. Data controllers and processors have the burden of proving their compliance with the legal provisions.
- Penalty provisions and sanctions: The Hungarian DPA may publish its decision regarding a fine and may identify the controller or the processor fined in the publication if:
  - the decision concerns (A) a wide range of persons or (B) the activity of a state budget authority; or
  - the gravity of the infringement justifies publication of the decision.

  The fine that may be imposed on a state budget authority is capped at a maximum of HUF 20 million (ca. EUR 60,000).
- DPA registration obligations: The Amendment's ministerial reasoning confirms that no local registration of data processed under the GDPR is required. However, it says that the Hungarian data protection register shall be archived and that the Hungarian DPA may use the previous filing's details in connection with investigations concerning data processing started before 25 May 2018.
- Certifications: The Amendment defines the framework for supplementing regulations implementing the certification mechanisms under GDPR Article 42. The Hungarian DPA may perform the certification on the basis of an agreement with the data controller or processor applying for the certification.

However, the Amendment does not address sectoral data protection laws at all. As a result, comprehensive data protection legislative reform in Hungary is expected to be adopted during the Parliament's fall session. It will need to thoroughly harmonize sector-specific legislation, including the special provisions applicable to: data processing in the context of employment; the processing of health data; and data processing for whistleblowing and for direct marketing purposes. Given that the relevant sectoral laws have not yet been harmonized and amended, and that other legislation relevant to data privacy rights is pending, businesses in Hungary will continue to encounter inconsistency issues across the range of Hungarian laws that regulate data protection.