The Hungarian Parliament passed an amendment removing the prohibition of sub-processing from the Hungarian Privacy Act. The amendment will enter into force on 01 July 2013, resulting in a clear platform where outsourcing will not trigger any unnecessary legal risks. The amendment is a significant step towards updating Hungarian data protection legislation, implementing both European legislation and recent technology trends.
The previous preclusion of sub-processing
Both the previous Hungarian law and the current Data Protection Act (Act 112 of 2011), which entered into force on 1 January 2012, contained an outdated provision which expressly precluded sub-processing, (the outsourcing of processing functions by a processor to a sub-processor). This requirement clearly conflicted with the needs of the cloud computing industry, not to mention EU law (for example, Commission Decision 2010/87/EU on Standard Contractual Clauses for the transfer of personal data to processors established in third countries, which enables sub-contracting provided certain criteria are met). The former Data Protection Commissioner had stated that EU law should prevail in the case of a conflict between Hungarian and EU law. However, this interpretation has not been confirmed by the courts, and the Data Protection Act as it stands retains the exclusion. The head of Hungarian Data Protection Agency (NAIH) also issued an opinion in which he admitted that the provision conflicts with European law and sub-contracting should be allowed. Nevertheless, until the Data Protection Act is not amended accordingly, statutory law cannot be disregarded.
The new provision entering into force on 1 July 2013
While it is expected that the Hungarian Data Protection Act will be revised in the course of 2013 in order to make it compliant with European legislation and case law, the amendment above is not part of this long-awaited comprehensive amendment but a new act addressing data security in the public sector. The Act on the Electronic Information Security of Public and Municipal Bodies (Act 50 of 2013) was passed by the Hungarian Parliament on 15 April 2013 and published in the Official Gazette on 25 April 2013. Article 28 of this act amends Article 10(2) Hungarian Data Protection Act by stating that a processor is allowed to engage a sub-processor in accordance with instructions of the controller.
For several years stakeholders have been urging both the previous data protection commissioners and the Hungarian Data Protection Agency to lift the outdated preclusion of sub-processing as it was considered an unnecessary burden for businesses processing personal data since it clearly conflicted with cloud computing and other recent technological developments. In January 2013 Mr. Attila Péterfalvi, president of the NAIH, announced that the Hungarian Privacy Act will be significantly amended in 2013 and one of the amendments will affect the prohibition of sub-processing. By amending and replacing this provision, the Hungarian legislator also acknowledged that the preclusion of sub-processing was outdated and it is essential to update the Hungarian Data Protection Act in order to restore Hungary’s competitiveness in cloud computing and to keep up with recent technological trends, European legislation and case law.