The Hungarian Government has submitted to the Hungarian Parliament the bill on the sectoral legislative amendments relating to the European Union’s data protection reform. The bill, currently being debated in Parliament, is the next step required relative to national legislation supplementing the GDPR.
The bill intends to modify 86 legislative acts and tries to harmonize Hungarian sectoral legislation with the GDPR’s requirements, relying on the GDPR’s opening clauses. Key anticipated legislative changes under the bill are summarized below on a per-sector basis. Once its text is finalized, the bill will enter into force within 15 days from its publication in the Official Gazette, leaving little time for businesses to prepare for compliance with the new rules.
Health Care Sector
- Aligning the special definition of personal data concerning health with the GDPR’s provisions.
- Extending the application of health data protection laws to deceased persons’ data.
- Deregulating the requirement that personal data concerning health be processed only with the data subject’s written wet signature consent. That change would enable health service providers and application providers to process personal data concerning health based on the data subject’s credibly documented explicit consent.
Financial Services Sector
- Authorizing financial service providers to transfer customer personal data to comply with group-wide AML/CFT policies and procedures. The Hungarian law implementing the AML directive did not establish that exemption and has caused uncertainty around financial service providers’ right to intragroup transfers of data for AML/KYC purposes.
Security Services Providers operating CCTV systems
- Removing the requirement to obtain from individuals implied consent for the recording and permitting data controllers to use the legitimate interest test relative to CCTV systems operations.
- Deregulating the mandatory data retention periods applicable to the CCTV security footage.
- New rules are proposed for the consumer complaints registry (“vásárlók könyve”) that each physical store must keep. Traders would be required to remove pages containing a customer comment or complaint and to retain the removed pages in serially numbered form for inspection by the consumer protection authority.
- Supplementing the Hungarian Labor Code with a new chapter on personal data processing.
- Prohibiting the employee’s private use of company IT equipment - unless the employer and employee explicitly agree otherwise.
- Legitimizing the employer’s processing of job applicants’ and employees’ criminal personal data for vetting purposes, if necessary to safeguard the employer’s financial interests, to protect information protected by legislation, or if necessary in connection with the storage of firearms, ammunition, explosives, toxic or dangerous chemical or biological materials or nuclear material.
- Authorizing the employer’s use of biometric identification measures if necessary for the prevention of unauthorized access to any information or assets that may lead to serious or irreversible consequences to (A) the life, physical integrity or health of others or (B) any other significant interest protected by law.
- Relative to operation of internal whistleblowing systems, removing the ban on processing special categories of personal data, which caused several practical problems in the past regarding the handling of sexual harassment cases in Hungary.
- National identification numbers:
  - Removing the current requirement that national identification numbers (tax ID, social security ID and personal identification number) must be processed and stored in physically separated records.
  - Prohibiting service providers (as defined in the Anti-Money Laundering Act) from copying the side of a natural person’s home address registration card that contains his/her personal identification number and from storing that number.
- Procedural changes:
  - Increasing the timeline for the Hungarian DPA’s administrative procedure, from 120 to 150 days.
  - Authorizing the Hungarian DPA to mandate municipal authorities to conduct local checks regarding the circumstances of data processing.
However, the marketing/advertising sectors seem largely unimpacted. The bill does not introduce any material legal changes regarding electronic and postal direct marketing, because it will not deregulate the explicit consent required to send direct marketing communications to natural persons. Accordingly, advertisers will continue to have to ask for each individual recipient’s explicit consent to send such communication – whether by electronic or postal means – in each of the B2B and the B2C contexts. The bill also does not introduce any soft-opt-in exemption for direct marketing of similar products or services obtained from customers in the context of the sale of a product or service. This approach does not seem to be aligned with the GDPR’s requirements, which say that direct marketing may be conducted based on legitimate interests. By contrast, Hungarian law generally excludes the possibility of the processing of personal data for direct marketing purposes under the balance of interests test.